
Consul Connect - EPAM SEC - 22nd September 2018


A service mesh is necessary for organizations adopting microservices and dynamic cloud-native infrastructure. Traditional host-based network security must be replaced with modern service-based security to accommodate the highly dynamic nature of modern runtime environments. In this talk, we will look at Connect, a significant new feature in Consul that provides secure service-to-service communication with automatic TLS encryption and identity-based authorization. We will look at the features of Connect, how to enable Connect in an existing Consul cluster, and how easy it is to secure service-to-service communication using Connect.



  1. Service Mesh for Microservices
  2. Peter Souter, Technical Account Manager @ HashiCorp, @petersouter
  3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE. OSS tool suite (for individuals): Vagrant, Packer, Terraform, Nomad, Consul, Vault. Product suite (for teams): Terraform Enterprise, Nomad Enterprise, Consul Enterprise, Vault Enterprise. PROVISION infrastructure, SECURE application infrastructure, RUN applications.
  4. Service Mesh for Microservices
  5. Monolith: A B C D
  6. Monolith: A B C D
  7. Monolith: A B C D, static IP
  8. Monolith: A B C D, static IP, LB
  9. Monolith: A B C D, static IP, LB, zone firewall, DMZ firewall
  10. What Changed?
  11. Monolith: A B C D
  12. Microservices: A B C D
  13. Microservices: A B C D ?
  14. Microservices: A B B C D ?
  15. Microservices: A B B C D, LB
  16. Operating in the Cloud + Containers: dynamic IP addresses, higher failure rate, ephemeral infrastructure, complex network topology
  17. Service Segmentation
  18. Defining Segmentation: splitting the network into sub-networks; restricting communication between sub-networks; virtual LAN, firewalls, software defined networks; coarse grained, many services per segment (Segment A, Segment B, Network)
  19. Monolith: A B C D, static IP, LB, zone firewall, DMZ firewall
  20. Microservices: A B C D
  21. A -> B, C -> D, D -> C (A B C D)
  22. B -> D, A -> C (A B C D)
  23. Consul Usage: launched in 2014; 12K+ GitHub stars; 1M+ downloads monthly; customers running 50,000+ agents
  24. Public Users
  25. Service Mesh for Microservices. Service Discovery: connect services with a dynamic registry. Service Configuration: configure services with runtime configs. Service Segmentation: secure services based on identity.
  26. Service Mesh for Microservices. Service Discovery: connect services with a dynamic registry. Service Configuration: configure services with runtime configs. Service Segmentation: secure services based on identity.
  27. Consul Connect
  28. Consul Connect: Service Access Graph, Certificate Authority, Application Integration
  29. Service Access Graph: intentions to allow/deny communication; source and destination service; scale independent; managed with CLI, API, UI
  30. Terminal:
      $ consul intention create -deny web '*'
      Created: web => * (deny)
      $ consul intention create -allow web db
      Created: web => db (allow)
  31. Certificate Authority: Transport Layer Security (TLS); service identity; encryption of all traffic
  32. Certificate Generation: automatic generation & rotation. Client: generate key pair, certificate signing request. Server: sign certificate.
  33. Certificate Format: X.509 certificate, SPIFFE compatible
  34. Certificate Authority Rotation: Root -> Intermediary -> Leaf
  35. Certificate Authority Rotation: Root -> Intermediary -> Leaf; Root -> Intermediary -> Leaf
  36. Certificate Authority Rotation: Root -> Intermediary -> Leaf; Root -> Intermediary, Intermediary -> Leaf, Leaf
  37. Application Integration: Consul client for service graph and certificates; sidecar proxies; native integrations
  38. Sidecar Proxy Integration: no code modification; minimal performance overhead; operational flexibility; managed or unmanaged
  39. Sidecar Proxies: Client, Proxy, App (Configure Connect); Client, Proxy, App (Configure Connect)
  40. Pluggable Proxies: Client, App (Configure Connect); Client, App (Configure Connect)
  41. Managed vs Unmanaged Proxies: lifecycle of proxy; auto-configured; special ACL token (Client, Proxy, App; Configure Connect)
  42. Code editor:
      {
        "service": "web",
        "connect": {
          "proxy": {
            "config": {
              "upstreams": [{
                "destination_name": "redis",
                "local_bind_port": 1234
              }]
            }
          }
        }
      }
  43. Client, Proxy, App (Configure Connect): localhost:1234 connects to upstream redis
  44. Terminal:
      $ consul connect proxy -service web -upstream postgresql:8181
      $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
      >
  45. Native Integration: standard TLS; negligible performance overhead; requires code modification
  46. Code editor:
      import (
          "net/http"

          "github.com/hashicorp/consul/api"
          "github.com/hashicorp/consul/connect"
      )

      // Create a Consul API client
      client, _ := api.NewClient(api.DefaultConfig())

      // Create an instance representing this service.
      svc, _ := connect.NewService("my-service", client)
      defer svc.Close()

      // Creating an HTTP server that serves via Connect
      server := &http.Server{
          Addr:      ":8080",
          TLSConfig: svc.ServerTLSConfig(),
          // ... other standard fields
      }

      // Serve! Cert and key paths are empty because the Connect TLS config supplies them.
      server.ListenAndServeTLS("", "")
  47. Consul Connect. Service Access Graph: intentions allow or deny communication of logical services. Certificate Authority: standard TLS certificates with SPIFFE compatibility. Application Integration: native integrations or sidecar proxies.
  48. Consul Architecture: batteries included; highly available & scalable; pluggable data plane
  49. Summary
  50. Common Challenges: infrastructure is a means to an end; microservices architecture; operational challenges
  51. Patchwork Solutions: re-invent the wheel; long term maintenance; minimum viable vs maximum utility
  52. Service Mesh for Microservices. Service Discovery: connect services with a dynamic registry. Service Configuration: configure services with runtime configs. Service Segmentation: secure services based on identity.
  53. Links:
      K8s demo: https://github.com/hashicorp/da-connect-demo/tree/master/kubernetes-azure
      Consul Connect intro: https://play.instruqt.com/hashicorp/tracks/connect
      Connect SDK demo: https://github.com/nicholasjackson/consul-connect-router
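The service access graph from slides 29-30 and the SPIFFE service identity from slide 33, as an added example that is not code from the talk or from Consul itself: a small Go model of how the two intentions on slide 30 combine, and how a service name is read out of a leaf certificate's URI SAN. It assumes the precedence order Consul documents (an exact destination outranks a wildcard destination, then an exact source outranks "*") and the SPIFFE ID layout spiffe://<trust-domain>/ns/<ns>/dc/<dc>/svc/<service>.

```go
package main

import "strings"

// Intention is one edge of the service access graph; "*" is the wildcard, so
// `consul intention create -deny web '*'` is Intention{"web", "*", false}.
type Intention struct {
	Source, Destination string
	Allow               bool
}

// precedence ranks intentions as Consul documents (assumed here): an exact
// destination beats a wildcard destination, then an exact source beats "*".
func precedence(ixn Intention) (p int) {
	if ixn.Destination != "*" {
		p += 2
	}
	if ixn.Source != "*" {
		p++
	}
	return p
}

// Authorize applies the highest-precedence intention matching src => dst;
// defaultAllow stands in for the ACL default policy when none matches.
func Authorize(ixns []Intention, src, dst string, defaultAllow bool) (bool, string) {
	best, allow, why := -1, defaultAllow, "default policy"
	for _, ixn := range ixns {
		if (ixn.Source != "*" && ixn.Source != src) || (ixn.Destination != "*" && ixn.Destination != dst) {
			continue
		}
		if p := precedence(ixn); p > best {
			best, allow, why = p, ixn.Allow, ixn.Source+" => "+ixn.Destination
		}
	}
	return allow, why
}

// ServiceFromSPIFFE returns the service name encoded in a Connect leaf
// certificate's URI SAN (assumed layout: spiffe://<trust-domain>/ns/<ns>/dc/<dc>/svc/<service>).
func ServiceFromSPIFFE(id string) (string, bool) {
	parts := strings.SplitN(id, "/svc/", 2)
	if len(parts) != 2 || !strings.HasPrefix(id, "spiffe://") || parts[1] == "" || strings.Contains(parts[1], "/") {
		return "", false
	}
	return parts[1], true
}
```

With the two intentions from slide 30 loaded, web => db is allowed because the exact intention outranks web => *, while web => redis falls to the deny.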
