A service mesh is necessary for organizations adopting microservices and dynamic cloud-native infrastructure. Traditional host-based network security must be replaced with modern service-based security to accommodate the highly dynamic nature of modern runtime environments. In this talk, we will look at Connect, a significant new feature in Consul that provides secure service-to-service communication with automatic TLS encryption and identity-based authorization. We will look at the features of Connect, how to enable Connect in an existing Consul cluster, and how easy it is to secure service-to-service communication using Connect.
3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
OSS TOOL SUITE (FOR INDIVIDUALS) / PRODUCT SUITE (FOR TEAMS)
PROVISION Infrastructure: Vagrant, Packer, Terraform / Terraform Enterprise
SECURE Application Infrastructure: Vault / Vault Enterprise
RUN Applications: Consul, Nomad / Consul Enterprise, Nomad Enterprise
18. Defining Segmentation
Splitting a network into sub-networks
Restricting communication between sub-networks
Virtual LANs, firewalls, software-defined networks
Coarse grained: many services per segment
[Diagram: a Network divided into Segment A and Segment B]
27. Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity
49. Native integration (Go)
package main

import (
	"log"
	"net/http"

	"github.com/hashicorp/consul/api"
	"github.com/hashicorp/consul/connect"
)

func main() {
	// Create a Consul API client (defaults to the local agent).
	client, err := api.NewClient(api.DefaultConfig())
	if err != nil {
		log.Fatal(err)
	}
	// Create an instance representing this service; Connect fetches and
	// rotates its leaf certificate from the Consul CA automatically.
	svc, err := connect.NewService("my-service", client)
	if err != nil {
		log.Fatal(err)
	}
	defer svc.Close()
	// Serve HTTP over Connect: ServerTLSConfig presents the service cert and
	// authorizes clients against intentions, so no cert/key paths are needed.
	server := &http.Server{Addr: ":8080", TLSConfig: svc.ServerTLSConfig()}
	log.Fatal(server.ListenAndServeTLS("", ""))
}
50. Consul Connect
Service Access Graph. Intentions allow or deny communication between logical services.
Certificate Authority. Standard TLS certificates with SPIFFE compatibility.
Application Integration. Native integrations or sidecar proxies.
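To make the mechanism behind this slide and the native integration on slide 49 concrete, the following is an added example written for this page, not Consul's own code. Using only the Go standard library, it mints SPIFFE-style certificates (URI SAN of the form spiffe://<trust-domain>/ns/<ns>/dc/<dc>/svc/<name>; the trust domain example.consul, the in-process CA and the function names are assumptions of the example), evaluates a small intention list for a (source, destination) pair, and wires both into a tls.Config that identifies the caller by the service name in its certificate rather than by IP address. The intention semantics are simplified (exact source beats "*", no match means deny); Connect's real precedence rules are richer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Intention is one edge of the service access graph (source -> destination);
// a "*" source matches any service but loses to an exact source name.
type Intention struct {
	Source, Destination string
	Allow               bool
}

// spiffeService returns the service name from a certificate's SPIFFE URI SAN,
// assumed here to look like spiffe://<trust-domain>/ns/<ns>/dc/<dc>/svc/<name>.
func spiffeService(cert *x509.Certificate) (string, error) {
	for _, u := range cert.URIs {
		parts := strings.Split(strings.Trim(u.Path, "/"), "/")
		if u.Scheme == "spiffe" && len(parts) >= 2 && parts[len(parts)-2] == "svc" {
			return parts[len(parts)-1], nil
		}
	}
	return "", errors.New("no SPIFFE service identity in certificate")
}

// authorize evaluates intentions for (source, dest): exact match beats wildcard, no match is deny.
func authorize(ixns []Intention, source, dest string) bool {
	wildcardAllow, haveWildcard := false, false
	for _, ix := range ixns {
		switch {
		case ix.Destination != dest:
		case ix.Source == source:
			return ix.Allow
		case ix.Source == "*":
			wildcardAllow, haveWildcard = ix.Allow, true
		}
	}
	return haveWildcard && wildcardAllow
}

// serverTLSConfig requires a client cert chained to the mesh CA, then decides on its SPIFFE identity.
func serverTLSConfig(roots *x509.CertPool, ixns []Intention, self string) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || len(chains[0]) == 0 {
				return errors.New("no verified client certificate chain")
			}
			src, err := spiffeService(chains[0][0])
			if err != nil {
				return err
			}
			if !authorize(ixns, src, self) {
				return errors.New("intention denies " + src + " -> " + self)
			}
			return nil
		},
	}
}

// issue mints a certificate carrying a SPIFFE URI SAN for svc. With parent == nil
// it self-signs a CA; otherwise it signs a leaf with the parent CA's key (example-only CA).
func issue(svc string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	id, _ := url.Parse("spiffe://example.consul/ns/default/dc/dc1/svc/" + svc)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(72 * time.Hour), // short-lived, like Connect leaf certs
		URIs:         []*url.URL{id},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
```

The point to take from the VerifyPeerCertificate hook is the order of checks: chain validation against the mesh CA happens first (ClientCAs), and only then is the identity in the URI SAN looked up in the access graph, so a forged or expired certificate never reaches the intention check and a valid certificate for the wrong service is still refused.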