Slide 1

Slide 1 text

Service Mesh for Microservices

Slide 2

Slide 2 text

Armon Dadgar, Founder and CTO, @armon

Slide 3

Slide 3 text

PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
OSS TOOL SUITE (FOR INDIVIDUALS): Vagrant, Packer, Terraform, Consul, Vault, Nomad
PRODUCT SUITE (FOR TEAMS): Terraform Enterprise, Consul Enterprise, Vault Enterprise, Nomad Enterprise
PROVISION Infrastructure: Vagrant, Packer, Terraform
SECURE Application Infrastructure: Consul, Vault
RUN Applications: Nomad

Slide 4

Slide 4 text

Service Mesh for Microservices

Slide 5

Slide 5 text

A B C D Monolith

Slide 6

Slide 6 text

Monolith A B C D

Slide 7

Slide 7 text

Monolith A B C D Static IP

Slide 8

Slide 8 text

Monolith LB A B C D Static IP

Slide 9

Slide 9 text

Zone Firewall DMZ Firewall Monolith A B C D Static IP LB

Slide 10

Slide 10 text

What Changed?

Slide 11

Slide 11 text

A B C D Monolith

Slide 12

Slide 12 text

Microservices A B C D

Slide 13

Slide 13 text

Microservices A B C D ?

Slide 14

Slide 14 text

B B Microservices A B C D ?

Slide 15

Slide 15 text

Microservices B B A B C D LB

Slide 16

Slide 16 text

Operating in the Cloud + Containers
Dynamic IP Addresses
Higher Failure Rate
Ephemeral Infrastructure
Complex Network Topology

Slide 17

Slide 17 text

Service Discovery

Slide 18

Slide 18 text

Service Registry Register B B A B

Slide 19

Slide 19 text

Service Registry Discover B B A B

Slide 20

Slide 20 text

Service Registry Connect B B A B

Slide 21

Slide 21 text

Service Registry Connect B B Attacker B

Slide 22

Slide 22 text

Service Segmentation

Slide 23

Slide 23 text

Defining Segmentation
Splitting the network into sub-networks
Restricting communication between sub-networks
Virtual LANs, Firewalls, Software Defined Networks
Coarse grained: many services share one segment
(Diagram: Network split into Segment A and Segment B)

Slide 24

Slide 24 text

Zone Firewall DMZ Firewall Monolith A B C D Static IP LB

Slide 25

Slide 25 text

Microservices A B C D

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

A -> B C -> D D -> C A B C D

Slide 28

Slide 28 text

B -> D A -> C A B C D

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity

Slide 31

Slide 31 text

Consul Usage
Launched in 2014
12K+ GitHub Stars
1M+ Downloads monthly
Customers running 50,000+ agents

Slide 32

Slide 32 text

Public Users

Slide 33

Slide 33 text

Service Discovery
Registry of Nodes, Services, Checks
DNS API
HTTP API
Web UI

Slide 34

Slide 34 text

$ dig redis.service.consul

; <<>> DiG 9.8.3-P1 <<>> redis.service.consul
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9046
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;redis.service.consul.		IN	A

;; ANSWER SECTION:
redis.service.consul.	0	IN	A	10.1.10.38

Slide 35

Slide 35 text

$ curl http://localhost:8500/v1/catalog/service/redis
[
  {
    "ID": "52f73400-a352-80d2-9624-e70cc9996762",
    "Node": "consul-client-2",
    "Address": "10.0.1.83",
    "Datacenter": "dc1",
    "ServiceName": "redis",
    "ServiceTags": [
      "global",
      "cache"
    ],
    "ServiceAddress": "10.0.1.83",
    "ServicePort": 24815,
    "ModifyIndex": 31,
    …
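One caveat a practitioner should keep in mind when reading the two slides above: the DNS interface filters out instances whose health checks are failing, while the /v1/catalog/service endpoint returns every registered instance regardless of health. A consumer that wants the DNS behaviour over HTTP should read /v1/health/service/<name> (or pass ?passing=true) and filter on the check results itself. The example below is added here and is not code from the talk or from Consul; it decodes a constructed health response (not captured from a real cluster), keeps only instances whose checks are all passing, and applies Consul's rule that an empty ServiceAddress means "use the node address".

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strconv"
)

// healthEntry mirrors the fields this example needs from one element of the
// /v1/health/service/<name> response (field names as Consul returns them).
type healthEntry struct {
	Node struct {
		Node    string
		Address string
	}
	Service struct {
		ID      string
		Service string
		Address string
		Port    int
	}
	Checks []struct {
		CheckID string
		Status  string
	}
}

// sampleHealth is a constructed response, not captured from a real cluster.
// Instance 1 is healthy; instance 2 has a critical service check; instance 3
// has no ServiceAddress and must fall back to its node address.
const sampleHealth = `[
  {"Node": {"Node": "consul-client-2", "Address": "10.0.1.83"},
   "Service": {"ID": "redis-1", "Service": "redis", "Address": "10.0.1.83", "Port": 24815},
   "Checks": [{"CheckID": "serfHealth", "Status": "passing"},
              {"CheckID": "service:redis-1", "Status": "passing"}]},
  {"Node": {"Node": "consul-client-3", "Address": "10.0.1.84"},
   "Service": {"ID": "redis-2", "Service": "redis", "Address": "10.0.1.84", "Port": 24815},
   "Checks": [{"CheckID": "serfHealth", "Status": "passing"},
              {"CheckID": "service:redis-2", "Status": "critical"}]},
  {"Node": {"Node": "consul-client-4", "Address": "10.0.1.85"},
   "Service": {"ID": "redis-3", "Service": "redis", "Address": "", "Port": 24815},
   "Checks": [{"CheckID": "serfHealth", "Status": "passing"}]}
]`

// PassingEndpoints returns host:port for every instance whose checks are all
// passing, the same set the health endpoint returns with ?passing=true.
func PassingEndpoints(raw []byte) ([]string, error) {
	var entries []healthEntry
	if err := json.Unmarshal(raw, &entries); err != nil {
		return nil, fmt.Errorf("decode health response: %w", err)
	}
	var out []string
	for _, e := range entries {
		healthy := true
		for _, c := range e.Checks {
			if c.Status != "passing" {
				healthy = false
				break
			}
		}
		if !healthy {
			continue
		}
		host := e.Service.Address
		if host == "" {
			// Consul semantics: an empty ServiceAddress means the node address.
			host = e.Node.Address
		}
		out = append(out, net.JoinHostPort(host, strconv.Itoa(e.Service.Port)))
	}
	return out, nil
}

func main() {
	eps, err := PassingEndpoints([]byte(sampleHealth))
	if err != nil {
		panic(err)
	}
	for _, ep := range eps {
		fmt.Println(ep)
	}
}
```

With the constructed input the function yields two endpoints and drops the instance with the critical check; feeding it the catalog output from the slide instead would not work, because that endpoint carries no check data at all.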

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

Service Configuration
Hierarchical Key/Value Store
HTTP API
Long-polling (edge-triggered watches)
Locking

Slide 38

Slide 38 text

$ consul kv put service/web/enable_foo true
Put successfully!

$ consul kv get service/web/enable_foo
true

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

Consul Connect

Slide 41

Slide 41 text

Consul Connect
Service Access Graph
Certificate Distribution
Application Integration

Slide 42

Slide 42 text

Service Access Graph
Intentions to Allow/Deny Communication
Source and Destination Service
Scale Independent
Managed with CLI, API, UI, Terraform

Slide 43

Slide 43 text

$ consul intention create -deny web '*'
Created: web => * (deny)

$ consul intention create -allow web db
Created: web => db (allow)
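The two commands above only make sense together because intentions are matched by precedence, not by creation order: the exact web => db allow wins over the wildcard web => * deny, and a pair with no matching intention falls back to the ACL default policy. The evaluator below is an added example, not code from the talk or from Consul; it mirrors the ordering Consul documents (exact/exact before exact/wildcard before wildcard/exact before wildcard/wildcard), the numeric ranks are illustrative, and the defaultAllow flag stands in for the cluster's ACL default policy.

```go
package main

import (
	"fmt"
	"sort"
)

// Intention is one edge of the service access graph: may Source talk to Destination?
type Intention struct {
	Source      string
	Destination string
	Allow       bool
}

// precedence ranks intentions the way Consul documents it: an exact
// source/destination pair beats exact source with wildcard destination, which
// beats wildcard source with exact destination, which beats wildcard/wildcard.
// The numbers themselves are illustrative.
func precedence(in Intention) int {
	switch {
	case in.Source != "*" && in.Destination != "*":
		return 9
	case in.Source != "*":
		return 8
	case in.Destination != "*":
		return 6
	default:
		return 5
	}
}

func matches(pattern, name string) bool {
	return pattern == "*" || pattern == name
}

func verdict(allow bool) string {
	if allow {
		return "allow"
	}
	return "deny"
}

// Authorize reports whether src may connect to dst and which intention decided
// it. defaultAllow is the fallback when nothing matches; it models the ACL
// default policy, so a default-deny cluster refuses connections with no intention.
func Authorize(intentions []Intention, src, dst string, defaultAllow bool) (bool, string) {
	sorted := append([]Intention(nil), intentions...)
	sort.SliceStable(sorted, func(i, j int) bool {
		return precedence(sorted[i]) > precedence(sorted[j])
	})
	for _, in := range sorted {
		if matches(in.Source, src) && matches(in.Destination, dst) {
			return in.Allow, fmt.Sprintf("%s => %s (%s)", in.Source, in.Destination, verdict(in.Allow))
		}
	}
	return defaultAllow, "no matching intention, ACL default policy applies"
}

// SlideIntentions reproduces the two intentions created on the slide above.
func SlideIntentions() []Intention {
	return []Intention{
		{Source: "web", Destination: "*", Allow: false},
		{Source: "web", Destination: "db", Allow: true},
	}
}

func main() {
	for _, pair := range [][2]string{{"web", "db"}, {"web", "redis"}, {"api", "db"}} {
		ok, why := Authorize(SlideIntentions(), pair[0], pair[1], false)
		fmt.Printf("%s -> %s: %s (%s)\n", pair[0], pair[1], verdict(ok), why)
	}
}
```

Note that api -> db has no intention at all: with a default-deny ACL policy it is refused, with default-allow it passes, which is why the talk pairs intentions with a deny-by-default posture rather than relying on the absence of an allow.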

Slide 44

Slide 44 text

No content

Slide 45

Slide 45 text

Certificate Distribution
Transport Layer Security (TLS)
Service Identity
Encryption of all traffic

Slide 46

Slide 46 text

Certificate Generation
Automatic Generation & Rotation
(Diagram: Client generates a key pair and sends a Certificate Signing Request to the Server, which signs the certificate)

Slide 47

Slide 47 text

Certificate Format
X.509 Certificate
SPIFFE Compatible

Slide 48

Slide 48 text

Certificate Authority Rotation Root Intermediary Leaf

Slide 49

Slide 49 text

Certificate Authority Rotation Root Intermediary Leaf Root Intermediary Leaf

Slide 50

Slide 50 text

Certificate Authority Rotation Root Intermediary Leaf Root Intermediary Intermediary Leaf Leaf
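Slides 45 to 50 describe three things a Connect endpoint relies on: the service identity lives in the certificate as a SPIFFE URI SAN, every leaf chains through an intermediary to a root, and rotation works by trusting the old and new roots side by side until every leaf has been reissued. The example below is added here and is not code from the talk or from Consul: it builds the hierarchy from the slides with Go's standard crypto/x509, verifies a peer the way a Connect-aware endpoint should (chain first, then compare the SPIFFE ID against the service the caller expected, not the subject), and walks a rotation. The trust domain example.consul, the SPIFFE path layout and the certificate names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issuer pairs a certificate with the private key that signs under it.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *issuer) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuer{cert: cert, key: key}, nil
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// SPIFFEID builds the URI SAN carrying the service identity. "example.consul"
// is an assumed trust domain standing in for the per-cluster one Consul generates.
func SPIFFEID(service string) *url.URL {
	return &url.URL{Scheme: "spiffe", Host: "example.consul", Path: "/ns/default/dc/dc1/svc/" + service}
}

func leafTemplate(service string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: service},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(72 * time.Hour),
		URIs:         []*url.URL{SPIFFEID(service)},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

// chain issues root -> intermediary -> leaf for one service, as drawn on the slides.
func chain(name, service string, serial int64) (root, inter, leaf *issuer, err error) {
	if root, err = issue(caTemplate(name+"-root", serial), nil); err != nil {
		return
	}
	if inter, err = issue(caTemplate(name+"-intermediary", serial+1), root); err != nil {
		return
	}
	leaf, err = issue(leafTemplate(service, serial+2), inter)
	return
}

// VerifyPeer chains the peer's leaf to a trusted root through the presented
// intermediary, then checks that the SPIFFE ID names the expected service.
func VerifyPeer(leaf, inter *x509.Certificate, roots []*x509.Certificate, wantService string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	interPool.AddCert(inter)
	opts := x509.VerifyOptions{Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	want := SPIFFEID(wantService).String()
	for _, u := range leaf.URIs {
		if u.String() == want {
			return nil
		}
	}
	return fmt.Errorf("identity mismatch: leaf is not %s", want)
}

// RotationResult records the checks a root rotation must satisfy.
type RotationResult struct {
	OldLeafDuringRotation bool // old chain still trusted while both roots are active
	NewLeafDuringRotation bool // new chain already trusted during the overlap
	OldLeafAfterRetire    bool // old chain rejected once the old root is dropped
	WrongServiceRejected  bool // a valid "web" leaf does not pass as "db"
}

// Rotate introduces a new root and intermediary beside the old ones (slide 50),
// then retires the old root; leaves must have been reissued by that point.
func Rotate() (RotationResult, error) {
	var r RotationResult
	oldRoot, oldInt, oldLeaf, err := chain("old", "web", 1)
	if err != nil {
		return r, err
	}
	newRoot, newInt, newLeaf, err := chain("new", "web", 10)
	if err != nil {
		return r, err
	}
	both := []*x509.Certificate{oldRoot.cert, newRoot.cert}
	onlyNew := []*x509.Certificate{newRoot.cert}
	r.OldLeafDuringRotation = VerifyPeer(oldLeaf.cert, oldInt.cert, both, "web") == nil
	r.NewLeafDuringRotation = VerifyPeer(newLeaf.cert, newInt.cert, both, "web") == nil
	r.OldLeafAfterRetire = VerifyPeer(oldLeaf.cert, oldInt.cert, onlyNew, "web") == nil
	r.WrongServiceRejected = VerifyPeer(newLeaf.cert, newInt.cert, both, "db") != nil
	return r, nil
}

func main() {
	r, err := Rotate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The last check is the one that matters for segmentation: a certificate that chains correctly is still the wrong peer if its SPIFFE ID names a different service, so identity comparison has to happen after chain validation and before any intention is consulted.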

Slide 51

Slide 51 text

Application Integration
Consul Client for Service Graph and Certificates
Sidecar Proxies
Native Integrations

Slide 52

Slide 52 text

Sidecar Proxy Integration
No Code Modification
Minimal Performance Overhead
Operational Flexibility

Slide 53

Slide 53 text

Sidecar Proxies Client Proxy App Configure Connect Proxy Client App Configure Connect

Slide 54

Slide 54 text

Pluggable Proxies Client App Configure Connect Client App Configure Connect

Slide 55

Slide 55 text

{
  "service": "web",
  "connect": {
    "proxy": {
      "config": {
        "upstreams": [{
          "destination_name": "redis",
          "local_bind_port": 1234
        }]
      }
    }
  }
}

Slide 56

Slide 56 text

Proxy Client App Configure Connect localhost:1234 Connect to upstream redis

Slide 57

Slide 57 text

$ consul connect proxy \
    -service web \
    -upstream postgresql:8181

$ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
>

Slide 58

Slide 58 text

Native Integration
Standard TLS
Negligible Performance Overhead
Requires Code Modification

Slide 59

Slide 59 text

package main

import (
	"net/http"

	"github.com/hashicorp/consul/api"
	"github.com/hashicorp/consul/connect"
)

func main() {
	// Create a Consul API client
	client, _ := api.NewClient(api.DefaultConfig())

	// Create an instance representing this service.
	// It fetches this service's leaf certificate and root CAs from the
	// local agent and keeps them current as they rotate.
	svc, _ := connect.NewService("my-service", client)
	defer svc.Close()

	// Creating an HTTP server that serves via Connect: the TLS config
	// presents the service certificate and verifies callers' certificates
	// and intentions.
	server := &http.Server{
		Addr:      ":8080",
		TLSConfig: svc.ServerTLSConfig(),
		// ... other standard fields
	}

	// Serve! Empty cert/key paths: the certificates come from TLSConfig.
	server.ListenAndServeTLS("", "")
}

Slide 60

Slide 60 text

Consul Connect
Service Access Graph. Intentions allow or deny communication between logical services.
Certificate Distribution. Standard TLS certificates with SPIFFE compatibility.
Application Integration. Native integrations or sidecar proxies.

Slide 61

Slide 61 text

Consul Architecture

Slide 62

Slide 62 text

Deployment
Single Binary
Server and Client Agents
3-5 Servers per Datacenter
Multi-Datacenter Support

Slide 63

Slide 63 text

Consul Servers
Replicated State, Automatic Failover
Service Registry
Service Access Graph
Key/Value Store
Multi-DC Forwarding
(Diagram: Leader replicating to Followers)

Slide 64

Slide 64 text

Consul Clients
Expose HTTP and DNS API
Transparently Forward Requests to Servers
Register and Monitor Services
Cache Service Graph
(Diagram: Client talking to Server(s))

Slide 65

Slide 65 text

Cluster Awareness
Lightweight Gossip (Serf)
Cluster Membership
Failure Detection
(Diagram: Gossip between Server and Clients)

Slide 66

Slide 66 text

Cluster Membership
Join Requires Any Peer
Server Discovery
Protocol Versioning
(Diagram: New Server joining existing Servers and Clients)

Slide 67

Slide 67 text

Failure Detection
Leaving vs Failing
Automatic Reaping
No Heartbeating
(Diagram: Failed Client detected by Server and Clients)

Slide 68

Slide 68 text

Leader Client Follower Replication RPC RPC Gossip Datacenter

Slide 69

Slide 69 text

Leader Client Follower Replication RPC RPC Gossip Datacenter Leader Client Follower Replication RPC RPC Gossip Datacenter RPC Gossip

Slide 70

Slide 70 text

Control Plane vs. Data Plane
Consul as Control Plane
Pluggable Proxies as Data Plane
(Diagram: Control plane configures proxies; data plane carries service traffic)

Slide 71

Slide 71 text

Data Path Client Proxy App Configure Connect Proxy Client App Configure Connect

Slide 72

Slide 72 text

Consul with Containers
Consul Agent per Host
DaemonSet with Kubernetes
Proxy per Container / Pod

Slide 73

Slide 73 text

Consul Architecture
Batteries Included
Highly Available & Scalable
Pluggable Data Plane

Slide 74

Slide 74 text

Conclusion

Slide 75

Slide 75 text

Common Challenges
Infrastructure is a means to an end
Microservices Architecture
Operational Challenges

Slide 76

Slide 76 text

Patchwork Solutions
Re-invent the wheel
Long Term Maintenance
Minimum Viable vs Maximum Utility

Slide 77

Slide 77 text

Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity

Slide 78

Slide 78 text

No content