Solo.io
February 26, 2020

Gloo - Envoy Proxy and Modern API Gateway Architecture

Today's modernization projects, including serverless, Kubernetes and microservices, involve more than how applications are written and deployed: they require new components in the technology stack to deploy and operate those applications properly. As application services become smaller, loosely coupled and distributed, how you manage and secure the traffic to them and among them becomes critical to a properly behaving application. To enable this, technologies such as edge or API gateways and ingress controllers are considered.

Gloo is a next-generation API gateway and ingress controller built on Envoy Proxy and designed to support your entire portfolio of applications, from legacy monoliths and microservices to serverless. Gloo is designed to connect, secure and control all incoming application traffic and to provide a stepping stone to service mesh.

This webinar will cover the following topics:
* What is Envoy Proxy?
* Data plane and Control plane interaction
* Gloo Technical Architecture, Features and Benefits

Learn More
* Watch the video https://youtu.be/nl-vnjnpLxU
* Website https://solo.io/products/gloo
* Join the discussion https://slack.solo.io


Transcript

  1. Slide 4 | Copyright © 2020 | Gloo API Gateway
     (diagram labels: Service A, Service B, Service C, Service D, Service E)
  2. Slide 5 | Gloo API Gateway
     (diagram labels: Service A through Service E; North-South Traffic)
  3. Slide 6 | Gloo API Gateway
     (same diagram as slide 5: Service A through Service E; North-South Traffic)
  4. Slide 7 | Why Envoy Proxy?
     * Neutral foundation (CNCF)
     * Large, diverse, vibrant community
     * Built from the ground up for a dynamic services environment
     * Dynamic configuration, driven by API
     * Highly extensible
     * L7 filters (HTTP/1, HTTP/2, gRPC, Redis, MySQL, Kafka, etc.)
     * Deep telemetry signals out of the box
     * Versatile deployment options
  5. Slide 8 | Open Source Gloo Gateway Proxy
     (diagram labels: Envoy Config, Control Plane, Data Plane, End Users, Service 1, Service 2, Service 3)
  6. Slide 10 | Open Source Gloo Gateway Proxy: Gloo Proxy resource

         apiVersion: gloo.solo.io/v1
         kind: Proxy
         metadata:
           name: gateway-proxy
           namespace: gloo-system
         spec:
           listeners:
           - bindAddress: '::'
             bindPort: 8080
             httpListener:
               virtualHosts:
               - domains:
                 - '*'
                 routes:
                 - matchers:
                   - prefix: /contact
                   routeAction:
                     single:
                       destinationSpec:
                         aws:
                           logicalName: contact-form:3
  7. Slide 11 | Open Source Gloo Gateway Proxy: Gloo Proxy resource (continued)

         ...
         spec:
           listeners:
           - bindAddress: '::'
             bindPort: 8080
             httpListener:
               virtualHosts:
               - domains:
                 - '*'
                 name: gloo-system.petclinic
                 routes:
                 - matchers:
                   - prefix: /vets
                   routeAction:
                     single:
                       upstream:
                         name: default-petclinic-vets-8080
                         namespace: gloo-system
                 - matchers:
                   - prefix: /
                   metadata:
  8. Slide 12 | Open Source Gloo Gateway Proxy: Gloo Proxy resource (AWS Lambda route)

         ...
         routes:
         - matchers:
           - prefix: /contact
           routeAction:
             single:
               destinationSpec:
                 aws:
                   logicalName: contact-form:3
                   responseTransformation: true
               upstream:
                 name: aws
                 namespace: gloo-system
         ...
  9. Slide 15 | Open Source Gloo Gateway Proxy: Gloo Discovery

         ➜ k get upstream -n gloo-system
         default-kubernetes-443
         default-petclinic-8080
         default-petclinic-db-3306
         default-petclinic-db-petclinic-db-0-3306
         default-petclinic-vets-8080
         gloo-system-apiserver-ui-8080
         gloo-system-apiserver-ui-gloo-8080
         gloo-system-extauth-8083
         gloo-system-gateway-443
         gloo-system-gateway-proxy-443
         gloo-system-gateway-proxy-80
         gloo-system-gateway-proxy-gateway-proxy-443
         gloo-system-gateway-proxy-gateway-proxy-80
         gloo-system-gloo-9966
         gloo-system-gloo-9977
         gloo-system-gloo-9979
         gloo-system-gloo-9988
         gloo-system-glooe-grafana-80
         gloo-system-glooe-prometheus-ku-460d37aaba5d9eee a0c7ef0b6194981
  10. Slide 16 | Open Source Gloo Gateway Proxy: Gloo Discovery (discovered Kubernetes Upstream)

          apiVersion: gloo.solo.io/v1
          kind: Upstream
          metadata:
            labels:
              discovered_by: kubernetesplugin
            name: default-petclinic-vets-8080
            namespace: gloo-system
          spec:
            discoveryMetadata: {}
            kube:
              selector:
                app: petclinic-vets
              serviceName: petclinic-vets
              serviceNamespace: default
              servicePort: 8080
          status:
            reported_by: gloo
            state: 1
  11. Slide 17 | Open Source Gloo Gateway Proxy: Gloo Discovery (discovered AWS Lambda Upstream)

          apiVersion: gloo.solo.io/v1
          kind: Upstream
          metadata:
            name: aws
            namespace: gloo-system
          spec:
            aws:
              lambdaFunctions:
              - lambdaFunctionName: contact
                logicalName: contact
                qualifier: $LATEST
              - lambdaFunctionName: contact-form
                logicalName: contact-form
                qualifier: $LATEST
              - lambdaFunctionName: contact-form
                logicalName: contact-form:1
                qualifier: "1"
              - lambdaFunctionName: contact-form
                logicalName: contact-form:2
                qualifier: "2"
          ...
  12. Slide 19 | Open Source Gloo Gateway Proxy: Gloo Discovery, Gateway (VirtualService)

          apiVersion: gateway.solo.io/v1
          kind: VirtualService
          metadata:
            name: petclinic
            namespace: gloo-system
          spec:
            virtualHost:
              domains:
              - '*'
              routes:
              - matchers:
                - prefix: /
                routeAction:
                  single:
                    upstream:
                      name: default-petclinic-8080
                      namespace: gloo-system
          status:
            reported_by: gateway
            state: 1
            subresource_statuses:
  13. Slide 20 | Open Source Gloo Gateway Proxy: Gloo Discovery, Gateway (VirtualService with route options)

          ...
              options:
                timeout: 10s
              routes:
              - matchers:
                - prefix: /
                routeAction:
                  single:
                    upstream:
                      name: default-petclinic-8080
                      namespace: gloo-system
                options:
                  prefixRewrite: /api/petclinic
                  headerManipulation: {...}
                  transformations:
                    requestTransformations: {...}
                  ...
                  tracing: {...}
          ...
  14. Slide 21 | Open Source Gloo Gateway Proxy: Gloo Discovery, Gateway (TCP Gateway)

          apiVersion: gateway.solo.io/v1
          kind: Gateway
          metadata:
            name: tcp
            namespace: gloo-system
          spec:
            bindAddress: '::'
            bindPort: 8000
            tcpGateway:
              tcpHosts:
              - name: one
                destination:
                  single:
                    upstream:
                      name: gloo-system-tcp-echo-1025
                      namespace: gloo-system
            useProxyProto: false
  15. Slide 22 | Distributed Ownership and Delegation
      (diagram labels: Virtual Service with /foo, /bar, /cheese; three Route Tables; three Upstream Services; Platform team; Developers; Platform)
  16. Slide 24 | (Gloo architecture diagram)
      (diagram labels: xDS Server; Gateway; Discovery; Virtual Service and Gateway are created by admins, devs, or process; Gateway creates the Proxy; Discovery discovers services (Kubernetes, Consul, Terraform, EC2, etc.) and creates Upstreams in the registry; Upstreams can be discovered or manually created; Proxy and Upstream are the source of truth for xDS; Gloo sends xDS config snapshots to the Gateway Proxy)
  17. Slide 26 | (Gloo architecture diagram, continued)
      (same diagram as slide 24 with External Auth added)
  18. Slide 28 | Web Application Firewall (WAF)
      Prevent harmful traffic from entering your environment
      * Implements the ModSecurity open source WAF and Core Rule Set (CRS)
      * Inspects, monitors and blocks traffic
      * Applies to all inbound and outbound traffic
      (diagram labels: Secure; filter chain: Web Application Firewall, Rate Limiting, gRPC Transcoder, Router, Upstream)
  19. Slide 29 | (Gloo architecture diagram, continued)
      (same diagram as slide 24 with External Auth and Rate Limiting added)
  20. Slide 30 | (Gloo architecture diagram, continued)
      (same diagram as slide 24 with External Auth, Rate Limiting and Observability added)
  21. Slide 33 | Envoy Proxy and Gloo: Control Path and Data Path
      (diagram labels: filter chain: External Auth, Rate Limiting, gRPC Transcoder, Router, Upstream; External Auth Server; Rate Limiting Server)
  22. Slide 34 | Envoy Proxy and Gloo: Control Path
      (diagram labels: filter chain: External Auth, Rate Limiting, gRPC Transcoder, Router, Upstream; External Auth Server; Rate Limiting Server)
      VirtualService:
          route: / -> svc1
          auth: opa: allow = ...
      External Auth Server: auth: opa: allow = ...
      Router: route: / -> svc1
  23. Slide 35 | Envoy Proxy and Gloo: Data Path
      (diagram labels: filter chain: External Auth, Rate Limiting, gRPC Transcoder, Router, Upstream; Gloo; External Auth Server; Rate Limiting Server)
      Client request:
          POST /dentists
          Content-Type: application/json
          Authorization: Bearer xyz
          {"name":"Dr. Seuss"}
      External Auth Server check and answer:
          { Method: "POST", Path: "/dentists", Headers: { "Content-Type":"application/json", "Authorization": "Bearer xyz" } }
          OK
      Rate Limiting Server descriptors and answer:
          {generic_key: "add-drs"}
          OK
      Transcoded request to the upstream:
          POST /com.example.DentistService/AddDentist
          Content-Type: application/grpc
          Authorization: Bearer xyz
          Binary protobuf: \x12\x011\x12\seuss
  24. Slide 36 | Envoy Proxy and Gloo: Data Path
      (diagram labels: filter chain: External Auth, Rate Limiting, gRPC Transcoder, Router, Upstream; External Auth Server; Rate Limiting Server)
      Response:
          201 Created
          Content-Type: application/json
          {"id": "2301", "name":"Dr. Seuss"}
  25. Slide 37 | Envoy Proxy and Gloo: Data Path
      (same diagram as slide 36 with Rate Limiting highlighted)
      Response:
          201 Created
          Content-Type: application/json
          {"id": "2301", "name":"Dr. Seuss"}
  26. Slide 38 | Envoy Proxy and Gloo: Data Path
      (diagram labels: filter chain: External Auth, Rate Limiting, Router, Upstream; External Auth Server; Rate Limiting Server)
      Client request:
          GET /dentists/2301
          Content-Type: application/json
          Authorization: Bearer xyz
      External Auth Server check and answer:
          { Method: "POST", Path: "/dentists", Headers: { "Content-Type":"application/json", "Authorization": "Bearer xyz" } }
          OK, ["id","name"]
  27. Slide 39 | Envoy Proxy and Gloo: Data Path
      (diagram labels: filter chain: External Auth, Router, Upstream; External Auth Server; Rate Limiting Server)
      Response from the upstream:
          200 OK
          Content-Type: application/json
          {"id": "2301", "name":"Dr. Seuss", "license":"32-23892" }
      Response returned to the client:
          200 OK
          Content-Type: application/json
          {"id": "2301", "name":"Dr. Seuss"}
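The request flow on slides 35 to 39 (external auth check, rate-limit descriptor, gRPC transcoding, and the `license` field stripped from the response the client sees), modelled in Python as an added illustration that is not Gloo or Envoy code: the bearer token, the rate-limit budget, the upstream record and the protobuf field number are constructed assumptions.

```python
"""Toy model of the filter chain on the data-path slides: ext auth ->
rate limiting -> gRPC transcoder / router -> upstream, with the ext auth
server's response-field allow-list applied on the way back. Added
illustration, not Gloo or Envoy code; token, budget and record are constructed."""
from dataclasses import dataclass, field

# Constructed ext-auth policy: bearer token -> response fields the caller may see.
AUTH_ALLOWED_FIELDS = {"Bearer xyz": ["id", "name"]}
# Constructed upstream record; matches the 200 OK body on the last slide.
UPSTREAM_DB = {"2301": {"id": "2301", "name": "Dr. Seuss", "license": "32-23892"}}

@dataclass
class RateLimiter:
    """Fixed-window counter keyed by descriptor, e.g. {generic_key: "add-drs"}."""
    limits: dict                      # descriptor -> requests allowed per window
    used: dict = field(default_factory=dict)

    def allow(self, descriptor: str) -> bool:
        n = self.used.get(descriptor, 0)
        if n >= self.limits.get(descriptor, 0):
            return False
        self.used[descriptor] = n + 1
        return True

def ext_auth(headers: dict):
    """Ext auth server: returns the allowed response fields, or None to deny."""
    return AUTH_ALLOWED_FIELDS.get(headers.get("Authorization", ""))

def transcode_add_dentist(body: dict):
    """gRPC transcoder for POST /dentists: JSON -> AddDentist protobuf message.
    Hypothetical assumption: field 1 of the request message is the string `name`."""
    name = body["name"].encode()
    # Wire format: tag (field 1, wire type 2), one-byte varint length (< 128), bytes.
    msg = bytes([(1 << 3) | 2, len(name)]) + name
    return "/com.example.DentistService/AddDentist", msg

def handle(method: str, path: str, headers: dict, limiter: RateLimiter):
    """Run one request through the chain; returns (status, body dict or None)."""
    allowed = ext_auth(headers)
    if allowed is None:
        return 403, None              # denied before any rate-limit budget is spent
    if not limiter.allow("add-drs"):  # descriptor attached by the route (slide 35)
        return 429, None
    if method == "GET" and path.startswith("/dentists/"):
        record = UPSTREAM_DB.get(path.rsplit("/", 1)[1])
        if record is None:
            return 404, None
        # Upstream returns the full record; only ext-auth-allowed fields go back.
        return 200, {k: v for k, v in record.items() if k in allowed}
    return 404, None
```

Because the ext auth filter runs first, a request without a valid token is rejected before it consumes any of the route's rate-limit budget, and the response filtering happens after the upstream has already answered with the full record.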