A service mesh is necessary for organizations adopting microservices and dynamic cloud-native infrastructure. Traditional host-based network security must be replaced with modern service-based security to accommodate the highly dynamic nature of modern runtime environments. In this talk, we will look at Connect a significant new feature in Consul that provides secure service-to-service communication with automatic TLS encryption and identity-based authorization. We will look at the features of Connect, how to enable Connect in an existing Consul cluster and how easy it is to secure service-to-service communication using Connect.

1. Service Mesh for
Microservices

2. Peter Souter
Technical Account Manager @ HashiCorp
@petersouter

3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
Nomad Consul
Vault
Vagran
t
Packer
Terrafor
m
Consul Enterprise
Terraform
Enterprise
Vault Enterprise
PRODUCT SUITEOSS TOOL SUITE
RUN
Applications
SECURE
Application Infrastructure
PROVISION
Infrastructure
FOR INDIVIDUALS FOR TEAMS
Nomad Enterprise

4. Service Mesh for
Microservices

5. A B
C D
Monolith

6. Monolith
A B
C D

7. Monolith
A B
C D
Static IP

8. Monolith
LB
A B
C D
Static IP

9. Zone
Firewall
DMZ Firewall
Monolith
A B
C D
Static IP
LB

10. What Changed?

11. A B
C D
Monolith

12. Microservices
A B
C D

13. Microservices
A B
C D
?

14. BB
Microservices
A B
C D
?

15. Microservices
BBA B
C D
L
B

16. Operating in the Cloud + Containers
Dynamic IP Addresses
Higher Failure Rate
Ephemeral Infrastructure
Complex Network Topology

17. Service Segmentation

18. Defining Segmentation
Splitting network into sub-networks
Restricting communication between sub-networks
Virtual LAN, Firewalls, Software Defined Networks
Coarse Grained, Many Services
Segment
A
Segment
B
Network

19. Zone
Firewall
DMZ Firewall
Monolith
A B
C D
Static IP
LB

20. Microservices
A B
C D

22. A -> B
C -> D
D -> C
A B
C D

23. B -> DA -> C
A B
C D

25. Consul Usage
Launched in 2014
12K+ GitHub Stars
1M+ Downloads monthly
Customers running 50,000+ agents

26. Public Users

27. Service Mesh for Microservices
Service Discovery. Connect services with a dynamic
registry
Service Configuration. Configure services with runtime
configs
Service Segmentation. Secure services based on
identity

28. Service Mesh for Microservices
Service Discovery. Connect services with a dynamic
registry
Service Configuration. Configure services with runtime
configs
Service Segmentation. Secure services based on
identity

29. Consul Connect

30. Consul Connect
Service Access Graph
Certificate Authority
Application Integration

31. Service Access Graph
Intentions to Allow/Deny Communication
Source and Destination Service
Scale Independent
Managed with CLI, API, UI

32. TERMINAL
$ consul intention create -deny web '*'
Created: web => * (deny)
$ consul intention create -allow web db
Created: web => db (allow)

34. Certificate Authority
Transport Layer Security (TLS)
Service Identity
Encryption of all traffic

35. Certificate Generation
Automatic Generation & Rotation
ServerClient
Certificate
Signing Request
Generate
Key Pair
Sign Certificate

36. Certificate Format
X.509 Certificate
SPIFFE Compatible

37. Certificate Authority Rotation
Root
Intermediary
Leaf

38. Certificate Authority Rotation
Root
Intermediary
Leaf
Root
Intermediary
Leaf

39. Certificate Authority Rotation
Root
Intermediary
Leaf
Root
Intermediary Intermediary
Leaf Leaf

40. Application Integration
Consul Client for Service Graph and Certificates
Sidecar Proxies
Native Integrations

41. Sidecar Proxy Integration
No Code Modification
Minimal Performance Overhead
Operational Flexibility
Managed or Unmanaged

42. Sidecar Proxies
ClientProxy
App
Configure
Connect
ProxyClient
App
Configure
Connect

43. Pluggable Proxies
Client
App
Configure
Connect
Client
App
Configure
Connect

44. Managed vs Unmanaged Proxies
Lifecycle of Proxy
Auto-Configured
Special ACL Token
ProxyClient
App
Configure
Connect

45. {
"service": "web",
"connect": {
"proxy": {
"config": {
"upstreams": [{
"destination_name": "redis",
"local_bind_port": 1234
}]
}
}
}
}
CODE EDITOR

46. ProxyClient
App
Configure
Connect localhost:1234
Connect to
upstream redis

47. TERMINAL
$ consul connect proxy
-service web
-upstream postgresql:8181
$ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
>

48. Native Integration
Standard TLS
Negligible Performance Overhead
Requires Code Modification

49. // Create a Consul API client
client, _ := api.NewClient(api.DefaultConfig())
// Create an instance representing this service.
svc, _ := connect.NewService("my-service", client)
defer svc.Close()
// Creating an HTTP server that serves via Connect
server := &http.Server{
Addr: ":8080",
TLSConfig: svc.ServerTLSConfig(),
// ... other standard fields
}
// Serve!
server.ListenAndServerTLS("", "")
CODE EDITOR

50. Consul Connect
Service Access Graph. Intentions allow or deny communication
of logical services.
Certificate Authority. Standard TLS certificates with SPIFFE
compatibility.
Application Integration. Native integrations or side car
proxies.

51. Consul Architecture
Batteries Included
Highly Available & Scalable
Pluggable Data Plane

52. Summary

53. Common Challenges
Infrastructure is means to an ends
Microservices Architecture
Operational Challenges

54. Patchwork Solutions
Re-invent the wheel
Long Term Maintenance
Minimum Viable vs Maximum Utility

55. Service Mesh for Microservices
Service Discovery. Connect services with a dynamic
registry
Service Configuration. Configure services with runtime
configs
Service Segmentation. Secure services based on identity

57. K8s Demo:
https://github.com/hashicorp/da-connect-demo/tree/master/kubernetes-azur
e
Consul Connect intro:
https://play.instruqt.com/hashicorp/tracks/connec
t
LINKS
Connect SDK demo:
https://github.com/nicholasjackson/consul-connect-route
r