“Service mesh is going to go through this wonderful phase of growth,” said Chris Aniszczyk, CTO/COO of the Cloud Native Computing Foundation (CNCF). As companies adopt Kubernetes, break apart their monoliths and start to modernize, they begin to look for solutions to traffic management and they need to observe their systems at another level. That’s where service mesh comes in, and this is the kind of fundamental thing that CNCF wants to grow and support.
Matt Klein, the creator of Envoy, says he had greatly underestimated the market demand for a proxy that could be used in a generic way. The Lyft software engineer wrote Envoy as a “communication bus” to handle issues like rate limiting, circuit breaking, and load balancing. It facilitates network-transparent applications and allows developers to focus on business logic rather than debugging and network management.
The keynote at Tetrate’s Service Mesh Day 2019 spoke about the rise of Envoy, its ecosystem, and its growth from a proxy into more of a platform.
Tetrate’s Zack Butcher gave a whirlwind session, a “Practical Guide to Istio,” at DockerCon in San Francisco last week; it was one of the five top-rated talks at the conference. He pointed to five traits of successful service mesh adopters.
#1. They’re focused on a single pain point.
Tetrate CEO Varun Talwar kicked off Service Mesh Day, the first ever industry conference on service mesh, with a few words about what had brought the standing-room-only crowd, from a variety of organizations and industries, together.
From the 10,000-foot view, compute density is growing. Users need more compute, network and storage capacity. The shift to microservices and containers has enabled organizations to keep growing with necessary speed, but has opened the door to the networking problems encapsulated by the well-known eight fallacies of distributed computing.
Enter service mesh.
“The way we think of service mesh is an application-aware networking layer,” said Talwar. “And when I say applications, I mean everything. I don’t just mean containers. I mean, brownfield, greenfield applications on containers, virtual machines, bare metal and serverless functions.”
Talwar welcomed an amazing lineup of conference speakers. They included service mesh stalwarts like Envoy creator Matt Klein, Eric Brewer, the VP of infrastructure at Google Cloud, Larry Peterson, CTO of the Open Networking Foundation, who would talk about how modern networking is moving to the application layer, as well as end users from organizations like Yelp, Square, Salesforce, ING and more who are deploying Envoy and thinking about app security rather than perimeter security and services, rather than servers. Cloud providers like Nick Coult (AWS) and Prajakta Joshi (Google Cloud) would describe how they’re putting in policy-based mesh into public cloud environments to control traffic. Check out the full playlist.
But before kicking off the agenda, Talwar sought to set straight a few myths about service mesh:
Myth #1: You do service mesh after Kubernetes.
Organizations can use mesh to containerize and go from VMs to containers, as Tetrate engineer Dhi Aurrahman, with Prajakta Joshi, would later describe.
Myth #2: Service mesh only works in containers.
Service mesh can work equally well on VM and containers. This would be the topic of a session on Istio and Envoy for VM and Kubernetes Workloads presented by Tetrate’s Shriram Rajagopalan.
Myth #3: Service mesh is hard to adopt.
Adopters tend to begin using service mesh in a three-step journey. Most people are starting from ingress, because it’s less complex than taking it all the way into individual services. Second, users will take requests from ingress all the way to an actual sidecar, or running workload, in what’s often called east-west traffic management. And in step three, they introduce security from ingress to the running workload.
Tetrate’s offerings tame the complexities of service mesh adoption. GetEnvoy provides organizations with certified, compliant builds of Envoy. Without peace of mind and confidence about security compliance and the ability to upgrade, companies won’t get close to putting Envoy into production. Apache SkyWalking, founded by Tetrate engineer Sheng Wu, is an APM and observability tool that’s widely adopted in China; it integrates with service mesh and answers the need for operators to have a unified and meaningful map of their entire network’s performance. And the newly announced Tetrate Q adopts Next Generation Access Control (NGAC) for the multi-cloud world, to be described in an NGAC session with David Ferraiolo of NIST and Tetrate engineer Ignasi Barrera.
Service Mesh Day was organized by Tetrate and sponsored by Google Cloud, Juniper Networks, Capital One, Cloud Foundry, AWS, the Cloud Native Computing Foundation, the Open Networking Foundation (ONF) and the OpenStack Foundation.
All right. Welcome everyone to the first service Mesh Day. My name is Varun. I am the founder and CEO of Tetrate and thank you all for coming. Uh, this is the first industry conference focused on service Mesh. I would like to thank all of you, our speakers and most importantly all of our sponsors, CNCF, ONF and OpenStack foundation, our diamond sponsor Google Cloud, gold sponsor Juniper Networks, silver sponsor Capital One, Bronze sponsors, Cloud Foundry Foundation and AWS. So there’s … who all are here. There’s within the community here. There are end users. There’s startups, there is cloud providers, there is 200 plus organizations which registered and it looks like quite a few showed up. So that’s great. I’m super excited about it, so there is clearly interest in the space.
But before we get into the amazing lineup of speakers, I just wanted to set context for the day for spend like just five minutes on this, as to why is, what are we hearing about service mesh? Why is it even an interesting area? So if you just step back from all the noise, what is happening in industry, it is a computes growing computes going everywhere, amount of computers, growing, the density of computers growing. Um, and this is numbers from uh, uh, one of the largest networking companies in the world, um, and their research from 2016 to 2021. So not just network storage, which is growing 27%, but correspondingly compute, um, is growing and compute densities growing both in data center as well as cloud. So what does it mean when you have lots of compute and distributed? What happens? Networking to connect, which is an n by n problem is, is the one which is becoming extremely complex. And that’s the space that we are here to talk about – networking.
The other thing that’s happening because of containers and microservices, and that’s one of the factors why compute density is growing, um, is the promise of microservices is great. You move fast, every team runs at their own speed. But we all know that when you break one process into multiprocessors, it’s the all of the networking problems, commonly known, eight fallacies of distributed computing. We’re all familiar with that. We can’t assume a bunch of characteristics about the network.
So how do we think about service mesh? So today you’ll hear from, you know, um, stalwarts like Eric who is the VP of infrastructure at Google Cloud. Um, Larry Peterson, who was the CTO for Open Networking Foundation on how networking is moving to the application layer. The way we think of service mesh is an application aware networking layer. And when I say applications, I mean everything. I don’t just mean containers, I mean brownfield, greenfield, VMs, serverless functions, next thing that’s yet to be discovered. Um, so that’s how we think about, uh, the space. So as complexity moves to network, um, there’s a few things that we, concepts that we have to rethink. Um, and you’ll again hear from Matt will go over Envoy and Envoy roadmap and how Envoy is one of those first proxies that thought about proxying to services, not IP addresses.
You’ll hear from, um, end users of Envoy, like, Yelp, Square, Salesforce. There’s a bunch of in this room who are deploying Envoy and thinking of services, not servers. You’ll hear from a cloud providers, Nick, uh, from AWS, Prajakta from Google Cloud, how they are putting in policy based mesh into their public cloud environments to think about all traffic policies. You’ll hear from end users like ING who were thinking about putting security into application and thinking about app security in our perimeter security. So as you go through this, just day to day, I think you’ll get a lot of the concepts conveyed into why, you know, how the rethink is happening?
So, but before we kick off the great agenda that I want to debunk a few myths about service mesh. I call them myths because I think they’re not real, but there’s quite a bit of confusion around them.
Myth number one, you do service mesh after Kubernetes. So there’s a talk today from one of the engineers at Tetrate, Dhi, and Prajakta and they’ll talk about how you do mesh before you adopt Kubernetes. Why you do mesh to containerize and go from VM to containers.
Myth number two, which is it only works in containers. There was a reason when I was at Google, we, I personally and bunch of others fought for Istio to be a separate project. Um, and I still believe that’s the right case. Service mesh can work equally well on VMs and containers and a, there’s a talk today from Sriram, one of the engineers at Tetrate on how you work Istio natively both on VM and containers.
Myth number three, it’s hard to adopt. Um, so my next slide I’ll cover how we are seeing adoption in steps and I think that is how mesh is going to be adopted. So in terms of what we are seeing in terms of how people are starting to use service mesh is somewhat of a three step journey. Um, most people, um, we are seeing are starting from ingress, which is step one. Why is that? Um, primarily it’s an easier concept. It’s less intrusive. A pattern that is known to people. Um, you get to learn Envoy and then you can take it all the way into individual services where you get into protocols and performance characteristics and all of the complexities. Step number two is when you take requests from ingress all the way to actual sidecar and actual running workload, which often called east west traffic management. Um, and step number three, which you start to introduce security from all the way from ingress to the running workload. So that’s what we are seeing in terms of a probable adoption sort of path for service mesh.
So with that… I’ll take 30 seconds promotion preview for what Tetrate it is up to. So a few weeks ago we launched something called GetEnvoy, which is a way for you to get certified compliant builds of Envoy. Now for any end user to actually put Envoy in production, you need to have that peace of mind. You need to know it’s secure, compliant. I can upgrade it without which you’re not getting it close to production. Um, one other project, Sky Walking, Wu Sheng who is somewhere here. There. He is the author of Sky Walking. It’s an APM project done right for services. I’m happy to note there it’s graduating soon as a top-level Apache project and something that he’s worked hard to integrate with service mesh and Istio and those and it’s widely adopted in China.
Something that I’m really, really excited about, which we actually announced an hour ago is Tetrate Q. This is a fresh look at access control, which we are doing in collaboration with NIST. You’ll hear from David, David’s here somewhere in the room back there. David and Ignacio will touch upon what this is, but this is thinking about access control for modern infrastructure. All right, so I want, that’s what we are up to with that, I would like to invite our first speaker, Larry Peterson. Larry is the CTO for open Networking Foundation. He’s a director for Stanford Platform Labs, also a professor at Princeton University. Uh, I think of him as the father of SDN and the guy who created SDN and NFE. And today, we’re super excited to have him here to talk about how he thinks about future of networking in service mesh and multicloud world. So please welcome Larry.
Apache SkyWalking, the open source APM that Tetrate has embraced as the path to observability, was featured yesterday by The New Stack, the podcast and DevOps tech blog.
In “[SkyWalking: APM for the Heterogeneous New Stack](https://thenewstack.io/skywalking-apm-for-the-heterogeneous-new-stack/),” Susan Hall describes how SkyWalking founder Sheng Wu, who is now a Tetrate engineer, grew SkyWalking in just four years from a small project supported by a handful of volunteers into an Apache Top Level Project with hundreds of contributors, used in more than 70 companies. SkyWalking provides a “holistic platform for collection, aggregation and domain specific query system,” Wu told The New Stack. “It also is truly heterogeneous, in that it not only has agents for different systems, it also seamlessly blends service mesh in.”
Tetrate has endorsed SkyWalking as an essential tool for any company looking for a complete and meaningful map of their entire distributed system. SkyWalking became service-mesh ready with its latest release, 6.0, and will soon support service mesh observability directly from Envoy.
The New Stack highlighted the following SkyWalking features:
- A polyglot agent-based instrumentation mechanism.
- Agents in multiple languages, which tools focused solely on distributed tracing usually don’t provide, with auto-instrumentation supported in Java, .NET and Node.js.
- Performance: its CPU impact on the monitored application is less than 10%, even with a payload of just over 5k transactions per second/requests per second. This lightweight payload would support 100% trace sampling in production environments.
- Observability for distributed systems based on traditional, agent-based and service mesh architectures, with consistent analysis and visualization.
- Topology and dependency analysis without sampling.
- Easy operation and maintenance achieved directly by our clusters, without reliance on big data technology.
Check back soon for SkyWalking’s performance-boosting 6.1 release, expected at the end of May.
Analysts Jean Atelsek and William Fellows of 451 Research give their take on the role of service mesh as a cloud-native enabler, calling it a potential “Swiss Army Knife of modern-day software, solving for the most vexing challenges of distributed microservices based applications.”
The role of service mesh as a cloud-native enabler is building fast
In a multi-cloud, hybrid IT architecture world, where applications are deployed as microservices, the use of service meshes is becoming an important (although not mandatory) component of cloud-native architecture. Early deployments of the technology – which promises network routing, security and configuration control for microservices-based applications – are largely based on open source code, with Envoy emerging as a de facto standard data plane.
The Envoy security team today announced the availability of Envoy 1.9.1 to address two high-risk vulnerabilities related to header values and HTTP URL paths.
We also released the GetEnvoy build of Envoy 1.9.1 and the latest master build that fixes the vulnerabilities. Users are encouraged to upgrade to 1.9.1 or the latest master build to address the following CVEs:
- CVE-2019-9900: When parsing HTTP/1.x header values, Envoy 1.9 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
- CVE-2019-9901: Envoy 1.9 and before does not normalize HTTP URL paths. A remote attacker may craft a path containing relative segments, e.g. something/../admin, to bypass access control, e.g. a block on /admin. A backend server could then interpret the unnormalized path and provide an attacker access beyond the scope provided for by the access control policy.
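To make the two bug classes concrete, here is an added example (not Envoy’s code, and not the fix the Envoy team shipped): a header-value check that rejects embedded NUL bytes, and RFC 3986 dot-segment removal applied to the request path before a constructed “/admin” deny rule is evaluated, so that “/something/../admin” can no longer slip past it.

```cpp
#include <sstream>
#include <string>
#include <vector>

// CVE-2019-9900 class of bug: a header value carrying an embedded NUL can
// compare unequal to "admin" in a length-aware matcher while a C-string
// consumer downstream stops at the NUL and sees exactly "admin". The safe
// policy is to refuse such values outright rather than try to match them.
bool header_value_is_valid(const std::string& value) {
    return value.find('\0') == std::string::npos;
}

// CVE-2019-9901 class of bug: resolve "." and ".." segments before any
// path-based policy runs. Follows RFC 3986 section 5.2.4 dot-segment removal;
// ".." at the root is clamped, so "/../admin" becomes "/admin". Empty segments
// ("//") are collapsed, a trailing slash is preserved, and the query string /
// fragment is carried through untouched.
std::string normalize_path(const std::string& path) {
    const std::string::size_type q = path.find_first_of("?#");
    const std::string p = path.substr(0, q);
    const std::string suffix = (q == std::string::npos) ? "" : path.substr(q);

    std::vector<std::string> out;
    std::string seg;
    std::stringstream ss(p);
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!out.empty()) out.pop_back(); continue; }
        out.push_back(seg);
    }

    std::string result;
    for (const auto& s : out) result += "/" + s;
    if (result.empty()) result = "/";
    if (p.size() > 1 && p.back() == '/' && result != "/") result += "/";
    return result + suffix;
}

// Policy is evaluated on the normalized path, never on the raw request target.
// The "/admin" deny prefix is a constructed example, not Envoy's configuration.
// "/admin" and anything beneath it is denied; "/administrator" is not.
bool access_allowed(const std::string& raw_path) {
    const std::string normalized = normalize_path(raw_path);
    const std::string path_only = normalized.substr(0, normalized.find_first_of("?#"));
    static const std::string denied = "/admin";
    if (path_only.compare(0, denied.size(), denied) == 0 &&
        (path_only.size() == denied.size() || path_only[denied.size()] == '/')) {
        return false;
    }
    return true;
}
```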
By SHRIRAM RAJAGOPALAN, IGNASI BARRERA, and DAVID FERRAIOLO
Editor’s note: Tetrate Q has been folded into Tetrate Service Bridge, making Next Generation Access Control (NGAC, from NIST) a built-in feature for Tetrate’s service bridge platform.
The modern enterprise infrastructure is a mishmash of legacy infrastructure, SaaS services, a smattering of cloud-native platforms like Kubernetes, along with an aging access control system that struggles to keep up with all the changes in the enterprise as it marches toward modernization. We no longer live in a world where the infrastructure is full of pets and the users come from set geographies with fixed access patterns. Technology has enabled users to access applications from the convenience of their mobile phones, anytime, anywhere on the planet. The security perimeter that was once synonymous with the network perimeter has now disappeared.
BusinessWire – Tetrate works with Amazon Web Services to bring enterprise-grade Envoy to AWS App Mesh users
Tetrate, the recently launched enterprise service mesh company, today announced its support for the launch of Amazon Web Services (AWS) App Mesh, a cloud service that makes it easy to run microservices by providing consistent visibility and network traffic controls for each microservice in an application. The two companies will demonstrate AWS App Mesh and Tetrate GetEnvoy for Global 2000 enterprises for the first time at Service Mesh Day on March 29, 2019 in San Francisco.
AWS also rolled out new tools that make it easier for developers to navigate this new world across compute instances, containers, and serverless applications. One of these is App Mesh, a service mesh that allows customers to monitor and control communications across applications running in AWS Fargate (its serverless containers product), EC2 (compute instances), ECS (containers), Elastic Container Service for Kubernetes (managed Kubernetes containers), or Kubernetes.
It’s generally available today, and integrates with Tetrate, Datadog, HashiCorp, Sysdig, and SignalFx.