
Service Mesh and the future of networking

In the world of microservices, we have seen a new technology, the Service Mesh, emerge and grow very fast. Projects like Istio, Linkerd or Consul have become very popular, and people are starting to adopt them and to figure out the new possibilities these projects bring. But beyond the individual features each of those projects provides, in this talk we will present the core concepts of a Service Mesh, the novel things this technology brings, and the use cases it is meant to solve.

We will explore how Service Meshes will push networking to the next level, opening the door to a whole new set of possibilities especially designed for this new era of multi-cloud and hybrid architectures, and giving us a mental model with which to explore and evaluate them after the talk.

Ignasi Barrera

October 06, 2019

Transcript

  1. Service Mesh
    …and the future of Networking
    #SCBCN19 - VII Edition

  2. PLATINUM
    GOLD
    SILVER
    SUPPORTERS

  3. Journey to the chaos

  8. Micro-services

  9. Failure happens

  10. And shit hits the fan

  11. Frameworks and tools to the rescue

  12. Must-have primitives
    • Service discovery
    • Fault tolerance
    • Circuit breakers
    • Back-pressure
    • Tracing

  13. Apps are still coupled to the network

  14. Heterogeneous environments

  16. Let’s get some perspective

  17. Quite some time ago…
    We managed to let Server A
    send packets to Server B

  18. And we made it in a reliable way

  20. But we are dealing with the same kind of
    problems again…
    at the application layer

  21. Service Mesh

  22. Main Features
    • Separate the network from the applications
    • Consistency across the fleet
    • Centralized control
    • Fast to change (apply config to effect change; do not redeploy)

  23. Platform abstractions
    • Networking
    • Observability
    • Security
    Focus on creating services
    and providing value

  24. Data plane

  25. Envoy Proxy
    • L7 proxy built for today’s SOA
    • Deployment agnostic, lightweight
    • L3/L4 filters at the core, rich L7 filters
    • Built-In HTTP/2 support
    • Protocol extensibility (Mongo, Redis, MySQL, etc)
    • Programmability (xDS APIs)
    • Push based model

  26. Control plane

  27. Networking

  28. Traffic management
    80%
    20%
    50 req/sec
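
    The 80% / 20% split and the 50 req/sec figure on this slide are the two data-plane primitives a sidecar applies to every request without the application knowing: weighted cluster selection (traffic shifting) and a local rate limit. The block below is an added example written for this transcript, not Envoy, Istio or any project's code. It implements both with an injected random draw and an injected millisecond clock so the behaviour is deterministic; the cluster names and the 100 req/s arrival rate in `simulate` are constructed.

```python
"""Weighted traffic shifting plus a token-bucket rate limit, the way a
sidecar proxy applies them per request. Illustrative example only; cluster
names and traffic figures are made up to match the slide (80/20, 50 req/s)."""
import bisect
import random
from typing import Dict, Optional


class WeightedClusters:
    """Pick an upstream cluster by weight (e.g. 80% v1 / 20% v2)."""

    def __init__(self, weights: Dict[str, int]):
        if not weights or any(w < 0 for w in weights.values()):
            raise ValueError("weights must be non-empty and non-negative")
        total = sum(weights.values())
        if total == 0:
            raise ValueError("at least one cluster needs a positive weight")
        self.names = list(weights)
        # Cumulative upper edges, e.g. {"v1": 80, "v2": 20} -> [0.8, 1.0]
        self.edges, acc = [], 0.0
        for name in self.names:
            acc += weights[name] / total
            self.edges.append(acc)
        self.edges[-1] = 1.0  # absorb float rounding so every r < 1 maps

    def pick(self, r: float) -> str:
        """Map a uniform draw r in [0, 1) to a cluster. Kept separate from
        route() so callers and tests can inject r instead of a live RNG."""
        if not 0.0 <= r < 1.0:
            raise ValueError("r must be in [0, 1)")
        return self.names[bisect.bisect_right(self.edges, r)]

    def route(self, rng: Optional[random.Random] = None) -> str:
        return self.pick((rng or random).random())


class TokenBucket:
    """Local rate limit: `rate` tokens/second, bursting up to `burst`.
    Time is passed in as integer milliseconds so refills are exact."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        elapsed_ms = max(0, now_ms - self.last_ms)
        self.last_ms = max(self.last_ms, now_ms)
        self.tokens = min(self.burst, self.tokens + elapsed_ms * self.rate / 1000.0)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # the proxy answers 429 locally; the app never sees it


def simulate(n: int, seed: int = 0) -> Dict[str, int]:
    """Push n requests arriving every 10 ms (100 req/s, constructed) through
    a 50 req/s limit and an 80/20 split; count where each one ended up."""
    split = WeightedClusters({"reviews-v1": 80, "reviews-v2": 20})
    limiter = TokenBucket(rate=50, burst=50)
    rng = random.Random(seed)
    counts = {"reviews-v1": 0, "reviews-v2": 0, "rate_limited": 0}
    for i in range(n):
        if not limiter.allow(now_ms=i * 10):
            counts["rate_limited"] += 1
            continue
        counts[split.route(rng)] += 1
    return counts


if __name__ == "__main__":
    print(simulate(200))
```

    Two seconds of 100 req/s against a 50 req/s bucket with a burst of 50 lets 149 requests through and sheds 51: the burst is consumed in the first second, after which every other request is rejected. The point of the example is that both knobs are configuration on the proxy, so changing 80/20 to 50/50 or the limit to 500 req/s is a config push, not a redeploy.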

  29. Observability

  30. Telemetry reporting

  31. Security

  32. Policy enforcement (AuthZ)

  33. The network is still not secure

  34. Identity

  35. SPIFFE
    • A naming scheme to encode workload identities
    • How to encode those names in an X.509 certificate (SVID)
    • How a peer (client or server) validates the X.509 certificate to authenticate the SPIFFE identity inside of it
    spiffe://trust-domain/path
    spiffe://k8s.example.com/ns/staging/sa/default

  36. AuthN and encryption in transit
    mTLS

  37. Identity is not only about mTLS
    • Finally break the L3/L4 dependency
    • L7 policies
    • Multi-cloud & cloud-agnostic applications
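
    Slides 32, 35 and 37 together describe what the sidecar does with an identity once mTLS has verified the peer's certificate chain: parse the SPIFFE ID, take it out of the peer's X509-SVID, and make an L7 authorization decision on that name instead of on an IP address or network segment. The block below is an added example for this transcript, not SPIRE, Istio or Envoy code, using only the Python standard library. The validation rules are those of the SPIFFE ID specification (scheme `spiffe`, lowercase trust domain, no userinfo, port, query or fragment, no empty, `.` or `..` path segments, 2048-byte limit, exactly one URI SAN in a leaf SVID). The policy format (`Rule`, principal prefixes ending in `/*`, path prefixes) is invented for the example, and the trust domains and identities in `POLICY` are constructed, the first one taken from slide 35.

```python
"""SPIFFE identity at the sidecar: parse/validate a SPIFFE ID, extract the
single SPIFFE ID an X509-SVID leaf must carry, and authorize an L7 request
on that identity. Added example, standard library only. The Rule semantics
(prefix principals ending in "/*", path prefixes) are illustrative."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence
from urllib.parse import urlsplit

TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")   # lowercase only, per spec
PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")
MAX_ID_BYTES = 2048                                # spec limit on the whole ID


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" for the trust domain itself, otherwise "/seg/seg..."

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeId:
    """Strict parse. Rejects what the SPIFFE ID spec forbids: wrong or
    upper-case scheme, userinfo, port, query, fragment, percent-encoding,
    trailing '/', empty, '.' or '..' segments, non-lowercase trust domain."""
    if len(raw.encode()) > MAX_ID_BYTES:
        raise ValueError("SPIFFE ID exceeds 2048 bytes")
    if not raw.startswith("spiffe://"):
        raise ValueError("scheme must be exactly 'spiffe://'")
    u = urlsplit(raw)
    if u.query or u.fragment or "@" in u.netloc or ":" in u.netloc:
        raise ValueError("userinfo, port, query and fragment are not allowed")
    if not TRUST_DOMAIN_RE.match(u.netloc):
        raise ValueError(f"invalid trust domain {u.netloc!r}")
    if u.path:
        if u.path.endswith("/"):
            raise ValueError("path must not end with '/'")
        for seg in u.path[1:].split("/"):
            if seg in ("", ".", "..") or not PATH_SEGMENT_RE.match(seg):
                raise ValueError(f"invalid path segment {seg!r}")
    return SpiffeId(u.netloc, u.path)


def is_valid_spiffe_id(raw: str) -> bool:
    try:
        parse_spiffe_id(raw)
        return True
    except ValueError:
        return False


def spiffe_id_from_svid(uri_sans: Sequence[str]) -> SpiffeId:
    """A leaf X509-SVID must carry exactly one URI SAN: the SPIFFE ID.
    `uri_sans` are the URI SAN strings the TLS stack extracted from the peer
    certificate after validating its chain against the trust bundle."""
    if len(uri_sans) != 1:
        raise ValueError(f"X509-SVID must have exactly one URI SAN, got {len(uri_sans)}")
    return parse_spiffe_id(uri_sans[0])


@dataclass(frozen=True)
class Rule:
    principals: Sequence[str]     # exact SPIFFE IDs, or a prefix ending in "/*"
    methods: Sequence[str]
    path_prefixes: Sequence[str]  # matched against an already-normalized path

    def matches_principal(self, sid: SpiffeId) -> bool:
        s = str(sid)
        for p in self.principals:
            if p.endswith("/*"):
                # Keep the trailing '/', so "spiffe://td/ns/prod/*" does not
                # match "spiffe://td/ns/production/sa/x".
                if s.startswith(p[:-1]):
                    return True
            elif s == p:
                return True
        return False


class Authorizer:
    """Deny by default: no valid SVID, unknown trust domain or no matching
    rule all yield False. The source IP is never consulted."""

    def __init__(self, trusted_domains: Iterable[str], rules: Iterable[Rule]):
        self.trusted_domains = set(trusted_domains)
        self.rules: List[Rule] = list(rules)

    def allow(self, peer_uri_sans: Sequence[str], method: str, path: str) -> bool:
        try:
            sid = spiffe_id_from_svid(peer_uri_sans)
        except ValueError:
            return False
        if sid.trust_domain not in self.trusted_domains:
            return False
        return any(
            r.matches_principal(sid) and method in r.methods
            and any(path.startswith(prefix) for prefix in r.path_prefixes)
            for r in self.rules
        )


# Constructed policy: a Kubernetes trust domain plus one for VMs, the first
# principal being the identity shown on slide 35.
POLICY = Authorizer(
    trusted_domains=["k8s.example.com", "vms.example.com"],
    rules=[Rule(principals=["spiffe://k8s.example.com/ns/staging/sa/default",
                            "spiffe://vms.example.com/billing/*"],
                methods=["GET"], path_prefixes=["/api/orders/"])],
)
```

    The `path` handed to `Authorizer.allow` is assumed to be the request path after the proxy has normalized it (decoded, dot-segments collapsed), otherwise a prefix rule on `/api/orders/` is trivially bypassed. Because the decision is keyed on the SPIFFE ID, the same rule applies to a pod on Kubernetes and to a VM in another cloud, which is the "break the L3/L4 dependency" point of slide 37.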

  38. Let’s interconnect a hybrid environment

  39. Secure connections with VPNs
    VPN

  40. Expensive and hard to scale
    VPN

  41. VPN
    Use the primitives the Mesh provides!
    mTLS

  42. Unified identity domain
    authN/authZ

  43. Recap

  44. Traffic routing
    • Service discovery
    • Application level overlay network
    • L7 addressing
    • Canaries
    • Traffic shifting
    • Protocol transcoding

  45. Traffic management
    • (Client-side) Load balancing
    • Failure detection
    • Circuit breakers
    • Retries
    • Deadlines
    • Rate limiting
    • Fault injection
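
    Slides 12 and 45 list circuit breakers, failure detection, retries and deadlines as primitives the mesh takes out of the application and into the sidecar's client-side path. The block below is an added example for this transcript showing how they interlock: a three-state circuit breaker fed by failure detection, and a retry loop that is bounded by the request deadline and stops as soon as the circuit opens. It is not Envoy's implementation (Envoy's circuit breaking is threshold-based on outstanding connections and requests rather than this classic state machine), and it uses an injected fake clock and a constructed flaky upstream so it runs deterministically offline.

```python
"""Client-side resilience a sidecar applies per upstream: a circuit breaker
driven by failure detection, and retries bounded by a per-request deadline.
Added example with an injected clock; the upstream is a constructed stub."""
from enum import Enum


class UpstreamError(Exception):
    """A retryable failure (connect error, 503). Only map errors that are safe
    to retry onto this; never blindly retry non-idempotent writes."""


class DeadlineExceeded(Exception):
    pass


class UpstreamUnavailable(Exception):
    """The breaker shed the request without sending it."""


class State(Enum):
    CLOSED = "closed"        # traffic flows, consecutive failures are counted
    OPEN = "open"            # everything is shed until open_seconds elapse
    HALF_OPEN = "half_open"  # exactly one probe request is let through


class CircuitBreaker:
    def __init__(self, failure_threshold: int, open_seconds: float):
        self.failure_threshold = failure_threshold
        self.open_seconds = open_seconds
        self.state = State.CLOSED
        self.failures = 0
        self.opened_at = 0.0

    def allow_request(self, now: float) -> bool:
        if self.state is State.OPEN:
            if now - self.opened_at >= self.open_seconds:
                self.state = State.HALF_OPEN  # this caller becomes the probe
                return True
            return False
        if self.state is State.HALF_OPEN:
            return False  # probe in flight; shed everyone else
        return True

    def record_success(self) -> None:
        self.failures = 0
        self.state = State.CLOSED

    def record_failure(self, now: float) -> None:
        self.failures += 1
        if self.state is State.HALF_OPEN or self.failures >= self.failure_threshold:
            self.state = State.OPEN
            self.opened_at = now


class FakeClock:
    """Monotonic clock whose sleep() only advances time (constructed for the
    example; a real sidecar would use time.monotonic() and time.sleep())."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def call_with_retries(send, breaker, clock, deadline: float, max_attempts: int, backoff: float):
    """`deadline` is an absolute clock time, the request's total budget. Stop
    at the first of: success, max_attempts, the deadline, or an open circuit."""
    attempt = 0
    while True:
        attempt += 1
        now = clock.now()
        if now >= deadline:
            raise DeadlineExceeded(f"deadline passed before attempt {attempt}")
        if not breaker.allow_request(now):
            raise UpstreamUnavailable("circuit open; request shed locally")
        try:
            response = send()
        except UpstreamError as exc:
            breaker.record_failure(clock.now())
            if attempt >= max_attempts:
                raise
            if clock.now() + backoff >= deadline:
                raise DeadlineExceeded("a retry would overrun the deadline") from exc
            clock.sleep(backoff)
            continue
        breaker.record_success()
        return response


def flaky_upstream(clock: FakeClock, fail_times: int, latency: float):
    """Constructed upstream: each call burns `latency` seconds of fake time
    and the first `fail_times` calls fail with a 503."""
    calls = {"n": 0}

    def send() -> str:
        calls["n"] += 1
        clock.sleep(latency)
        if calls["n"] <= fail_times:
            raise UpstreamError(f"503 on call {calls['n']}")
        return "200 OK"

    return send


if __name__ == "__main__":
    clock, breaker = FakeClock(), CircuitBreaker(failure_threshold=3, open_seconds=5.0)
    send = flaky_upstream(clock, fail_times=2, latency=0.2)
    print(call_with_retries(send, breaker, clock, deadline=2.0, max_attempts=3, backoff=0.1))
```

    The deadline check before a sleep is the detail that matters in a mesh: a retry budget that ignores the caller's deadline turns one slow upstream into a retry storm across every hop, which is the cascading failure slides 9 and 10 allude to. Tracking these counters in the proxy also gives the control plane a consistent failure-detection signal per upstream without touching application code.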

  46. Observability
    • Logs
    • Metrics
    • Distributed tracing
    • Consistency for monitoring tools

  47. Security
    • Runtime policy enforcement
    • Trusted Identity
    • Transparent mTLS
    • Authentication and Authorization

  48. Help build the future!

  49. Let’s contribute!
    • https://github.com/envoyproxy/envoy
    • https://linkerd.io/community/
    • https://istio.io/about/community/join/
    • https://www.consul.io/community.html
    • https://spiffe.io/community/

  50. Thanks!