Smart networking with service meshes

Smart Networking with Service Meshes
aka What is this “Service Mesh” hype about?
Developer Advocate, HashiCorp
@anubhavm
Anubhav Mishra

@anubhavm
Anubhav Mishra

@anubhavm
Anubhav Mishra
Atlan&s

@anubhavm
Anubhav Mishra
Atlan&s
Gopher Artwork by Ashley McNamara

PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
Nomad Consul
Vault
Vagrant Packer Terraform
Consul Enterprise
Terraform Enterprise
Vault Enterprise
PRODUCT SUITEOSS TOOL SUITE
RUN
Applications
SECURE
Application Infrastructure
PROVISION
Infrastructure
FOR INDIVIDUALS FOR TEAMS
Nomad Enterprise

@anubhavmBlog Post Link: https://www.hashicorp.com/blog/smart-networking-with-consul-and-service-meshes

@anubhavm
Agenda
1. Introduction to “Smart Networking” and “Service Mesh”
2. Introduction to HashiCorp Consul
3. Architecture and overview of Consul
4. Exercises (Hands-On Lab)
• Exploring Service Discovery, K/V Store, and Consul Template
• NGINX and Consul (Smart Proxy)
• Fabio and Consul (Smart Networking in containers)
• Consul Connect (Service Mesh)
• Consul Connect for Service to Service Communication
• Consul Connect for Service to Database Communication
• Consul Connect for Serverless Applications
5. Conclusion
6. Discussion / Q&A

@anubhavm
Service
A
Service
B

@anubhavm
Service
A
Service
B
Service
B
Service
B
Multiple Instances?

@anubhavm
Service
A
Service
B
Service
B
Service
B
Multiple Instances?
Service Discovery

@anubhavm
Service
A
Service
B
Request Failed

@anubhavm
Service
A
Service
B
Request Failed
Retries

@anubhavm
Service
A
Service
B
Cert: serviceA.foo.com Cert: serviceB.foo.com
Assigning Identity

@anubhavm
Service
A
Service
B
Assigning IdentityMutual TLS

@anubhavm
Service
A
Service
B
Authorizing trafficMutual TLS
Allow?

@anubhavm
Smart Networking - First Principles
Dumb Pipe or Smart Network
Protocol Awareness

@anubhavm
Protocol Awareness
Service
A
Service
B

@anubhavm
Protocol Awareness
Service
A
Service
B
Ribbon

@anubhavm
Dumb Pipe
Pros:
Simplicity for Networks
Smart Applications (“What you see is what you get”)
Easily Customizable
Cons:
Redundant Code
Every Application has to Implement the Code (Polyglot?)

@anubhavm
Protocol Awareness
Service
A
Service
B
Proxy Proxy

@anubhavm
Smart Network
Pros:
Little to no Application Code changes are required
Features like Traffic Shaping, Service Discovery and Network Policy Control come
out of the Box
Cons:
Smart Network becomes an Implicit Dependency of the Application
Harder to Reason about the Whole System

@anubhavm
“Service Mesh” aka “Smart Network”
Service
A
Service
B
Proxy Proxy

@anubhavm
Service
A
Service
B
Proxy Proxy
Conﬁgure

@anubhavm
Service
A
Service
B
Proxy Proxy
Conﬁgure
Two parts

@anubhavm
Separation of Control and Data Plane
Control Plane
Data Plane

@anubhavm
Control Plane
Data Plane
• Traffic Routing / Shaping
• Conﬁguring the Data Plane
• Policy Enforcement
• Provide Service Discovery Data to Data Plane

@anubhavm
Control Plane
Data Plane
• Forward Request from the Applications
• Health Checking
• Load Balancing
• Circuit Breaking
• Timeouts
• Retries
• Authentication
• Authorization

@anubhavm
Control Plane
Data Plane
…..
• Forward Request from the Applications
• Health Checking
• Load Balancing
• Circuit Breaking
• Timeouts
• Retries
• Authentication
• Authorization

@anubhavm
Protocol Awareness
Layer 4 vs Layer 7

@anubhavm
Protocol Awareness
Layer 4 vs Layer 7
TCP, UDP vs HTTP “Universally” Compatible
High Performance
Difficult to provide Sophisticated
request aware features
Layer 4

@anubhavm
Protocol Awareness
Layer 4 vs Layer 7
TCP, UDP vs HTTP Perform complex routing decisions
Header and Path based routing
Can yield lower performance
Layer 7

@anubhavm
Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity

@anubhavm
Consul Usage
Launched in 2014
12K+ GitHub Stars
1M+ Downloads monthly
Customers running 50,000+ agents

@anubhavm
Single Data Center
CLIENT CLIENT CLIENT CLIENT CLIENT CLIENT
SERVER SERVER SERVER
REPLICATION REPLICATION
RPC
RPC
LAN GOSSIP

@anubhavm
Multi Data Center
CLIENT CLIENT CLIENT CLIENT CLIENT CLIENT
SERVER SERVER SERVER
RPC
RPC
LAN GOSSIP
SERVERSERVER SERVER
WAN GOSSIP

@anubhavm
Service Discovery
Registry of Nodes, Services, Checks
DNS API
HTTP API
Web UI

T E R M I N A L
$ dig llama.node.consul
; <<>> DiG 9.10.3-P4-Ubuntu <<>> testing-llama.node.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64443
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;testing-llama.node.consul.IN A
;; ANSWER SECTION:
testing-llama.node.consul. 0 IN A 10.1.1.148

@anubhavm
Service Conﬁguration
Hierarchical Key/Value Store
HTTP API
Long-polling / Edge trigger
Locking

@anubhavm
Workstations
Claim your workstation!
https://hashi.co/velocity-new-york

@anubhavm
Excercise: SSH into your workstations
SSH into your workstation using the provided credentials.
ssh servicemesh@<your.ip.address> 
password: veloc1ty2018
Run consul members command to see what happens!
Your tutorial working directory will be /workstation/consul

T E R M I N A L
$ consul members
Node Address Status Type Build Protocol DC Segment
velocity-server-0 10.1.1.73:8301 alive server 1.2.3 2 dc1 <all>
velocity-ant 10.1.1.82:8301 alive client 1.2.3 2 dc1 <default>
velocity-badger 10.1.2.22:8301 alive client 1.2.3 2 dc1 <default>

WA R N I N G You are sharing a cluster
Let’s be nice to each other.

@anubhavm
Service Discovery - DNS Interface
Consul's DNS interface is zero touch
Randomized Round-Robin DNS
Filters on Health Checks

@anubhavm
Exercise: Query Service
Query for consul service information using dig and the DNS
interface.
HINT: Remember the DNS naming format is
{service_name}.service.consul

T E R M I N A L
$ dig consul.service.consul
; <<>> DiG 9.10.3-P4-Ubuntu <<>> consul.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul. IN A
;; ANSWER SECTION:
consul.service.consul. 0 IN A 10.1.1.164
;; ADDITIONAL SECTION:
consul.service.consul. 0 IN TXT "consul-network-segment="

T E R M I N A L
$ dig +short consul.service.consul
10.1.1.164
10.1.2.16
10.1.1.73

@anubhavm
Registering Services
Services are registered using JSON deﬁnition or via the HTTP
API.
JSON ﬁles are put into a dot-d directory and loaded by Consul.

{
"service": {
"name": "my-service",
"tags": ["tag-1", "tag-2"],
"port": 1234
}
}
C O D E E D I T O R

{
"service": {
"tags": ["tag-1", "tag-2"],
"port": 1234
}
}
C O D E E D I T O R
Exposed via DNS and HTTP APIs
Referred to as the "logical service" name
dig my-service.service.consul

{
"service": {
"tags": ["tag-1", "tag-2"],
"port": 1234
}
}
C O D E E D I T O R
dig tag-1.my-service.service.consul

{
"service": {
"tags": ["tag-1", "tag-2"],
"port": 1234
}
}
C O D E E D I T O R
dig SRV my-service.service.consul

@anubhavm
Service Discovery - Consul CLI
Consul CLI provides basic interactions with service discovery
Do not use the CLI to build tooling (use API instead)
Allows easily querying services
Currently only supports the catalog

@anubhavm
Exercise: Get Help
Run consul catalog -h to see the list of available CLI
service discovery commands.

T E R M I N A L
$ consul catalog -h
Usage: consul catalog <subcommand> [options] [args]
This command has subcommands for interacting with Consul's catalog. The
catalog should not be confused with the agent, although the APIs and
responses may be similar.
Here are some simple examples, and more detailed examples are available
in the subcommands or the documentation.
List all datacenters:
$ consul catalog datacenters
List all nodes:
$ consul catalog nodes
List all services:
$ consul catalog services
.....

@anubhavm
Exercise: List Services with Tags
List all registered services with their tags using the service
discovery CLI.

T E R M I N A L
$ consul catalog services -tags
consul
counting velocity
counting-proxy
dashboard velocity
dashboard-proxy
fabio
http
nomad http,rpc,serf
nomad-client http

@anubhavm
K/V Store
Highly-available, globally accessible key-value store
Folder-like architecture allows for easy organization
Optional ACLs can enforce policy and access
Accessible via HTTP API (no DNS interface)
Can be used via the CLI or via a tool like curl
K/V Store: Use Cases

@anubhavm
K/V Store: Use Cases
Runtime conﬁguration data
Secrets or sensitive application data (eg. Vault’s encrypted data)

T E R M I N A L
$ consul kv put <KEY> <DATA>
Success! Data written to: <KEY>
$ curl -X PUT -d <DATA> http://localhost:8500/v1/kv/<KEY>
true

T E R M I N A L
$ consul kv get <KEY>
<DATA>
$ curl http://localhost:8500/v1/kv/<KEY>

@anubhavm
Exercise: Create KV Data
Create two new key-value pairs in the store.
Keep in mind that everyone is using the same Consul servers, so
choose a unique name that won't conﬂict with another user.
Read those values back out.

T E R M I N A L
$ consul kv put anubhavmishra/velocity hello
Success! Data written to: anubhavmishra/velocity
$ consul kv get anubhavmishra/velocity
hello

@anubhavm
Consul Template: A Helper tool for Consul
Consul Template handles the HTTP API ﬂow with Consul
Retrieves keys and services from Consul and renders them into a
template
Optionally integration with HashiCorp Vault as well

@anubhavm
Consul Template: Architecture
{{ key “hello/world“ }}
CONSUL TEMPLATE
CONSUL
value
FILE
1
2
3

@anubhavm
Exercise: Validate Consul Template
Validate Consul Template is installed and conﬁgured.

T E R M I N A L
$ consul-template -h
Usage: consul-template [options]
Watches a series of templates on the file system, writing new changes when
Consul is updated. It runs until an interrupt is received unless the -once
flag is specified.
Options:
-config=<path>
Sets the path to a configuration file or folder on disk. This can be
specified multiple times to load multiple files or folders. If multiple
values are given, they are merged left-to-right, and CLI arguments take
the top-most precedence.
-consul-addr=<address>
Sets the address of the Consul instance

@anubhavm
Exercise: Create Template
Create and execute a Consul Template template that iterates over
all the healthy services named "consul" and prints out the IP
address.
HINT: Consul Template's documentation is very verbose and
probably has examples that you can follow.

{{ range service “consul" }}
{{ .Address }}
{{ end }}
C O D E E D I T O R

T E R M I N A L
$ consul-template -dry —template=in.tpl
>
10.1.1.13
10.1.2.250
10.1.1.36

@anubhavm
“Smart Proxy” with NGINX and Consul
Similar to AirBnB’s “Smart Stack”
Conﬁgure NGINX dynamically using Consul’s service catalog
Make the simplest form of a “Smart Proxy”
Use Consul Template as the helper tool to achieve this

@anubhavm
“Smart Nginx”
server {
listen 5051;
server {
listen 5050;
.....
NGINX

@anubhavm
“Smart NGINX”
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE A
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE B
:8080
10.0.0.1 10.0.0.2

@anubhavm
“Smart NGINX”
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE A
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE B
:8080
https://10.0.0.2:5051/service/service-b/hello
10.0.0.1 10.0.0.2

@anubhavm
Exercise: Validate NGINX
Validate NGINX is installed and conﬁgured.

T E R M I N A L
$ nginx -v
nginx version: nginx/1.10.3 (Ubuntu)

@anubhavm
Exercise Goal
{{ key “hello/world“ }}
CONSUL TEMPLATE
CONSUL
server {
.....
NGINX
SERVICE

@anubhavm
Counting Application
For the purpose of this tutorial we will be using a simple Golang
application called “counting-service”.
The application is already installed on your workstations can be
started by typing the following command in your shell:
sudo service counting start

T E R M I N A L
$ sudo service counting start
$ curl http://localhost:9001
{“count":8,"hostname":"velocity-ant.node.consul"} 
 
$ curl http://localhost:9001/health 
Hello, you've hit /health

@anubhavm
Exercise: Register Counting Service in Consul
Register a new service named “counting” with tags “velocity”,
running on port 9001.
Query that service using the DNS interface.
 
Note: Use consul reload command to reload Consul.

T E R M I N A L
$ vim /workstation/consul/counting.json 
 
# INSERT PORT AND HEALTH CHECK ENDPOINT 
 
$ sudo mv /workstation/consul/counting.json /etc/consul.d/counting.json
$ ls /etc/consul.d/

{
"service": {
"name": “counting",
"tags": [“velocity-ant"],
"port": 9001,
"check": {
"id": "counting-check",
"http": "http://localhost:9001/health",
"method": "GET",
"interval": "1s",
"timeout": "1s"
}
}
}
C O D E E D I T O R

T E R M I N A L
$ consul reload
Configuration reload triggered
$ dig $(identity).counting.service.consul

@anubhavm
Exercise: Create a NGINX Template
Create and execute a Consul Template template that iterates over
all services that are tagged as “velocity” and create NGINX
backends for them.

T E R M I N A L
$ cd /workstation/consul/nginx
$ vim nginx.conf.tpl

T E R M I N A L
$ consul-template -template=nginx.conf.tpl -dry

{
"service": {
"name": "counting",
"tags": ["velocity-ant", "velocity"],
"port": 9001,
"check": {
"method": "GET",
"interval": "1s",
"timeout": "1s"
}
}
}
C O D E E D I T O R

@anubhavm
Exercise: Create Consul Template Config file
Create a config file for Consul Template that can be used to supply
NGINX with the dynamic configuration and then reload it.

T E R M I N A L
$ sudo vim /etc/consul.d/templates/nginx-smart-router.json

log_level = "info"
wait {
min = "5s"
max = "600s"
}
max_stale = "1m"
template {
source = "/etc/consul.d/templates/template/nginx.conf.tpl"
destination ="/etc/nginx/sites-available/nginx-smart-router.conf"
command = "nginx -s reload"
}
C O D E E D I T O R

T E R M I N A L
# Move nginx.conf.tpl to /etc/consul.d/templates/template/nginx.conf.tpl
$ sudo mv nginx.conf.tpl /etc/consul.d/templates/template/nginx.conf.tpl
# Open consul-template systemd configuration and supply it the configuration 
$ sudo vim /etc/systemd/system/consul-template.service

[Unit]
Description=Template rendering, notifier, and supervisor for HashiCorp Consul and
Vault data
Requires=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/local/bin/consul-template -config /etc/consul.d/templates/nginx-
smart-router.json
ExecReload=/bin/kill -HUP
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
C O D E E D I T O R

T E R M I N A L
$ sudo systemctl daemon-reload
$ sudo service consul-template start

T E R M I N A L
$ cd /etc/nginx/sites-enabled
$ sudo ln -s /etc/nginx/sites-available/nginx-smart-router.conf nginx-smart-router
$ sudo service nginx restart

@anubhavm
Exercise: Request Counting Service via “Smart NGINX”
Make a request to the counting service using the newly conﬁgured
NGINX router.
HINT: Use the local port 5050

T E R M I N A L
$ curl http://localhost:5050/service/counting/
{“count":1,"hostname":"velocity-badger.node.consul"}

T E R M I N A L
# Try the -i flag in curl to include the protocol headers
$ curl -i http://localhost:5050/service/counting/

@anubhavm
Exercise: Use the Dashboard Service to Connect to Counting Service
Explore the Dashboard service on your workstations. Start the
service and register it in Consul.

T E R M I N A L
$ vim /etc/systemd/system/dashboard.service

[Unit]
Description=An simple dashboard service
[Service]
Environment=PORT=9002
Environment=COUNTING_SERVICE_URL=http://localhost:5050/service/counting/
ExecStart=/usr/local/bin/dashboard-service
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
[Install]
C O D E E D I T O R

T E R M I N A L
$ cp /workstation/consul/dashboard.json /etc/consul.d/dashboard.json
$ vim /etc/consul.d/dashboard.json

{
"service": {
"name": "dashboard",
"tags": ["velocity-ant"],
"port": 9002,
"check": {
"id": "dashboard-check",
"method": "GET",
"interval": "1s",
"timeout": "1s"
}
}
}
C O D E E D I T O R

T E R M I N A L
$ sudo service dashboard start
$ consul reload

@anubhavm
Exercise: Verify Dashboard Application
Open the dashboard application and make sure it is able to
connect to the counting service via “Smart NGINX”.
Your dashboard application will be available at the following URL:
http://{workstation_ip}:9002

@anubhavm
Use Consul K/V as a Control Plane for NGINX
Consul K/V store can be used to store runtime conﬁguration for
the proxy.
Consul Template will watch for these values to change, if they do
then it will immediately make them available for the proxy.

T E R M I N A L
$ while true;do curl -i http://localhost:5050/service/counting/;sleep 0.5;done

T E R M I N A L
$ consul kv put config/global/router/prefer-local-routing 1

@anubhavm
Runtime Conﬁguration
Consul K/V store can be used to store runtime conﬁguration for
the proxy.
These can extend to things like storing values for request retries,
rate limits, etc.

@anubhavm
“Smart Proxy” with X and Consul
This approach can be extended to other proxies like HAProxy,
Apache2, etc.
This approach will also work with containers.

@anubhavm
Fabio: A Consul Load Balancer
Fabio integrates with Consul and acts as a load balancer for all
healthy services in a given name.
HTTP(S) and TCP router
Developed at Ebay and used by Ebay, kijiji
Github Repository: https://github.com/fabiolb/fabio
Website: https://fabiolb.net/

@anubhavm
Exercise: Use Fabio as an Ingress into Nomad
Run the counting service using a cluster scheduler (in this case we
will use Nomad).
Use Fabio to get to the counting service using host headers.

T E R M I N A L
$ cd /workstation/nomad
$ vim counting-service.nomad

job "counting-service-velocity-badger" {
datacenters = ["dc1"]
group "counting-service" {
count = 1
task "web" {
driver = "docker"
config {
image = "anubhavmishra/counting-service"
port_map = {
http = 9001
}
}
.....
service {
name = "counting-service"
port = "http"
tags = [
"velocity-badger",
"velocity",
"urlprefix-counting-service.hashicorp.live/",
C O D E E D I T O R

job "counting-service-velocity-badger" {
.....
service {
name = "counting-service"
port = "http"
tags = [
"velocity-badger",
"velocity",
"urlprefix-counting-service.hashicorp.live/",
]
check {
type = "http"
path = "/health"
interval = "2s"
timeout = "2s"
}
}
}
}
}
C O D E E D I T O R

T E R M I N A L
$ nomad run counting-service.nomad
$ nomad status counting-service

T E R M I N A L
$ curl -i -H 'Host: counting-service.hashicorp.live' http://localhost:9999
HTTP/1.1 200 OK
Content-Length: 37
Content-Type: text/plain; charset=utf-8
Date: Fri, 28 Sep 2018 19:09:01 GMT
{“count":2,"hostname":"09cb1e97a2bf"} 
# Access your application using the internet 
$ curl -i -H 'Host: counting-service.hashicorp.live' http://fabio.hashicorp.live

@anubhavm
Fabio: A Consul Load Balancer
Fabio feels like a “global” load balancer since it spans both, VMs
and Containers!

@anubhavm
Service Mesh for Microservices
Zero Trust Networks!

@anubhavm
Consul Connect
Service Access Graph
Certiﬁcate Distribution
Application Integration

@anubhavm
Service Access Graph
Intentions to Allow/Deny Communication
Source and Destination Service
Scale Independent
Managed with CLI, API, UI, Terraform

T E R M I N A L
$ consul intention create -deny web '*'
Created: web => * (deny)
$ consul intention create -allow web db
Created: web => db (allow)

@anubhavm
Certiﬁcate Distribution
Transport Layer Security (TLS)
Service Identity
Encryption of all traffic

@anubhavm
Certiﬁcate Format
X.509 Certiﬁcate
SPIFFE Compatible

@anubhavm
Application Integration
Consul Client for Service Graph and Certiﬁcates
Sidecar Proxies
Native Integrations

@anubhavm
Sidecar Proxy Integration
No Code Modiﬁcation
Minimal Performance Overhead
Operational Flexibility

@anubhavm
Sidecar Proxies
ClientProxy
App
Conﬁgure
Connect
ProxyClient
App
Conﬁgure
Connect

@anubhavm
Pluggable Proxies
Client
App
Conﬁgure
Connect
Client
App
Conﬁgure
Connect

@anubhavm
Pluggable Proxies
Client
App
Conﬁgure
Connect
Client
App
Conﬁgure
Connect
Coming soon!

{
"service": "web",
"connect": {
"proxy": {
"config": {
"upstreams": [{
"destination_name": "redis",
"local_bind_port": 1234
}]
}
}
}
}
C O D E E D I T O R

@anubhavm
ProxyClient
App
Conﬁgure
Connect localhost:1234
Connect to
upstream redis

T E R M I N A L
$ consul connect proxy
-service web
-upstream postgresql:8181
$ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
>

@anubhavm
Exercise: Connect Two Service via Consul Connect
Take two services, dashboard and counting service and connect
them over TLS using Consul’s Connect feature.
dashboard counting
mTLS

@anubhavm
Edit the dashboard and counting Consul service ﬁles to enable
connect.

T E R M I N A L
$ sudo vim /etc/consul.d/counting.json

{
"service": {
"name": "counting",
"tags": ["velocity"],
"port": 9001,
"connect": {
"proxy": {}
},
"check": {
"method": "GET",
"interval": "1s",
"timeout": "1s"
}
}
}
C O D E E D I T O R

T E R M I N A L
$ sudo vim /etc/consul.d/dashboard.json

{
"service": {
"name": "dashboard",
"port": 9002,
"tags": [“velocity-ant"],
"connect": {
"proxy": {
"config": {
"upstreams": [
{
"destination_name": "counting",
"local_bind_port": 9003
}
]
}
}
},
"check": {
"id": "dashboard-check",
"method": "GET",
"interval": "1s",
"timeout": "1s"
C O D E E D I T O R

@anubhavm
Edit the dashboard systemd conﬁg ﬁle to point to the
local_bind_port 9003.

[Unit]
Description=An simple dashboard service
[Service]
Environment=PORT=9002
Environment=COUNTING_SERVICE_URL=http://localhost:9003
ExecStart=/usr/local/bin/dashboard-service
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
[Install]
C O D E E D I T O R

@anubhavm
Reload Consul.
Restart dashboard service.

T E R M I N A L
$ consul reload
Configuration reload triggered
$ sudo systemctl daemon-reload
$ sudo service dashboard restart

@anubhavm
Exercise: Verify Dashboard and Counting Services
Use the Consul UI to verify that both, dashboard and counting
services are healthy and running.
Consul UI is located at http://consul.hashicorp.live
HINT: Navigate the “services” tab in the Consul UI and ﬁlter for
your node.

T E R M I N A L
$ open http://consul.hashicorp.live

@anubhavm
Exercise: Verify Dashboard Application
Open the dashboard application and make sure it is able to
connect to the counting service via Consul Connect.
Your dashboard application will be available at the following URL:
http://{workstation_ip}:9002

@anubhavm
Exercise: Use “Intentions” to Deny All Access
Use the Consul UI to deny all access to all services.

@anubhavm
Exercise: Connect to a Database Using Consul Connect
Use Consul Connect to open a encrypted connection to a database
running on a VM.
Client will use Consul Connect to spin up a proxy masquerading as
the “web” service, connecting to the “redis-db” service, binding on
local port 8081

T E R M I N A L
$ sudo apt-get install -y redis-tools
$ redis-cli -h

T E R M I N A L
# Instructor will run this command.
$ sudo apt-get install redis-server
# Register redis service in Consul
# Show traffic without Consul Connect.
# Enable Consul Connect.

T E R M I N A L
$ consul connect proxy
-service web
-upstream redis-db:6379 &
$ redis-cli

@anubhavm
Data Planes for L4
Encrypted Connections to Databases (TCP)
Proxy Masquerading

@anubhavm
Native Integration
Standard TLS
Negligible Performance Overhead
Requires Code Modiﬁcation

// Create a Consul API client
client, _ := api.NewClient(api.DefaultConfig())
// Create an instance representing this service.
svc, _ := connect.NewService("my-service", client)
defer svc.Close()
// Creating an HTTP server that serves via Connect
server := &http.Server{
Addr: ":8080",
TLSConfig: svc.ServerTLSConfig(),
// ... other standard fields
}
// Serve!
server.ListenAndServeTLS("", "")
C O D E E D I T O R

@anubhavm
Consul Connect Lambda Integration
Consul’s Connect feature can be used to connect AWS Lambda
functions to services running inside a datacenter (EC2 instances,
RDS databases etc).
DISCLAIMER: THIS IS NOT PRODUCTION READY!
Github Repository: https://github.com/anubhavmishra/consul-connect-lambda

@anubhavm
SERVER
Internal Loadbalancer
SERVER
SERVER
LB
App
App
App
App
VPC
Lambda
Function
SDK
API
GATEWAY
Internet

@anubhavm
SERVER
Internal Loadbalancer
SERVER
SERVER
LB
App
App
App
App
VPC
Lambda
Function
SDK
API
GATEWAY
Internet Mutual TLS

@anubhavm
Consul Connect
Service Access Graph. Intentions allow or deny communication of
logical services.
Certiﬁcate Distribution. Standard TLS certiﬁcates with SPIFFE
compatibility.
Application Integration. Native integrations or side car proxies.

@anubhavm
Consul for Service Mesh Control Plane
Pluggable Control Plane and Data Plane.

@anubhavm
Useful Links
• Envoy Consul Service Discovery Service: https://github.com/
anubhavmishra/envoy-consul-sds
• Consul Connect Lambda Integration: https://github.com/
anubhavmishra/consul-connect-lambda

Thanks! I have stickers!
Consul: https://consul.io
@anubhavm

Smart networking with service meshes

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Smart networking with service meshes

Ähnlich wie Smart networking with service meshes (20)

Mehr von Mitchell Pronschinske

Mehr von Mitchell Pronschinske (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Smart networking with service meshes