Slide 1

Multi-Cluster API Gateway Patterns with Envoy Proxy and Gloo

Christian Posta
Global Field CTO – Solo.io

Slide 2

Our customers’ challenges

Copyright © 2020

Slide 3

SERVICE MESH JOURNEY INNOVATION MODERNIZE TO MICROSERVICES SERVICE MESH MANAGEMENT ADAPTIVE SERVICE MESH

Slide 4

Award Winning Innovation
Enterprise Credibility
Key Industry Collaborations

December 11, 2018
2018 TOP WOMEN ENTREPRENEURS IN CLOUD INNOVATION
Seventh Annual Award Honors Women Founders for Outstanding Accomplishments in Cloud and Emerging Technologies, Sponsored by Facebook, Intel, and Google.

https://www.solo.io/customers/

Slide 5

API connectivity & communication challenges

[Diagram: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E]

Challenges
● Entry point for services
● Establishing boundary
● AuthN/AuthZ
● Traffic routing
● Transformations
● Rate limiting
● Automation
● Extension

Slide 6

API connectivity & communication challenges

Challenges
● Discovering APIs
● Documentation
● Self-service sign up
● Security
● Internal vs External

[Diagram: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E]

Slide 7

Solo.io solves API connectivity & communication challenges

[Diagram: API portal; SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E]

Slide 8

Gloo Enterprise Features

Slide 9

Gloo Data Plane and Control Plane

[Diagram labels: EXTERNAL AUTH, RATE LIMITING, GLOO FILTERS, ROUTER, UPSTREAM, EXTERNAL AUTH SERVER, RATE LIMITING SERVER, CACHING, DATA LOSS PREVENTION, LAMBDA, NATS.IO, TRANSFORMATION, WEB APPLICATION FIREWALL (WAF)]

Slide 10

Why Gloo?

Security Highly Extensible Multi-platform Web Assembly Integration Decentralized API

● Basic auth
● OIDC
● JWT
● API Keys
● Custom Auth
● TLS
● mTLS
● SNI
● Let’s Encrypt
● CORS
● OPA
● RBAC
● Delegation
● WAF
● Data Loss Prevention
● Rate Limit
● Circuit Breaker

Slide 11

API connectivity & communication challenges

Challenges
● Multiple clusters
● Hybrid deployments
● Centralized view
● Consistency
● Security
● Configuration
● Federation
● Centralization vs Decentralization

[Diagram: SERVICE A through SERVICE E, repeated four times]

Slide 12

API Federation
• Autonomous clusters
• Different organizational/network/administrative boundaries
• Share pieces of configuration
• For those shared pieces, treat union as a single unit
• Uses an orchestrator to stitch together policies for federation

Slide 13

Solo.io solves API connectivity & communication challenges

[Diagram: Federation; SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E, SERVICE F, SERVICE G, SERVICE H]

Slide 14

Problems Solo.io solves with federation
• Security (authz/authn/encryption/identity)
• Service discovery
• Failover / traffic shifting / transparent routing
• Observability
• Separate networks
• Well-defined fault domains
• Balance of centralized management with decentralized enforcement

Slide 15

Envoy as the backbone of application networking

Slide 16

Why Envoy Proxy?
• Neutral Foundation (CNCF)
• Large, diverse, vibrant community
• Built ground up for dynamic services environment
• Dynamic configuration, driven by API
• Highly extensible
• L7 filters (HTTP/1, HTTP/2, gRPC, redis, mysql, Kafka, etc)
• Deep metrics/telemetry out of the box
• Versatile deployment options

Slide 17

Exploring Envoy failover routing capabilities: Request racing

[Diagram: Account workload calls http://products.service/; workloads in us-west-1 and us-west-2]

Timeout
Race request
First to return is the response to the caller

Slide 18

Exploring Envoy failover routing capabilities: Zone aware routing (Envoy decides)

[Diagram: Account workload calls http://products.service/; workloads in us-west-1 and us-west-2]

Not enough healthy hosts in same zone
Spill over to another zone

Slide 19

Exploring Envoy failover routing capabilities: Locality aware (Control plane decides)

[Diagram: Account workload calls http://products.service/; workloads in us-west-1 and us-west-2, labelled with weights W=1, W=1, W=1, W=5, W=5]

Not enough healthy hosts in same zone
Spill over to another zone

Slide 20

Exploring Envoy failover routing capabilities: Aggregate Cluster (for routing to gateways)

[Diagram: Account workload calls http://products.service/; workloads; Edge gw; us-west-1, us-west-2; EDS; Strict DNS]

Slide 21

Multi-cluster patterns

Slide 22

Single cluster ingress/gateway

[Diagram: three workloads]

@christianposta

Slide 23

Decentralized API Gateway

[Diagram: nine workloads]

Slide 24

Hybrid, two-tier gateways

[Diagram: nine workloads; Leaf nodes/application clusters]

Slide 25

Hybrid, two-tier gateways with tenancy

[Diagram: nine workloads; Leaf nodes/application clusters]

Slide 26

[Diagram: API/Edge Gateway tier; Access Proxy / Gateway Routing; Leaf nodes/application clusters; three Istiod instances with workloads]

Slide 27

Operating a multi-cluster topology

Slide 28

[Diagram: GlooFederation Plane; Access Proxy / Gateway Routing; Leaf nodes/application clusters; nine workloads]

Slide 31

Demo

Slide 32

• https://solo.io
• https://slack.solo.io
• https://gloo.solo.io
• https://envoyproxy.io
• https://istio.io
• https://webassemblyhub.io
• https://servicemeshhub.io
• https://blog.christianposta.com