Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh

On-Demand Link: https://www.nginx.com/resources/webinars/service-mesh/

About the Webinar
Join us for a special launch webinar as we introduce you to NGINX Service Mesh, our new offering as part of the NGINX product suite.
In this webinar, you’ll learn about using NGINX Plus and NGINX Controller as part of your microservices journey, why your organization may need a service mesh to improve performance and reliability of your applications, and how NGINX Service Mesh can help you meet these needs. Our presenter(s) will also provide a demonstration of NGINX Service Mesh, giving you an insight into the new experience that awaits you and your team.


  1. NGINX Service Mesh (NSM): Data Plane Matters. Alan Murphy, PM NGINX Service Mesh
  2. NGINX Service Mesh: Agenda
     • What is a Service Mesh?
     • What does a Service Mesh solve?
     • NGINX Service Mesh Architecture
     • Demo Time!
     • Q&A
  3. What's In A Service Mesh!
  4. An Overly Simplified Picture [diagram]: L7 Logic (Ingress) on top of L3-L4 Networking; L3-L7 Network Management == Service Mesh
  5. What Is A Service Mesh? (What's missing in K8s, and what do you really want and need from a mesh?) "Service mesh aims to improve application traffic control, observability and security for distributed systems." - The New Stack
  6. What Is A Service Mesh?
     • A service mesh adds L7 traffic management and security: sidecar deployment, policy management, application availability/health
     • A service mesh isn't just one "thing"; it's a lot of managed and dependent components
     • Takes over where K8s networking stops (service/pod IP endpoints)
     • "Traffic management for containers"
  7. What Does A Service Mesh Do? A service mesh controls communications between pods and external apps
     • Secure Traffic: end-to-end encryption (Mutual TLS / mTLS), ACLs
     • Manage All Service Traffic: load balancing, circuit breaker, B|G (blue/green), rate limiting…
     • Orchestration: injection and sidecar management, K8s API integration
     • Measure Traffic: generate transaction traces and real-time monitoring
  8. What Is A Sidecar? A sidecar is a containerized service that another containerized service depends on for some function: "helper containers".
     • Not just networking; it can be used for any separation of process: API GW, logging, data mining, etc.
     • In our world, a sidecar is a reverse proxy that sits beside an application service container (in the same pod) and provides all inbound and outbound network routing to that application container. [diagram: App Pod]
  9. How Are Sidecars Deployed? Separate container in the app pod
     • The separate container is attached to the app service container in a pod
     • Networking in the app container is altered via a policy from the mesh that tells the app "You can only talk to your sidecar for network access."
     • Policy and architecture are defined and orchestrated via the control plane, managed with a combination of ConfigMap and control plane.
     • A service mesh takes care of auto-associating the sidecar with the app container in the same pod via sidecar injection [diagram: App Pod]
  10. What Does A Service Mesh Actually Do?
     • Proxy
     • Orchestration
     • Policy Management
     • Policy Enforcement
     • Monitoring
     [diagram: Data Plane, Control Plane, Management Plane; Data + Control Planes] "…[sidecar] proxies cache the state of the mesh but aren't regarded as the source of truth for the state of the mesh." - Lee Calcote, O'Reilly
  11. Service Mesh Policies: the most important (and difficult) part
     • Network Policy: service-to-service routing, service availability, service discovery
     • Access Policy: IP allow/deny, allow/deny, JWT
     • Security Policy: SSL/mTLS termination, DDoS, WAF
  12. It's Really All About Security: Data Plane Enforcement (I don't say that often, but seriously: security)
     • Service Security: identity management, SSL key management, injection policies
     • Network Security: L3/L4 networking control, mTLS between services, access control
     • Auditing/Governance: policy and traffic monitoring, zero trust, cluster-wide L7 networking policies
  13. NSM Service Mesh: The "Data Plane" Service Mesh
  14. Service Mesh Product Goals: NGINX Service Mesh controls communications between pods and external apps
     • Secure Traffic: end-to-end encryption (Mutual TLS / mTLS), ACLs
     • Manage All Service Traffic: load balancing, circuit breaker, B|G (blue/green), rate limiting…
     • Orchestration: injection and sidecar management, K8s API integration
     • Measure Traffic: generate transaction traces and real-time monitoring
  15. Why NGINX Service Mesh? Data Plane Matters
  16. Why NGINX Service Mesh?
     • Complete microservices traffic management and security: E/W (sidecar) and N/S (NGINX KIC) ingress and egress; security policy definition, enforcement, and governance
     • Turn-key and platform agnostic: everything you need is included, no need to piecemeal; run in any K8s environment, anywhere
     • Data plane matters: brings the world's best software reverse proxy to container traffic management
  17-23. What is the NGINX Service Mesh? [architecture diagram built up over seven slides] Infrastructure: Kubernetes, VMware, AWS, Bare Metal. Data Plane: East/West traffic between SVC sidecars, with NGINX Ingress and NGINX Egress. Control Plane: NGINX Service Mesh control plane (Topology, Policies, Conf Db), Kubernetes Service Registry / Inventory (VMware, AWS… Inventory), SPIRE, Grafana, OpenTracing, CLI / API. Management Plane: NGINX Controller (centralized management, Service Mesh connector, integrations).
  24. NSM Components
     • NSM runs within a K8s cluster
     • Securely manages ingress/egress traffic to external services
     • Can be deployed in any K8s cluster platform
  25. [diagram: Data Plane / Control Plane]
  26. NSM Demo Time!
  27. NSM Features
  28. Security
     • Zero-trust model
     • mTLS enforcement
     • Service identity
     • Access control CRDs
     • Access control via mTLS
     • Config validation
     • Single source of truth for network (K8s) and identity (SPIRE)
     • Ingress mTLS
     • Egress opt-in allowlist
     • iptables pod firewalling
  29. Integrated N/S Ingress/Egress
     • NGINX Plus for sidecars and KIC
     • Ingress traffic treated as S2S (service-to-service) traffic
     • Full integration with SPIRE identity and SSL key store
     • mTLS for ingress into NSM
     • Egress name service support
     • Egress opt-in allowlist
     • Sidecar "default route" to KIC
  30. Traffic Management
     • Full support for microservice traffic models: circuit breaker, blue/green, canary, weighted distribution
     • Rate shaping and QoS/priority queueing
     • Container-based load balancing
     • Dynamic service availability
     • SSL keepalive for performance
  31. Lightweight and Agile
     • Data plane matters
     • Control plane designed to optimize the NGINX Plus data plane
     • Standards-based: SPIFFE, SMI spec
     • Single CLI for management of all mesh services
     • CI/CD pipeline-able for orchestrated deployment and policy management
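To make the zero-trust, default-deny access control described on the Security slide concrete, here is an added example (not NGINX Service Mesh's own code) that evaluates a request against constructed SMI TrafficTarget and HTTPRouteGroup resources, identifying the caller by the SPIFFE ID in its mTLS client certificate, the two standards named on the Lightweight and Agile slide. The SPIFFE path layout `ns/<namespace>/sa/<serviceaccount>`, the `cluster.local` trust domain and every policy value are assumptions.

```python
import re

# Constructed SPIFFE ID layout for SPIRE-issued workload certs (assumption:
# the URI SAN encodes the Kubernetes namespace and service account).
SPIFFE_RE = re.compile(r"^spiffe://[^/]+/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")

# Constructed SMI resources mirroring an HTTPRouteGroup and a TrafficTarget
# (sample policy values, not NGINX Service Mesh's own configuration).
ROUTE_GROUPS = {
    "api-routes": [
        {"name": "orders", "pathRegex": r"^/orders(/.*)?$", "methods": ["GET", "POST"]},
        {"name": "health", "pathRegex": r"^/healthz$", "methods": ["GET"]},
    ],
}
TRAFFIC_TARGETS = [{
    "destination": {"kind": "ServiceAccount", "namespace": "shop", "name": "api"},
    "sources": [{"kind": "ServiceAccount", "namespace": "shop", "name": "web"}],
    "rules": [{"kind": "HTTPRouteGroup", "name": "api-routes", "matches": ["orders"]}],
}]


def parse_spiffe(uri):
    """Return (namespace, service_account) from a peer's SPIFFE URI SAN, else None."""
    m = SPIFFE_RE.match(uri or "")
    return (m["ns"], m["sa"]) if m else None


def route_allows(group, match_names, method, path):
    """True if one of the selected routes in the group covers this method and path."""
    for route in ROUTE_GROUPS.get(group, []):
        if match_names and route["name"] not in match_names:
            continue
        if method in route["methods"] and re.search(route["pathRegex"], path):
            return True
    return False


def authorize(peer_spiffe, dest_ns, dest_sa, method, path):
    """Default-deny: allow only if a TrafficTarget names this source, destination and route."""
    src = parse_spiffe(peer_spiffe)
    if src is None:  # plaintext peer, or a cert outside the mesh's SPIFFE scheme
        return False
    for tt in TRAFFIC_TARGETS:
        dest = tt["destination"]
        if (dest["namespace"], dest["name"]) != (dest_ns, dest_sa):
            continue
        if not any((s["namespace"], s["name"]) == src for s in tt["sources"]):
            continue
        if any(r["kind"] == "HTTPRouteGroup"
               and route_allows(r["name"], r.get("matches"), method, path)
               for r in tt["rules"]):
            return True
    return False
```

Note that the `matches` list narrows the rule to the `orders` route, so `GET /healthz` from the same trusted caller is still denied; that is the shape of a least-privilege policy.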
  32. A reality check…
     • Service mesh technology addresses one specific set of problems
     • It's not a magic bullet that makes all applications "better"
     • There are many other, well-proven ways to address the same problems
     • Service mesh technology is very complex and ever-evolving
     • The cost of operating a mesh in production can be high, and there can be many risks
  33. When Am I Ready For A Service Mesh?
     ✓ You have a mature, fully-automated CI/CD pipeline (GitOps-enabled)
     ✓ You are fully invested in microservices and using Kubernetes
     ✓ You are deploying frequently to production (at least once per day)
     ✓ You have a zero-trust production environment (so you need mTLS)
     ✓ You need/want additional visibility of container traffic interaction
  34. Where To Start? Define your microservice mesh needs; get ahead of the need
     • Why a mesh?
     • What goals are you trying to solve with a mesh?
     • Who will own/manage the mesh?
     • Where will the mesh be deployed?
     • Decide if you want to build your own components or use a complete mesh.
     • Plan. Plan. Test.
  35. How To Get NSM
     • Download: downloads.f5.com
     • Docs: docs.nginx.com/nginx-service-mesh
     • Tools/Support: github.com/nginxinc/nginx-service-mesh
