Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
©2020 F5
NGINX Service Mesh: Agenda
• What is a Service Mesh?
• What does a Service Mesh solve?
• NGINX Service Mesh Architecture
• Demo Time!
• Q&A
An Overly Simplified Picture: L7 logic (ingress) layered on L3-L4 networking; L3 – L7 network management == Service Mesh
WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH?
What Is A Service Mesh?
Service mesh aims to improve application
traffic control, observability and security for
distributed systems.
- The New Stack
• A service mesh adds L7 traffic management & security:
− sidecar deployment
− policy management
− application availability/health
• Service mesh isn’t just one “thing”, it’s a lot of managed and dependent components
• Takes over where K8s networking stops (service/pod IP endpoints)
• “Traffic management for containers”
What Does A Service Mesh Do?
Service Mesh controls communications between pods and external apps
Secure Traffic
End-to-end encryption (Mutual TLS / mTLS), ACLs
Manage All Service Traffic
Load Balance, Circuit breaker, B|G, Rate Limiting…
Orchestration
Injection and sidecar management, K8s API integration
Measure Traffic
Generate transaction traces and real-time monitoring
What Is A Sidecar?
A Sidecar is a containerized service that another containerized service depends on for some function: “Helper Containers”
• Not just networking, can be used for any separation of process: API GW, logging, data mining, etc.
In our world, a Sidecar would be a reverse proxy that sits beside an application service container (in the same pod) and provides all inbound and outbound network routing to that application container
How Are Sidecars Deployed?
Separate Container In The App Pod
• The separate container is attached to the app service container in a pod
• Networking in the app container is altered via a policy from the mesh that tells the app “You can only talk to your sidecar for network access.”
• Policy and architecture are defined and orchestrated via the control plane, managed with a combo of ConfigMap and control plane.
• A Service Mesh takes care of auto-associating the sidecar with the app container in the same pod via Sidecar Injection
What Does A Service Mesh Actually Do?
• Proxy (Data Plane)
• Orchestration (Control Plane)
• Policy Management (Management Plane)
• Policy Enforcement (Data Plane)
• Monitoring (Data + Control Planes)
…[sidecar] proxies cache the state of the mesh but aren’t regarded as the
source of truth for the state of the mesh.
- Lee Calcote, O’Reilly
Service Mesh Policies
Network Policy
• Service to service routing
• Service availability
• Service discovery
Access Policy
• IP allow/deny
• Allow/Deny
• JWT
Security Policy
• SSL/mTLS Termination
• DDoS
• WAF
THE MOST IMPORTANT (AND DIFFICULT) PART
I DON’T SAY THAT OFTEN, BUT SERIOUSLY: SECURITY
It’s Really All About Security: Data Plane Enforcement
• Service Security
− Identity Management
− SSL Key Management
− Injection Policies
• Network Security
− L3/L4 Networking Control
− mTLS Between Services
• Access Control
− Auditing/Governance
− Policy and Traffic Monitoring
− Zero Trust
− Cluster-wide L7 Networking Policies
Service Mesh Product Goals
NGINX Service Mesh controls communications between pods and external apps
Secure Traffic
End-to-end encryption (Mutual TLS / mTLS), ACLs
Manage All Service Traffic
Load Balance, Circuit breaker, B|G, Rate Limiting…
Orchestration
Injection and sidecar management, K8s API integration
Measure Traffic
Generate transaction traces and real-time monitoring
Why NGINX Service Mesh?
• Complete Microservices Traffic Management and Security
− E/W (sidecar) and N/S (NGINX KIC) Ingress and Egress
− Security policy definition, enforcement, and governance
• Turn-key and Platform Agnostic
− Everything you need is included, no need to piecemeal
− Run in any K8s environment, anywhere
• Data Plane Matters
− Brings the world’s best software reverse proxy to container traffic management
What is the NGINX Service Mesh?
(Architecture diagram, built up over several slides; the text recovered from it:)
Infrastructure: Kubernetes, VMware, AWS, Bare Metal
Data Plane: sidecar-proxied services (SVC … SVC) carrying East/West traffic, plus NGINX Ingress and NGINX Egress
Control Plane: NGINX Service Mesh control plane (Topology, Policies), Conf Db, Kubernetes Service Registry and Inventory, VMware/AWS… Inventory, SPIRE, Grafana, OpenTracing, driven through a CLI / API ($>_)
Management Plane: NGINX Controller (Centralized management, Service Mesh connector, Integrations)
NSM Components
• NSM runs within a K8s cluster
• Securely manages ingress/egress traffic to external services
• Can be deployed in any K8s cluster platform
Security
• Zero-trust model
• mTLS enforcement
• Service identity
• Access control CRDs
• Access control via mTLS
• Config validation
• Single source of truth for network (K8s) and identity (Spire)
• Ingress mTLS
• Egress opt-in allowlist
• Iptables pod firewalling
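As an added example, not taken from the deck or the NGINX Service Mesh project, this is what the “Access control CRDs” bullet looks like in the SMI resources the deck later lists under “Standards-based: SMI-spec”: an HTTPRouteGroup names the permitted routes and a TrafficTarget binds them to caller identities, so a service is reachable only by the listed ServiceAccounts. The namespace, service-account and route names are constructed; the API versions are those defined by the SMI spec, and which versions a given mesh release enforces is something to confirm in its docs.

```yaml
# Constructed example: only pods running as ServiceAccount "checkout-sa"
# may call pods running as ServiceAccount "inventory-sa", and only on the
# two routes named below. The identity checked is the workload's
# ServiceAccount-derived (SPIFFE) identity presented over mTLS, not its IP.
apiVersion: specs.smi-spec.io/v1alpha3
kind: HTTPRouteGroup
metadata:
  name: inventory-routes
  namespace: shop            # constructed namespace
spec:
  matches:
  - name: read-stock
    pathRegex: "/stock/.*"
    methods: ["GET"]
  - name: reserve-stock
    pathRegex: "/reserve"
    methods: ["POST"]
---
apiVersion: access.smi-spec.io/v1alpha2
kind: TrafficTarget
metadata:
  name: checkout-to-inventory
  namespace: shop
spec:
  destination:               # the callee's identity
    kind: ServiceAccount
    name: inventory-sa
    namespace: shop
  rules:
  - kind: HTTPRouteGroup
    name: inventory-routes
    matches:                 # the subset of the group's routes that is allowed
    - read-stock
    - reserve-stock
  sources:                   # the only callers permitted
  - kind: ServiceAccount
    name: checkout-sa
    namespace: shop
```

With the mesh's access-control mode set to deny by default, any other workload, and any call to a route outside the group (for example DELETE /stock/1), is refused at the destination sidecar, which is the data-plane enforcement the deck keeps coming back to.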
Integrated N/S Ingress/Egress
• NGINX Plus for sidecars and KIC
• Ingress traffic treated as S2S service traffic
• Full integration with Spire identity and SSL key store
• mTLS for ingress into NSM
• Egress name service support
• Egress opt-in allowlist
• Sidecar “default route” to KIC
Traffic Management
• Full support for microservice traffic models
− Circuit Breaker
− Blue/Green
− Canary
− Weighted distribution
• Rate shaping and QoS/priority queueing
• Container-based load balancing
• Dynamic service availability
• SSL keepalive for performance
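An added example, not from the deck, of the “Canary” and “Weighted distribution” bullets expressed as an SMI TrafficSplit, the other standards-based resource the deck refers to: callers keep addressing the root Service while the sidecars split requests across versioned backend Services by weight. Service and namespace names are constructed.

```yaml
# Constructed example: canary rollout of inventory v2. Callers still send
# traffic to the "inventory" Service; the mesh data plane routes 90% of
# requests to the v1 backend and 10% to v2. Blue/Green is the same resource
# with the weights at 100/0 and then flipped to 0/100.
apiVersion: split.smi-spec.io/v1alpha3
kind: TrafficSplit
metadata:
  name: inventory-canary
  namespace: shop            # constructed namespace
spec:
  service: inventory         # root Service that callers address
  backends:
  - service: inventory-v1    # stable backend Service
    weight: 90
  - service: inventory-v2    # canary backend Service
    weight: 10
```

Because the split is applied in the sidecars, the canary still sits behind the same mTLS identity and access-control policy as the stable version, so shifting weight changes only where traffic lands, not who may send it.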
Lightweight and Agile
• Data Plane Matters
• Control plane designed to optimize NGINX Plus data plane
• Standards-based: SPIFFE, SMI-spec
• Single CLI for management of all mesh services
• CI/CD pipeline’able for orchestrated deployment and policy management
A reality check…
Service Mesh technology addresses one specific set of problems
It’s not a magic bullet that makes all applications ‘better’
There are many other, well-proven ways to address the same problems
Service Mesh technology is very complex and ever-evolving
Cost of operating a mesh in production can be high, and there can be many risks
When Am I Ready For A Service Mesh?
✓ You have a mature, fully-automated CI/CD pipeline (GitOps-enabled)
✓ You are fully invested in microservices and using Kubernetes
✓ You are deploying frequently to production (at least once per day)
✓ You have a zero-trust production environment (so need mTLS)
✓ You need/want additional visibility of container traffic interaction
Where To Start?
Define Your Microservice Mesh Needs
GET AHEAD OF THE NEED
• Why a mesh?
• What goals are you trying to solve with a mesh?
• Who will own/manage the mesh?
• Where will the mesh be deployed?
• Decide if you want to build your own components or use a complete mesh.
• Plan. Plan. Test.
How To Get NSM
• Download
− downloads.f5.com
• Docs
− docs.nginx.com/nginx-service-mesh
• Tools/Support
− github.com/nginxinc/nginx-service-mesh