1 | Copyright © 2019
API Gateways are going through an
identity crisis
@christianposta
2 | Copyright © 2019 @christianposta
CHRISTIAN POSTA
• Field CTO @ Solo.io
• Author of a few books
• Contributor to many open-source projects
• Architect, blogger, speaker, mentor, leader
@christianposta
christian@solo.io
https://blog.christianposta.com
https://slideshare.net/ceposta
3 | Copyright © 2019 @christianposta
WROTE THE FIRST BOOK ON ISTIO…
4 | Copyright © 2019 @christianposta
WRITING ISTIO BOOK FOR MANNING
https://bit.ly/istio-in-action
5 | Copyright © 2019
Identity Crisis
6 | Copyright © 2019 @christianposta
INSPIRED BY A BLOG…
http://bit.ly/gateway-identity-crisis
8 | Copyright © 2019 @christianposta
• API Management solutions
• Kubernetes/cluster ingress
• Service Mesh proxies, gateways
• Application-built gateways
Identity crisis?
9 | Copyright © 2019 @christianposta
“I am just going to
use service mesh,
doesn’t that make
gateways obsolete?”
IDENTITY CRISIS?
10 | Copyright © 2019
Alternative talk title:
Role of edge gateways in relation to service
mesh adoption
11 | Copyright © 2019 @christianposta
• Problem statement, challenges, tradeoffs
• Useful patterns to set context
• Envoy proxy as the foundation
• Architecture patterns to consider
• Demo
• Wrap up
What to expect from rest of this talk:
12 | Copyright © 2019 @christianposta
• Augment, complement, replace existing API infrastructure
• Support a microservices, cloud environment
• Need better traffic control and observability
• As little disruption as possible, target multiple compute
• Improve security posture
Goals we see
13 | Copyright © 2019
THE PROBLEM
HOW DO YOU OBSERVE?
HOW DO YOU MANAGE APIS?
HOW CAN YOU ENFORCE SECURITY?
MONOLITH MICROSERVICES
14 | Copyright © 2019 @christianposta
• Traffic control
• Traffic routing
• Secure communications
• Application-level network observability
• Policy enforcement
Solving challenges between services within the organization
15 | Copyright © 2019
LARGE, CENTRALIZED, LOW-TRUST, SHARED ENVIRONMENTS
16 | Copyright © 2019
CENTRALIZED VS DECENTRALIZED
17 | Copyright © 2019
CENTRALIZED VS DECENTRALIZED WITHOUT GAPS
18 | Copyright © 2019
How to get there?
19 | Copyright © 2019 @christianposta
20 | Copyright © 2019 @christianposta
• Start with one proxy, grow to more
• Pick a subset of traffic applications
• Get demonstrable value from it
• Data plane matters
• Leverage high-value patterns for application traffic
Start with a gateway approach
21 | Copyright © 2019
Three important gateway patterns
22 | Copyright © 2019 @christianposta
“Edge” concerns, North-South vs East-West
23 | Copyright © 2019 @christianposta
“Edge” concerns, North-South vs East-West
Capability               Service Mesh   Edge
Traffic Control          ✔              ✔
Traffic Routing          ✔              ✔
TLS/mTLS                 ✔              ✔
Network Observability    ✔              ✔
Policy Enforcement       ✔              ✔
24 | Copyright © 2019 @christianposta
“Edge” concerns, North-South vs East-West
Capability                                     Service Mesh   Edge
OAuth/OIDC                                     ✘              ✔
Web Application Firewall                       ✘              ✔
Message transformation                         ✘              ✔
Request/response caching                       ✘              ✔
Domain-specific rate limit                     ✘              ✔
HMAC, request path security                    ✘              ✔
Understand API surface, intended decoupling    ✘              ✔
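The "HMAC, request path security" row above names an edge-only concern that the deck does not spell out. The following is an added example (not from the slides and not Envoy or Gloo code) of what such a check looks like on the gateway: the client signs the HTTP method, path, a timestamp and a hash of the body with a shared secret, and the gateway rejects anything outside a replay window, anything with a tampered body, and any attempt to reuse a signature against a different path. The header names, the secret and the 300-second window are illustrative assumptions.

```python
"""HMAC request signing as an edge-gateway concern.

Added example (not from the slides, not Envoy or Gloo code). It binds the HTTP
method, path, body hash and a timestamp into one MAC so a captured signature
cannot be replayed later or reused against a different route. Header names and
the shared secret are illustrative assumptions.
"""
import hashlib
import hmac

# Hypothetical secret shared between the client and the gateway (constructed).
SHARED_SECRET = b"example-shared-secret-rotate-me"
MAX_SKEW_SECONDS = 300  # replay window: reject timestamps older or newer than this


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Build the string that is signed. The body is hashed so the signed
    material stays fixed-size; the path is included so a signature for
    /public cannot be replayed against /admin."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(method: str, path: str, body: bytes, timestamp: int,
                 secret: bytes = SHARED_SECRET) -> dict:
    """Client side: return the headers to attach to the request."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}


def verify_request(method: str, path: str, body: bytes, headers: dict, now: int,
                   secret: bytes = SHARED_SECRET) -> tuple:
    """Gateway side: return (accepted, reason). Checks the replay window
    before recomputing the MAC and compares in constant time."""
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    presented = headers.get("X-Signature", "")
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


def demo() -> dict:
    """Exercise the happy path and the failure modes on constructed input."""
    t = 1_700_000_000
    body = b'{"order": 42}'
    headers = sign_request("POST", "/orders", body, t)
    return {
        "valid": verify_request("POST", "/orders", body, headers, now=t + 5),
        "wrong_path": verify_request("POST", "/admin", body, headers, now=t + 5),
        "tampered_body": verify_request("POST", "/orders", b'{"order": 43}', headers, now=t + 5),
        "replayed": verify_request("POST", "/orders", body, headers, now=t + 3600),
        "no_headers": verify_request("POST", "/orders", body, {}, now=t),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14s} accepted={ok} ({reason})")
```

A timestamp window alone still allows replay inside the window; a production gateway would additionally keep a short-lived nonce cache keyed on the signature, which is omitted here to keep the example stand-alone.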
25 | Copyright © 2019 @christianposta
API Gateway Pattern
“A service that’s the entry point into the microservices-
based application … is responsible for request routing,
API composition, protocol translation …
and edge functions like authentication,
authorization, rate limiting, caching, et al.”
See also:
https://microservices.io/patterns/apigateway.html
https://www.manning.com/books/microservices-patterns
26 | Copyright © 2019 @christianposta
API Gateway Pattern: what it does
• Tailored API for different kinds of clients
• Abstracts backend services, protocols, message shapes, etc
• Powerful matching/routing, discovery, transformation,
aggregation, protocol translation
• Backends for front-ends
• A developer-first construct
• Intended to be decentralized and change at the pace of your
applications
• Network-level functions including rate-limiting,
authentication/authorization, caching, metrics collection
27 | Copyright © 2019 @christianposta
Mediator pattern
http://en.wikipedia.org/wiki/Design_Patterns
Credit: https://springframework.guru/gang-of-four-design-patterns/mediator-pattern/
28 | Copyright © 2019 @christianposta
29 | Copyright © 2019 @christianposta
30 | Copyright © 2019 @christianposta
31 | Copyright © 2019 @christianposta
32 | Copyright © 2019
Envoy proxy as a gateway
33 | Copyright © 2019 @christianposta
Meet Envoy Proxy
http://envoyproxy.io
34 | Copyright © 2019 @christianposta
Envoy Proxy implements:
• zone-aware, least-request load balancing
• circuit breaking
• outlier detection
• retries, retry policies
• timeout (including budgets)
• traffic shadowing
• rate limiting
• access logging, statistics collection
• Many other features!
35 | Copyright © 2019 @christianposta
36 | Copyright © 2019 @christianposta
37 | Copyright © 2019 @christianposta
Edge Gateway built on Envoy
https://github.com/solo-io/gloo
38 | Copyright © 2019 @christianposta
What is Gloo?
● Enterprise Envoy Proxy
● API-level routing, decoupling
● Complements any service mesh
● Traffic control, canary releases
● OAuth flows
● TLS termination, passthrough, mTLS
● Rate limiting, Caching
● Request/Response transformation
● Kubernetes CRDs (when deployed to Kubernetes)
https://gloo.solo.io
39 | Copyright © 2019 @christianposta
Edge Gateway built on Envoy
40 | Copyright © 2019 @christianposta
Gloo companion project: Sqoop
Query → Monolith / Microservices / Cloud Functions → Result
https://sqoop.solo.io
41 | Copyright © 2019 @christianposta
Demo!
42 | Copyright © 2019
Gateway adoption patterns
(waypoint architecture) on the journey
to service mesh
43 | Copyright © 2019 @christianposta
Start with single proxy
44 | Copyright © 2019 @christianposta
Bring in decoupling points (multi-tier gateway)
45 | Copyright © 2019 @christianposta
Gateway per product/domain/bounded context
46 | Copyright © 2019 @christianposta
Push gateways down as you grow,
avoid death star architecture!
47 | Copyright © 2019 @christianposta
Push gateways down as you grow,
avoid death star architecture!
48 | Copyright © 2019 @christianposta
• Crawl, walk, run approach
• Leverage shared gateways, path for decentralization
• Envoy/Gloo proven open-source projects, successful adoption
• Reduce risk, target multi-platform compute, move at your own
pace
Final thoughts
49 | Copyright © 2019 @christianposta
Check out Solo.io!
50 | Copyright © 2019 @christianposta
Sneak peek, https://servicemeshhub.io
51 | Copyright © 2019 @christianposta
CHRISTIAN POSTA
@christianposta
christian@solo.io
https://blog.christianposta.com
https://slideshare.net/ceposta
52 | Copyright © 2019
@soloio_inc