Download as PDF, PPTX
Uploaded byMatt Turner
What is a Service Mesh and what can it do for your Microservices
The document discusses the concept of a service mesh, its necessity in modern applications, and the benefits it provides in terms of service discovery, fault tolerance, and observability. It highlights various functionalities of service meshes like traffic management and security, while also addressing common counter-arguments and alternative solutions. Additionally, the document includes insights on the workings of Istio, a prominent service mesh framework, and details the lifecycle of packet processing within Istio's architecture.
More Related Content
Similar to What is a Service Mesh and what can it do for your Microservices
![[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-themodernstackbuildingwebaiapplicationswithserverless-251124030844-388cf04f-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...](https://cdn.slidesharecdn.com/ss_thumbnails/md-mobileengineerandsoftwareengineerarewestillrelevantsidiqpermana-251127010650-55224ef1-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-buildingaisystemsthatusersandcompanieslove-251124030845-038f7732-thumbnail.jpg?width=640&height=640&fit=bounds)
![[DevFest Strasbourg 2025] - NodeJs Can do that !!](https://cdn.slidesharecdn.com/ss_thumbnails/devfeststrasbourg2025-nodejscandothat-251127142731-da65b6fd-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-digitalaccessibilitywhydevelopersneedtoknowandcarein2025-251127011019-0674441d-thumbnail.jpg?width=640&height=640&fit=bounds)
What is a Service Mesh and what can it do for your Microservices
- 1. What is aService Mesh? DevOps Thames Valley, Reading UK | January 2020 @mt165 | mt165.co.uk
- 2. Part I: DoYou Need a Service Mesh?
- 3. Outline ● What arewe talking about this? ● How did we get here? ● What is a Service Mesh anyway? ● Demo! ● What can a Service Mesh do? ● Common counter-arguments ● So: Do you need a Service Mesh?
- 4.
- 5. Why are wetalking about this?
- 6. Business Value ● TopLine ● Bottom Line ● Time to Market & Speed of Iteration ● Risk Reduction
- 7.
- 8. Pod Pod Pod Break the Monolith NamespaceA Namespace B Namespace C Namespace A Namespace B Namespace C
- 9.
- 10. How did weget here?
- 17. Do you needa service mesh? @mt165 In-process libraries and frameworks
- 18.
- 19.
- 20. Must-have primitives ● ServiceDiscovery ● Fault Tolerance ○ Circuit breakers ○ Back pressure ● Observability ○ Logging ○ Metrics ○ Tracing
- 21. Do you needa service mesh? @mt165 Declarative Infrastructure
- 22. Do you needa service mesh? @mt165 And declarative infrastructure
- 23. Do you needa service mesh? @mt165 And declarative infrastructure
- 24. Assertion: A Service Meshis the best of both
- 25. Question: What isa Service Mesh?
- 26. They work byadding a proxy to every service
- 27. And a controlplane
- 28. “A service meshprovides a transparent and language-independent way to flexibly and easily automate application network functions” - Google (istio vendor)
- 29. “A service meshprovides a transparent and language-independent way to flexibly and easily automate application network functions”
- 30. “A service meshprovides a transparent and language-independent way to flexibly and easily automate application network functions”
- 31. “A service meshprovides a transparent and language-independent way to flexibly and easily automate application network functions”
- 32. “A service meshprovides a transparent and language-independent way to flexibly and easily automate application network functions”
- 33. “A service meshprovides a transparent and language-independent way to flexibly and easily automate application network functions” Host: users Host: users X-testing: true Host: users Pod.namespace: staging users-v1 users-v2 users-mock
- 34.
- 35. Pray to thedemo gods...
- 36. Pray to thedemo gods... The old...
- 37. Pray to thedemo gods... The old... ...and the new
- 38. Service Meshes can domuch more
- 39.
- 40.
- 41. Declarative Traffic Management Everyonegets reviews v1 Except Jason
- 42.
- 43.
- 44.
- 45.
- 46. But I havean Edge Proxy! ✅ Ingress proxy ✅ Sidecar model terminates security closer to the app
- 47. But I havean API Gateway! ✅ Rate limiting ✅ Access control ✅ JWT validation ❌ OIDC ❌ Bot blocking
- 48. But I havea CDN! Keep it
- 49. But I havea WAF! ✅ CORS header injection ❌ Injection attack prevention
- 50. But I havean APM system! ✅ Logs ✅ Metrics ✅ Tracing ✅ Multiple, arbitrary telemetry backends ❌ JVM, .Net CLR insight
- 51. But I havean ESB! ✅ Retries etc ✅ Flexible service discovery / late binding ✅ No client/server distinction; better than a middle proxy ❌ Broadcast / pubsub
- 52. So: Do youneed a Service Mesh?
- 53.
- 54. There are manyoptions
- 55. Istio has themost momentum
- 56. Istio has widebacking Google, IBM, Lyft, RedHat, Cisco, and more
- 57. Istio and Linkerdare (quite) easy to install WIll be managed soon Go home and try it!
- 58. Recap ● Why werewe talking about this? ● How did we get here? ● What is a Service Mesh anyway? ● Demo! ● What can a Service Mesh do? ● Common counter-arguments ● So: Do you need a Service Mesh?
- 59.
- 60. Part II: TheLife of a Packet Through Istio
- 61. Objectives Learn how apacket traverses an Istio/Envoy/Kubernetes system See what control plane calls are made in that process Build a useful mental model for reasoning about, and debugging Istio
- 62. Prerequisites Basic networking knowledge IntermediateKubernetes knowledge An understanding of what Istio is and does
- 63. Outline ● Networking andContainers ● Pilot and Routing ● Mixer and Policy ● Citadel and mTLS
- 64.
- 65.
- 66.
- 67.
- 68.
- 69.
- 70.
- 71.
- 72.
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79. Services $ kubectl getservice -o wide service-b NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR service-b ClusterIP 10.98.84.169 <none> 80/TCP 90s app=service-b
- 80. Service DNS exposure $dig service-b.default.svc.cluster.local. ;; ANSWER SECTION: service-b.default.svc.cluster.local. 5 IN A 10.98.84.169
- 81. Pods $ kubectl getpods -o wide | grep service-b service-b-644856485c-4rk88 1/1 Running 0 7m46s 10.32.0.4 kind-1-control-plane <none> service-b-644856485c-dc2zv 1/1 Running 0 7m46s 10.32.0.6 kind-1-control-plane <none> service-b-644856485c-gr75k 1/1 Running 0 7m46s 10.32.0.5 kind-1-control-plane <none>
- 82. Endpoints $ kubectl getendpoints service-b NAME ENDPOINTS AGE service-b 10.32.0.4:8080,10.32.0.5:8080,10.32.0.6:8080 8m55s
- 83. Endpoints $ kubectl getendpoints service-b -o yaml ... subsets: - addresses: - ip: 10.32.0.4 nodeName: kind-1-control-plane targetRef: kind: Pod … ports: - name: http port: 8080 protocol: TCP
- 84. Envoy SvcA Pilot Control Plane API ServiceA Config to Envoys
- 85. Envoy SvcA Pilot Control Plane API ServiceA Config to Envoys k8s consul zk Data plane API
- 86. Pilot ● Ingress Routing ●Traffic Mirroring ● Traffic Shifting ● Canary Deployments ● Circuit Breaking ● Fault Injection
- 87.
- 88. Envoy SvcA Pilot Control Plane API ServiceA Service B Config to Envoys
- 89. Envoy SvcA Envoy SvcB Pilot Mixer Control PlaneAPI Service A Service B Config to Envoys Policy checks, Telemetry
- 90. IP 5-tuple (src_addr, src_port,dst_addr, dst_port, proto)
- 91. IP Router Architecture Interrupt Kernelmodule User process DATA PLANE CONTROL PLANE OSPF ARPBGP STP Router Information Base Forwarding Information Base
- 92. IP Router Architecture DATAPLANE CONTROL PLANE OSPF ARPBGP STP PILOT MIXER ENVOYInterrupt Kernel module User process Router Information Base Forwarding Information Base
- 93. Envoy SvcA Envoy SvcB Pilot Mixer Control Plane API ServiceA Service B Config to Envoys prom ES REPORT CHECK RBAC Rate limit Mixer fat client Mixer fat client
- 94. Mixer ● Check ○ ACLs/ Authorization ○ Rate Limiting ● Report ○ Logs ○ Metrics ○ Tracing
- 95. Envoy SvcA Envoy SvcB Pilot Mixer Control PlaneAPI Service A Service B Config to Envoys Policy checks, Telemetry
- 96. Envoy SvcA Envoy SvcB Pilot Mixer Citadel ControlPlane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry
- 97. Envoy SvcA Envoy SvcB Pilot Mixer Citadel ControlPlane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry
- 98. Envoy SvcA Envoy SvcB Pilot Mixer Citadel ControlPlane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry Envoy Envoy Envoy Envoy Envoy Envoy Envoy Envoy Ingress Egress
- 99. Envoy SvcA Envoy SvcB Pilot Mixer Citadel ControlPlane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry API Serveretcd kubectl
- 100. Envoy SvcA Envoy SvcB Pilot Mixer Citadel ControlPlane API Service A Service B Config to Envoys TLS certs to Envoys Policy checks, Telemetry Galleyetcd kubectl
- 101. Outline ● Context andIntroduction ● Networking and Containers ● Pilot and Routing ● Mixer and Policy ● Citadel and mTLS
- 102. Recap We learned: ● Howa packet traverses an Istio/Envoy/Kubernetes system ● What control plane calls are made in that process ● A useful mental model for reasoning about, and debugging Istio
- 103.