The service mesh is an infrastructure component that helps manage services running within our clusters. Without any changes to service or application code, solutions like Istio and Linkerd provide features to manage container deployments at scale. With Istio we get traffic management, security, rate limiting, monitoring, and many more things out of the box. We will discuss these solutions and some of their features at a high level, then roll in some specific demonstrations of using a service mesh to route and shift service traffic, easily manage deployments and test our services with micro benchmarks and fault injection.

1. Istio Mesh
Jesse Butler Cloud Native Advocate, Oracle Cloud Infrastructure
Mofizur Rahman Developer Advocate, IBM
Managing Container
Deployments at Scale

2. About Us
Jesse Butler
• Oracle via Sun Microsystems
• Responsible for Docker on Solaris,
later on Oracle Linux
• Some work with Open Containers and
CNCF WGs
• Now a Cloud Native Advocate @
Oracle Cloud
@jlb13
2
Mofizur Rahman (Mofi)
• Developer Advocate @IBM
• Works on container and cloud native
technologies
• Favorite programming language is
golang.
@moficodes

3. Bookinfo
3

5. Monolithic Applications
5
Users
Application
Database

6. Monolithic Applications
6
Users
Application
Database

7. Microservices
• Microservices are the de facto
standard for cloud native software
• Microservices allow development
teams to deploy portable and scalable
applications
8

8. Microservices
9
Users
Cart Orders
Database
Cluster
Reports

9. Architecture
10

10. Source Code
11
https://github.com/istio/istio/tree/master/samples/bookinfo/src

12. Microservices
• Microservices can put a significant
burden on Ops and DevOps teams
13

14. DevOps, Mother of Invention
15
• Microservices
• CI / CD
• Cloud Adoption
• Containers

15. Docker
• Docker changed the way we build and
ship software
• Application and host are decoupled,
making application services portable
• Containers are an implementation
detail, but a critical one
16

16. Containerizing an APP
17

17. Dockerfile
18
FROM ruby:2.3-slim
COPY details.rb /opt/microservices/
ARG service_version
ENV SERVICE_VERSION ${service_version:-v1}
ARG enable_external_book_service
ENV ENABLE_EXTERNAL_BOOK_SERVICE ${enable_external_book_service:-false}
EXPOSE 9080
WORKDIR /opt/microservices
CMD ruby details.rb 9080

18. 19

20. Docker Is a Start
But, once we abstract the host away by
using containers, we no longer have our
hands on an organized platform.
21

21. Who you Gonna call?
22

22. 23

23. Kubernetes
Kubernetes provides abstractions for
deploying software in containers at scale
24

24. Kubernetes as a Platform
• Infrastructure resource abstraction
• Cluster software where one or more
masters control worker nodes
• Scheduler deploys work to the nodes
• Work is deployed in groups of containers
25

25. Kubernetize our App
26
apiVersion:v1
kind:Service
metadata:
name:details
labels:
app:details
service:details
spec:
ports:
-port:9080
name:http
selector:
app:details
apiVersion:extensions/v1beta1
kind:Deployment
metadata:
name:details-v1
labels:
app:details
version:v1
spec:
replicas:1
template:
metadata:
labels:
app:details
version:v1
spec:
containers:
- name:details
image:istio/examples-bookinfo-details-v1:1.10.1
imagePullPolicy:IfNotPresent
ports:
- containerPort:9080

26. Migration from the Old World…
27
Users
Application
Database

27. …to Cloud Native Kubernetes Hotness
• Microservices running in orchestrated
containers
• Everybody's happy
• What happens now?
28
Load
balancer
Service Service
Database
Service
Queue

28. …to Cloud Native Kubernetes Hotness
• Microservices running in orchestrated
containers
• Everybody's happy
• What happens now?
29
Load
balancer
Service
Service
Service Service
Service
Database
Service
Queue

30. 31

31. Day Two
32

32. 33

33. Table Stakes for Services at Cloud
Scale
• We require a method to simply and repeatably deploy software,
and simply and recoverably modify deployments
• We require telemetry, observability, and diagnosability for our
software if we hope to run at cloud scale
34

34. Day 2 Solutions
• Ingress and Traffic Management
35
• Metrics and Analytics
• Tracing and Observability
• Identity and Security

35. Abstract Requirements
• Traffic Management
36
• Policy
• Security
• Observability

36. Hard Things are Hard
37

37. These are Hard Problems™, and
some software may address one of
them well.
Service mesh addresses them all.
38

38. What Is a Service Mesh?
• Infrastructure layer for controlling and
monitoring service-to-service traffic
• A data plane deployed alongside
application services, and a control
plane used to manage the mesh
39

39. Service Mesh
• Provides DevOps teams a stable and
extensible platform to monitor and
maintain deployed services
• For the most part, invisible to
development teams
40

40. Service Mesh
• This is not a new solution which solves all the
world’s problems, but a different way to apply
existing solutions
• Enables integration of existing (as well as future)
best-in-class solutions for All The Things
41

41. Let’s Talk About Istio
Istio a service mesh that allows us to connect,
secure, control and observe services at scale,
often requiring no service code modification
42

42. Istio Components
• Envoy
• Sidecar proxy
• Pilot
• Propagates rules to
sidecars
43
• Mixer
– Enforces access control,
collects telemetry data
• Citadel
– Service-to-service and
end-user AuthN and AuthZ

43. Istio Features
• Traffic Management
• Fine-grained control with rich routing rules, retries,
failovers, and fault injection
• Observability
• Automatic metrics, logs, and traces for all traffic within a
cluster, including cluster ingress and egress
44

44. Istio Features
• Security
• Strong identity-based AuthN and AuthZ layer, secure by
default for ingress, egress and service-to-service traffic
• Policy
• Extensible policy engine supporting access controls, rate
limits and quotas
45

46. Sidecar Proxy
47

47. Sidecar Proxy
48

50. Envoy
High performance proxy which
mediates inbound and outbound
traffic.
51
• Dynamic service discovery
• Load balancing
• TLS termination
• HTTP/2 and gRPC proxies
• Circuit breakers
• Health checks
• Split traffic
• Fault injection
• Rich metrics

51. Istio Architecture
52

52. Istio Architecture
53

53. Istio Architecture
54

54. Istio Architecture
55

55. Traffic Management
• Integrated Ingress and Egress
• Error handling, retries, circuit breaking
• Application knowledge can be leveraged
for intelligent routing
• Fault injection for end-to-end testing
56

56. DEMO

57. Telemetry
• Istio’s Mixer is stateless and does not manage
any persistent storage of its own
• Capable of accumulating a large amount of
transient ephemeral state
• Designed to be a highly reliable, goal is >
99.999% uptime for any individual instance
• Many adapters available: Prometheus, Cloud
providers, Datadog, Solarwinds…
58

58. Performance and Scalability
• Code level micro-benchmarks
• Synthetic end-to-end benchmarks across various
scenarios
• Realistic complex app end-to-end benchmarks
across various settings
• Automation to ensure performance doesn’t
regress
59

59. Security
• Traffic encryption to defend against the man-
in-the-middle attacks
• Mutual TLS and fine-grained access policies
to provide flexible access control
• Auditing tools to monitor all of it
60

60. So are you sold on Istio yet?
61

61. Istio is not the end game.
62

62. Thanks!