The Devops Guide Essential to Service Meshes Synopsis

The Devops Guide Essential to Service Meshes Synopsis

eBook: The DevOps Guide Essential to Service Meshes Synopsis Service mesh recently emerged to provide an abstraction layer that streamlines service-to-service communication in order to address the failure of conventional strategies used to orchestrate microservices. They are quickly becoming an entire industry on their own. Here is an in depth view of the service mesh capabilities and current key players. Index Introduction ....................................................... 1 Why service mesh? ................................................ 3 What is a service mesh ecosystem? ................................. 5 Who are the key service mesh players? Istio ............................................................... 10 App Mesh ......................................................... 13 Linkerd ........................................................... 15 Consul Connect .................................................... 18 Microso Service Mesh Interface (SMI) ............................... 21 Kong ............................................................. 23 Conclusion ........................................................ 26 The term “Service Mesh” was coined to represent a network of applications or microservices, and the relationships and interactions between them. Relatively new on the scene, a service mesh is an infrastructure layer controlling delivery service requests that enables DevOps to abstract numerous application network functions from the service code when developing hybrid or cloud-native applications. This infrastructure layer manages inter-service communications in the microservice architecture now becoming the norm for cloud-native applications. A service mesh considerably reduces application architecture complexity by providing a unified way to manage traffic flow and access policy enforcement across microservices, regardless of their location. As communications occur on a single layer, the service mesh layer, it facilitates diagnosing communication errors between applications and services. Security features provided by the service mesh, such as encryption, authentication and authorization, further explain its fast growing popularity. 1 A service mesh’s main attributes and features cover wide areas such as: Resiliency features (retries, timeouts, deadlines, etc) Cascading failure prevention (circuit breaking and failover) Robust load balancing algorithms managing automatic retries, circuit breaking, global rate limiting, request shadowing, zone local load balancing, etc. Control over request routing (convenient for CI/CD release patterns) Configuration and management of TLS and mTLS Rich sets of metrics providing instrumentation at the service-to-service layer Mesh expansion to VM (not limited to k8s clusters), including cross-cluster routing and encryption According to Gartner, the global public cloud services market is set to reach $266.4 billion in 2020. Service meshes abstract cloud-native application architecture complexities, so it is no wonder that service mesh is taking the soware industry by storm. 2 Why service mesh? Digital transformation drives the adoption of cloud-native methodology, where applications are built as a collection of microservices that work with each other to deliver the expected user experience. Such a microservices-based architecture shis the complexity from within the monolithic application code to a distributed system. There are many more endpoints and interactions to scale, secure, and monitor, resulting in an exponential increase in debugging time and security vulnerabilities. The service mesh is emerging as a way to address these requirements. Traffic management - When adding or removing a microservice, the service mesh eliminates the gateway updates necessary when using API gateways to handle protocol transactions. Service meshes are location agnostic thereby providing a unified way for developers to manage traffic flow and access policy enforcement across microservices, regardless of where they reside. 3 Reduce complexity - It leverages a proxy instance called a sidecar. Sidecar proxies reduce the complexity in the microservice code by abstracting common infrastructure-related functionalities (encryption, endpoint discovery, failure recovery etc.) to a different layer. Situated next to a container cluster, they effectively manage network services. As enthusiastically expressed by Gabe Monroy, Director of Product at Microso Azure Application Platform, “Service mesh is obviously hot technology — and for good reasons. The cloud-native ecosystem is driving the need for smarter networks and smarter pipes and service mesh technology provides answers.” 4 What is a service mesh ecosystem? Operating at the application level, a Service Mesh is a network communication infrastructure that allows decoupling and offloading most of the application network functions from the service code by handling service to service communication for cloud-native applications. The service mesh overlay is logically split between a control plane and a data plane.The data plane consists of an array of lightweight proxies known as sidecars The control plane manages and configures proxies to route traffic. Its rich sets of metrics provides instrumentation at the service-to-service layer, facilitating the implementation of communication and security policies, as well as aggregating telemetry data for monitoring. 5 Currently the most popular capabilities that users are requesting from a service mesh are: Traffic management - to connect and control the flow of traffic and API calls between services Security - You can enforce mTLS- Mutual TLS authentication to ensure that traffic is both secure and trusted in both directions between a client and server. Also you can enforce service-level authentication using either TLS or JSON web tokens. Access Control - to apply policies and ensure that they’re enforced, and that resources are fairly distributed among users. Observability - Enables inferring the internal states of a system from knowledge of external outputs. 6 The service mesh overlay is logically split between a control plane and a data plane.The data plane consists of an array of lightweight proxies known as sidecars that, deployed alongside application code, handle the ingress and egress traffic between services. The control plane manages and configures proxies to route traffic. Its rich sets of metrics provide instrumentation at the service-to-service layer, facilitating the implementation of communication and security policies. It also aggregates telemetry data for monitoring. By streamlining the CI/CD process, service mesh provides granular control over request routing. When leveraged during a canary or blue-green deployment set, it enables sending only a portion of the traffic, or traffic of a particular type to the new service version, thus preventing cascading failure. Regular traffic is optimized through robust load balancing algorithms. Also, authentication, authorization, and encryption policies secure service-to-service communications protecting the services and data in the mesh with the possibility to expand to VM and across clusters. 7 Troubleshooting service latency or errors gets a lot easier with the service mesh's rich set of metrics traces and logs aggregated by the service mesh, helping to pinpoint what went wrong and exactly where it happened rapidly, benefiting both developers and operators. Developers no longer need to worry about embedding libraries like service discovery, Transport Layer Security (TLS), or metrics into the application code, and instead, can focus on delivering new features and business values. Operators gain the visibility and control they need to manage microservices at scale. It helps them achieve a consistent operational model across all cloud-native applications by reducing the complexity of managing a distributed system. 8 In short, the main use cases of service meshes are Traffic Governance: configuring the mesh network to implement fine-grained traffic management policies, including connection and control of the traffic flow and API calls between services and all ingress and egress traffic to and from the mesh, without going back and changing the application. Security: Configuring and managing mTLSauthentication to ensure a traffic secure and trusted traffic between a client and server, including the ability to enforce service-level authentication with TLS or JSON web tokens Control: Configuring and enforcing of policies with Policy Repositories (PR), Policy Decision Points (PDP) andPolicy Enforcement Points (PEP), and managing load balancing Observability: generating extensive detailed telemetry, including metrics to understand cluster statuses, accelerate debugging, and improve system architecture readability, system resilience and system stability. 9 Who are the key service mesh players? Istio Cofounded by IBM, Google, and Ly in 2017, Istio currently supports Kubernetes and is developing into additional environments. An open-source project, Istio uses Envoy as a sidecar and is one of the most feature-rich service mesh available today. Its features include: Fully open-source Support for multi-cluster and mesh expansion Automated policy-based inter-service load-balancing (currently only with Kubernetes) Zero-Trust Security concept: Service communication is restricted to required services to minimize attack propagation Authenticating services 10 Inter-services encrypted traffic Security policies enforcement Unified and language agnostic standard task management Built in CA (Citadel) with the

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    29 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us