Service Mesh in the Real World [Raleigh NC Meetup]

Slides from Christian Posta's talk about how, when and why to apply service mesh to real world application environments

https://www.solo.io
https://slack.solo.io

Published in: Technology
  1. Service mesh in the “real world” | @christianposta | Copyright © 2019
  2. CHRISTIAN POSTA
     • Field CTO @ Solo.io
     • Author of a few books
     • Contributor to many open-source projects
     • Architect, blogger, speaker, mentor, leader
     @christianposta, christian@solo.io, https://blog.christianposta.com, https://slideshare.net/ceposta
  3. WROTE THE FIRST BOOK ON ISTIO…
  4. WRITING ISTIO BOOK FOR MANNING
     https://bit.ly/istio-in-action
     http://bit.ly/ATO-2019
     Raffle for free copy!
  5. Context of organizations we work with
     • Augment, complement, replace existing API infrastructure
     • Support a microservices, cloud environment
     • Need better traffic control and observability
     • As little disruption as possible, target multiple compute
     • Improve security posture
  6. THE PROBLEM
     • HOW DO YOU OBSERVE?
     • HOW DO YOU MANAGE APIS?
     • HOW CAN YOU ENFORCE SECURITY?
     Diagram labels: MONOLITH, MICROSERVICES
  7. Solving challenges between services within the organization
     • Traffic control
     • Traffic routing
     • Secure communications
     • Application-level network observability
     • Policy enforcement
  8. LARGE, CENTRALIZED, LOW-TRUST, SHARED ENVIRONMENTS
  9. CENTRALIZED VS DECENTRALIZED WITHOUT GAPS
  10. Challenges of adopting a service mesh
  11. Do you need a service mesh?
     • Do you have a mix of application languages or frameworks?
     • Large deployment of microservices on cloud infrastructure?
     • Struggling to implement application interaction observability?
     • Have you mastered your existing infrastructure stack?
  12. Challenges of adoption
     • Which one to choose?
     • Who's going to support it?
     • Multi-tenancy issues within a single cluster?
     • No good way to manage multiple clusters?
     • Fitting with existing services (sidecar lifecycle, race conditions, etc)
     • What's the delineation between developers and operations?
     • Non container environments / hybrid env?
     • Centralization vs decentralization
  13. How to get there?
  15. Start with a gateway approach
     • Start at the edge
     • Start with one proxy, grow to more
     • Pick a subset of traffic applications
     • Get demonstrable value from it
     • Data plane matters
     • Pick something that lets you iteratively adopt service mesh
  16. “Edge” concerns, North-South vs East-West
  17. “Edge” concerns, North-South vs East-West

     | Capability | Service Mesh | Edge |
     |---|---|---|
     | Traffic Control | ✔ | ✔ |
     | Traffic Routing | ✔ | ✔ |
     | TLS/mTLS | ✔ | ✔ |
     | Network Observability | ✔ | ✔ |
     | Policy Enforcement | ✔ | ✔ |

  18. “Edge” concerns, North-South vs East-West

     | Capability | Service Mesh | Edge |
     |---|---|---|
     | OAuth/OIDC | ✘ | ✔ |
     | Web Application Firewall | ✘ | ✔ |
     | Message transformation | ✘ | ✔ |
     | Request/response caching | ✘ | ✔ |
     | Domain-specific rate limit | ✘ | ✔ |
     | HMAC, request path security | ✘ | ✔ |
     | Understand API surface, intended decoupling | ✘ | ✔ |

  19. Envoy proxy as a gateway
  20. Meet Envoy Proxy
     http://envoyproxy.io
  21. Envoy Proxy implements:
     • zone aware, least request load balancing
     • circuit breaking
     • outlier detection
     • retries, retry policies
     • timeout (including budgets)
     • traffic shadowing
     • rate limiting
     • access logging, statistics collection
     • Many other features!
  23. ISTIO INGRESS GATEWAY
     • Supports workloads across namespaces
     • Integrates with platform loadbalancers
     • Support TLS/HTTPS
     • Works with Istio mTLS
  25. Edge Gateway built on Envoy
     https://github.com/solo-io/gloo
  26. What is Gloo?
     ● Enterprise Envoy Proxy
     ● API-level routing, decoupling
     ● Complements any service mesh
     ● Traffic control, canary releases
     ● OAuth flows
     ● TLS termination, passthrough, mTLS
     ● Rate limiting, Caching
     ● Request/Response transformation
     ● Kubernetes CRDs (when deployed to Kubernetes)
     https://gloo.solo.io
  27. Edge Gateway built on Envoy
  28. Gloo companion project: Sqoop
     https://sqoop.solo.io
     Diagram labels: Query, Monolith, Microservices, Cloud Functions, Result
  29. Gloo adds these to Istio!

     | Capability | Service Mesh | Edge |
     |---|---|---|
     | OAuth/OIDC | ✘ | ✔ |
     | Web Application Firewall | ✘ | ✔ |
     | Message transformation | ✘ | ✔ |
     | Request/response caching | ✘ | ✔ |
     | Domain-specific rate limit | ✘ | ✔ |
     | HMAC, request path security | ✘ | ✔ |
     | Understand API surface, intended decoupling | ✘ | ✔ |

  30. Demo!
  31. Gateway adoption patterns (waypoint architecture) on the journey to service mesh
  32. Start with single proxy
  33. Start with single proxy
  34. Bring in decoupling points (multi-tier gateway)
  35. Gateway per product/domain/bounded context
  36. Push gateways down as you grow, avoid death star architecture!
  37. Push gateways down as you grow, avoid death star architecture!
  38. Push gateways down as you grow, avoid death star architecture!
  39. Final thoughts
     • Crawl, walk, run approach
     • Leverage shared gateways, path for decentralization
     • Envoy/Gloo proven open-source projects, successful adoption
     • Reduce risk, target multi-platform compute, move at your own pace
  40. Check out Solo.io!
  41. Sneak peek, https://servicemeshhub.io
  42. WRITING ISTIO BOOK FOR MANNING
     https://bit.ly/istio-in-action
     http://bit.ly/ATO-2019
     Raffle for free copy!
  43. CHRISTIAN POSTA
     @christianposta, christian@solo.io, https://blog.christianposta.com, https://slideshare.net/ceposta
  44. @soloio_inc
