Service Mesh and the future of networking

In the world of microservices we have seen a new technology, the Service Mesh, emerge and grow very fast. Projects like Istio, Linkerd or Consul have become very popular, and people are starting to adopt them and to figure out the new possibilities these projects bring. But beyond the individual features each of those projects provides, this talk presents the core concepts of a Service Mesh, the novel things this technology brings, and the use cases it is meant to solve.

We will explore how Service Meshes push networking to the next level, opening the door to a whole new set of possibilities designed for this new era of multi-cloud and hybrid architectures, and giving attendees a mental model with which to explore and evaluate these projects after the talk.


Ignasi Barrera

October 06, 2019

Transcript

  1. Service Mesh …and the future of Networking #SCBCN19 - VII Edition

  2. PLATINUM GOLD SILVER SUPPORTERS

  3. Journey to the chaos

  4. (image-only slide)
  5. (image-only slide)
  6. (image-only slide)
  7. (image-only slide)

  8. Micro-services

  9. Failure happens

  10. And shit hits the fan

  11. Frameworks and tools to the rescue

  12. Must-have primitives • Service discovery • Fault tolerance • Circuit breakers • Back-pressure • Tracing

  13. Apps are still coupled to the network

  14. Heterogeneous environments

  15. Heterogeneous environments

  16. Let’s get some perspective

  17. Quite some time ago… We managed to let Server A send packets to Server B

  18. And we made it in a reliable way

  19. But we are dealing with the same kind of problems again…

  20. But we are dealing with the same kind of problems again… at the application layer

  21. Service Mesh

  22. Main Features • Separate the network from the applications • Consistency across the fleet • Centralized control • Fast to change (apply config to affect change; not redeploy)

  23. Platform abstractions • Networking • Observability • Security. Focus on creating services and providing value

  24. Data plane

  25. Envoy Proxy • L7 proxy built for today’s SOA • Deployment agnostic, lightweight • L3/L4 filters at core, rich L7 filters • Built-In HTTP/2 support • Protocol extensibility (Mongo, Redis, MySQL, etc) • Programmability (xDS APIs) • Push based model

  26. Control plane

  27. Networking

  28. Traffic management 80% 20% 50 req/sec

  29. Observability

  30. Telemetry reporting

  31. Security

  32. Policy enforcement (AuthZ)

  33. The network is still not secure

  34. Identity

  35. SPIFFE • A naming scheme to encode workload identities • How to encode those names in an X.509 certificate (SVID) • How a peer (client or server) validates the X.509 certificate to authenticate the SPIFFE identity inside of it
      spiffe://trust-domain/path
      spiffe://k8s.example.com/ns/staging/sa/default

  36. AuthN and encryption in transit mTLS

  37. Identity is not only about mTLS • Finally break the L3/L4 dependency • L7 policies • Multi-cloud & cloud-agnostic applications

  38. Let’s interconnect a hybrid environment

  39. Secure connections with VPNs VPN

  40. Expensive and hard to scale VPN

  41. VPN Use the primitives the Mesh provides! mTLS

  42. Unified identity domain authN/authZ

  43. Recap

  44. Traffic routing • Service discovery • Application level overlay network • L7 addressing • Canaries • Traffic shifting • Protocol transcoding

  45. Traffic management • (Client-side) Load balancing • Failure detection • Circuit breakers • Retries • Deadlines • Rate limiting • Fault injection

  46. Observability • Logs • Metrics • Distributed tracing • Consistency for monitoring tools

  47. Security • Runtime policy enforcement • Trusted Identity • Transparent mTLS • Authentication and Authorization

  48. Help build the future!

  49. Let’s contribute! • https://github.com/envoyproxy/envoy • https://linkerd.io/community/ • https://istio.io/about/community/join/ • https://www.consul.io/community.html • https://spiffe.io/community/

  50. Thanks!
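As an added example (not code from the talk, nor from Istio, Linkerd, Consul, Envoy or SPIFFE/SPIRE), the Go program below walks through the three parts of the SPIFFE slide (35) and the policy-enforcement slide (32) in one place: a toy per-trust-domain CA issues an X509-SVID carrying the slide's spiffe://k8s.example.com/ns/staging/sa/default identity as a URI SAN, a peer validates the chain against the root of the trust domain named in that ID, and an allow-list is evaluated on the authenticated identity. The second trust domain vms.example.com, the CAs, the policy map and the workload names are assumptions constructed for the example; in a real mesh the CA is Citadel, the SPIRE server or Consul's CA, and the sidecar proxy performs the validation. A trust bundle holding the roots of both environments is the "unified identity domain" of slides 41 and 42: a VM workload and a cluster workload authenticate each other with mTLS instead of a VPN, while an SVID signed by the wrong domain's CA is still rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// ca is a toy per-trust-domain CA standing in for the mesh CA (constructed for this example).
type ca struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// newCA creates a self-signed root for one SPIFFE trust domain.
func newCA(trustDomain string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "mesh CA for " + trustDomain},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}, err
}

// issueSVID encodes a SPIFFE ID into a short-lived X.509 certificate (an X509-SVID)
// as the certificate's single URI SAN, the way mesh-issued workload certs carry it.
func (c *ca) issueSVID(spiffeID string) ([]byte, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
}

// trustBundle maps a trust domain to the root allowed to sign SVIDs for it. Federating
// the bundles of a cluster and a VM fleet gives a hybrid environment one identity domain.
type trustBundle map[string]*x509.Certificate

// verifySVID is the peer-side check: parse the presented leaf, read the SPIFFE ID from
// its URI SAN, and chain the leaf to the root of the trust domain that ID claims.
func verifySVID(leafDER []byte, bundle trustBundle) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("SVID must carry exactly one spiffe:// URI SAN")
	}
	id := leaf.URIs[0]
	root, ok := bundle[id.Host] // the URI host is the trust domain
	if !ok {
		return "", fmt.Errorf("no trust bundle for trust domain %q", id.Host)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("chain validation failed for %s: %w", id, err)
	}
	return id.String(), nil
}

// policy is a minimal L7 allow-list (destination workload -> caller SPIFFE IDs),
// evaluated only on an identity that verifySVID has already authenticated.
type policy map[string][]string

func authorize(p policy, destination, callerID string) bool {
	for _, allowed := range p[destination] {
		if allowed == callerID {
			return true
		}
	}
	return false
}
```

Note what the verifier never looks at: source IP, subnet or network location, the L3/L4 dependency slide 37 talks about breaking. Its only inputs are the certificate chain and the trust bundle, and the bundle lookup is keyed by the URI host, so even though both roots are trusted, a certificate minted by the VM CA cannot assert a Kubernetes identity.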