
Don't Assume Your API Gateway is Ready for Microservices


1

Don’t assume your API Gateway is ready for microservices

Flynn [email protected]

2

Poll: Are you development, operations, or something else?

3

Microservices

Long Release Cycle of Monolithic Apps

Faster Release Cycles of Microservices

4

Interesting Times: Microservices

The good
• Velocity, Velocity, Velocity
• Ownership
• Freedom
• Velocity

The bad
• Lots of cats to herd
• independent releases and deployments
• Inherently a distributed system!
• Fragility, latency, nonobservability, cascading failures…

5

Interesting Times: Microservices

The ugly: fixing “the bad” is really hard.
• Example: retry on network failure
• Sounds simple but there are a lot of details!
• Not too quickly, not too many times, should often do exponential backoff…
• It’s just not feasible for all devs to independently get it right.

6

What Do We Do About This?

Reduce operational friction
• Automate or eliminate needless operational touchpoints

Move the Hard Stuff™ down into your infrastructure layer
• Get it right once
• Let everyone use it
• This is the concept of a service mesh

7

Service Mesh

Service mesh is about collecting services into an application
• Give dev & ops the experience they had with a single host
• Visibility, resiliency, control, security, policy

So how does a service mesh work?

8

We start with the Envoy proxy …

C++ L4/L7 reverse proxy

Built at Lyft, and brutally battle-tested
• hundreds of services, tens of thousands of VMs, millions of requests per second
• includes support for many mesh features
• increasingly active community

HTTP/2 & gRPC

Zone-aware load balancing w/ failover

Health checks, circuit breakers, timeouts, retry budgets

No hot reloads - API driven config updates

9

And then use something to manage a fleet of Envoys … Istio

“Network for services instead of bytes”

Built by IBM and Google using Envoy
• ~2200 GitHub stars, 40+ engineers 😀
• rather than having libraries, just put an Envoy sidecar next to each service
• load balancing
• retries
• rate limiting
• telemetry and monitoring

10

Recap: Service Mesh

[Diagram: six Service boxes in a mesh, labeled Resilience, Observability, Security]

11

But what about exposing (some) of your service APIs to the Internet?

12

API Gateway

[Diagram: Client, API Gateway, three Service boxes]

13

With microservices, you want to extend resilience, observability, and security to the edge.

[Diagram: Client, API Gateway, three Service boxes; labels: Resilience, Observability, Security]

14

Poll: Do you currently use an API Gateway?

15

Ambassador

Self-service API gateway, built on Envoy
• Built for Kubernetes
• Provides routing, TLS termination, authentication
• Istio integration for observability, security, resilience
• HTTP/2 & gRPC support

16

Ambassador: Routing

Self-service routing, TLS, and authentication
• Understands HTTP(s) URLs
• route resource to service
• “resource” identified by URL path prefix
• “service” is… a Kubernetes service
• routes all HTTP methods

17

Ambassador: Self Service

Self-service routing, TLS, and authentication
• Developer can route resources to their service on their own
• Simple REST interface for routing control
• “Move fast and make things”
• reduce friction, so no ops gate for a new release
• …but also no ops gate for a rollback!

18

Ambassador: TLS

Self-service routing, TLS, and authentication
• Ambassador can terminate TLS
• Tell Ambassador about certificates
• Ambassador will accept HTTPS connections
• TLS client-certificate authentication, too

19

Ambassador: Custom Authentication

Self-service routing, TLS, and authentication
• REST API to outboard authentication service:
• auth service gets HTTP request headers
• return HTTP status code
• Applies to all microservices
• if a microservice gets a connection, auth said OK
• of course, the auth service could allow public access to some microservices!
• Supplied auth service for HTTP Basic Auth
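
The header-in, status-out contract on this slide, as an added example (not Ambassador's supplied auth service and not code from the talk): a minimal HTTP Basic Auth service that denies by default. The user store, the `/health` public prefix, port 8080, and the assumption that the gateway forwards the original request path to the auth service are all hypothetical.

```python
import base64
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample store: username -> (salt, PBKDF2-SHA256 hash).
USERS = {"alice": (b"constructed-salt", _hash("correct horse", b"constructed-salt"))}
# Hypothetical policy: path prefixes the auth service leaves public.
PUBLIC_PREFIXES = ("/health",)

def authorize(path: str, headers) -> int:
    """Return the status the gateway acts on: 200 allows, 401 denies."""
    if path.startswith(PUBLIC_PREFIXES):
        return 200
    # Header names are case-insensitive; normalise before the lookup.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "basic":
        return 401
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return 401
    user, sep, password = decoded.partition(":")
    if not sep:
        return 401
    # Unknown users still cost one hash, so timing does not reveal valid names.
    salt, expected = USERS.get(user, (b"dummy-salt", b"\x00" * 32))
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return 200 if ok and user in USERS else 401

class AuthHandler(BaseHTTPRequestHandler):
    def _check(self):
        status = authorize(self.path, self.headers)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="example"')
        self.end_headers()
    # The gateway routes all HTTP methods, so every method gets the same check.
    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = _check

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Any failure to parse the header returns 401, so a malformed request never reaches a microservice by accident.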

20

Ambassador Roadmap

Ambassador under active development

Better integration with Istio
• still support standalone ops

First-class custom filters
• embedded interpreter

Rate limiting, authorization, etc.

http://getambassador.io/ for more

21

Demo and Q&A

http://getambassador.io/

[email protected]

@datawire.io