Slide 1

Service Mesh …and the future of Networking #SCBCN19 - VII Edition

Slide 2

PLATINUM GOLD SILVER SUPPORTERS

Slide 3

Journey to the chaos

Slide 8

Micro-services

Slide 9

Failure happens

Slide 10

And shit hits the fan

Slide 11

Frameworks and tools to the rescue

Slide 12

Must-have primitives
• Service discovery
• Fault tolerance
• Circuit breakers
• Back-pressure
• Tracing

Slide 13

Apps are still coupled to the network

Slide 14

Heterogeneous environments

Slide 15

Heterogeneous environments

Slide 16

Let’s get some perspective

Slide 17

Quite some time ago… We managed to let Server A send packets to Server B

Slide 18

And we made it in a reliable way

Slide 19

But we are dealing with the same kind of problems again…

Slide 20

But we are dealing with the same kind of problems again… at the application layer

Slide 21

Service Mesh

Slide 22

Main Features
• Separate the network from the applications
• Consistency across the fleet
• Centralized control
• Fast to change (apply config to affect change; not redeploy)

Slide 23

Platform abstractions
• Networking
• Observability
• Security
Focus on creating services and providing value

Slide 24

Data plane

Slide 25

Envoy Proxy
• L7 proxy built for today’s SOA
• Deployment agnostic, lightweight
• L3/L4 filters at core, rich L7 filters
• Built-in HTTP/2 support
• Protocol extensibility (Mongo, Redis, MySQL, etc.)
• Programmability (xDS APIs)
• Push-based model

Slide 26

Control plane

Slide 27

Networking

Slide 28

Traffic management (diagram labels: 80% / 20% traffic split, 50 req/sec)

Slide 29

Observability

Slide 30

Telemetry reporting

Slide 31

Security

Slide 32

Policy enforcement (AuthZ)

Slide 33

The network is still not secure

Slide 34

Identity

Slide 35

SPIFFE
• A naming scheme to encode workload identities
• How to encode those names in an X.509 certificate (SVID)
• How a peer (client or server) validates the X.509 certificate to authenticate the SPIFFE identity inside of it
spiffe://trust-domain/path
spiffe://k8s.example.com/ns/staging/sa/default

Slide 36

AuthN and encryption in transit: mTLS

Slide 37

Identity is not only about mTLS
• Finally break the L3/L4 dependency
• L7 policies
• Multi-cloud & cloud-agnostic applications
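The SPIFFE ID shape from slide 35 (spiffe://trust-domain/path, carried as the URI SAN of an X509-SVID) and the L7 policy step from slide 37, as an added example that is not part of the deck or of any SPIFFE/SPIRE project code. The function names and the allowlist are assumptions; the rule that an X509-SVID carries exactly one URI SAN comes from the SPIFFE X509-SVID specification.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SPIFFEID is the parsed form of spiffe://trust-domain/path from the slide.
type SPIFFEID struct {
	TrustDomain string
	Path        string
}

// ParseSPIFFEID checks the shape of a SPIFFE ID: scheme "spiffe", a lowercase trust
// domain with no userinfo/port/query/fragment, and a path without empty, "." or ".." segments.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "spiffe" || u.User != nil || u.Port() != "" || u.RawQuery != "" || u.Fragment != "" {
		return SPIFFEID{}, errors.New("not a well-formed spiffe:// URI")
	}
	td := u.Hostname()
	if td == "" || td != strings.ToLower(td) {
		return SPIFFEID{}, errors.New("trust domain must be present and lowercase")
	}
	for _, seg := range strings.Split(strings.TrimPrefix(u.Path, "/"), "/") {
		if seg == "" || seg == "." || seg == ".." { // an empty path fails here too
			return SPIFFEID{}, fmt.Errorf("invalid path segment %q", seg)
		}
	}
	return SPIFFEID{TrustDomain: td, Path: u.Path}, nil
}

// IDFromURISANs takes a peer certificate's URI SANs (x509.Certificate.URIs); an X509-SVID carries exactly one.
func IDFromURISANs(uris []*url.URL) (SPIFFEID, error) {
	if len(uris) != 1 {
		return SPIFFEID{}, fmt.Errorf("expected exactly one URI SAN, got %d", len(uris))
	}
	return ParseSPIFFEID(uris[0].String())
}

// Authorize is the L7 policy step: same trust domain as ours, and the path (k8s ns/sa) on the allowlist (assumed policy shape).
func Authorize(peer SPIFFEID, trustDomain string, allowedPaths map[string]bool) bool {
	return peer.TrustDomain == trustDomain && allowedPaths[peer.Path]
}

func main() {
	fmt.Println(ParseSPIFFEID("spiffe://k8s.example.com/ns/staging/sa/default"))
}
```

In a real mesh the URI SANs come from the verified peer leaf certificate after the mTLS handshake against the trust domain's bundle; this only covers the identity parsing and the policy decision.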

Slide 38

Let’s interconnect a hybrid environment

Slide 39

Secure connections with VPNs (diagram label: VPN)

Slide 40

Expensive and hard to scale (diagram label: VPN)

Slide 41

Use the primitives the Mesh provides! (diagram labels: VPN, mTLS)

Slide 42

Unified identity domain: authN/authZ

Slide 43

Recap

Slide 44

Traffic routing
• Service discovery
• Application level overlay network
• L7 addressing
• Canaries
• Traffic shifting
• Protocol transcoding

Slide 45

Traffic management
• (Client-side) Load balancing
• Failure detection
• Circuit breakers
• Retries
• Deadlines
• Rate limiting
• Fault injection

Slide 46

Observability
• Logs
• Metrics
• Distributed tracing
• Consistency for monitoring tools

Slide 47

Security
• Runtime policy enforcement
• Trusted Identity
• Transparent mTLS
• Authentication and Authorization

Slide 48

Help build the future!

Slide 49

Let’s contribute!
• https://github.com/envoyproxy/envoy
• https://linkerd.io/community/
• https://istio.io/about/community/join/
• https://www.consul.io/community.html
• https://spiffe.io/community/

Slide 50

Thanks!