This document discusses using a service mesh like Istio to manage microservices. It describes how Istio uses the Envoy proxy deployed as a sidecar to each microservice pod to provide capabilities like discovery, load balancing, resiliency, metrics and tracing across the network of microservices. These capabilities help govern microservice behavior at runtime, enforce policies, and improve observability of traffic between microservices. The document also outlines some use cases for a service mesh like traffic shaping, fault injection for testing resilience, and improved security and visibility across the distributed application.

1. Lets make a mesh of all the things
Dustin Humphries
App Dev and MW Solutions Architect
dhumphri@redhat.com
07/19/2018

2. INSERT DESIGNATOR, IF NEEDED
SERVICE CATALOG
(LANGUAGE RUNTIMES, MIDDLEWARE, DATABASES, …)
SELF-SERVICE
APPLICATION LIFECYCLE MANAGEMENT
(CI / CD)
BUILD AUTOMATION DEPLOYMENT AUTOMATION
CONTAINER CONTAINERCONTAINER CONTAINER CONTAINER
NETWORKING SECURITYSTORAGE REGISTRY
LOGS &
METRICS
CONTAINER ORCHESTRATION & CLUSTER MANAGEMENT
(KUBERNETES)
RED HAT ENTERPRISE LINUX
CONTAINER RUNTIME & PACKAGING
(DOCKER)
ATOMIC HOST
INFRASTRUCTURE AUTOMATION & COCKPIT
OpenShift Container Platform - Stack
Build, Deploy and Manage Containerized Apps
Build RUNTIME
SERVICE CATALOG
(LANGUAGE RUNTIMES, MIDDLEWARE, DATABASES, …)
SELF-SERVICE
APPLICATION LIFECYCLE MANAGEMENT
(CI / CD)
BUILD AUTOMATION DEPLOYMENT AUTOMATION
CONTAINER CONTAINERCONTAINER CONTAINER CONTAINER
NETWORKING SECURITYSTORAGE REGISTRY
LOGS &
METRICS
CONTAINER ORCHESTRATION & CLUSTER MANAGEMENT
(KUBERNETES)
ATOMIC HOST /
RED HAT ENTERPRISE LINUX
OCI CONTAINER RUNTIME & PACKAGING
INFRASTRUCTURE AUTOMATION & COCKPIT

3. INSERT DESIGNATOR, IF NEEDED3
OPENSHIFT ARCHITECTURE
EXISTING
AUTOMATION
TOOLSETS
SCM
(GIT)
CI/CD
SERVICE LAYER
ROUTING LAYER
PERSISTEN
T
STORAGE
REGISTRY
RHEL
NODE
c
RHEL
NODE
RHEL
NODE
RHEL
NODE
RHEL
NODE
RHEL
NODE
C
C
C C
C
C
C CC C
RED HAT
ENTERPRISE LINUX
MASTER
API/AUTHENTICATION
DATA STORE
SCHEDULER
HEALTH/SCALING
PHYSICAL VIRTUAL PRIVATE PUBLIC HYBRID

4. INSERT DESIGNATOR, IF NEEDED4
DISTRIBUTED SERVICES
ARCHITECTURES
Benefits (when implemented correctly):
● Performance
● Reliability
● Resiliency
● Extensibility
● Availability
● Robustness

5. INSERT DESIGNATOR, IF NEEDED5
DISTRIBUTED SERVICES
ARCHITECTURES
Fallacies of Distributed Computing
● The network is reliable.
● Latency is zero.
● Bandwidth is infinite.
● The network is secure.
● Topology doesn't change.
● There is one administrator.
● Transport cost is zero.
● The network is homogeneous.
wikipedia.org/wiki/Fallacies_of_distributed_computing

6. INSERT DESIGNATOR, IF NEEDED6
DISTRIBUTED SERVICES
ARCHITECTURES
Applications must deal with
● Unpredictable failure modes
● End-to-end application correctness
● System degradation
● Topology changes
● Elastic/ephemeral/transient resources
A
E
B C
F G
D
H
I
Client

7. INSERT DESIGNATOR, IF NEEDED7
MICROSERVICES == DISTRIBUTED
COMPUTING

8. INSERT DESIGNATOR, IF NEEDED8
Example
ACME Laptop 128GB SSD,
8GB RAM
$323.56
Touchscreen
128GB SSD
8GB RAM
Core i3
Windows 10
Add to Cart
In-Store Pickup (15 available)
Raleigh, Central Ave, Store #1123
Recommendations
Pricing Engine
Reviews
Details/Specifications
Location-based availability
People who purchased also...

9. INSERT DESIGNATOR, IF NEEDED9
Chaining

10. INSERT DESIGNATOR, IF NEEDED10
Chaining (Fail)
X

11. INSERT DESIGNATOR, IF NEEDED11
Chaining (Cascading Fail)
XXXX
X

12. Opportunity – A/B on Service Chains
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
50%
50%
Service
Pod
Container
JVM
Service B
v1/v2
Pod
Container
JVM
Service C
v1/v2
?
?

13. Opportunity – Fault Injection
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
Service
Pod
Container
JVM
Service B
v1
Intentionally introduce a 7
second delay to see how
customer is impacted
Much needed testing scenario!

14. Opportunity – Fault Injection
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
Service
Pod
Container
JVM
Service B
v1
Throttling traffic as Service B
is constrained in capacity
Rate Limiting
Circuit Breaker

15. Opportunity – Granular Security Management
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
Service
Pod
Container
JVM
Service B
v1
TLS between microservices
Enforce Authn/z in comms
Centralized certs mgmt

16. Opportunity – Testing in Production
Pod
Container
JVM
Service A
v1
Pod
Container
JVM
Service A
v2
Service
Route/
Ingress
Service
Pod
Container
JVM
Service B
v1
Pod
Container
JVM
Service B
v2
When the request is from
Tester Jason, route it to
Service B version 2

17. Opportunity – Logical flow
Too many microservices,
what is my transaction flow?

18. Opportunity – Latency and Tracing
Too many microservices,
where is my latency? How do
I troubleshoot?

19. Opportunity – Microservices Metrics
How many http 4xx/5xx errors?
Transaction Counts?
Bottlenecks?
Custom Dashboards?

20. Monolith
MyApp
@burrsutter

21. Microservices
@burrsutter

22. Microservices
@burrsutter

23. Microservices
@burrsutter

24. Microservices
@burrsutter

25. Microservices
@burrsutter

26. Microservices
@burrsutter

27. Network of Services
@burrsutter

28. OS
JVM
Service C
Microservices == Distributed Computing
@burrsutter
OS
JVM
Service B
OS
JVM
Service A

29. Microservices embedding Capabilities
@burrsutter
Container
JVM
Service B
Discovery
Load-balancer
Resiliency
Metrics
Tracing
Container
JVM
Service A
Discovery
Load-balancer
Resiliency
Metrics
Tracing
Container
JVM
Service C
Discovery
Load-balancer
Resiliency
Metrics
Tracing

30. MyService
Monitoring
Tracing
API
Discovery
Invocation
Resilience
Pipeline
Authentication
Logging Elasticity
Microservices'ilities
@burrsutter

31. @burrsutter

32. MyService
Monitoring
Tracing
API
Discovery
Invocation
Resilience
Pipeline
Authentication
Logging Elasticity
Microservices'ilities + Kubernetes
@burrsutter

33. MyService
Monitoring
Tracing
API
Discovery
Invocation
Resilience
Pipeline
Authentication
Logging Elasticity
Microservices'ilities + OpenShift
@burrsutter

34. Istio - Sail
(Kubernetes - Helmsman or ship’s pilot)
@burrsutter

35. A service mesh is a dedicated infrastructure layer for handling service-to-
service communication. It’s responsible for the reliable delivery of requests
through the complex topology of services that comprise a modern, cloud
native application. In practice, the service mesh is typically implemented as
an array of lightweight network proxies that are deployed alongside
application code, without the application needing to be aware
https://buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/
Service Mesh Defined

36. MyService
Monitoring
Tracing
API
Discovery
Invocation
Resilience
Pipeline
Authentication
Logging Elasticity
Microservices'ilities + Istio
@burrsutter

37. Microservices embedding Capabilities
@burrsutter
Container
JVM
Service B
Discovery
Load-balancer
Resiliency
Metrics
Tracing
Container
JVM
Service A
Discovery
Load-balancer
Resiliency
Metrics
Tracing
Container
JVM
Service C
Discovery
Load-balancer
Resiliency
Metrics
Tracing
Before Istio

38. Microservices externalizing Capabilities
@burrsutter
Pod
Container
JVM
Service A
Sidecar Container
Pod
Container
JVM
Service C
Sidecar Container
Pod
Container
JVM
Service B
Sidecar Container
After Istio

39. Kubernetes, Istio, Envoy
@burrsutter
Pod
Container
JVM
Service A
Sidecar Container
Pod
Container
JVM
Service C
Sidecar Container
Pod
Container
JVM
Service B
Sidecar Container

40. • Kubernetes for control plane, management of microservices
• Scaling
• OpenShift for making day-2 ops easy
• Builds/deployments
• Software Defined Storage and Networking
• Logging and Metrics
• Service Mesh for Run-time Governance, Policy Enforcement and Traffic shaping
• Use cases listed in a separate page
Service Mesh

41. Use cases- Service Mesh
• Policy Enforcement, Run-time Governance
• Intelligent Routing and Load-Balancing
• Request routing amongst multiple service versions
• A/B testing: Request routing based on user or other http headers
• Traffic Shifting: Smarter Canary Releases
• Chaos: Fault Injection/Delays – Are we resilient, or getting timeouts/errors
• Resilience: Circuit Breakers
• Cluster max connections, max/pending requests, max retries etc
• Rate limiting
• Observability/Ops Visibility
• Metrics and Tracing
• Transaction flow through microservices
• Latency
• Security

42. Pod
Container
JVM
Service A
Envoy Side-car
Pod
Container
JVM
Service B
Envoy Side-car
Pod
Container
JVM
Service C
Envoy Side-car
HTTP1.1, HTTP2,
gRPC, TCP w/TLS
HTTP1.1, HTTP2,
gRPC, TCP w/TLS
HTTP1.1, HTTP2,
gRPC, TCP w/TLS
Istio Pilot Istio Mixer Istio Auth
istioctl, API, config Quota, Telemetry
Rate Limiting, ACL
CA, SPIFFE
@burrsutter
Istio Control Plane

43. LAB: DETECTING AND PREVENTING
ISSUES IN DISTRIBUTED APPS WITH
ISTIO

44. GOAL FOR LAB
In this lab you will learn:
● How to install Istio onto OpenShift Container Platform
● How to deploy apps with sidecar proxies
● How to generate and visualize deep metrics for apps
● How to alter routing dynamically
● How to inject faults for testing
● How to do rate limiting
● How Istio implements circuit breaking and distributed tracing

45. Lab

46. Lab

47. WRAP-UP AND DISCUSSION

48. RESULT OF LAB
In this lab you learned:
● How to install Istio onto OpenShift Container Platform
● How to deploy apps with sidecar proxies
● How to generate and visualize deep metrics for apps
● How to alter routing dynamically
● How to inject faults for testing
● How to do rate limiting
● How Istio implements circuit breaking and distributed tracing
● Use cases for service mesh

49. THANK YOU
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews