Don’t assume your API Gateway is ready for microservices
Flynn flynn@datawire.io
4
Interesting Times: Microservices
The good
• Velocity, velocity, velocity
• Ownership
• Freedom
• Velocity
The bad
• Lots of cats to herd
• Independent releases and deployments
• Inherently a distributed system!
• Fragility, latency, nonobservability, cascading failures…
5
Interesting Times: Microservices
The ugly: fixing “the bad” is really hard.
• Example: retry on network failure
• Sounds simple, but there are a lot of details!
• Not too quickly, not too many times, should often do exponential backoff…
• It’s just not feasible for all devs to independently get it right.
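To make the "lot of details" concrete, here is an added example (not code from the talk or from Envoy) of the retry logic the slide is hinting at: capped exponential backoff with full jitter, a bound on the number of retries, and a retry budget of the kind Envoy offers, so retries stay a fixed fraction of real traffic instead of piling onto an upstream that is already failing. `TransientError`, `RetryBudget` and the `flaky_op_factory` stand-in for a network call are constructed for this demo; `sleep` and `rng` are injectable so the behaviour is deterministic in tests.

```python
import random
import time
from dataclasses import dataclass


class TransientError(Exception):
    """A failure worth retrying, e.g. a connection reset; anything else is not retried."""


@dataclass
class RetryBudget:
    """Retries are allowed only while they stay below `ratio` of all recent attempts
    (with a small floor so low-traffic callers can still retry at all). Counting attempts
    rather than calls keeps retry volume proportional to real traffic, so a struggling
    upstream is not buried under a retry storm."""
    ratio: float = 0.2
    min_retries: int = 3
    attempts: int = 0
    retries: int = 0

    def can_retry(self) -> bool:
        allowed = max(self.min_retries, int(self.attempts * self.ratio))
        return self.retries < allowed

    def record(self, is_retry: bool) -> None:
        self.attempts += 1
        if is_retry:
            self.retries += 1


def backoff_delay(attempt: int, base: float = 0.1, cap: float = 5.0, rng=random.random) -> float:
    """Seconds to wait before retry number `attempt` (1-based): exponential growth, capped,
    then scaled by full jitter so clients that failed together do not retry together."""
    return rng() * min(cap, base * (2 ** (attempt - 1)))


def call_with_retry(op, budget: RetryBudget, max_retries: int = 3,
                    sleep=time.sleep, rng=random.random):
    """Call op(); on TransientError retry up to max_retries times while the budget allows.
    Returns (result, attempts_used); re-raises the last TransientError when giving up."""
    attempt = 0
    while True:
        budget.record(is_retry=attempt > 0)
        try:
            return op(), attempt + 1
        except TransientError:
            attempt += 1
            if attempt > max_retries or not budget.can_retry():
                raise
            sleep(backoff_delay(attempt, rng=rng))


def flaky_op_factory(fail_times: int):
    """Constructed stand-in for a network call: fails `fail_times` times, then succeeds."""
    calls = {"n": 0}

    def op():
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise TransientError("connection reset")
        return "ok"

    return op, calls


if __name__ == "__main__":
    op, calls = flaky_op_factory(2)
    print(call_with_retry(op, RetryBudget(), sleep=lambda s: None))  # ('ok', 3)
```

The budget is the part most hand-rolled retry loops forget: without it, a dependency that starts failing sees its traffic multiply by the retry count at exactly the moment it can least afford it, which is how one slow service turns into the cascading failure from the previous slide.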
6
What Do We Do About This?
Reduce operational friction
• Automate or eliminate needless operational touchpoints
Move the Hard Stuff™ down into your infrastructure layer
• Get it right once
• Let everyone use it
• This is the concept of a service mesh
7
Service Mesh
Service mesh is about collecting services into an application
• Give dev & ops the experience they had with a single host
• Visibility, resiliency, control, security, policy
So how does a service mesh work?
8
We start with the Envoy proxy …
C++ L4/L7 reverse proxy
Built at Lyft, and brutally battle-tested
• hundreds of services, tens of thousands of VMs, millions of requests per second
• includes support for many mesh features
• increasingly active community
HTTP/2 & gRPC
Zone-aware load balancing w/ failover
Health checks, circuit breakers, timeouts, retry budgets
No hot reloads - API-driven config updates
9
And then use something to manage a fleet of Envoys … Istio
“Network for services instead of bytes”
Built by IBM and Google using Envoy
• ~2200 GitHub stars, 40+ engineers 😀
• rather than having libraries, just put an Envoy sidecar next to each service
• load balancing
• retries
• rate limiting
• telemetry and monitoring
10
Recap: Service Mesh
[Diagram: six services joined by the mesh, which supplies resilience, observability, and security]
13
With microservices, you want to extend resilience, observability, and security to the edge.
[Diagram: client → API Gateway → services, with resilience, observability, and security now covering the edge as well]
15
Ambassador
Self-service API gateway, built on Envoy
• Built for Kubernetes
• Provides routing, TLS termination, authentication
• Istio integration for observability, security, resilience
• HTTP/2 & gRPC support
16
Ambassador: Routing
Self-service routing, TLS, and authentication
• Understands HTTP(S) URLs
• route resource to service
• “resource” identified by URL path prefix
• “service” is… a Kubernetes service
• routes all HTTP methods
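An added example (not Ambassador's code or configuration) of what "route a resource, identified by a path prefix, to a service, for all HTTP methods" has to get right: prefixes are normalized so `/api` cannot match `/apikeys/...`, the longest matching prefix wins so `/api/v2/` can override `/api/`, the matched prefix is rewritten before forwarding, and the query string is carried through untouched. The `Mapping` class, the `rewrite` field and the `ROUTES` table are constructed for this demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Mapping:
    """One routing rule: a resource (URL path prefix) sent to a Kubernetes service.
    `rewrite` replaces the matched prefix before forwarding. Method-agnostic, as on the slide."""
    prefix: str
    service: str
    rewrite: str = "/"


def normalize_prefix(prefix: str) -> str:
    """Anchor at the root and end with '/' so '/api' cannot silently match '/apikeys/...'."""
    if not prefix.startswith("/"):
        prefix = "/" + prefix
    if not prefix.endswith("/"):
        prefix += "/"
    return prefix


class PrefixRouter:
    def __init__(self, mappings: List[Mapping]):
        self._mappings = [Mapping(normalize_prefix(m.prefix), m.service, m.rewrite)
                          for m in mappings]

    def resolve(self, url_path: str) -> Optional[Tuple[str, str]]:
        """Return (service, upstream_path) for the longest matching prefix, else None (404).
        The query string is never inspected for routing and is passed through as-is."""
        path, sep, query = url_path.partition("?")
        probe = path if path.endswith("/") else path + "/"   # so '/qotm' hits the '/qotm/' rule
        best = None
        for m in self._mappings:
            if probe.startswith(m.prefix) and (best is None or len(m.prefix) > len(best.prefix)):
                best = m
        if best is None:
            return None
        # Strip the prefix from the real path (not the probe) so no trailing slash is invented.
        remainder = path[len(best.prefix):] if path.startswith(best.prefix) else ""
        upstream = best.rewrite.rstrip("/") + "/" + remainder
        return best.service, upstream + sep + query


# Constructed routing table; service names are Kubernetes service names.
ROUTES = PrefixRouter([
    Mapping("/qotm/", "qotm"),
    Mapping("/api", "api-v1"),
    Mapping("/api/v2/", "api-v2", rewrite="/v2/"),
])

if __name__ == "__main__":
    for url in ("/qotm/quote/1?lang=en", "/api/v2/users", "/apikeys/1"):
        print(url, "->", ROUTES.resolve(url))
```

The normalization step is the one with security weight: a gateway that matches raw string prefixes lets a request for `/admin-public/...` land on whatever `/admin` was routed to, and an auth policy keyed on the prefix then applies to the wrong service.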
17
Ambassador: Self Service
Self-service routing, TLS, and authentication
• Developer can route resources to their service on their own
• Simple REST interface for routing control
• “Move fast and make things”
• reduce friction, so no ops gate for a new release
• …but also no ops gate for a rollback!
18
Ambassador: TLS
Self-service routing, TLS, and authentication
• Ambassador can terminate TLS
• Tell Ambassador about certificates
• Ambassador will accept HTTPS connections
• TLS client-certificate authentication, too
19
Ambassador: Custom Authentication
Self-service routing, TLS, and authentication
• REST API to outboard authentication service:
• auth service gets HTTP request headers
• return HTTP status code
• Applies to all microservices
• if a microservice gets a connection, auth said OK
• of course, the auth service could allow public access to some microservices!
• Supplied auth service for HTTP Basic Auth
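An added example of the contract this slide describes, modelled in-process rather than over HTTP (it is not Ambassador's supplied auth service and does not use Ambassador's actual REST API): `authorize()` receives the request path and headers and returns an HTTP status, 200 meaning "forward to the microservice" and anything else going straight back to the client; some prefixes are deliberately public; the credential check is HTTP Basic against a constructed PBKDF2-hashed user store with a constant-time comparison. `gateway()` shows the other half of the contract, including the detail that matters most in this design: the gateway must discard any client-supplied copy of the identity header it adds, or every downstream service that trusts that header is spoofable. Header dicts are assumed to carry lowercase keys.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

# Constructed demo credential store: username -> PBKDF2 digest; plaintext passwords are never kept.
# A real service uses a random per-user salt; one fixed salt is used here only to keep the demo short.
_SALT = b"demo-only-salt"


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 10_000)


USERS: Dict[str, bytes] = {"alice": _digest("correct horse")}

# Resources the auth service deliberately leaves open (the slide's "public access" case).
PUBLIC_PREFIXES = ("/public/", "/healthz")

# Header the gateway sets for upstream services; it must never be trusted from the client.
IDENTITY_HEADER = "x-authenticated-user"


def basic_header(user: str, password: str) -> str:
    """Build a Basic credential the way a client would (used for the constructed test traffic)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic(authorization: str) -> Optional[str]:
    """Return the username if the Authorization header carries valid Basic credentials."""
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Hash even for unknown users so a wrong name costs the same as a wrong password,
    # and compare digests in constant time.
    expected = USERS.get(user, _digest(""))
    if hmac.compare_digest(expected, _digest(password)) and user in USERS:
        return user
    return None


def authorize(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """The outboard auth decision: request headers in, HTTP status out.
    200 means the gateway may forward; any other status goes straight back to the client."""
    if path.startswith(PUBLIC_PREFIXES):
        return 200, {}
    user = check_basic(headers.get("authorization", ""))
    if user is None:
        return 401, {"www-authenticate": 'Basic realm="ambassador"'}
    return 200, {IDENTITY_HEADER: user}


def gateway(path: str, headers: Dict[str, str],
            upstream: Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str]]]):
    """Gateway side: consult authorize(); forward only on 200, after discarding any
    client-supplied identity header so the upstream sees only what the gateway vouched for."""
    status, extra = authorize(path, headers)
    if status != 200:
        return status, extra
    forwarded = {k: v for k, v in headers.items() if k.lower() != IDENTITY_HEADER}
    forwarded.update(extra)
    return upstream(path, forwarded)


if __name__ == "__main__":
    echo = lambda p, h: (200, h)   # constructed upstream that just reflects its headers
    print(gateway("/qotm/", {"authorization": basic_header("alice", "correct horse")}, echo))
```

Because the decision runs once at the edge for every service, the public-prefix list is the whole of the "this microservice is open" policy; a service behind the gateway that assumes "if I got a connection, auth said OK" is relying on that list being correct, which is an argument for keeping it short and reviewed.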
20
Ambassador Roadmap
Ambassador is under active development
Better integration with Istio
• still support standalone ops
First-class custom filters
• embedded interpreter
Rate limiting, authorization, etc.
http://getambassador.io/ for more
21
Demo and Q&A
http://getambassador.io/
ambassador@datawire.io
@datawire.io