
Modernize, Deploy and Manage Enterprise Apps at scale in Hybrid
Lakshmi Sharma, Director Product Management, Networking, Google Cloud

Established enterprises have built up increasingly complex software environments
● On-prem legacy apps
● Private-hosted apps
● Cloud apps
● Threat of vendor lock in
● Threat of new technology
IT must now manage across legacy on-prem, private-hosted, and one or more public cloud environments

We want Hybrid with Modernization
1. With minimal down time
2. By re-architecting monolithic architecture into microservices
3. To lower our technical debt
4. But need a design that seamlessly manages all our business lines
5. And continue to use same tools, and APIs across

Migration options
1. Lift and shift
2. Transform
3. Greenfield
4. Hybrid approach

Legacy software development practice: An Example
● New requirement to launch / scale mobile component of an existing legacy app
● Difficult to migrate / break apart existing app due to hard dependencies in on-prem environment
● At launch, unpredictable traffic spikes, causing downtime
● IT Teams build mobile backend based on existing legacy architecture
● The mobile component needs to be developed, configured, secured, and scaled differently in each environment it's deployed
● Team decides to switch environments and replatform their app, forcing a full rewrite due to inflexibility of legacy systems

SERVICE MESH: Connect and secure applications
CI / CD: Manage applications
ORCHESTRATION: Run applications
CONTAINERIZATION: Package applications

ISTIO+gRPC: Connect and secure applications
SPINNAKER: Manage application
KUBERNETES: Run applications
DOCKER: Package applications

Container based methods offer a flexible approach to infrastructure
Applications aren't tied to underlying infrastructure or vendors...
...addressing issues of tight coupling

01 Running Applications with Kubernetes

Kubernetes
● Automate deployment of applications on to any infrastructure
● A portable platform on top of which developers can build applications, so that they are easily... Ported, Changed, Redeployed
● A portability layer that abstracts away differences in underlying computer platforms

Kubernetes is a declarative way to describe your applications
[Diagram: the Kubernetes API above GCP and On Prem / Cloud, each with VM, VPC, STORAGE, ROUTERS, FW, LB, IAM]

Containers at Google
● Google launches more than four billion containers every week globally
● Full range of Google-run applications including Search, Gmail, and YouTube.
● Inspired by Google's Cluster Manager called Borg which enables direct software tasks across vast machine clusters.
● A culmination of Google's experience deploying resilient applications at scale.

02 Managing applications with Spinnaker

CI/CD on Google Cloud
[Diagram: pipeline stages Source, Build/Test, Artifact storage, Deploy; tools shown: Source Repository, Cloud Build, Container Registry, Cloud Storage, CSR, Bitbucket, Jenkins, Circle CI, quay, Docker Hub, Codefresh, Spinnaker]

Spinnaker
Spinnaker is an open-source, multi-cloud, continuous delivery platform
● Application deployment
● Application management

Deployment Sequencing
● Pipelines
● Stages
● Deployment Strategies

Safe Deployments
● Execution Windows
● Manual Judgements
● Manual Rollbacks
● Automated Rollbacks
Trigger a pipeline that does a rollback on a failed deployment

03 Connecting and Securing Applications with gRPC and Istio

Learning from Predecessor of gRPC called Stubby at Google
Microservices at Google: O(10^10) RPC per second
Images by Connie Zhou

What did we learn from scaled Stubby
● Contracts between services should be strict
● Common language helps
● Common understanding for deadlines, cancellations, flow control messages
● Common stats/tracing framework is essential for monitoring, debugging
● Common framework lets uniform policy application for control and lb
Single point of integration for logging, monitoring, tracing, service discovery and load balancing makes lives much easier!

Stubby to gRPC -> What Is gRPC?
[Diagram: a Ruby Client and an Android-Java Client each use a gRPC Stub to send a Proto Request to the gRPC Server of a C++ Service and receive Proto Response(s)]

gRPC Speaks Your Language
[Diagram: GoLang Service, Java Service, Python Service and C++ Service connected to each other through gRPC Stubs and gRPC Services]

gRPC Runs Everywhere
[Diagram: Micro service architecture; labels: 3rd Party, Front end, Cloud App Service, API, External App APIs, Internal App APIs, μService, Internet of Things, Backend & Shared Services]

gRPC is: Performant, Extensible, Easy, Widely Adopted
• HTTP/2 performance: Multiplexing, Header Compression, Binary Framing
• Binary compact protos: Serialization time, size of message on wire, client and server compute time, network throughput
• Streaming is native to gRPC

Service Mesh Integrations
• Monitoring and Tracing: Prometheus, Zipkin, Opentracing integrations
• Service Discovery: Etcd, Consul, Zookeeper as controller for gRPC-lb
• Auth & Security: mTLS, Plugin auth mechanism (e.g. OAuth)
• Proxies: Nginx and others

Service Mesh
Transparently automate application network functions.
Separating (business Logic) applications from network functions

Everybody got all fired up about Kubernetes and microservices and then were like ‘Wow, what’s going on?’ Istio lets us view our entire system and find trouble spots.
Anonymous early adopter

Istio is a service mesh. It is an open framework for connecting, securing, managing and monitoring services.
Secure, Monitor, Manage

Intelligent routing
● Dynamic route configuration
● A/B tests
● Canaries
● Gradually upgrade versions

Resilience
● Timeouts
● Retries
● Health checks
● Circuit breakers

Security & policy
● Mutual TLS
● Organizational policy
● Access policies
● Rate Limiting

Telemetry
● Service Dependencies
● Traffic Flow
● Distributed Tracing

How Istio works
● Frontend and Payments each sit behind a Proxy; the proxies speak HTTP/1.1, HTTP/2, gRPC or TCP -- with or without mTLS
● Traffic transparently proxied — unaware of proxies
● Pilot: Discovery & config data to proxies
● Mixer: Policy checks, telemetry
● Citadel: TLS certs to proxies
● Pilot, Mixer and Citadel form the Istio Control Plane, behind the Control Plane API

Service architecture
[Diagram: Frontend, Auth, Users, Cloud SQL, Pictures, Payments, External Payment Processor]

Istio-enabling a service

Frontend:

    spec:
      containers:
      - image: frontend:v2.0.17

Frontend + Proxy:

    spec:
      containers:
      - image: frontend:v2.0.17
      - image: istio/proxy:v1.0

Service architecture with Istio
[Diagram: Frontend, Auth, Pictures and Payments each paired with a Proxy; Users, Cloud SQL, External Payment Processor]

Steady state
Traffic control tied to infrastructure
[Diagram: a Service in front of Default instances]

In the past
Traffic control tied to infrastructure
10% canaries
[Diagram: Load Balancing across Default instances and a Canary instance]

With Istio
Traffic flow separated from infrastructure
10% canaries
[Diagram: Istio Load Balancing sends 90% of traffic to Default and 10% of traffic to Canary]

Traffic steering

    destination: pictures.example.local
    match:
      httpHeaders:
        user-agent:
          regex: ^(.*?;)?(iPhone)(;.*)?$
    precedence: 2
    route:
    - tags:
        version: 2.0-alpha
        env: staging

[Diagram: Frontend and its Proxy call pictures; one Pictures backend behind a Proxy has version: 1.5, env: prod, the other has version: 2.0-alpha, env: staging]

Regular communication
[Diagram: Frontend to Payments]

Automatic secured Communication
[Diagram: Frontend and Payments, each with a Proxy; Citadel in the Istio Control Plane]

ISTIO+gRPC: Connect and secure applications
SPINNAKER: Manage application
KUBERNETES: Run applications
DOCKER: Package applications

Some important Links
● https://cloud.google.com/solutions/hybrid-and-multi-cloud-patterns-and-practices
● IO201-Best practices using Kubernetes, Spinnaker and Istio to Manage a Multi-cloud Environment
● Best Practices from Google SRE: How You Can Use Them with GKE + Istio
● https://cloud.google.com/containers/
● https://cloud.google.com/kubernetes-engine/
● https://cloud.google.com/istio/

Thank you
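How the rule on the "Traffic steering" slide picks a backend, as an added example that is not part of the original deck and is not Istio's own code. The rule fields come from the slide; the catch-all default rule, the whole-value regex semantics, the function names and the sample requests are assumptions made for this sketch.

```python
import re

# Rule fields (destination, match, precedence, route tags) are copied from the
# "Traffic steering" slide. DEFAULT_RULE is an assumption: a catch-all for the
# version 1.5 / env prod Pictures backend shown in the slide's diagram.
IPHONE_RULE = {
    "destination": "pictures.example.local",
    "match": {"httpHeaders": {"user-agent": {"regex": r"^(.*?;)?(iPhone)(;.*)?$"}}},
    "precedence": 2,
    "route": [{"tags": {"version": "2.0-alpha", "env": "staging"}}],
}
DEFAULT_RULE = {
    "destination": "pictures.example.local",
    "match": {},
    "precedence": 1,
    "route": [{"tags": {"version": "1.5", "env": "prod"}}],
}


def header_matches(condition, value):
    """Apply one header condition (assumed: regex must cover the whole value)."""
    if value is None:
        return False
    return re.fullmatch(condition["regex"], value) is not None


def select_backend(destination, headers, rules=(DEFAULT_RULE, IPHONE_RULE)):
    """Return the route tags of the highest-precedence rule that matches."""
    headers = {name.lower(): value for name, value in headers.items()}
    candidates = [r for r in rules if r["destination"] == destination]
    for rule in sorted(candidates, key=lambda r: r["precedence"], reverse=True):
        conditions = rule["match"].get("httpHeaders", {})
        if all(header_matches(c, headers.get(n)) for n, c in conditions.items()):
            return rule["route"][0]["tags"]
    return None  # no rule is defined for this destination


# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"User-Agent": "PicturesApp/2.0;iPhone;iOS"},
    {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)"},
    {},
]

if __name__ == "__main__":
    for request_headers in SAMPLES:
        print(request_headers, "->", select_backend("pictures.example.local", request_headers))
```

The second sample goes to version 1.5 because the slide's pattern only accepts iPhone as a whole semicolon-delimited token. User-Agent is set by the client, so the rule steers traffic and does not restrict who can reach the staging backend.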