Gloo - Envoy Proxy and Modern API Gateway Architecture

Gloo Architecture Feb 26, 2020

4 | Copyright © 2020 Gloo API Gateway SERVICE A
SERVICE B SERVICE C SERVICE D SERVICE E

SERVICE B SERVICE C SERVICE D SERVICE E NORTH-SOUTH TRAFFIC

7 | Copyright © 2020 Why Envoy Proxy? • Neutral
Foundation (CNCF) • Large, diverse, vibrant community • Built ground up for dynamic services environment • Dynamic configuration, driven by API • Highly extensible • L7 filters (HTTP/1, HTTP/2, gRPC, redis, mysql, Kafka, etc) • Deep signals telemetry out of the box • Versatile deployment options

8 | Copyright © 2020 Open Source Gloo Gateway Proxy
ENVOY CONFIG CONTROL PLANE DATA PLANE END USERS SERVICE 1 SERVICE 2 SERVICE 3

Gloo

Gloo apiVersion: gloo.solo.io/v1 kind: Proxy metadata: name: gateway-proxy namespace: gloo-system spec: listeners: - bindAddress: '::' bindPort: 8080 httpListener: virtualHosts: - domains: - '*' routes: - matchers: - prefix: /contact routeAction: single: destinationSpec: aws: logicalName: contact-form:3

Gloo ... spec: listeners: - bindAddress: '::' bindPort: 8080 httpListener: virtualHosts: - domains: - '*' name: gloo-system.petclinic routes: - matchers: - prefix: /vets routeAction: single: upstream: name: default-petclinic-vets-8080 namespace: gloo-system - matchers: - prefix: / metadata:

Gloo ... routes: - matchers: - prefix: /contact routeAction: single: destinationSpec: aws: logicalName: contact-form:3 responseTransformation: true upstream: name: aws namespace: gloo-system ...

Gloo

Gloo Discovery

Gloo Discovery ➜ k get upstream -n gloo-system default-kubernetes-443 default-petclinic-8080 default-petclinic-db-3306 default-petclinic-db-petclinic-db-0-3306 default-petclinic-vets-8080 gloo-system-apiserver-ui-8080 gloo-system-apiserver-ui-gloo-8080 gloo-system-extauth-8083 gloo-system-gateway-443 gloo-system-gateway-proxy-443 gloo-system-gateway-proxy-80 gloo-system-gateway-proxy-gateway-proxy-443 gloo-system-gateway-proxy-gateway-proxy-80 gloo-system-gloo-9966 gloo-system-gloo-9977 gloo-system-gloo-9979 gloo-system-gloo-9988 gloo-system-glooe-grafana-80 gloo-system-glooe-prometheus-ku-460d37aaba5d9eee a0c7ef0b6194981

Gloo Discovery apiVersion: gloo.solo.io/v1 kind: Upstream metadata: labels: discovered_by: kubernetesplugin name: default-petclinic-vets-8080 namespace: gloo-system spec: discoveryMetadata: {} kube: selector: app: petclinic-vets serviceName: petclinic-vets serviceNamespace: default servicePort: 8080 status: reported_by: gloo state: 1

Gloo Discovery apiVersion: gloo.solo.io/v1 kind: Upstream metadata: name: aws namespace: gloo-system spec: aws: lambdaFunctions: - lambdaFunctionName: contact logicalName: contact qualifier: $LATEST - lambdaFunctionName: contact-form logicalName: contact-form qualifier: $LATEST - lambdaFunctionName: contact-form logicalName: contact-form:1 qualifier: "1" - lambdaFunctionName: contact-form logicalName: contact-form:2 qualifier: "2" ...

Gloo Discovery

Gloo Discovery Gateway apiVersion: gateway.solo.io/v1 kind: VirtualService metadata: name: petclinic namespace: gloo-system spec: virtualHost: domains: - '*' routes: - matchers: - prefix: / routeAction: single: upstream: name: default-petclinic-8080 namespace: gloo-system status: reported_by: gateway state: 1 subresource_statuses:

Gloo Discovery Gateway ... options: timeout: 10s routes: - matchers: - prefix: / routeAction: single: upstream: name: default-petclinic-8080 namespace: gloo-system options: prefixRewrite: /api/petclinic headerManipulation: {...} transformations: requestTransformations: {...} ... tracing: {...} ...

Gloo Discovery Gateway apiVersion: gateway.solo.io/v1 kind: Gateway metadata: name: tcp namespace: gloo-system spec: bindAddress: '::' bindPort: 8000 tcpGateway: tcpHosts: - name: one destination: single: upstream: name: gloo-system-tcp-echo-1025 namespace: gloo-system useProxyProto: false

22 | Copyright © 2020 VIRTUAL SERVICE /foo /bar /cheese
ROUTE TABLE ROUTE TABLE ROUTE TABLE UPSTREAM SERVICE UPSTREAM SERVICE UPSTREAM SERVICE Platform team Developers Platform Distributed Ownership and Delegation

24 | Copyright © 2020 xDS SERVER GATEWAY DISCOVERY VIRTUAL
SERVICE, GATEWAY CREATES DISCOVERS SERVICES: KUBERNETES, CONSUL, TERRAFORM, EC2, ETC REGISTRY UPSTREAM GLOO SENDS xDS CONFIG SNAPSHOTS GATEWAY PROXY PROXY, UPSTREAM SOURCE OF TRUTH FOR xDS CREATED BY ADMINS, DEVS, OR PROCESS CAN BE DISCOVERED OR MANUALLY CREATED

25 | Copyright © 2020 25 | Copyright © 2020
Gloo Enterprise

SERVICE, GATEWAY CREATES DISCOVERS SERVICES: KUBERNETES, CONSUL, TERRAFORM, EC2, ETC REGISTRY UPSTREAM GLOO SENDS xDS CONFIG SNAPSHOTS GATEWAY PROXY PROXY, UPSTREAM SOURCE OF TRUTH FOR xDS CREATED BY ADMINS, DEVS, OR PROCESS CAN BE DISCOVERED OR MANUALLY CREATED EXTERNAL AUTH External Auth

28 | Copyright © 2020 Web Application Firewall (WAF) Prevent
harmful traffic from entering your environment • Implements Modsecurity open source WAF and Core Rule Set (CRS) • Inspects, monitors and blocks traffic • Applies to all inbound and outbound traffic SECURE WEB APPLICATION FIREWALL RATE LIMITING gRPC TRANSCODER ROUTER UPSTREAM

SERVICE, GATEWAY CREATES DISCOVERS SERVICES: KUBERNETES, CONSUL, TERRAFORM, EC2, ETC REGISTRY UPSTREAM GLOO SENDS xDS CONFIG SNAPSHOTS GATEWAY PROXY PROXY, UPSTREAM SOURCE OF TRUTH FOR xDS CREATED BY ADMINS, DEVS, OR PROCESS CAN BE DISCOVERED OR MANUALLY CREATED EXTERNAL AUTH RATE LIMITING Rate Limiting

SERVICE, GATEWAY CREATES DISCOVERS SERVICES: KUBERNETES, CONSUL, TERRAFORM, EC2, ETC REGISTRY UPSTREAM GLOO SENDS xDS CONFIG SNAPSHOTS GATEWAY PROXY PROXY, UPSTREAM SOURCE OF TRUTH FOR xDS CREATED BY ADMINS, DEVS, OR PROCESS CAN BE DISCOVERED OR MANUALLY CREATED EXTERNAL AUTH RATE LIMITING OBSERVABILITY Observability

34 | Copyright © 2020 Envoy Proxy and Gloo: Control
Path EXTERNAL AUTH RATE LIMITING gRPC TRANSCODER ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER VirtualService : route: / -> svc1 auth: opa: allow = ... auth: opa: allow = ... route: / -> svc1

35 | Copyright © 2020 Envoy Proxy and Gloo: Data
Path EXTERNAL AUTH RATE LIMITING GLOO gRPC TRANSCODER ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER POST /dentists Content-Type: application/json Authorization: Bearer xyz {"name":”Dr. Seuss"} POST /com.example.DentistService/AddDentist Content-Type: application/grpc Authorization: Bearer xyz Binary protobuf: \x12\x011\x12\seuss { Method: "POST", Path: "/dentists", Headers: { "Content-Type”:"application/json", "Authorization": "Bearer xyz" } } OK Descriptors {generic_key: "add-drs"} OK

Path EXTERNAL AUTH RATE LIMITING gRPC TRANSCODER ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER 201 Created Content-Type: application/json {"id": ”2301", "name":”Dr. Seuss"}

Path EXTERNAL AUTH RATE LIMITING gRPC TRANSCODER ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER 201 Created Content-Type: application/json {"id": ”2301", "name":”Dr. Seuss"} RATE LIMITING

Path EXTERNAL AUTH RATE LIMITING ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER GET /dentists/2301 Content-Type: application/json Authorization: Bearer xyz { Method: "POST", Path: "/dentists", Headers: { "Content-Type”:"application/json", "Authorization": "Bearer xyz" } } OK, ["id","name"]

Path EXTERNAL AUTH ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER 200 OK Content-Type: application/json {"id": "2301", "name":"Dr. Seuss", "license":"32-23892" } 200 OK Content-Type: application/json {"id": "2301", "name":"Dr. Seuss"}

Gloo - Envoy Proxy and Modern API Gateway Architecture

Gloo - Envoy Proxy and Modern API Gateway Architecture

More Decks by Solo.io

Other Decks in Technology

Featured

Transcript