Solo.io
August 27, 2020

Multi-Cluster Deployment Patterns for Ingress and API Gateways

In this webinar, we will explore deployment patterns, configurations, global traffic routing policies and more for scalable, highly available, and resilient application environments using Envoy Proxy for the Edge / API Gateway across multiple clusters. We will compare the tradeoffs between the different patterns for consideration and guidance for implementation and operations.

Watch the webinar https://youtu.be/SsdaHmjgjLk

Learn more https://www.solo.io/products/gloo
Request a trial https://lp.solo.io/lp-request-a-trial-general
Questions? https://slack.solo.io

Transcript

  1. Copyright © 2020. SERVICE MESH JOURNEY INNOVATION MODERNIZE TO MICROSERVICES SERVICE MESH MANAGEMENT ADAPTIVE SERVICE MESH
  2. December 11, 2018: 2018 TOP WOMEN ENTREPRENEURS IN CLOUD INNOVATION

    Seventh Annual Award Honors Women Founders for Outstanding Accomplishments in Cloud and Emerging Technologies, Sponsored by Facebook, Intel, and Google. Award Winning Innovation Enterprise Credibility Key Industry Collaborations https://www.solo.io/customers/
  3. API connectivity & communication challenges

    Challenges • Entry point for services • Establishing boundary • AuthN/AuthZ • Traffic routing • Transformations • Rate limiting • Automation • Extension [Diagram labels: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E]
  4. API connectivity & communication challenges

    Challenges • Discovering APIs • Documentation • Self-service sign up • Security • Internal vs External [Diagram labels: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E]
  5. Solo.io solves API connectivity & communication challenges

    [Diagram labels: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E, API portal]
  6. Gloo Data Plane and Control Plane

    [Diagram labels: EXTERNAL AUTH RATE LIMITING GLOO FILTERS ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER CACHING DATA LOSS PREVENTION LAMBDA NATS.IO TRANSFORMATION WEB APPLICATION FIREWALL (WAF)]
  7. Why Gloo?

    Security Highly Extensible Multi-platform Web Assembly Integration Decentralized API • Basic auth • OIDC • JWT • API Keys • Custom Auth • TLS • mTLS • SNI • Let’s Encrypt • CORS • OPA • RBAC • Delegation • WAF • Data Loss Prevention • Rate Limit • Circuit Breaker
  8. API connectivity & communication challenges

    Challenges • Multiple clusters • Hybrid deployments • Centralized view • Consistency • Security • Configuration • Federation • Centralization vs Decentralization [Diagram labels: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E, repeated four times]
  9. API Federation

    • Autonomous clusters • Different organizational/network/administrative boundaries • Share pieces of configuration • For those shared pieces, treat union as a single unit • Uses an orchestrator to stitch together policies for federation
  10. Solo.io solves API connectivity & communication challenges

    [Diagram labels: SERVICE A, SERVICE B, SERVICE C, SERVICE D, SERVICE E, SERVICE F, SERVICE G, SERVICE H, Federation]
  11. Problems Solo.io solves with federation

    • Security (authz/authn/encryption/identity) • Service discovery • Failover / traffic shifting / transparent routing • Observability • Separate networks • Well-defined fault domains • Balance of centralized management with decentralized enforcement
  12. Envoy as the backbone of application networking
  13. Why Envoy Proxy?

    • Neutral Foundation (CNCF) • Large, diverse, vibrant community • Built ground up for dynamic services environment • Dynamic configuration, driven by API • Highly extensible • L7 filters (HTTP/1, HTTP/2, gRPC, redis, mysql, Kafka, etc) • Deep metrics/telemetry out of the box • Versatile deployment options
  14. Exploring Envoy failover routing capabilities: Request racing

    [Diagram labels: Account, work load, Calls http://products.service/, us-west-1, us-west-2, Timeout, Race request, First to return is the response to the caller]
  15. Exploring Envoy failover routing capabilities: Zone aware routing (Envoy decides)

    [Diagram labels: Account, work load, Calls http://products.service/, us-west-1, us-west-2, Not enough healthy hosts in same zone, Spill over to another zone]
  16. Exploring Envoy failover routing capabilities: Locality aware (Control plane decides)

    [Diagram labels: Account, work load, Calls http://products.service/, us-west-1, us-west-2, Not enough healthy hosts in same zone, Spill over to another zone, W=1, W=1, W=1, W=5, W=5]
  17. Exploring Envoy failover routing capabilities: Aggregate Cluster (for routing to gateways)

    [Diagram labels: Account, work load, Calls http://products.service/, Edge gw, us-west-1, us-west-2, EDS, Strict DNS]
  18. Single cluster ingress/gateway (@christianposta)

    [Diagram labels: work load]
  19. Decentralized API Gateway

    [Diagram labels: work load]
  20. Hybrid, two-tier gateways

    [Diagram labels: work load, Leaf nodes / application clusters]
  21. Hybrid, two-tier gateways with tenancy

    [Diagram labels: work load, Leaf nodes / application clusters]
  22. [Diagram labels: work load, Istiod, API/Edge Gateway tier, Access Proxy / Gateway Routing, Leaf nodes / application clusters]
  23. Operating a multi-cluster topology
  24. [Diagram labels: Access Proxy / Gateway Routing, Leaf nodes / application clusters, GlooFederation Plane, work load]
  25. [Diagram labels: Access Proxy / Gateway Routing, Leaf nodes / application clusters, GlooFederation Plane, work load]
  26. [Diagram labels: Access Proxy / Gateway Routing, Leaf nodes / application clusters, GlooFederation Plane, work load]
  27. • https://solo.io • https://slack.solo.io • https://gloo.solo.io • https://envoyproxy.io • https://istio.io • https://webassemblyhub.io • https://servicemeshhub.io • https://blog.christianposta.com