Building a Service Mesh
with NGINX
Owen Garrett, Faisal Memon
Products & Engineering, NGINX
Operating a distributed application is hard
Static, Predictable Monolith:
• Fast, reliable function calls
• Local debugging
• Local profiling
• Calendared, big-bang upgrades
• ‘Integration hell’ contained in dev
Dynamic, Distributed App:
• Slow, unreliable API calls
• Distributed fault finding
• Distributed tracing
• In-place dynamic updates
• ‘Continuous integration’ live in prod
More things can go wrong, it’s harder to find the faults, everything happens live
[Diagram: an example distributed application – FrontEnd, RecommendEng, InventoryDB, ImageRender, AdminConnector, UserState, PricingEng, API-fe – with NGINX (N)]
• Security
• Instrumentation
• Tracing
• Traffic Control
1. Precursors to Service Mesh
NGINX per-Pod Proxy
Use NGINX Per-Pod Proxy:
• To intercept traffic to a single pod
• Implement access control, metrics and tracing, web app firewall for that service
Complexity: Simple
• Single point of configuration, simple
• Fully integrated into pod – easy build, test and deployment
Each Pod in Service B has a dedicated proxy. We rely on K8s (kubeproxy) to load-balance traffic to Service B.
[Diagram: Service A → kubeproxy → Service B pods, each with its own NGINX proxy]
What about egress traffic?
• Why might this be a problem?
1. Cannot automatically perform mTLS. Need to rely on application to make TLS requests, or rely on overlay network and K8s Network Policies for encryption and authorization
2. Metrics and traces are generated on server-side, not client-side, so do not measure latency effect of K8s network
[Diagram: full control of ingress traffic entering the pod; no control of egress traffic exiting the pod]
Simple Mesh
Use NGINX Simple Mesh:
• When the application only needs to talk to a small, well-known set of external services
Complexity: Not very simple!
• Need to know all egress targets in advance
• Fully integrated into pod – easy build, test and deployment
Ingress Traffic – exactly as the per-Pod proxy configuration.
Egress Traffic – application talks to local NGINX IP address, achieved by e.g. DNS manipulation or IP tables. NGINX needs a virtual server for each egress service.
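As an added example (not from the deck, and not NGINX’s own product code), one nginx.conf that combines the per-Pod proxy ingress and the Simple Mesh egress virtual servers described above, for a pod running a “pricing” service. Service names, ports, certificate paths, caller subject names, the pod CIDR and the cluster DNS address are all assumptions.

```nginx
# Added example, not from the deck: one nginx.conf for a pod that runs the
# "pricing" service. The ingress server is the per-Pod proxy; the egress
# servers are the Simple Mesh "one virtual server per egress service".
# Hostnames, ports, paths, subject names, CIDRs and the DNS address are assumed.
events {}

http {
    # Log the verified caller (cert subject, verify result) and timings: the
    # per-pod proxy is where server-side metrics and traces originate.
    log_format mesh '$remote_addr "$ssl_client_s_dn" $ssl_client_verify '
                    '$request_time $upstream_response_time $status "$request"';
    access_log /var/log/nginx/access.log mesh;

    # Access control: which client identities may call this pod. Subjects are
    # constructed; NGINX 1.11.6+ emits RFC 2253 DNs (CN first), hence "(,|$)".
    map $ssl_client_s_dn $caller_ok {
        default                            0;
        "~CN=frontend\.default\.svc(,|$)"  1;
        "~CN=api-fe\.default\.svc(,|$)"    1;
    }

    # ---- Ingress: the pod exposes 8443; the app itself listens on loopback only ----
    server {
        listen 8443 ssl;
        ssl_certificate        /etc/mesh/svid.pem;       # this pod's identity
        ssl_certificate_key    /etc/mesh/svid-key.pem;
        ssl_client_certificate /etc/mesh/ca-bundle.pem;  # cluster-internal CA
        ssl_verify_client      on;                       # mTLS: a client cert is required
        ssl_verify_depth       2;
        ssl_protocols          TLSv1.2 TLSv1.3;

        location / {
            if ($caller_ok = 0) { return 403; }
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
            # Hand the verified caller identity to the app (URL-encoded PEM).
            proxy_set_header X-Forwarded-Client-Cert $ssl_client_escaped_cert;
        }

        # Counters for a Prometheus-style scraper, reachable only from the pod network.
        location = /nginx_status {
            allow 10.0.0.0/8;    # assumed pod CIDR
            deny  all;
            stub_status;
        }
    }

    # ---- Egress: the app is pointed at 127.0.0.1:15001 (hosts-file entries, or an
    # iptables REDIRECT of outbound port 80 that exempts NGINX's own uid so the
    # proxy's upstream connections are not looped back into it). A variable in
    # proxy_pass makes NGINX resolve via `resolver` (cluster DNS) rather than the
    # manipulated hosts file, which again avoids a loop.
    resolver 10.96.0.10 valid=30s;    # assumed kube-dns ClusterIP

    server {
        listen 127.0.0.1:15001;
        server_name inventory.default.svc.cluster.local;
        location / {
            set $target inventory.default.svc.cluster.local;
            proxy_pass https://$target:8443;
            proxy_set_header Host $host;
            proxy_ssl_certificate         /etc/mesh/svid.pem;   # outbound mTLS
            proxy_ssl_certificate_key     /etc/mesh/svid-key.pem;
            proxy_ssl_trusted_certificate /etc/mesh/ca-bundle.pem;
            proxy_ssl_verify              on;
            proxy_ssl_server_name         on;   # SNI taken from $proxy_host
        }
    }

    # One such server per egress target: the "need to know all egress targets
    # in advance" cost from the slide. Second target, userstate:
    server {
        listen 127.0.0.1:15001;
        server_name userstate.default.svc.cluster.local;
        location / {
            set $target userstate.default.svc.cluster.local;
            proxy_pass https://$target:8443;
            proxy_set_header Host $host;
            proxy_ssl_certificate         /etc/mesh/svid.pem;
            proxy_ssl_certificate_key     /etc/mesh/svid-key.pem;
            proxy_ssl_trusted_certificate /etc/mesh/ca-bundle.pem;
            proxy_ssl_verify              on;
            proxy_ssl_server_name         on;
        }
    }

    # Anything else the app tries to reach is refused (and logged) rather than
    # silently sent out in plaintext.
    server {
        listen 127.0.0.1:15001 default_server;
        server_name _;
        return 403 "egress target not in mesh configuration\n";
    }
}
```

Check it with `nginx -t` before rolling it into the pod image; the 403 default server is what makes a forgotten egress target show up in the access log instead of as an unexplained plaintext connection.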
Service Mesh
Use a Service Mesh (Istio, Linkerd):
• When you don’t know the topology of the application
• When you want an off-the-shelf solution
• When the specific service mesh capabilities match your requirements
Complexity: Medium-High
Service Mesh technology is not fully mature, so operating, troubleshooting and debugging it requires considerable technical expertise.
[Diagram: a Control Plane (e.g. Istio’s Pilot/Mixer/Citadel) managing a Sidecar Proxy alongside each of Service A, Service B, Service C and Service D]
2. NGINX Service Mesh
Why is NGINX building a Service Mesh?
What are the attributes of modern applications?
• Hybrid (microservice and legacy)
• Web and API
• Multiple technology stacks
What is needed to deliver these applications?
• Load Balancer / App Delivery
• Specialized API management
• Internal Service Mesh
NGINX Features and Principles
Initial Features
• Mutual TLS
• Instrumentation
• Tracing
• Traffic Control
Core Principles
• Hybrid Applications first
• Lightweight and Performant
• Architectural Simplicity
• Use CNCF etc. projects whenever possible
What is NGINX building?
[Diagram, built up over five slides, showing four layers:]
• Data Plane – services (SVC) exchanging East/West traffic
• Control Plane – NGINX Service Mesh control plane, holding Topology and Policies, with a Conf Db and a CLI / API ($>_); later builds add SPIRE, then Grafana and OpenTracing
• Management Plane – Kubernetes Service Registry Inventory; VMware, AWS… Inventory
• Infrastructure – Kubernetes, VMware, AWS, Bare Metal
What’s in the dataplane?
• NGINX
◦ OpenTracing module (3rd party, open source)
◦ Prometheus module (open sourced)
◦ SPIFFE support (to-be-open sourced)
◦ NGINX Plus
◦ Sophisticated configuration for fully-hitless reloads
3. Walkthrough
4. Concluding Points
Find the balance
[Chart: y-axis “Cost to operate”; x-axis “Complexity, Interdependencies, Speed of Change”, running from “Single simple app” to “Many complex, interdependent apps”. Two curves: “Using native Kubernetes and other services” and “Using service mesh”, annotated “As service meshes mature, their cost will go down”.]
Solve today’s problem, today
• Identify the problem
◦ Security? Visualization? Tracing? Advanced traffic control?
• Identify the solution with the minimum technology to solve the problem
◦ Vanilla Kubernetes with Ingress Controller
◦ Per-Service or per-Pod load balancer
◦ “Full-fat” Service Mesh
Owen Garrett, Faisal Memon
owen@nginx.com / faisal@nginx.com
Thank you
Editor's Notes

1. Per-Pod Proxy: traffic to the pod is terminated by NGINX. NGINX forwards traffic to other microservices in the Pod and applies policies to the traffic. Very common when the application does not handle HTTP or HTTPS well, e.g. php-fpm.
Candidate implementation: embed an NGINX instance in each pod and expose the NGINX port. A simple NGINX virtual server manages traffic and uses proxy_pass to the local app instance. Does not intercept egress traffic, from the pod to the outside.
Attributes: embeds an additional (lightweight, 2Mb) process in each pod. Very simple to configure and test; configuration is generated at pod build time. Manages traffic to the pod; can’t implement advanced load balancing, retries or blue-green; can’t process egress traffic. This solution is typically developed by the App team and is ‘invisible’ to operations.
2. In addition, advanced load balancing is done by the per-Service proxy.
3. Simple Mesh: not appropriate for a general application where you do not know the topology, as it’s too difficult to manage the NGINX configuration. Some NGINX users have created a sidecar proxy using the simple mesh approach; this requires manual configuration for the app. Provided as the “Fabric Model”.
Issues: tooling to deploy is complex; no control plane; no easy, automated update of credentials; no live management of policies or routing; usability is a challenge.