When to manage Microservices as a Mesh or APIs

Transcript

1. November, 2021 When to manage Microservices as a Mesh or

   as APIs Mark Cheshire Director, Product Management 1

2. North-South model for traditional API Management Gateway API API Client

   • APIs as a digital access point for your business • Security, developer onboarding and analytics • “North-South” service architecture pattern • Requires traditional API management capabilities • APIs As A Product API Gateway 2

3. Managing APIs for External Clients API Products and backends Example

   3 https://core.api.company.com Affiliate Website Mobile Partner Widget Internet Shipping Web plan Mobile plan Widget Customers Finance Tracking Logistics $ API Consumers API Products API Backends http://api.widget.local https://database.api/custrs https://finance.dept wss://tracking/api/v1 https://gds.log/api https://widget.api.company.com https://shipping.api.company.com Enterprise Boundary

4. East-West model for Microservice Mesh • APIs as an interaction

   pattern between microservices • Separation of control plane and data plane • Scaling management to 1000s of APIs • Distributed tracing, mutual TLS, allow-list/deny-list • “East-West” service architecture pattern • Service Mesh Microservices API API API API API API 4

5. Enterprise boundary When to use API Management and when to

   use Service Mesh Management? Microservice Microservice MS 1 MS 2 MS n Microservices group A Microservice MS 1 MS 2 MS n Microservices group B API Product External facing APIs Internal facing Microservice API Consumers

6. North-South Management East-West Management API Management for external traffic, Service

   Mesh Management for internal traffic Microservice Microservice MS 1 MS 2 MS n Microservices group A Microservice MS 1 MS 2 MS n Microservices group B API Product Enterprise boundary External facing APIs Internal facing Microservice API Consumers

7. North-South Management East-West Management API Management for external traffic, Service

   Mesh Management for internal traffic Microservice Microservice MS 1 MS 2 MS n Microservices group A Microservice MS 1 MS 2 MS n Microservices group B API Product Enterprise boundary External facing APIs Internal facing Microservice API Consumers

8. Not so easy! 8

9. Manage interfaces at Domain Boundaries just like at the Enterprise

   Boundary Enterprise boundary Inter Domain APIs Intra Domain Microservice Domain Boundary

10. What distinguishes Inter- and Intra-Domain traffic? 10 Hierarchical producer/consumer Network

    graph of connected services • Usually 1:N • Differentiate roles for consumer groups • AuthN + AuthZ • Formalized “contracts” • Guided discovery with developer portal and docs • Usually 1:1 • Consumers are part of the same team • AuthN • Implicit “contracts” • Internal documentation within code

11. Service Mesh AND API Management 11 Manage the relationship between

    APIs/Services and their consumers API Management Deliver advanced traffic control, security, resilience and observability for cloud-native apps Service Mesh

12. Red Hat Integration across App Architecture 12 RED HAT OPENSHIFT

    SERVICE MESH RED HAT OPENSHIFT Config Monitoring Infra Security Release Management Load Balancing Deployment Resiliency Service Discovery Resource Management Elasticity Logs Resilience Observability Traffic Control Security "TRADITIONAL" ARCHITECTURE MICROSERVICE ARCHITECTURE RED HAT 3SCALE API MANAGEMENT Monetization Developer Portal Analytics Authorization Authentication

13. Serving different stakeholders RED HAT OPENSHIFT SERVICE MESH RED HAT

    OPENSHIFT "TRADITIONAL" ARCHITECTURE MICROSERVICE ARCHITECTURE RED HAT 3SCALE API MANAGEMENT Service/API Owner App Developer Infrastructure Owner App Developer DevOps

14. 14 Integrated Use Case

15. API implementation Multiple new microservices Leverage existing services, some with

    performance limits that need protecting Allow (managed) access for External and Internal application developers via a defined API that is independent of the implementation behind it Do not allow direct access to backing services, that is an implementation detail to be controlled by development and ops teams We are aware there will be more moving parts, so we need visibility into what’s happening Product API Details Service Ratings Service Reviews Service Product Service 15

16. HTTP1.1, HTTP2, gRPC, TCP w/TLS istioctl, API, config Quota, Telemetry

    Rate Limiting, ACL CA, SPIFFE Service Mesh with Istio Separation of Data and Control Plane POD SERVICE A Istio Proxy POD SERVICE B Istio Proxy POD SERVICE C Istio Proxy Pilot Telemetry Citadel HTTP1.1, HTTP2, gRPC, TCP w/TLS Data Plane Control Plane Istio Control Plane

17. Service B Envoy WASM VM Filters Service Mesh and API

    Management integration Shared Data Plane ➔ Istio Proxy policies configured by two control plans: ➔ Service Mesh with Istio control plane ➔ API Management with 3scale control plane configuring filters within the Web Assembly (WASM) VM of Envoy Service A Envoy Data Plane WASM VM Filters istiod Control Planes Istio proxy Istio proxy API Mgmt

18. A new “Service Mesh” option can be selected in Admin

    Portal when configuring an API 18 API management and Service Mesh Integration

19. Ratings Service Reviews Service Details Service Product Service Product API

    Service Mesh Istio Ingress Istio Control Plane API Management Adapter API Consumers Admin Portal Developer Portal API Manager API Provider API Request Developer Apps 19 API management and Service Mesh Integration

20. 20 Rollout Flexibility

21. Two Rollout Scenarios 21 1. API Mgmt: Starting point 2.

    Add Service Mesh 3. Enable 3scale Istio adapter 4. Activate 3scale auth for desired nodes 5. Deactivate auth through 3scale APIcast gateways 6. Result: ◦ Minimal effort to add Service Mesh ◦ Prior investment in access control continues without change ◦ No duplication in traffic control gateways 1. Service Mesh: Starting point 2. Enable 3scale Istio adapter 3. Activate 3scale auth for desired nodes 4. Configure API Management policies for access control 5. Result: ◦ Minimal effort to add API Management ◦ No duplication in traffic control gateways Don’t boil the ocean, phase your deployment for successful Microservices projects

22. 22 Takeaway

23. Service Mesh AND API Management 23 Manage the relationship between

    APIs/Services and their consumers API Management Deliver advanced traffic control, security, resilience and observability for cloud-native apps Service Mesh

24. linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat Red Hat is the world’s leading

    provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. Thank you 24

25. API MANAGEMENT 25 Source: https://developers.redhat.com/blog/2019/03/12/distributed-microservices-architecture-enterprise-integration-istio-and-managed-api-gateways/ API Management Service Mesh API

    Contracts Monetisation Partner Ecosystem Developer Documentation Rate Limits, Policy, Security Observability Resiliency Chaos Testing Traffic Routing, Retry, timeouts Header and URL rewrite Targeted User API Creator Targeted User Developers DevOps Engineers API Consumers API Management Capabilities Responsibilities of API Management vs Service Mesh