Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Istio and the Service Mesh Architecture
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Manatsawin Hanmongkolchai
September 08, 2018
Programming
1.1k
3
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Istio and the Service Mesh Architecture
DevOps BKK 2018
Manatsawin Hanmongkolchai
September 08, 2018
More Decks by Manatsawin Hanmongkolchai
See All by Manatsawin Hanmongkolchai
Nix: Declarative OS
whs
0
130
gRPC load balancing with xDS
whs
0
1.1k
ArgoCD
whs
0
490
Writing Babel Plugin
whs
0
230
What's new in Cloud Next 2019
whs
0
330
A Date with gRPC
whs
1
1.5k
ตีแผ่ Microservice ด้วย Tracing
whs
0
410
Next Generation Smart Home
whs
0
1k
State Management with MobX
whs
2
420
Other Decks in Programming
See All in Programming
作って学ぶ、 JSX (TSX) ランタイムの基本
syumai
7
1.7k
Strategic Design in the Frontend: Moduliths & Micro Frontends @DDDEurope
manfredsteyer
PRO
0
130
気づいたらRubyで100作品 ー クリエイティブコーディングが生活の一部になるまで / 100 Ruby Sketches Later: How Creative Coding Became Part of My Life
chobishiba
3
610
TAKTでAI駆動開発の品質を設計する
j5ik2o
7
1.5k
Signal Forms: Details & Live Coding @enterJS 2026 in Mannheim
manfredsteyer
PRO
0
200
鹿野さんに聞く!『TypeScriptコードレシピ集』で磨く実践力
tonkotsuboy_com
4
860
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
yusukebe
7
1.5k
dRuby over BLE
makicamel
2
390
肥大化するレガシーコードに立ち向かうためのインターフェース分離と依存の逆転 / JJUG CCC 2026 Spring
hirokunimaeta
0
640
ローカルLLMを使ってB2Bサービスを作っていての学び
yaotti
0
220
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
180
そのテスト、説明できますか?~LWテスト戦略FW~のご紹介
nakahara
0
170
Featured
See All Featured
Building Flexible Design Systems
yeseniaperezcruz
330
40k
Color Theory Basics | Prateek | Gurzu
gurzu
0
370
Making the Leap to Tech Lead
cromwellryan
135
9.9k
Un-Boring Meetings
codingconduct
0
320
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.7k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
ryanjones
0
170
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
What’s in a name? Adding method to the madness
productmarketing
PRO
24
4.1k
Ethics towards AI in product and experience design
skipperchong
2
320
Google's AI Overviews - The New Search
badams
0
1k
Exploring the relationship between traditional SERPs and Gen AI search
raygrieselhuber
PRO
2
4k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Transcript
Istio and the Service Mesh Architecture DevOps BKK 2018
About me • Manatsawin Hanmongkolchai • Junior Architect at Wongnai
How I sold Istio to my team
How Wongnai monitor microservices
Microservice monitoring • In-service metrics eg. controller time
Microservice monitoring • AWS X-Ray SDK
Microservice monitoring • Sentry
Microservice monitoring • ELB Error Rate
Microservice monitoring These must be integrated into your service AWS
X-Ray
Microservice monitoring The problem in microservice world • Service can
be written in many languages. Not all tools support every languages
Microservice monitoring The problem in microservice world • People in
a rush skip implementing proper monitoring
Meet Istio
Service mesh Istio handle interservice connection Sidecar
How Istio sidecar work? Istio use admission controller to install
2 containers in your pod
How Istio sidecar work? 1. Init container to setup transparent
proxy iptables rule (as root) 2. Envoy running alongside your app as the transparent proxy
What Istio can do for you Monitoring • Network calls
• Tracing
Network monitoring Istio provide insight into your network in layer
7
Total requests 4xx 5xx
Request count of service Response time
Service network monitoring Measured client side Request count Success rate
Resp. time Speed (for TCP) Measured server side
Who call me?
Distributed Tracing • All incoming/outgoing HTTP calls are traced to
Jaeger • Needs to propagate OpenTracing headers from incoming call to outgoing call to track calls correctly
Distributed Tracing • Easiest way is to just integrate Zipkin
OpenTracing into your app
Distributed Tracing
Distributed Tracing
What Istio can do for you • Traffic Management ◦
Routing ▪ Traffic Shifting ▪ Mirror ◦ Fault Injection ◦ Circuit Breaker
Routing • Kubernetes service operates in Layer 4 Cluster IP
Backend Backend Backend Req Req Req Req Req Req
Routing • Istio operate in layer 7 and can do
per-call load balancing Envoy Req Req Req Req Req Req Backend Backend Backend
Split traffic • Split traffic between service (eg. 1% to
new version)
Mirror traffic • Test in production by cloning traffic Envoy
Live version Test version Req
Fault Injection • Intentionally making service worse • Why? Let’s
hear a story
Fault Injection Site Reliability Engineering How Google runs production systems
landing.google.com /sre/book/
#WongnaiIsHiring • Wongnai is looking for our first Site Reliability
Engineer • careers.wongnai.com
Chubby
Fault Injection Over time, we found that the failures of
the global instance of Chubby consistently generated service outages.
Fault Injection As it turns out, true global Chubby outages
are so infrequent that service owners began to add dependencies to Chubby assuming that it would never go down.
Fault Injection The solution to this Chubby scenario is interesting:
SRE makes sure that global Chubby meets, but does not significantly exceed, its service level objective.
Fault Injection In any given quarter, if a true failure
has not dropped availability below the target, a controlled outage will be synthesized by intentionally taking down the system.
Fault Injection • Slow down services ◦ Delay 80% of
requests for 5 seconds • Make errors ◦ Return 500 error code for 80% of requests
Circuit Breaker Remove a backend from service if it return
too many errors in a row Frontend Backend Work Queue 503 Timeout F5
Summary Istio provide visibility and configurability to your network. This
is traditionally done by adding library, but in a microservice world you need a cross language solution
The catch Here’s what we found while moving to Istio
• While requiring zero code changes, your service must already be well behaved cloud application
The catch • Do not connect directly to pod IP
(eg. no service discovery - just use cluster IP and avoid headless service)
The catch • Do not mix port type in the
cluster (eg. don’t run HTTP server on port 6379 with another pod running TCP service at the same port)
The catch • Set the Host header to the destination.
Don’t connect to gateway and set Host header to cooking. ◦ This case is really hard to debug...
The catch • External services (ie. outside Kubernetes) but in
the capturing IP range must have ServiceEntry defined ◦ ServiceEntry is cluster-wide
Slides on speakerdeck.com/whs