Service Mesh: Two Big Words But Do You Need It?
©2020 F5
About Speaker
- 10 years working with distributed systems.
- Long time NGINX user, joined NGINX team early 2020
Ravi Vagadia - Solutions Engineer, F5 (NGINX BU)
@ravirdv
https://www.linkedin.com/in/ravi-vagadia/
Agenda
• Modern Application Overview
• What is a Service Mesh?
• What does a Service Mesh solve?
• When do you need it?
What we see in the market (Kubernetes-centric perspective)
Kubernetes is becoming the platform for developing, testing and running applications
• Traditional CI/CD products are being retrofitted to run on Kubernetes
• Emergence of Kubernetes-native CI/CD tools for defining and running pipelines on Kubernetes using native Kubernetes constructs
• Portability makes this particularly attractive
Kubernetes in production is growing rapidly
• NGINX survey: about half of customers use Kubernetes in production
• CNCF 2019 survey: 84% use containers in production
Adoption of managed and commercial Kubernetes platforms
• We see rapid adoption of OpenShift and Rancher in the private cloud space
• EKS and GKE adoption in public cloud
Modern Apps Require a Modern Architecture
From Monolithic ... to Dynamic:
• Three-tier, J2EE-style architectures → Microservices
• Complex protocols (HTML, SOAP) → Lightweight (REST, gRPC, GraphQL)
• Persistent deployments → Containers, VMs, Functions
• Fixed, static infrastructure → Infrastructure as Code
• Big-bang releases → Continuous delivery
• Silo'ed teams (Dev, Test, Ops) → DevOps culture
Operating a distributed application is hard
Static, predictable monolith vs. dynamic, distributed app:
• Fast, reliable function calls → Slow, unreliable API calls
• Local debugging → Distributed fault finding
• Local profiling → Distributed tracing
• Calendared, big-bang upgrades → In-place dynamic updates
• 'Integration hell' contained in dev → 'Continuous integration' live in prod
More things can go wrong, it's harder to find the faults, and everything happens live
WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH?
What Is A Service Mesh?
"Service mesh aims to improve application traffic control, observability and security for distributed systems." - The New Stack
An Overly Simplified Picture
[Diagram: L7 logic (ingress) layered over L3-L4 networking; L3 – L7 network management == service mesh]
What Is A Service Mesh?
• A service mesh adds L7 traffic management & security:
• sidecar deployment
• policy management
• application availability/health
• Service mesh isn't just one "thing", it's a lot of managed and dependent components
• Takes over where K8s networking stops (service/pod IP endpoints)
• "Traffic management for containers"
What Does A Service Mesh Do?
Service mesh controls communications between pods and external apps
Secure Traffic: end-to-end encryption (mutual TLS / mTLS), ACLs
Manage All Service Traffic: load balancing, circuit breaker, blue/green, rate limiting…
Orchestration: injection and sidecar management, K8s API integration
Measure Traffic: generate transaction traces and real-time monitoring
What Is A Sidecar?
A sidecar is a containerized service that another containerized service depends on for some function: a "helper container".
• Not just networking; the pattern can be used for any separation of process: API gateway, logging, data mining, etc.
In our world, a sidecar is a reverse proxy that sits beside an application service container (in the same pod) and provides all inbound and outbound network routing for that application container.
[Diagram: App Pod with the app container and its sidecar]
How Are Sidecars Deployed?
Separate Container In The App Pod
• The separate container is attached to the app service container in a pod
• Networking in the app container is altered via a policy from the mesh that tells the app "You can only talk to your sidecar for network access."
• Policy and architecture are defined and orchestrated via the control plane, managed with a combination of ConfigMap and control plane.
• A service mesh takes care of auto-associating the sidecar with the app container in the same pod via sidecar injection
[Diagram: App Pod]
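The injection step the bullets above describe, modelled as an added example (it is not code from the slides or from NGINX Service Mesh): a function that rewrites a pod spec the way a mesh's mutating admission webhook would, adding an init container that redirects the pod's traffic to the proxy and the proxy container itself. The opt-in annotation key, container names, images and port number are hypothetical placeholders; the point to take from it is the privilege split (NET_ADMIN only on the short-lived init step, a locked-down long-running proxy) and that injection must be opt-in and idempotent.

```python
"""Simplified model of sidecar injection, the step a mesh's mutating admission
webhook performs when a pod is created: the pod spec is rewritten so that a
proxy container runs beside the app container in the same pod.  Hypothetical
example code, not the NGINX Service Mesh implementation; the annotation key,
image names and port number below are placeholders."""
import copy

INJECT_ANNOTATION = "example-mesh/inject"                 # placeholder opt-in key
SIDECAR_NAME = "mesh-sidecar"                              # placeholder container name
SIDECAR_IMAGE = "registry.example.invalid/mesh-proxy:0.0"  # placeholder image
INIT_NAME = "mesh-init"                                    # placeholder container name
INIT_IMAGE = "registry.example.invalid/mesh-init:0.0"      # placeholder image
PROXY_PORT = 15001                                         # placeholder proxy port


def should_inject(pod, namespace_annotations=None):
    """Injection is opt-in.  A pod-level annotation overrides the namespace-level
    one; with neither present nothing is injected."""
    namespace_annotations = namespace_annotations or {}
    pod_annotations = pod.get("metadata", {}).get("annotations", {})
    value = pod_annotations.get(INJECT_ANNOTATION,
                                namespace_annotations.get(INJECT_ANNOTATION, "false"))
    return str(value).lower() == "true"


def has_sidecar(pod):
    """True if the proxy container is already present (webhooks can be invoked
    more than once for the same object, so injection must be idempotent)."""
    return any(c.get("name") == SIDECAR_NAME
               for c in pod.get("spec", {}).get("containers", []))


def inject_sidecar(pod, namespace_annotations=None):
    """Return a copy of the pod spec with the init and sidecar containers added,
    or the original pod untouched when it is not opted in or already injected."""
    if not should_inject(pod, namespace_annotations) or has_sidecar(pod):
        return pod
    injected = copy.deepcopy(pod)
    spec = injected.setdefault("spec", {})

    # Init container: runs once before the app and installs the traffic-redirect
    # rules that make the app "only talk to its sidecar".  Rewriting the pod's
    # network rules needs NET_ADMIN, so that capability is granted to this
    # short-lived step only and not to the long-running proxy.
    spec.setdefault("initContainers", []).append({
        "name": INIT_NAME,
        "image": INIT_IMAGE,
        "args": ["--proxy-port", str(PROXY_PORT)],
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    })

    # Sidecar container: the reverse proxy.  It shares the pod's network
    # namespace with the app container, so it needs no extra privileges.
    spec.setdefault("containers", []).append({
        "name": SIDECAR_NAME,
        "image": SIDECAR_IMAGE,
        "ports": [{"containerPort": PROXY_PORT}],
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    })
    return injected


def sample_app_pod(opt_in=True):
    """Constructed input: a minimal pod with one app container."""
    pod = {"apiVersion": "v1", "kind": "Pod",
           "metadata": {"name": "app", "annotations": {}},
           "spec": {"containers": [{"name": "app", "image": "app:placeholder"}]}}
    if opt_in:
        pod["metadata"]["annotations"][INJECT_ANNOTATION] = "true"
    return pod
```

Run `inject_sidecar(sample_app_pod())` to see the rewritten spec; passing the result through `inject_sidecar` a second time returns it unchanged, and a pod without the annotation (and no namespace-level opt-in) is left exactly as submitted.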
Use Cases – Securing Internal Traffic (mTLS)
[Diagram: traffic flow between Pod A and Pod B without a service mesh, and the same flow with NSM in the path]
Use Cases – Control Traffic Flow
[Diagram: Target-svc splitting traffic between Target-v1 and Target-v2 with weights 0% and 100%]
Service Mesh Policies
Network Policy
• Service to service routing
• Service availability
• Service discovery
Access Policy
• IP allow/deny
• Allow/Deny
• JWT
Security Policy
• SSL/mTLS termination
• DDoS
• WAF
THE MOST IMPORTANT (AND DIFFICULT) PART
What is the NGINX Service Mesh?
[Architecture diagram, built up over several slides; the layers it shows, bottom to top:]
• Infrastructure: Kubernetes, VMware, AWS, Bare Metal
• Data plane: the services (SVC … SVC) and the East/West traffic between them, with NGINX Ingress and NGINX Egress at the edge
• Control plane: NGINX Service Mesh control plane holding Topology and Policies, with SPIRE, Grafana and OpenTracing, driven through a CLI / API ($>_)
• Management plane: NGINX Controller for centralized management, with Service Mesh connector integrations
• Backing stores shown alongside: Conf DB, Kubernetes Service Registry, Inventory (VMware, AWS…)
NSM Components
• NSM runs within a K8s cluster
• Securely manages ingress/egress traffic to external services
• Can be deployed on any K8s cluster platform
Security
• Zero-trust model
• mTLS enforcement
• Service identity
• Access control CRDs
• Access control via mTLS
• Single source of truth for network (K8s) and identity (SPIRE)
• Ingress mTLS
• Egress opt-in allowlist
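What "access control via mTLS" with a service identity comes down to at the sidecar, as an added example (not NGINX Service Mesh code and not its CRD format): after the mTLS handshake the peer's identity is the SPIFFE ID carried in its certificate's URI SAN, and a request is allowed only if an explicit rule names that caller for that destination, method and path, with everything else denied; egress is the same opt-in allowlist idea applied to outbound hosts. The trust domain, service names and the policy structure are constructed for illustration.

```python
"""Zero-trust access control as a sidecar evaluates it after mTLS: the caller is
identified by the SPIFFE ID in its certificate's URI SAN, and a request is
allowed only if an explicit rule names that caller for that destination,
method and path (default deny).  Egress is likewise an opt-in allowlist.
Added example, not NGINX Service Mesh code; the policy structure, trust
domain and service names are constructed for illustration."""
import re
from dataclasses import dataclass

# Workload SPIFFE ID shape used by Kubernetes-based SPIRE deployments.
SPIFFE_ID = re.compile(r"^spiffe://(?P<td>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")


@dataclass(frozen=True)
class Identity:
    trust_domain: str
    namespace: str
    service_account: str


def parse_spiffe_id(uri):
    """Turn a URI SAN value into an Identity, rejecting anything that is not a
    well-formed workload ID (a SAN the peer controls is never trusted as-is)."""
    match = SPIFFE_ID.match(uri)
    if not match:
        raise ValueError(f"not a workload SPIFFE ID: {uri!r}")
    return Identity(match["td"], match["ns"], match["sa"])


@dataclass(frozen=True)
class Rule:
    source: Identity        # who may call
    methods: frozenset      # which HTTP methods
    path_regex: str         # must match the whole request path


class AccessPolicy:
    def __init__(self, trust_domain, rules_by_destination, egress_allowlist):
        self.trust_domain = trust_domain
        self.rules = rules_by_destination          # Identity -> [Rule, ...]
        self.egress_allowlist = frozenset(egress_allowlist)

    def authorize(self, peer_spiffe_id, destination, method, path):
        """Return (allowed, reason) for an inbound request at `destination`."""
        try:
            caller = parse_spiffe_id(peer_spiffe_id)
        except ValueError as exc:
            return False, str(exc)
        if caller.trust_domain != self.trust_domain:
            return False, "peer certificate is from a foreign trust domain"
        for rule in self.rules.get(destination, ()):
            if (rule.source == caller and method in rule.methods
                    and re.fullmatch(rule.path_regex, path)):
                return True, f"allowed by rule for {rule.source.service_account}"
        return False, "no rule permits this request (default deny)"

    def allow_egress(self, host):
        """Outbound calls leave the mesh only to hosts that were opted in."""
        return host in self.egress_allowlist


FRONTEND = Identity("example.org", "shop", "frontend")   # constructed identities
CART = Identity("example.org", "shop", "cart")
ADMIN = Identity("example.org", "shop", "admin")


def sample_policy():
    """Constructed policy: the frontend may read carts, admin may do anything
    with them, nothing else is allowed; egress only to the payment API."""
    return AccessPolicy(
        trust_domain="example.org",
        rules_by_destination={
            CART: [Rule(FRONTEND, frozenset({"GET", "HEAD"}), r"/cart/[^/]+"),
                   Rule(ADMIN, frozenset({"GET", "POST", "DELETE"}), r"/.*")],
        },
        egress_allowlist=["api.payments.example"],
    )
```

Call `sample_policy().authorize(peer_id, CART, "GET", "/cart/42")` with different peer IDs to see the three ways a request fails closed: an unparseable identity, a certificate from another trust domain, and a well-formed caller with no matching rule. The path check uses `fullmatch`, so `/cart/42/items` is not covered by a rule written for `/cart/[^/]+`.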
Integrated N/S Ingress/Egress
• NGINX Plus for sidecars and KIC
• Ingress traffic treated as S2S service traffic
• Full integration with SPIRE identity and SSL key store
• mTLS for ingress into NSM
• Egress name service support
Traffic Management
• Full support for microservice traffic models
− Circuit Breaker
− Blue/Green
− Canary
− Weighted distribution
• Rate shaping and QoS/priority queueing
• Container-based load balancing
• Dynamic service availability
• SSL keepalive for performance
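Two of the traffic models listed above, the weighted distribution behind canary and blue/green releases (the 0%/100% split from the Control Traffic Flow use case) and the circuit breaker, modelled together in plain Python as an added example; it is not NGINX Service Mesh code, and the backend names, weights, thresholds and timings are constructed. The router combines the two the way a sidecar does per request: split by weight among the backends whose circuit is not open, send, and feed the result back into the breaker.

```python
"""Two data-plane controls from the slides modelled in plain Python: a weighted
traffic split between service versions (canary, blue/green, or a 0%/100%
split) and a circuit breaker that stops sending requests to a backend that
keeps failing.  Added example, not NGINX Service Mesh code; backend names,
weights and thresholds are constructed."""
import random


class WeightedSplit:
    """Choose a backend in proportion to its weight.  Weights need not sum to
    100; a weight of 0 keeps a version deployed but receiving no traffic."""

    def __init__(self, weights, rng=None):
        if not weights or any(w < 0 for w in weights.values()) or sum(weights.values()) == 0:
            raise ValueError("weights must be non-negative and not all zero")
        self.weights = dict(weights)
        self.rng = rng or random.Random()

    def pick(self, eligible=None):
        """Pick among `eligible` backends (default: all); None if none can take traffic."""
        names = [n for n in self.weights if eligible is None or n in eligible]
        weights = [self.weights[n] for n in names]
        if sum(weights) == 0:
            return None
        return self.rng.choices(names, weights=weights, k=1)[0]


class CircuitBreaker:
    """closed -> open after `failure_threshold` consecutive failures; open ->
    half-open once `recovery_seconds` have passed, letting a trial request
    through; a success closes the circuit again, a failure reopens it."""
    CLOSED, OPEN, HALF_OPEN = "closed", "open", "half-open"

    def __init__(self, failure_threshold, recovery_seconds, clock):
        self.failure_threshold = failure_threshold
        self.recovery_seconds = recovery_seconds
        self.clock = clock              # injectable so the behaviour is testable
        self.state = self.CLOSED
        self.failures = 0
        self.opened_at = None

    def available(self):
        if self.state == self.OPEN and self.clock() - self.opened_at >= self.recovery_seconds:
            self.state = self.HALF_OPEN
        return self.state != self.OPEN

    def on_result(self, ok):
        if ok:
            self.state, self.failures = self.CLOSED, 0
            return
        self.failures += 1
        if self.state == self.HALF_OPEN or self.failures >= self.failure_threshold:
            self.state, self.opened_at = self.OPEN, self.clock()


class Router:
    """What the sidecar does per request: split by weight among the backends
    whose circuit is not open, send, and feed the outcome back to the breaker."""

    def __init__(self, split, breakers):
        self.split = split
        self.breakers = breakers        # backend name -> CircuitBreaker

    def route(self, send):
        eligible = {n for n, cb in self.breakers.items() if cb.available()}
        backend = self.split.pick(eligible)
        if backend is None:
            return None, False          # every circuit open: fail fast, do not pile on
        ok = send(backend)
        self.breakers[backend].on_result(ok)
        return backend, ok


def simulate(weights, failing, requests, seed=7, threshold=3, recovery=30):
    """Constructed scenario: route `requests` calls where backends in `failing`
    always fail, 0.1 s apart.  Returns per-backend counts and final breaker states."""
    clock = [0.0]
    split = WeightedSplit(weights, rng=random.Random(seed))
    breakers = {n: CircuitBreaker(threshold, recovery, lambda: clock[0]) for n in weights}
    router = Router(split, breakers)
    counts = {n: 0 for n in weights}
    for _ in range(requests):
        backend, _ok = router.route(lambda b: b not in failing)
        if backend is not None:
            counts[backend] += 1
        clock[0] += 0.1
    return counts, {n: cb.state for n, cb in breakers.items()}
```

`simulate({"v1": 90, "v2": 10}, failing=set(), requests=1000)` shows the canary share settling near 10%, `simulate({"v1": 0, "v2": 100}, ...)` sends everything to v2, and `simulate({"v1": 50, "v2": 50}, failing={"v2"}, requests=200)` shows v2 receiving exactly three requests before its circuit opens and the remaining traffic going to v1 alone.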
Lightweight and Agile
• Control plane designed to optimize the NGINX Plus data plane
• Standards-based: SPIFFE, SMI spec
• Single CLI for management of all mesh services
• Can be driven from a CI/CD pipeline for orchestrated deployment and policy management
A reality check…
Service mesh technology addresses one specific set of problems
It's not a magic bullet that makes all applications 'better'
There are many other, well-proven ways to address the same problems
Service mesh technology is very complex and ever-evolving
The cost of operating a mesh in production can be high, and there can be many risks
When Am I Ready For A Service Mesh?
✓ You have a mature, fully-automated CI/CD pipeline (GitOps-enabled)
✓ You are fully invested in microservices and using Kubernetes
✓ You are deploying frequently to production (at least once per day)
✓ You have a zero-trust production environment (so need mTLS)
✓ You need/want additional visibility of container traffic interaction
• Flexible traffic management
• Secure internal communication
• In-depth monitoring and distributed tracing
• NGINX Service Mesh is available as a free download; see the link "NGINX Service Mesh" for more information
Download NGINX Service Mesh