Connecting, Managing, Observing, and Securing Services

Slides:



Advertisements
Similar presentations
New Directions in Enterprise Network Management Aditya Akella University of Wisconsin, Madison MSR Networking Summit June 2006.
Advertisements

New Solutions to New Threats. The Threats, They Are A Changing Page 2 | © 2008 Palo Alto Networks. Proprietary and Confidential.
A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.
Windows Network Policy Server Fundamentals Ranjana Jain MCSE, MCT, RHCE, CISSP, CIW Security Analyst IT Pro Evangelist Microsoft India
® IBM Software Group © IBM Corporation IBM Information Server Service Oriented Architecture WebSphere Information Services Director (WISD)
Getting Started with Oracle Compute Cloud
Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.
Microsoft and Community Tour 2011 – Infrastrutture in evoluzione Community Tour 2011 Infrastrutture in evoluzione.
Open Source Open Standards Example of OpenSER with OSP
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.
1 Server Business Logic & OAuth Beta Overview October 4, 2010 Alan Hantke Product Development Server Business Logic Intuit Partner Platform Diane Weiss.
Towards Secure and Dependable Software-Defined Networks Fernando M. V. Ramos LaSIGE/FCUL, University of Lisbon
Software Defined Networking BY RAVI NAMBOORI. Overview  Origins of SDN.  What is SDN ?  Original Definition of SDN.  What = Why We need SDN ?  Conclusion.
MySQL HA An overview Kris Buytaert. ● Senior Linux and Open Source ● „Infrastructure Architect“ ● I don't remember when I started.
Copyright © 2006, Oracle. All rights reserved Oracle Web Services Manager.
Presented by Michael Rainey South Mississippi Linux Users Group
DISA Cyclops Program.
Netscape Application Server
OpenLegacy Training Day Four Introduction to Microservices
Securing the Network Perimeter with ISA 2004
Using Microsoft Identity Manger with SharePoint 2016 to fill the User Profile Sync Gap Max Fritz Senior Systems Consultant Now Micro.
Author: Ragalatha P, Manoj Challa, Sundeep Kumar. K
CoreDNS and Kubernetes
Power BI Security Best Practices
Secure communication among services
Certificate and Secret Management Services
Hyperledger Fabric Roadmap
Introduction to Microservices Prepared for
Bring new levels of visibility to your datacenter with Cisco Tetration
Chapter 4: Switched Networks
iWay Sentinel: Centralized Monitoring and Management Inessa Gerber
2018 Real Cisco Dumps IT-Dumps
Confidential – Oracle Internal/Restricted/Highly Restricted
Kubernetes Container Orchestration
Welcome! Power BI User Group (PUG)
OpenStack Octavia, Kubernetes, and Terraform
Moving Cloud Services to Service Fabric
Sherwood Zern Consulting Solutions Architect Oracle A-Team
Securing Cloud-Native Applications Jason Schmitt CEO
HP Networking OpenFlow in Action
Yellowfin: An Azure-Compatible Business Intelligence Platform That Connects People with Their Data for Better Decision Making MICROSOFT AZURE APP BUILDER.
Kubernetes intro.
Logsign All-In-One Security Information and Event Management (SIEM) Solution Built on Azure Improves Security & Business Continuity MICROSOFT AZURE APP.
Arrested by the CAP Handling Data in Distributed Systems
Goals Introduce the Windows Server 2003 family of operating systems
Welcome! Power BI User Group (PUG)
Getting Started with Kubernetes and Rancher 2.0
Cloud Analytics for Microsoft Azure
Requirements for Client-facing Interface to Security controller draft-ietf-i2nsf-client-facing-interface-req-02 Rakesh Kumar Juniper networks.
Container cluster management solutions
Module P3 Practical: Building a webapp in nodejs and
Frankenstein Microservices
MicroProfile Meets Istio
Platform Architecture
ECA – Endpoint Context Agent
Why Build Another Application Server
A DevOps világ következő kedvence
Stretching your application from OpenStack into Public Cloud
OpenShift as a cloud for Data Science
Kubernetes.
OpenStack Summit Berlin – November 14, 2018
Nagios with The Decision Engine Implementing Passive Checks
Calypso Service Architecture
ISTIO & ENVOY – Security
Enterprise Use Cases and A-Level Attestation
Enterprise Use Cases and A-Level Attestation
ONAP Architecture Principle Review
.NET Core and Kubernetes
Presentation transcript:

Connecting, Managing, Observing, and Securing Services QCon SF - Nov 5, 2018 Zack Butcher

Intro Zack Butcher Core Contributor to Istio Founding Engineer, Tetrate @ZackButcher on Twitter

Agenda The Problem Shape of the Solution A Brief Tour of Service Meshes Dive Into Istio Architecture Use Cases Demo

The Problem IT’s shift to a modern distributed architecture has left enterprises unable to connect, monitor, manage, or secure their services in a consistent way.

The Problem modern distributed architecture container based services deployed into dynamic environments composed via the network

The Problem IT’s shift to a modern distributed architecture has left enterprises unable to connect, monitor, manage, or secure their services in a consistent way.

Connect Get the network out of the application. Service Discovery Resiliency retry, circuit breaking, timeouts, lame ducking, etc. (Client Side) Load Balancing

Monitor Understand what’s actually happening in your deployment. Metrics Logs Tracing

Manage Control where and how requests flow, and which requests are allowed. Fine grained traffic control L7, not L4! Route by headers, destination or source ID, etc Policy on requests Authn/z, rate limiting, arbitrary policy based on L7 request metadata

Secure Elevate security out of the network. (L7) Workload Identity IP:port is not an identity Reachability != Authorization Service-to-Service Authn/z

The Service Mesh The goal of a service mesh is to move this functionality out of the application so application developers don’t need to worry about it. Consistency across the fleet Centralized control Fast to change (update config to affect change, not redeploy)

Istio Istio is a platform to connect, monitor, manage, and secure services consistently.

How Istio Works A B call

How Istio Works 1. Deploy a proxy (Envoy) beside your application (“sidecar deployment”) Envoy A Envoy B call

2. Deploy Galley to configure the rest of the Istio control plane How Istio Works 2. Deploy Galley to configure the rest of the Istio control plane Envoy A Envoy B config Galley

3. Deploy Pilot to configure the sidecars How Istio Works 3. Deploy Pilot to configure the sidecars Envoy A Envoy B config Galley config Pilot

3. Deploy Mixer to get telemetry and enforce policy How Istio Works 3. Deploy Mixer to get telemetry and enforce policy Envoy A Envoy B telemetry policy decisions Galley Pilot Mixer

4. Deploy Citadel to assign identities and enable secure communication How Istio Works 4. Deploy Citadel to assign identities and enable secure communication Envoy A Envoy B certs Galley Pilot Mixer Citadel

How Istio Works Envoy A Call Envoy B Galley Pilot Mixer Citadel

How Istio Works Envoy A Envoy B Galley Pilot Mixer Citadel

How Istio Works Envoy A Envoy B Call Galley Pilot Mixer Citadel

How Istio Works Envoy A Envoy B Policy Galley Pilot Mixer Citadel

How Istio Works Envoy A Envoy B Galley Pilot Mixer Citadel

How Istio Works Envoy A Envoy B Response Galley Pilot Mixer Citadel

How Istio Works Envoy A Envoy B Telemetry Galley Pilot Mixer Citadel

Architecture Control Plane API Mixer Pilot Citadel Galley Service A Service B proxy HTTP/1.1, HTTP/2, gRPC or TCP -- with or without mTLS Pilot Citadel Config data to Envoys TLS certs to Envoys Policy checks, telemetry Galley Pilot: Control plane to configure and push service communication policies. Envoy: Network proxy to intercept communication and apply policies. Mixer: Policy enforcement with a flexible plugin model for providers for a policy. Citadel: Service-to-service auth[n,z] using mutual TLS, with built-in identity and credential management. Galley: Configuration validation, distribution* *not yet, but upcoming in 1.1

Demo Cluster A Details Reviews v1 User Traffic Product Page Ingress Ratings Reviews v3

Demo End State Cluster A Cluster B Details User Traffic Ingress CoreDNS CoreDNS Details User Traffic Ingress Product Page Ingress Reviews v1 Reviews v2 Ratings Ingress Reviews v3

Demo Step 1 Cluster A Cluster B User Traffic Ingress Product Page CoreDNS CoreDNS User Traffic Ingress Product Page Ingress Details Reviews v1, v2, v3 Ratings

Demo Step 2 (Oops!) Cluster A Cluster B Details User Traffic Ingress CoreDNS CoreDNS Details User Traffic Ingress Product Page Ingress Reviews v1 Reviews v2 Ratings Reviews v3

Demo End State Cluster A Cluster B Details User Traffic Ingress CoreDNS CoreDNS Details User Traffic Ingress Product Page Ingress Reviews v1 Reviews v2 Ratings Ingress Reviews v3

Thanks! Istio: https://istio.io https://github.com/istio @IstioMesh on Twitter Coddiwomple (config gen tool): https://github.com/istio-ecosystem/coddiwomple Istio CoreDNS plugin: https://github.com/istio-ecosystem/istio-coredns-plugin Me: @ZackButcher on Twitter

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.