This document provides an overview of Consul and Consul Connect for service mesh. It begins with a brief history of applications moving from monoliths to microservices and the need for a service mesh. It then explains what Consul is, including its key features like service discovery, configuration, and segmentation. The document demonstrates Consul Connect through a live demo of a Sock Shop application deployed on Kubernetes with Consul and Ambassador. It concludes with additional best practices and resources for using Consul in production environments.

1. Copyright © 2019 HashiCorp
Demystifying Consul
and Consul Connect
Service Mesh Made Easy

2. Demystifying Consul and Consul Connect
Todd Radel
Technology Evangelist at HashiCorp

3. Agenda 1. What is service mesh? A brief history lesson
2. What is Consul and how does it work?
3. Live demo: building a working Kube cluster
with Consul, Ambassador, and demo app
4. Q&A

4. ∕
A Quick History Lesson:
From Monoliths to Microservices

5. The Dawn of Time (pre-2010)
In the beginning was the monolith

6. The Age of Enlightenment
Breaking up the Monolith

7. The Age of Enlightenment
Google Trends: Microservices
2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

8. The Age of Enlightenment?
Enterprise Services Buses

9. The Reformation
Service mesh is a lightweight infrastructure component designed to
answer these questions:
▪ Where are my services?
▪ Are they all healthy?
▪ How do I connect them securely?

10. The Renaissance
Google Trends: ESB, SOA, Service Mesh
2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
enterprise service bus
service oriented architecture
service mesh

11. The Smart Guys
Armon Dadgar
Mitchell Hashimoto
Co-Founders and Co-CTOs

12. Application Security
Monolithic architecture (pre-cloud)
Statically provisioned servers live in your
corporate datacenter, probably in a DMZ,
fronted by a firewall and a load balancer.
Security is based on IP address and port.

13. Application Security
Cloud microservices
Monoliths are decomposed into small units
of code (microservices), easier to deploy
and scale in the cloud (or multiple clouds).
But where do you put the security barrier?

14. Zero-Trust
Security
Encryption,
Authentication,
Authorization

15. Zero-Trust
Security
Use your favorite
proxy server

16. ∕
How does Consul work?

17. What is Consul?
Consul is a service mesh solution providing a full featured control plane
with service discovery, configuration, and segmentation functionality.

18. Huh?

19. What is Consul?
Consul is a service mesh solution
providing a full featured control plane with
service discovery,
configuration, and
segmentation functionality.

20. Features Service Registry
Keeps a real-time list of services, their location,
and their current health status.
Multi Datacenter
Supports multiple datacenters out of the box.
Automatic failover to other data centers.
DNS Interface
Enables service discovery using a built-in DNS
server.
Health Checks
Prevents routing requests to unhealthy hosts and
enables services to easily provide circuit breakers.
HTTP Interface
HTTP API to query the service registry for nodes,
services, and health check information. This allows
automation tools to react to services in real time.
Load Balancing
Provides dynamic east-west load balancing of
services and distributes traffic to healthy instances
only.

21. Consul
Architecture

22. Consul
Architecture
Gossip Protocol

23. Consul
Architecture
RPC and HTTP
Traffic with Raft
Consensus
Algorithm

24. Consul
Connect
Architecture
Declarative
security through
intentions

25. Consul
Connect
Architecture
Certificate-based
authentication

26. ∕
Demo Time!

27. Service Mesh Demos
Heat Clinic
Legacy monolithic e-commerce application with three tiers — database, app
server, web server — running on 6 cloud compute instances.
Sock Shop
Modern microservice e-commerce application deployed in a Kubernetes cluster
with Consul and Ambassador.

28. Consul
Service
Discovery/Configuration/Segmentation
Ambassador
North-South Gateway
(Ingress Controller)
Sock Shop
Microservices
Node.js, Python, Java
Kubernetes
Container Orchestration

29. Why do we need Ambassador?
Consul is designed to manage East-West traffic between services.
Ambassador is designed to manage North-South traffic.
▪ URL-based routing and rewriting
▪ Canary release/traffic shadowing/AB testing
▪ Session management

30. Consul Connect in Kubernetes
Injection of sidecar proxies
Adding the connect-inject annotation to a
pod will cause Consul to spin up a proxy
sidecar in the pod and register the service
with Consul.

31. Consul Connect in Kubernetes
Adapting your existing services
1. Add annotations.
2. Configure app to use localhost.
3. There is no step 3.
Replace
with”localhost”

32. Best Practice Anti-Pattern
Don’t hardcode service names in code!

33. Best Practice
Configure via environment variables

34. Building our
demo
1. Generate Gossip encryption key
2. Deploy Consul Helm chart
3. Deploy Ambassador
4. Deploy Sock Shop Helm chart
5. Declare intentions

35. ∕
Additional thoughts

36. Walk
Turn on Consul Connect and
secure traffic between
services.
Crawl
Deploy Consul, register some
services, start using it for
service discovery.
Run
Connect multiple datacenters,
incorporate both Kubernetes
and legacy environments, etc.
Crawl-Walk-Run Approach

37. Securing for
production
1. Gossip encryption
2. TLS for RPC between Consul nodes
3. TLS for HTTP
4. Bootstrap the ACL system
#1 and #4 are fully supported in Helm chart.
#2 and #3 will be added soon.

38. ∕
Questions?

39. Resources
and Useful
Links
▪ Heat Clinic Demo
https://github.com/tradel/cc-heat-clinic
▪ Sock Shop Demo
https://github.com/tradel/cc-kube-sockshop
▪ Live Sock Shop Tutorial
https://instruqt.com/hashicorp/tracks/sock-shop-tutorial
▪ Animated Raft Tutorial
http://thesecretlivesofdata.com/raft/

40. Thank You!
Todd Radel
Technology Evangelist at HashiCorp
twitter.com/tradel
github.com/tradel
todd@hashicorp.com