The document discusses the implementation and adoption of service meshes in microservices and cloud environments, highlighting the challenges and considerations organizations face. It emphasizes the importance of traffic control, observability, and security in these architectures, as well as offering a phased approach to adoption using the Envoy proxy and Gloo gateway. Additionally, it includes recommendations for gradually decentralizing application architecture to enhance flexibility and scalability.

1. 1 | Copyright © 2019
Service mesh in the “real world”
@christianposta

2. 2 | Copyright © 2019 @christianposta
CHRISTIAN POSTA
• Field CTO @ Solo.io
• Author of a few books
• Contributor to many open-source projects
• Architect, blogger, speaker, mentor, leader
@christianposta
christian@solo.io
https://blog.christianposta.com
https://slideshare.net/ceposta

3. 3 | Copyright © 2019 @christianposta
WROTE THE FIRST BOOK ON ISTIO…

4. 4 | Copyright © 2019 @christianposta
WRITING ISTIO BOOK FOR MANNING
https://bit.ly/istio-in-action
http://bit.ly/ATO-2019
Raffle for free copy!

5. 5 | Copyright © 2019 @christianposta
• Augment, complement, replace existing API infrastructure
• Support a microservices, cloud environment
• Need better traffic control and observability
• As little disruption as possible, target multiple compute
• Improve security posture
Context of organizations we work with

6. 6 | Copyright © 2019
THE PROBLEM
HOW DO YOU
OBSERVE?
HOW DO YOU
MANAGE APIS?
HOW CAN ENFORCE
SECURITY?
MONOLITH MICROSERVICES

7. 7 | Copyright © 2019 @christianposta
• Traffic control
• Traffic routing
• Secure communications
• Application-level network observability
• Policy enforcement
Solving challenges between services within the organization

8. 8 | Copyright © 2019
LARGE, CENTRALIZED, LOW-TRUST, SHARED ENVIRONMENTS

9. 9 | Copyright © 2019
CENTRALIZED VS DECENTRALIZED WITHOUT GAPS

10. 10 | Copyright © 201910 | Copyright © 2019
Challenges of adopting a service mesh

11. 11 | Copyright © 2019 @christianposta
• Do you have a mix of application languages or frameworks?
• Large deployment of microservices on cloud infrastructure?
• Struggling to implement application interaction observability?
• Have you mastered your existing infrastructure stack?
Do you need a service mesh?

12. 12 | Copyright © 2019 @christianposta
• Which one to choose?
• Who's going to support it?
• Multi-tenancy issues within a single cluster?
• No good way to manage multiple clusters?
• Fitting with existing services (sidecar lifecycle, race conditions, etc)
• What's the delineation between developers and operations?
• Non container environments / hybrid env?
• Centralization vs decentralization
Challenges of adoption

13. 13 | Copyright © 201913 | Copyright © 2019
How to get there?

14. 14 | Copyright © 2019 @christianposta

15. 15 | Copyright © 2019 @christianposta
• Start at the edge
• Start with one proxy, grow to more
• Pick a subset of traffic applications
• Get demonstrable value from it
• Data plane matters
• Pick something that lets you iteratively adopt service mesh
Start with a gateway approach

16. 16 | Copyright © 2019 @christianposta
“Edge” concerns, North-South vs East-West

17. 17 | Copyright © 2019 @christianposta
“Edge” concerns, North-South vs East-West
Capability Service Mesh Edge
Traffic Control ✔ ✔
Traffic Routing ✔ ✔
TLS/mTLS ✔ ✔
Network Observability ✔ ✔
Policy Enforcement ✔ ✔

18. 18 | Copyright © 2019 @christianposta
“Edge” concerns, North-South vs East-West
Capability Service Mesh Edge
OAuth/OIDC ✘ ✔
Web Application Firewall ✘ ✔
Message transformation ✘ ✔
Request/response caching ✘ ✔
Domain-specific rate limit ✘ ✔
HMAC, request path security ✘ ✔
Understand API surface,
intended decoupling ✘ ✔

19. 19 | Copyright © 201919 | Copyright © 2019
Envoy proxy as a gateway

20. 20 | Copyright © 2019 @christianposta
Meet Envoy Proxy
http://envoyproxy.io

21. 21 | Copyright © 2019 @christianposta
Envoy Proxy implements:
• zone aware, least request load balancing
• circuit breaking
• outlier detection
• retries, retry policies
• timeout (including budgets)
• traffic shadowing
• rate limiting
• access logging, statistics collection
• Many other features!

22. 22 | Copyright © 2019 @christianposta

23. 23 | Copyright © 2019 @christianposta
• Supports workloads across
namespaces
• Integrates with platform
loadbalancers
• Support TLS/HTTPS
• Works with Istio mTLS
ISTIO INGRESS GATEWAY

24. 24 | Copyright © 2019 @christianposta

25. 25 | Copyright © 2019 @christianposta
Edge Gateway built on Envoy
https://github.com/solo-io/gloo

26. 26 | Copyright © 2019 @christianposta
What is Gloo?
● Enterprise Envoy Proxy
● API-level routing, decoupling
● Complements any service mesh
● Traffic control, canary releases
● OAuth flows
● TLS termination, passthrough, mTLS
● Rate limiting, Caching
● Request/Response transformation
● Kubernetes CRDs (when deployed to Kubernetes)
https://gloo.solo.io

27. 27 | Copyright © 2019 @christianposta
Edge Gateway built on Envoy

28. 28 | Copyright © 2019 @christianposta
Gloo companion project: Sqoop
Query
Monolith Microservice
s
Cloud Functions
Result
https://sqoop.solo.io

29. 29 | Copyright © 2019 @christianposta
Gloo adds these to Istio!
Capability Service Mesh Edge
OAuth/OIDC ✘ ✔
Web Application Firewall ✘ ✔
Message transformation ✘ ✔
Request/response caching ✘ ✔
Domain-specific rate limit ✘ ✔
HMAC, request path security ✘ ✔
Understand API surface,
intended decoupling ✘ ✔

30. 30 | Copyright © 2019 @christianposta
Demo!

31. 31 | Copyright © 201931 | Copyright © 2019
Gateway adoption patterns
(waypoint architecture) on the journey
to service mesh

32. 32 | Copyright © 2019 @christianposta
Start with single proxy

33. 33 | Copyright © 2019 @christianposta
Start with single proxy

34. 34 | Copyright © 2019 @christianposta
Bring in decoupling points (multi-tier gateway)

35. 35 | Copyright © 2019 @christianposta
Gateway per product/domain/bounded context

36. 36 | Copyright © 2019 @christianposta
Push gateways down as you grow,
avoid death star architecture!

37. 37 | Copyright © 2019 @christianposta
Push gateways down as you grow,
avoid death star architecture!

38. 38 | Copyright © 2019 @christianposta
Push gateways down as you grow,
avoid death star architecture!

39. 39 | Copyright © 2019 @christianposta
• Crawl, walk, run approach
• Leverage shared gateways, path for decentralization
• Envoy/Gloo proven open-source projects, successful adoption
• Reduce risk, target multi-platform compute, move at your own
pace
Final thoughts

40. 40 | Copyright © 2019 @christianposta
Check out Solo.io!

41. 41 | Copyright © 2019 @christianposta
Sneak peak, https://servicemeshhub.io

42. 42 | Copyright © 2019 @christianposta
WRITING ISTIO BOOK FOR MANNING
https://bit.ly/istio-in-action
http://bit.ly/ATO-2019
Raffle for free copy!

43. 43 | Copyright © 2019 @christianposta
CHRISTIAN POSTA
@christianposta
christian@solo.io
https://blog.christianposta.com
https://slideshare.net/ceposta

44. 44 | Copyright © 201944 | Copyright © 2019
@soloio_inc