Slide 1

Slide 1 text

Globalcode – Open4education
Service Mesh Magic in the Cloud
Frank Munz, Senior Technical Evangelist, Amazon Web Services, @frankmunz

Slide 2

Slide 2 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
About me
• Software Architect / DevOps Engineer
• Technical Evangelist @ AWS
• Published an AWS book
• Containers, serverless and a sprinkle of ML & big / fast data
@frankmunz

Slide 3

Slide 3 text

10+ Years Back in Time: SOA
ESB = Service Virtualization Layer
• Reduces complexity: the number of connections (#cx) between services goes from squared (point-to-point) to linear with an ESB
• VETO pattern = Validate, Enrich, Transform, Operate
• CCC (cross-cutting concerns) = location transparency, throttling, monitoring, security, audit

Slide 4

Slide 4 text

Splitting the Monolith – A. Cockroft @ AWS
https://youtu.be/aBcG57Gw9k0

Slide 5

Slide 5 text

Enterprise SW Modernization -> Microservices
Building Blocks / Technical Architecture
• Containers
• Serverless (AWS Lambda)
• Other cloud services
• Do NOT stuff everything into a container!
• AWS API Gateway, Kinesis, Aurora, Dynamo DB, etc.
-> Container / K8s will not make other cloud services redundant

Slide 6

Slide 6 text

Challenges of Containers at Scale
• More transient
• More distributed and complex
• Networking
• Scheduling / Resource Management
• Not virtualized, but isolated: containers share the Linux kernel
-> Tooling and orchestration required

Slide 7

Slide 7 text

… so we built a solution for that

Slide 8

Slide 8 text

ECS
1. Easiest way to deploy and manage containers at scale
2. Integration with the entire AWS platform: ALB, Auto Scaling, Batch, Elastic Beanstalk, CloudFormation, CloudTrail, CloudWatch Events, CloudWatch Logs, CloudWatch Metrics, ECR, EC2 Spot, IAM, NLB, Parameter Store, and VPC
3. Scales to support clusters of any size; service integrations (like ALB and NLB) are at container level

Slide 9

Slide 9 text

Then Kubernetes entered the stage

Slide 10

Slide 10 text

… and devOps ❤ Kubernetes

Slide 11

Slide 11 text

What is Kubernetes (K8s)?
• Open source container management platform
• Helps you run containers at scale
• Gives you primitives for building modern applications

Slide 12

Slide 12 text

“Run Kubernetes for me.”

Slide 13

Slide 13 text

EKS Architecture
(diagram: the EKS-managed control plane is spread across Availability Zone 1, Availability Zone 2 and Availability Zone 3; the cluster is accessed with kubectl)

Slide 14

Slide 14 text

Kubernetes Resources (incomplete list)
• Pod: basic K8s unit, co-located containers
• Namespace: non-overlapping group of resources
• Replica Set: keeps pod replicas running
• Service: exposes pods at a single stable IP
• Deployment: rolling update of pods
• Ingress: exposes a service with a static IP to external clients
• Admission Controller: runs code after an API request, e.g. to inject a sidecar

Slide 15

Slide 15 text

Shift in Infrastructure Logic
• ESB: clustered monolith
• OSS Hystrix library: code changes required; language specific
• Service Mesh: decentral, language agnostic, dumb endpoints
https://www.infoq.com/articles/microservices-post-kubernetes

Slide 16

Slide 16 text

Istio Service Mesh
Connect, secure, and observe services
• Shift in where functionality is located
• Istio = control plane
• Set of all Envoy proxies = data plane
• Envoy proxy as sidecar in K8s pod
• Automatic / manual injection of proxy

Slide 17

Slide 17 text

Istio Service Mesh with Envoy Proxy
Add a 5s delay to 10% of all requests
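The rule behind this slide, written out as an added example (it is not from the talk): an Istio VirtualService that makes the Envoy sidecars inject a fixed 5 second delay into 10% of the requests sent to a service. The service name "reviews" and the "default" namespace are assumptions; the route must still be present, otherwise the rule matches nothing.

```yaml
# Added example, not from the talk. Assumes a Kubernetes Service called
# "reviews" in the "default" namespace with sidecars injected.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews-delay
  namespace: default
spec:
  hosts:
    - reviews              # the Service the client calls; its sidecar applies the fault
  http:
    - fault:
        delay:
          percentage:
            value: 10.0    # share of requests that receive the delay (percent)
          fixedDelay: 5s   # the delay itself
      route:               # the unaffected 90% still need a destination
        - destination:
            host: reviews
```

Apply it with kubectl apply -f and watch the effect in Jaeger or Grafana: roughly one trace in ten shows an extra 5 s in the proxy span, while the application code is untouched. Older Istio releases (the 1.0 line that the Helm chart path on the install slide belongs to) spelled the field as "percent: 10" instead of the "percentage" block. Delete the VirtualService after the test; a forgotten fault rule in a production namespace is self-inflicted degraded service.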

Slide 18

Slide 18 text

User Based Routing
Traffic Shifting

Slide 19

Slide 19 text

Envoy Proxy
• Level 7 proxy
• HTTP, HTTP/2, gRPC, AWS Dynamo DB, MongoDB
• C++11 code base, only 8 MB (statically linked)
• No language or framework dependencies
• No code changes
• OSS started at Lyft

Slide 20

Slide 20 text

Service Mesh
Cross Cutting Concerns such as retries, timeouts, circuit breaking, fault injection, client-side load balancing, service discovery, security, metrics collection, A/B deployments, and traffic shifting / mirroring / routing
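The "security" item in that list mostly means service-to-service mutual TLS, which the sidecars terminate so that no application code changes. As an added example that is not part of the talk, here is the mesh-wide configuration that turns it on: a PeerAuthentication that makes every sidecar require mTLS from its peers, and a DestinationRule that makes every sidecar originate mTLS towards other services. The root namespace "istio-system" is the Istio default; the resource kinds are the ones current Istio releases use, whereas the 1.0-era Istio installed on the Helm slide expressed the same thing with a "MeshPolicy" in the authentication.istio.io API.

```yaml
# Added example, not from the talk. Assumes Istio's root namespace is the
# default "istio-system"; resources placed there apply to the whole mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT           # sidecars accept only mTLS; plaintext is refused
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"          # every in-cluster service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL   # sidecars present the Istio-issued workload certificate
```

Roll this out with mode PERMISSIVE first: PERMISSIVE accepts both plaintext and mTLS, so pods that still lack a sidecar (anything scheduled before the namespace was labelled for injection, or in namespaces that were never labelled) keep working while you find them. Switching to STRICT is the point at which those pods stop receiving traffic, which is also the check that the mesh really covers everything you think it covers.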

Slide 21

Slide 21 text

Service Mesh
But Docker / Kubernetes can do rolling updates!
Yes, but Istio separates traffic flow from replica deployment

Slide 22

Slide 22 text

Microservices Update Strategies
• Fancy a swim in the Arctic Sea? Blue / Green: 100%, all services at once
• A bath tub full of cold water? K8s rolling update: 25%, 1 pod at a time
• … or just wet your feet? Service Mesh: 3%, traffic routing
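The "wet your feet" option from this slide and the user-based routing from the slide before it, as one added example (not from the talk): a DestinationRule names the two versions of a service as subsets by pod label, and a VirtualService sends requests carrying a specific header to the new version while everyone else is split 97/3 between old and new. The service name "reviews", the "version" pod label and the "end-user" header are assumptions; the new replica set can be scaled up independently of this rule, which is the point of decoupling traffic flow from replica deployment.

```yaml
# Added example, not from the talk. Assumes a Service "reviews" whose pods
# carry the label version=v1 (current) or version=v2 (new release).
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
    - reviews
  http:
    # User based routing: internal testers always land on the new version.
    - match:
        - headers:
            end-user:
              exact: tester   # hypothetical header set by the calling service
      route:
        - destination:
            host: reviews
            subset: v2
    # Traffic shifting: everyone else, 3% canary on v2 (weights must sum to 100).
    - route:
        - destination:
            host: reviews
            subset: v1
          weight: 97
        - destination:
            host: reviews
            subset: v2
          weight: 3
```

Raise the v2 weight in steps as Grafana and Jaeger stay clean, and set it back to 0 to roll back without touching a single pod. Two caveats a reviewer would raise: routes are evaluated in order, so the header match has to come before the weighted default; and a header such as end-user is chosen by the client, so this rule is a routing convenience, not an access control. Anything that must only be reachable by testers needs an authorization policy, not a VirtualService.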

Slide 23

Slide 23 text


Slide 24

Slide 24 text

Install Istio with Helm

$ helm install --wait --name istio \
    --namespace istio-system \
    install/kubernetes/helm/istio \
    --set grafana.enabled=true \
    --set tracing.enabled=true \
    --set servicegraph.enabled=true

$ # K8s namespace label turns on automatic sidecar injection
$ kubectl label namespace default istio-injection=enabled

Slide 25

Slide 25 text

Grafana

Slide 26

Slide 26 text

Jaeger

Slide 27

Slide 27 text

Servicegraph

Slide 28

Slide 28 text

Kiali

Slide 29

Slide 29 text

Kiali

Slide 30

Slide 30 text

Customers

Slide 31

Slide 31 text

Snap @AWS Summit in New York 2018
https://youtu.be/mCVdcz01Z-g?t=2052

Slide 32

Slide 32 text

AWS App Mesh

Slide 33

Slide 33 text

App Mesh works across compute services
• Amazon ECS
• AWS Fargate
• Amazon EKS
• Amazon EC2
• Kubernetes on EC2

Slide 34

Slide 34 text

Observability
Logging
• HTTP access logging
• Amazon CloudWatch Logs
• Available as container logs on Amazon ECS, Amazon EKS, AWS Fargate
Metrics
• CloudWatch metrics
• StatsD (with tags)
• Prometheus
Tracing
• AWS X-Ray
• Other Envoy tracing drivers

Slide 35

Slide 35 text

Traffic Management
Traffic shaping
• Load balancing
• Weight targets
• Service discovery (DNS + AWS Cloud Map)
• Health checks
• Retries*
• Timeouts*
• Circuit breakers*
Routing controls
• Protocols support (HTTP, TCP, gRPC*)
• Path-based
• Header-based*
• Cookie-based*
• Host-based*
*Coming soon

Slide 36

Slide 36 text

App Mesh Architecture

Slide 37

Slide 37 text

AWS App Mesh Roadmap is Public
https://github.com/awslabs/aws-app-mesh-examples

Slide 38

Slide 38 text

Summary
• Architect wisely
• Running K8s is hard: use a managed K8s service in the cloud
• A service mesh complements K8s: it adds observability and traffic management
• Istio with Envoy on EKS
• AWS App Mesh

Slide 39

Slide 39 text

Open-source Istio and Envoy on AWS EKS Video
https://www.youtube.com/watch?v=fDmJf9kWFws

Slide 40

Slide 40 text

Globalcode – Open4education
Thank you very much!
Frank Munz, Senior Technical Evangelist, Amazon Web Services, @frankmunz