
Service Mesh: Two Big Words But Do You Need It?


Today, one of the big concepts buzzing in the app development world is service mesh. A service mesh is a configurable infrastructure layer for microservices applications that makes communication flexible, reliable and fast. Let’s take a step back, though, and answer this question: Do you need a service mesh?

Join this webinar to learn:

What a service mesh is; when and why you need it — or when and why you may not
App modernization journey and traffic management approaches for microservices-based apps
How to make an informed decision based on cost and complexity before adopting service mesh
Learn about NGINX Service Mesh in a live demo, and how it provides the best service mesh option for container-based L7 traffic management


  1. Service Mesh: Two Big Words But Do You Need It?
  2. About Speaker (© 2020 F5): Ravi Vagadia, Solutions Engineer, F5 (NGINX BU). 10 years working with distributed systems. Long-time NGINX user, joined the NGINX team early 2020. @ravirdv https://www.linkedin.com/in/ravi-vagadia/
  3. Agenda • Modern Application Overview • What is a Service Mesh? • What does a Service Mesh solve? • When do you need it?
  4. Modern Application Overview
  5. What We See in the Market (Kubernetes-centric perspective) • Kubernetes in production is growing rapidly: NGINX survey: about half of customers use Kubernetes in production; CNCF 2019 survey: 84% use containers in production • Kubernetes is becoming the platform for developing, testing and running applications: traditional CI/CD products are being retrofitted to run on Kubernetes; Kubernetes-native CI/CD tools are emerging for defining and running pipelines on Kubernetes using native Kubernetes constructs; portability makes this particularly attractive • Adoption of managed and commercial Kubernetes platforms: we see rapid adoption of OpenShift and Rancher in the private cloud space, and EKS and GKE adoption in public cloud
  6. Who Is Using Microservices in Production? 42% actively using microservices in production; 37% investigating or using in pre-production (NGINX User Survey 2018, 2019)
  7. Modern Apps Require a Modern Architecture. From Monolithic ... to Dynamic: three-tier, J2EE-style architectures → microservices; complex protocols (HTML, SOAP) → lightweight (REST, gRPC, GraphQL); persistent deployments → containers, VMs, functions; fixed, static infrastructure → Infrastructure as Code; big-bang releases → continuous delivery; silo’ed teams (Dev, Test, Ops) → DevOps culture
  8. Operating a distributed application is hard. Static, predictable monolith vs. dynamic, distributed app: fast, reliable function calls → slow, unreliable API calls; local debugging → distributed fault finding; local profiling → distributed tracing; calendared, big-bang upgrades → in-place dynamic updates; ‘integration hell’ contained in dev → ‘continuous integration’ live in prod. More things can go wrong, it’s harder to find the faults, and everything happens live.
  9. What’s In A Service Mesh!
  10. What Is A Service Mesh? (What’s missing in K8s, and what do you really want and need from a mesh?) “Service mesh aims to improve application traffic control, observability and security for distributed systems.” - The New Stack
  11. An Overly Simplified Picture: L3-L4 Networking + L7 Logic (Ingress); L3 – L7 Network Management == Service Mesh
  12. What Is A Service Mesh? • A service mesh adds L7 traffic management & security: sidecar deployment; policy management; application availability/health • Service mesh isn’t just one “thing”, it’s a lot of managed and dependent components • Takes over where K8s networking stops (service/pod IP endpoints) • “Traffic management for containers”
  13. What Does A Service Mesh Do? A service mesh controls communications between pods and external apps. • Secure Traffic: end-to-end encryption (Mutual TLS / mTLS), ACLs • Manage All Service Traffic: load balancing, circuit breaker, blue/green, rate limiting… • Orchestration: injection and sidecar management, K8s API integration • Measure Traffic: generate transaction traces and real-time monitoring
  14. What Is A Sidecar? A sidecar is a containerized service that another containerized service depends on for some function: “helper containers”. • Not just networking, can be used for any separation of process: API GW, logging, data mining, etc. In our world, a sidecar is a reverse proxy that sits beside an application service container (in the same pod) and provides all inbound and outbound network routing for that application container. [Diagram: App Pod]
  15. How Are Sidecars Deployed? Separate container in the app pod. • The separate container is attached to the app service container in a pod • Networking in the app container is altered via a policy from the mesh that tells the app “You can only talk to your sidecar for network access.” • Policy and architecture are defined and orchestrated via the control plane, managed with a combination of ConfigMap and control plane. • A service mesh takes care of auto-associating the sidecar with the app container in the same pod via sidecar injection. [Diagram: App Pod]
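As an added illustration of slides 14 and 15 (this is not a manifest from the presentation or from the NGINX Service Mesh project), here is the hand-written equivalent of what a pod looks like after a proxy sidecar has been injected next to the application container. Every name, image and port is a placeholder, and the init step shown is the traffic-redirection mechanism meshes commonly use, not a description of any particular product's injector; a real mesh writes the equivalent of this automatically, so you would not normally author it yourself.

```yaml
# Added example: hand-written equivalent of an injected sidecar pod.
# All names, images and ports below are placeholders (assumptions).
apiVersion: v1
kind: Pod
metadata:
  name: target-v1
  namespace: default
  labels:
    app: target
    version: v1
spec:
  # One identity per workload: a SPIFFE/SPIRE-based mesh (slide 24) issues
  # the sidecar's certificate for this service account, so the account is
  # what access policy later refers to, not the pod IP.
  serviceAccountName: target
  initContainers:
  # Placeholder for the step that forces the pod's traffic through the
  # proxy ("you can only talk to your sidecar"). Meshes commonly do this
  # with iptables rules, which is why this init step, and nothing else in
  # the pod, needs NET_ADMIN. Review this capability when auditing a mesh.
  - name: proxy-init
    image: example.invalid/mesh-proxy-init:latest   # placeholder image
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
  containers:
  # The application container keeps its normal port and has no idea a mesh
  # exists; it only ever sees plaintext traffic arriving from localhost.
  - name: app
    image: example.invalid/target:v1   # placeholder image
    ports:
    - containerPort: 8080
      name: http
  # The sidecar shares the pod's network namespace, so "localhost:8080" is
  # the app. It terminates inbound mTLS and originates outbound mTLS.
  - name: proxy-sidecar
    image: example.invalid/mesh-proxy:latest   # placeholder image
    ports:
    - containerPort: 15001   # placeholder proxy port
      name: proxy
    securityContext:
      # Least privilege for the long-running proxy: no root, no writable
      # root filesystem, no privilege escalation.
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      readOnlyRootFilesystem: true
```

A useful check once injection is enabled is `kubectl get pod target-v1 -o jsonpath='{.spec.containers[*].name}'`: if a pod in a meshed namespace lists only the app container, it is talking to its peers without the sidecar, i.e. without mTLS and without the policies the rest of this deck describes.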
  16. Use Cases – Securing Internal Traffic (mTLS). [Diagram] Traffic flow without service mesh: Pod A → Pod B. Traffic flow with service mesh: Pod A → NSM → Pod B.
  17. Use Cases – Control Traffic Flow. [Diagram: Target-svc splits traffic between Target-v1 and Target-v2 at 0% / 100%]
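An added example of the split sketched on slide 17, which also covers the canary, blue/green and weighted-distribution models listed on slide 32; it is not from the presentation or the NGINX Service Mesh project. It uses the SMI TrafficSplit resource because slide 33 describes NGINX Service Mesh as SMI-spec based; the API version and the assignment of 100% to Target-v1 and 0% to Target-v2 are assumptions, and the service names are taken from the slide.

```yaml
# Added example (not from the presentation): an SMI TrafficSplit that
# expresses the 0% / 100% split on slide 17.
# Assumption: the mesh serves split.smi-spec.io/v1alpha3; check the API
# versions supported by your release before applying.
apiVersion: split.smi-spec.io/v1alpha3
kind: TrafficSplit
metadata:
  name: target-svc
  namespace: default
spec:
  # The root service that clients call. Clients keep using "target-svc";
  # the caller's sidecar picks the backend according to the weights, so
  # no client code or DNS changes.
  service: target-svc
  backends:
  # Start of a canary: all traffic still goes to the current version.
  - service: target-v1
    weight: 100
  # The candidate receives 0% until you deliberately raise it, e.g.
  # 100/0 -> 90/10 -> 50/50 -> 0/100. Rolling back is the same edit in
  # reverse and needs no redeploy. Weights are relative integers, so
  # 100/0 and 1/0 mean the same thing.
  - service: target-v2
    weight: 0
```

Two things to verify after `kubectl apply`: that `target-v1` and `target-v2` are separate Services selecting the two versions (a TrafficSplit only redistributes traffic between Services that already exist), and, before raising the candidate's weight, that the mesh telemetry from slide 18 shows `target-v2` with an error rate no worse than `target-v1`; the split is only safe to move because the mesh lets you measure both sides.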
  18. Use Cases – Telemetry | Tracing. [Diagram: Pod A → Pod B → Pod C]
  19. Service Mesh Policies (© 2017 F5 Networks): the most important (and difficult) part. • Network Policy: service-to-service routing; service availability; service discovery • Access Policy: IP allow/deny; allow/deny; JWT • Security Policy: SSL/mTLS termination; DDoS; WAF
  20. NSM Service Mesh: the “Data Plane” service mesh
  21. What is the NGINX Service Mesh? [Diagram, built up over slides 21–27; slide 22 repeats slide 21] Layers: Infrastructure (Kubernetes, VMware, AWS, bare metal); Data Plane (east/west traffic between SVC instances); Control Plane; Management Plane. The Kubernetes service registry, a config DB and an inventory of VMware, AWS… feed the control plane.
  23. Adds the NGINX Service Mesh control plane, holding Topology and Policies, driven via CLI / API ($>_).
  24. Adds SPIRE for service identity.
  25. Adds Grafana and OpenTracing for observability.
  26. Adds NGINX Ingress and NGINX Egress on the data plane.
  27. Adds NGINX Controller (centralized management, service mesh connector, integrations) on the management plane.
  28. NSM Components • NSM runs within a K8s cluster • Securely manages ingress/egress traffic to external services • Can be deployed in any K8s cluster platform
  29. NSM Features
  30. Security • Zero-trust model • mTLS enforcement • Service identity • Access control CRDs • Access control via mTLS • Single source of truth for network (K8s) and identity (Spire) • Ingress mTLS • Egress opt-in allowlist
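An added example serving both the access-policy column on slide 19 and the "access control CRDs" and "access control via mTLS" items on slide 30; it is not from the presentation or the NGINX Service Mesh project. It uses the SMI access-control resources (HTTPRouteGroup plus TrafficTarget) to express "frontend may call target, GET on /api only". The API versions, namespace and all names are assumptions; the key point is that the policy is keyed on the workload's service account, which the mesh ties to its mTLS identity via SPIRE, rather than on pod IPs that change on every reschedule.

```yaml
# Added example (not from the presentation): SMI access-control objects
# for "frontend may call target, GET on /api only".
# Assumptions: access.smi-spec.io/v1alpha2 and specs.smi-spec.io/v1alpha3
# are the versions your mesh release serves; all names are placeholders.
---
apiVersion: specs.smi-spec.io/v1alpha3
kind: HTTPRouteGroup
metadata:
  name: target-read-routes
  namespace: default
spec:
  matches:
  # L7 scope of the grant: read-only API calls. Anything outside this
  # (POST, /admin, ...) is not granted by the TrafficTarget below.
  - name: read-api
    pathRegex: "/api/.*"
    methods:
    - GET
---
apiVersion: access.smi-spec.io/v1alpha2
kind: TrafficTarget
metadata:
  name: frontend-to-target
  namespace: default
spec:
  # Destination and sources are identities, not addresses: the caller's
  # sidecar presents the mTLS certificate SPIRE issued for its service
  # account, and the destination sidecar checks it against this list.
  destination:
    kind: ServiceAccount
    name: target
    namespace: default
  sources:
  - kind: ServiceAccount
    name: frontend
    namespace: default
  rules:
  - kind: HTTPRouteGroup
    name: target-read-routes
    matches:
    - read-api
```

Whether traffic that matches no TrafficTarget is denied depends on the mesh's access-control mode, so do not assume the zero-trust posture from slide 30 is in force just because this object exists: after applying it, send a request to `target` from a pod running under a service account that is not listed and confirm it is rejected, then send a POST from `frontend` and confirm the L7 rule also rejects it. Both checks belong in the CI/CD pipeline slide 36 asks for, so a policy regression is caught before it reaches production.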
  31. Integrated N/S Ingress/Egress • NGINX Plus for sidecars and KIC • Ingress traffic treated as S2S service traffic • Full integration with Spire identity and SSL key store • mTLS for ingress into NSM • Egress name service support
  32. Traffic Management • Full support for microservice traffic models: circuit breaker, blue/green, canary, weighted distribution • Rate shaping and QoS/priority queueing • Container-based load balancing • Dynamic service availability • SSL keepalive for performance
  33. Lightweight and Agile • Control plane designed to optimize the NGINX Plus data plane • Standards-based: SPIFFE, SMI spec • Single CLI for management of all mesh services • CI/CD pipeline-able for orchestrated deployment and policy management
  34. Demo!
  35. A reality check… • Service mesh technology addresses one specific set of problems • It’s not a magic bullet that makes all applications ‘better’ • There are many other, well-proven ways to address the same problems • Service mesh technology is very complex and ever-evolving • The cost of operating a mesh in production can be high, and there can be many risks
  36. When Am I Ready For A Service Mesh? ✓ You have a mature, fully-automated CI/CD pipeline (GitOps-enabled) ✓ You are fully invested in microservices and using Kubernetes ✓ You are deploying frequently to production (at least once per day) ✓ You have a zero-trust production environment (so need mTLS) ✓ You need/want additional visibility of container traffic interaction
  37. • Flexible traffic management • Secure internal communication • In-depth monitoring and distributed tracing • NGINX Service Mesh is available as a free download; check this link for more info: NGINX Service Mesh (Download NGINX Service Mesh)
  38. Questions?
