Scribd
Upload
322 views31 pages

7 Istio Service Mesh

This document discusses microservices architectures and the challenges of implementing them in a distributed environment. It introduces Istio as a service mesh solution that can help address issues like failure handling, traffic management, observability, and policy enforcement for microservices. Istio works by deploying Envoy proxies as sidecars to existing application containers, which mediate and control all network communication in a transparent manner.

Uploaded by

owmciwctoaiekvgjtp
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
322 views31 pages

7 Istio Service Mesh

This document discusses microservices architectures and the challenges of implementing them in a distributed environment. It introduces Istio as a service mesh solution that can help address issues like failure handling, traffic management, observability, and policy enforcement for microservices. Istio works by deploying Envoy proxies as sidecars to existing application containers, which mediate and control all network communication in a transparent manner.

Uploaded by

owmciwctoaiekvgjtp
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 31

CONFIDENTIAL Designator

OpenShift 4.x Architecture Workshop


Istio Service Mesh

July 2019
CONFIDENTIAL Designator

Microservices
Benefits and
Challenges
MICROSERVICES ARCHITECTURE
DISTRIBUTED

Service Service Service


HTML Javascript Web
Runtime Runtime Runtime
Service Service Service

Service Service Service Service Service Service

Data Access Runtime Runtime Runtime

Service Service Service


Application Server
Runtime Runtime Runtime

3 ISTIO WEBINAR
DISTRIBUTED COMPUTING CHALLENGES

Fallacies of Distributed Computing


● The network is reliable.
● Latency is zero.
● Bandwidth is infinite.
● The network is secure.
● Topology doesn't change.
● There is one administrator.
● Transport cost is zero.
● The network is homogeneous.

wikipedia.org/wiki/Fallacies_of_distributed_computing

4 ISTIO WEBINAR
DISTRIBUTED ARCHITECTURE

Service Service Service

Service Service Service

Service Service Service

5 ISTIO WEBINAR
MICROSERVICES ARE HARD

B D
C
H
Because applications must deal with Client A
F G
E
● Unpredictable failures
I
● End-to-end application correctness
● System degradation
● Topology changes
● Elastic/ephemeral/transient resources
● Distributed logs
● The fallacies of distributed computing

6 ISTIO WEBINAR
AN EXAMPLE

ACME Laptop 128GB $323.5 Pricing Engine


SSD, 8GB RAM 6 Reviews

Touchscreen
128GB SSD
Details/Specifications
8GB RAM
Core i3
Windows 10
Add to Cart

In-Store Pickup (15 available) Location-based availability


Raleigh, Central Ave, Store #1123
Recommendations People who purchased also...

7 ISTIO WEBINAR
CHAINING

8 ISTIO WEBINAR
CHAINING (FAILURE)

9 ISTIO WEBINAR
CHAINING (CASCADING FAILURE)

X X X X X

10 ISTIO WEBINAR
CONFIDENTIAL Designator

Traditional
Approaches
POSSIBLE SOLUTIONS

Have your developers do this:

● Circuit Breaking
● Bulkheading
● Timeouts/Retries
● Service Discovery
● Load Balancing
● Traffic Control

12 ISTIO WEBINAR
Container
Hystrix
JVM
service A Zuul

discovery
load-balancer Ribbon
resiliency
metrics Eureka
tracing
app logic Archaius

Need a library to support each


language/framework combination

13 ISTIO WEBINAR
WHAT ABOUT…?

POLYGLOT EXISTING
APPS APPS

14 ISTIO WEBINAR
Kubernetes exacerbates the problem

The trends of containerization,


microservices and hybrid/multi-cloud
deployments have created more
distributed applications than ever.

This has left enterprises unable to


connect, observe or secure or control
their services in a consistent way.

15 ISTIO WEBINAR
CONFIDENTIAL Designator

Enter the service


mesh
SERVICE MESH
A dedicated network for
service-to-service communications

Photo on Visual Hunt


A better way with a service mesh

Service

A service mesh provides a


Tracing transparent and
Circuit Breaker language-independent network for
Routing connecting, observing, securing
Svc Discovery Service
and controlling the connectivity
Config
between services.

Container Platform
Platform
(+ Service Mesh)

...2014 2018

18 ISTIO WEBINAR
19 ISTIO WEBINAR
ISTIO’S CAPABILITIES AT 10,000 FEET

Traffic Management.
Rules and traffic routing lets you control the flow of traffic and API calls between services.

Service Identity and Security.


Enforce consistently across diverse protocols and runtimes with little or no application changes.

Policy Enforcement.
Apply to the interaction between services and ensure they are enforced. Changes are made by
configuring the mesh, not by changing application code.

Observability.
Gain understanding of the dependencies between services and the nature and flow of traffic between
them, providing the ability to quickly identify and fix issues.

20 ISTIO WEBINAR
MICROSERVICES WITH ISTIO
connect, manage, and secure microservices transparently

Pod

Sidecar Container
Pod Istio Logic Pod

Sidecar Container Sidecar Container


Microservice Container
Istio Logic Istio Logic
App/Service B
Microservice Container Microservice Container

App/Service A App/Service C

21 ISTIO WEBINAR
WHAT IS A SIDECAR?

A proxy instance that abstracts common logic away from individual services

SIDECAR PATTERN
POD
● A utility container in the same pod to SIDECAR
enhance the main container’s functionality
● Share the same network and lifecycle
● Istio uses an Istio Proxy (L7 Proxy) sidecar APP

to proxy all network traffic between apps

22 ISTIO WEBINAR
ISTIO PROVIDES BOTH CONTROL AND DATA PLANES

The data plane is composed of a set of


intelligent proxies (Envoy) deployed as
Data
sidecars that mediate and control all Plane App App App
App
network communication between
microservices. Pod
Envoy
Pod
Envoy
Pod
Envoy
Pod
Envoy

The control plane is responsible for Control


managing and configuring proxies to Plane
route traffic, as well as enforcing
policies at runtime.

23 ISTIO WEBINAR
COMPONENTS OF ISTIO

Envoy, originally from Lyft - it’s an intelligent


It’s the
proxy. Highly parallel non-blocking, network sidecar
filtering, service discovery, health checking, Envoy Envoy Envoy Envoy
dynamically configurable.
Data
Plane
Pilot, the component responsible for App App App App
managing a distributed deployment of Envoy Pod Pod Pod Pod
proxies in the service mesh. Intelligent routing,
traffic mgmt, resiliency

Mixer, which provides the policy and access Control Pilot Mixer Citadel
control mechanisms within the service mesh. Plane
Monitoring, reporting, quotas - plugin-based.

Citadel, control service-service traffic based


on origin and user. Key mgmt certificate
authority.

24 ISTIO WEBINAR
WHAT DOES CONNECT MEAN?

.2.3
io n=1
Vers

Ve
rs
io
n
=
1.2
.4
Discovery and Routing: Decoupled from infrastructure, load balancing modes, dynamic routing...
Advanced Deployments: A/B testing, gradual rollouts, canary releases, mirroring...
Failure, Health, and Testing: timeouts, retries, circuit breakers, fault injection, active health checks...

25 ISTIO WEBINAR
HOW DO YOU SECURE SERVICES?

Security by default Defense in depth Zero-trust network


no changes needed for integrate with existing security build security solutions on
application code and systems to provide multiple layers untrusted networks
infrastructure of defense

26 ISTIO WEBINAR
WHAT CAN YOU CONTROL?

Restrict to 2 requests per second per IP :


quotas:
- name: requestcount.quota.istio-system
overrides:
- dimensions:
destination: someservice
maxAmount: 2

Exempt if:
match(request.headers["cookie"], "user=*") == false

Set and Check Policy: Open-ended, connection limits, rate limits, simple denials, lists

27 ISTIO WEBINAR
HOW CAN YOU OBSERVE?

Understand how your services are operating: Metrics, tracing, network visibility

28 ISTIO WEBINAR
ISTIO AVAILABILITY
Istio 1.0!
● After over a year of work,
● ~200 developers
● Google, IBM, VMWare, Cisco, Red Hat, others...
● Adaptors for many monitoring systems

Istio on OpenShift
● Available in Dev Preview today (3.10)
● GA coming soon (4.1)

29 ISTIO WEBINAR
ISTIO ON OPENSHIFT
Istio on OpenShift
● Available in Dev Preview today (3.10)
● GA coming soon (4.1)
● Istio is an “operator first product” (using Operator Framework)
○ https://github.com/Maistra/istio-operator
○ The operator manages the install (eventually updates)
○ Istio is delivered as containers, not RPMs

30 ISTIO WEBINAR
TRY IT YOURSELF
https://learn.openshift.com/servicemesh/

31

You might also like