Modern application architectures are embracing public clouds, microservices, and container schedulers like Kubernetes and Nomad. These bring complex service-to-service communication patterns, increased scale, dynamic IP addresses, ephemeral infrastructure, and higher failure rates. These changes require a new approach for service discovery, configuration, and segmentation. Service discovery enables services to find and communicate with each other. Service configuration allows us to dynamically configure applications at runtime. Service segmentations lets us secure our microservices architectures by limiting access. In this talk, we cover these challenges and how to solve them with Consul providing as a service mesh.

1. Service Mesh for Microservices

2. Armon Dadgar
Founder and CTO
@armon

3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
Nomad Consul
Vault
Vagrant Packer Terraform
Consul Enterprise
Terraform Enterprise
Vault Enterprise
PRODUCT SUITEOSS TOOL SUITE
RUN
Applications
SECURE
Application Infrastructure
PROVISION
Infrastructure
FOR INDIVIDUALS FOR TEAMS
Nomad Enterprise

4. Service Mesh for Microservices

5. A B
C D
Monolith

6. Monolith
A B
C D

7. Monolith
A B
C D
Static IP

8. Monolith
LB
A B
C D
Static IP

9. Zone FirewallDMZ Firewall
Monolith
A B
C D
Static IP
LB

10. What Changed?

11. A B
C D
Monolith

12. Microservices
A B
C D

13. Microservices
A B
C D
?

14. BB
Microservices
A B
C D
?

15. Microservices
BBA B
C D
LB

16. Operating in the Cloud + Containers
Dynamic IP Addresses
Higher Failure Rate
Ephemeral Infrastructure
Complex Network Topology

17. Service Discovery

18. Service Registry
Register
BBA B

19. Service Registry
Discover
BBA B

20. Service Registry
Connect
BBA B

21. Service Registry
Connect
BBAttacker B

22. Service Segmentation

23. Defining Segmentation
Splitting network into sub-networks
Restricting communication between sub-networks
Virtual LAN, Firewalls, Software Defined Networks
Coarse Grained, Many Services
Segment
A
Segment
B
Network

24. Zone FirewallDMZ Firewall
Monolith
A B
C D
Static IP
LB

25. Microservices
A B
C D

27. A -> B
C -> D
D -> C
A B
C D

28. B -> DA -> C
A B
C D

30. Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity

31. Consul Usage
Launched in 2014
12K+ GitHub Stars
1M+ Downloads monthly
Customers running 50,000+ agents

32. Public Users

33. Service Discovery
Registry of Nodes, Services, Checks
DNS API
HTTP API
Web UI

34. T E R M I N A L
$ dig redis.service.consul
; <<>> DiG 9.8.3-P1 <<>> redis.service.consul
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
9046
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY:
0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;redis.service.consul.IN A
;; ANSWER SECTION:
redis.service.consul. 0 IN A 10.1.10.38

35. T E R M I N A L
$ curl http://localhost:8500/v1/catalog/service/redis
[
{
"ID": "52f73400-a352-80d2-9624-e70cc9996762",
"Node": "consul-client-2",
"Address": "10.0.1.83",
"Datacenter": "dc1",
"ServiceName": "redis",
"ServiceTags": [
"global",
"cache"
],
"ServiceAddress": "10.0.1.83",
"ServicePort": 24815,
"ModifyIndex": 31,
…

37. Service Configuration
Hierarchical Key/Value Store
HTTP API
Long-polling / Edge trigger
Locking

38. T E R M I N A L
$ consul kv put service/web/enable_foo true
Put successfully!
$ consul kv get service/web/enable_foo
true

40. Consul Connect

41. Consul Connect
Service Access Graph
Certificate Distribution
Application Integration

42. Service Access Graph
Intentions to Allow/Deny Communication
Source and Destination Service
Scale Independent
Managed with CLI, API, UI, Terraform

43. T E R M I N A L
$ consul intention create -deny web '*'
Created: web => * (deny)
$ consul intention create -allow web db
Created: web => db (allow)

45. Certificate Distribution
Transport Layer Security (TLS)
Service Identity
Encryption of all traffic

46. Certificate Generation
Automatic Generation & Rotation
ServerClient
Certificate
Signing Request
Generate
Key Pair
Sign Certificate

47. Certificate Format
X.509 Certificate
SPIFFE Compatible

48. Certificate Authority Rotation
Root
Intermediary
Leaf

49. Certificate Authority Rotation
Root
Intermediary
Leaf
Root
Intermediary
Leaf

50. Certificate Authority Rotation
Root
Intermediary
Leaf
Root
Intermediary Intermediary
Leaf Leaf

51. Application Integration
Consul Client for Service Graph and Certificates
Sidecar Proxies
Native Integrations

52. Sidecar Proxy Integration
No Code Modification
Minimal Performance Overhead
Operational Flexibility

53. Sidecar Proxies
ClientProxy
App
Configure
Connect
ProxyClient
App
Configure
Connect

54. Pluggable Proxies
Client
App
Configure
Connect
Client
App
Configure
Connect

55. {
"service": "web",
"connect": {
"proxy": {
"config": {
"upstreams": [{
"destination_name": "redis",
"local_bind_port": 1234
}]
}
}
}
}
C O D E E D I T O R

56. ProxyClient
App
Configure
Connect localhost:1234
Connect to
upstream redis

57. T E R M I N A L
$ consul connect proxy
-service web
-upstream postgresql:8181
$ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
>

58. Native Integration
Standard TLS
Negligible Performance Overhead
Requires Code Modification

59. // Create a Consul API client
client, _ := api.NewClient(api.DefaultConfig())
// Create an instance representing this service.
svc, _ := connect.NewService("my-service", client)
defer svc.Close()
// Creating an HTTP server that serves via Connect
server := &http.Server{
Addr: ":8080",
TLSConfig: svc.ServerTLSConfig(),
// ... other standard fields
}
// Serve!
server.ListenAndServeTLS("", "")
C O D E E D I T O R

60. Consul Connect
Service Access Graph. Intentions allow or deny communication of
logical services.
Certificate Distribution. Standard TLS certificates with SPIFFE
compatibility.
Application Integration. Native integrations or side car proxies.

61. Consul Architecture

62. Deployment
Single Binary
Server and Client Agents
3-5 Servers per Datacenter
Multi-Datacenter Support

63. Consul Servers
Replicated State, Automatic Failover
Service Registry
Service Access Graph
Key/Value Store
Multi-DC Forwarding
Leader
FollowerFollower
Replication

64. Consul Clients
Expose HTTP and DNS API
Transparently Forward
Register and Monitor Services
Cache Service Graph
Server(s)
Client

65. Cluster Awareness
Lightweight Gossip (Serf)
Cluster Membership
Failure Detection Gossip
Server
Client Client

66. Cluster Membership
Join Requires Any Peer
Server Discovery
Protocol Versioning New Server
Server
Client Client
Server

67. Failure Detection
Leaving vs Failing
Automatic Reaping
No Heart beating Failed Client
Server
Client Client

68. Leader
Client
Follower
Replication
RPC
RPCGossip
Datacenter

69. Leader
Client
Follower
Replication
RPC
RPCGossip
Datacenter
Leader
Client
Follower
Replication
RPC
RPCGossip
Datacenter
RPC
Gossip

70. Control Plane vs. Data Plane
Consul as Control Plane
Pluggable Proxies as Data Plane
Configure
Communicate
Control
Data Data

71. Data Path
ClientProxy
App
Configure
Connect
ProxyClient
App
Configure
Connect

72. Consul with Containers
Consul Agent per Host
DaemonSet with Kubernetes
Proxy per Container / Pod

73. Consul Architecture
Batteries Included
Highly Available & Scalable
Pluggable Data Plane

74. Conclusion

75. Common Challenges
Infrastructure is means to an ends
Microservices Architecture
Operational Challenges

76. Patchwork Solutions
Re-invent the wheel
Long Term Maintenance
Minimum Viable vs Maximum Utility

77. Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity