The document discusses Istio Ambient Mesh, a new sidecar-less data plane contribution to the Istio project. Istio Ambient Mesh aims to reduce costs, simplify operations, and improve performance compared to traditional Istio sidecar proxies by using a proxy-per-node architecture instead of a proxy-per-pod. The presenter demonstrates installing and using Istio Ambient Mesh and discusses how it works and its potential benefits.
Istio Ambient Mesh in ACTION - Istio UG Singapore - 22June,2023
3. Istio User Group
SINGAPORE
Business Drivers for Application Modernization
● Reduce costs / shift CapEx to OpEx
● Access to innovation
● Increase flexibility and capacity of infrastructure
● Increase velocity of development
● Reduce risk
Monolithic -> Microservices
4. The Way We Build Applications
● Monolithic: on-prem, built on a VM + OS, large teams
● Microservices: cloud, built on Kubernetes, agile teams
5. Online Boutique Microservices Demo
Source: https://github.com/GoogleCloudPlatform/microservices-demo
6. Application Networking Challenges
● Service discovery
● Load balancing
● Timeouts
● Retry / retry budgets
● Circuit breaking
● Tracing, observability
● Secure transport
● Extension
9. Istio - Open Source Service Mesh
● 2017: Istio launched
● 2019-20: data plane enhancements
● 2019-2022: 7 new community releases, 1000s of production customers, ~1000 community contributors
● 2022: CNCF (Istio accepted as an incubating project)
16. Introducing Istio Ambient Mesh
A new, open source contribution to the Istio project that defines a new sidecar-less data plane.
Solo.io and Google are the lead contributors to Istio Ambient Mesh.
● Cost reduction
● Simplify operations
● Improve performance
17. Istio - Open Source Service Mesh
● 2017: Istio launched
● 2019-20: data plane enhancements
● 2019-2022: 7 new community releases, 1000s of production customers, ~1000 community contributors
● 2022: CNCF (Istio accepted as an incubating project)
● 2022: Ambient Mesh launched
18. Proxy per-node Architecture
[figure: Istio sidecar data plane, 1 pod/container = 1 proxy, versus Ambient Mesh data plane, 1 node = 1 proxy]
Move from a sidecar proxy per-pod architecture to a proxy per-node architecture.
The per-node proxy is ztunnel, which provides the L4 secure overlay for every ambient pod on its node. L7 features are served by separately deployed waypoint proxies, so "1 node = 1 proxy" describes the secure overlay rather than the whole data plane.
19. Istio Ambient Benefit - Reduced Cost
Blog: https://www.solo.io/blog/what-istio-ambient-mesh-means-for-your-wallet/
20. Istio Ambient Benefit - Simplify Operations
Simplify operations of the service mesh: upgrades | adding applications
"Making the Mesh Transparent to Applications"
21. Slicing the Layers
● The ambient approach splits Istio's functionality into two distinct layers
● Adopt Istio incrementally: no mesh -> secure overlay -> full L7 processing (on a per-namespace basis if needed)
● The secure overlay is provided by the per-node ztunnel; L7 processing is handled by a waypoint proxy (an Envoy instance deployed per namespace or per service account) that you add only where L7 features are needed
Secure Overlay Layer
Streamlined, low resource, high performance, with zero trust
● Traffic management: TCP routing
● Security: mTLS tunneling, simple (L4) authorization policies
● Observability: TCP metrics & logging
L7 Processing Layer
All features of the secure overlay PLUS …
● Traffic management: HTTP routing & load balancing, circuit breaking, rate limiting, fault injection, retry, timeout, etc.
● Security: rich (L7) authorization policies
● Observability: HTTP metrics, access logging and tracing
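The split above decides which AuthorizationPolicy fields each layer can enforce: ztunnel sees only the mTLS peer identity, addresses and the destination port, so any rule on HTTP methods, paths, hosts or request principals needs a waypoint. The following is an added example written for this page, not ztunnel or Istio code: a small Python model of Istio's documented AuthorizationPolicy evaluation order (DENY first, then ALLOW, allow-by-default when no ALLOW policy applies) that also classifies each policy as L4 or L7. Policy dicts mirror the fields of the real resource; the identities, namespace names and the checkoutservice port 5050 are constructed for the Online Boutique demo.

```python
"""Model of how Istio ambient splits AuthorizationPolicy enforcement between
the per-node ztunnel (L4 only) and a waypoint proxy (L7).

Added example for this deck; it is not ztunnel or Istio code. Policy dicts
mirror the fields of the AuthorizationPolicy resource; the identities, service
names and ports below are constructed (Online Boutique's checkoutservice is
assumed to listen on 5050, as in the demo manifests).
"""

# Attributes ztunnel can check on a plain TCP connection: the peer's mTLS
# identity (SPIFFE SAN), source/destination addresses and destination port.
# The fields below need the HTTP request parsed, i.e. a waypoint proxy.
L7_OPERATION_FIELDS = {"methods", "notMethods", "paths", "notPaths",
                       "hosts", "notHosts"}
L7_SOURCE_FIELDS = {"requestPrincipals", "notRequestPrincipals"}


def principal_from_spiffe(uri):
    """SPIFFE URI from the peer certificate -> 'principals' form in policy."""
    prefix = "spiffe://"
    if not uri.startswith(prefix):
        raise ValueError("not a SPIFFE ID: %r" % uri)
    return uri[len(prefix):]


def connection(spiffe_uri, dst_port):
    """The L4 facts ztunnel has about one inbound connection."""
    return {"principal": principal_from_spiffe(spiffe_uri), "port": dst_port}


def needs_waypoint(policy):
    """True if any rule uses an attribute ztunnel cannot evaluate."""
    for rule in policy.get("rules", []):
        for f in rule.get("from", []):
            if L7_SOURCE_FIELDS & set(f.get("source", {})):
                return True
        for t in rule.get("to", []):
            if L7_OPERATION_FIELDS & set(t.get("operation", {})):
                return True
        for cond in rule.get("when", []):
            if cond.get("key", "").startswith("request."):
                return True
    return False


def _source_matches(source, conn):
    principal = conn["principal"]            # cluster.local/ns/<ns>/sa/<sa>
    if "principals" in source and principal not in source["principals"]:
        return False
    if "namespaces" in source and principal.split("/")[2] not in source["namespaces"]:
        return False
    return True


def _operation_matches(operation, conn):
    return "ports" not in operation or str(conn["port"]) in operation["ports"]


def _rule_matches(rule, conn):
    # Istio semantics: an absent 'from' or 'to' matches anything; a present
    # list matches if any of its entries matches.
    from_ok = not rule.get("from") or any(
        _source_matches(f.get("source", {}), conn) for f in rule["from"])
    to_ok = not rule.get("to") or any(
        _operation_matches(t.get("operation", {}), conn) for t in rule["to"])
    return from_ok and to_ok


def _policy_matches(policy, conn):
    # No rules at all matches nothing: an ALLOW policy with empty rules is
    # Istio's allow-nothing pattern, whereas a single rule of {} matches all.
    return any(_rule_matches(r, conn) for r in policy.get("rules", []))


def evaluate(policies, conn):
    """Istio's order: DENY policies first, then ALLOW. With no ALLOW policy
    for the workload the connection is allowed by default."""
    for p in policies:
        if p.get("action", "ALLOW") == "DENY" and _policy_matches(p, conn):
            return "DENY"
    allows = [p for p in policies if p.get("action", "ALLOW") == "ALLOW"]
    if not allows:
        return "ALLOW"
    return "ALLOW" if any(_policy_matches(p, conn) for p in allows) else "DENY"


def ztunnel_evaluate(policies, conn):
    """What the per-node ztunnel can decide on its own. Rather than guess at
    HTTP fields it never parses, this model refuses policies with L7 rules;
    those belong on a waypoint."""
    l7 = [p["name"] for p in policies if needs_waypoint(p)]
    if l7:
        raise ValueError("deploy a waypoint to enforce L7 rules in: " + ", ".join(l7))
    return evaluate(policies, conn)


# Constructed sample policies for Online Boutique's checkoutservice.
CHECKOUT_L4 = {
    "name": "checkout-from-frontend", "action": "ALLOW",
    "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/default/sa/frontend"]}}],
               "to": [{"operation": {"ports": ["5050"]}}]}],
}
DENY_LOADTEST = {
    "name": "no-loadtest-namespace", "action": "DENY",
    "rules": [{"from": [{"source": {"namespaces": ["loadtest"]}}]}],
}
CHECKOUT_L7 = {
    "name": "checkout-health-get-only", "action": "ALLOW",
    "rules": [{"to": [{"operation": {"methods": ["GET"], "paths": ["/healthz"]}}]}],
}

if __name__ == "__main__":
    frontend = connection("spiffe://cluster.local/ns/default/sa/frontend", 5050)
    print(ztunnel_evaluate([CHECKOUT_L4, DENY_LOADTEST], frontend))  # ALLOW
    print(needs_waypoint(CHECKOUT_L7))                                # True
```

Two practitioner points the model makes visible: the principal in a policy is the SPIFFE URI from the peer certificate with the scheme stripped (cluster.local/ns/default/sa/frontend), and a rule that names methods or paths never becomes enforceable at the node, so deploy the waypoint for that namespace or service account first and apply the L7 policy afterwards.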
24. Installing Ambient Mesh
curl -sL https://istio.io/downloadIstio | ISTIO_VERSION=1.18.0-alpha.0 sh -
istioctl install --set profile=ambient -y
25. Ztunnel (DaemonSet)
● running as a DaemonSet is intentional: one ztunnel per node serves every ambient pod on that node
● terminates and originates the mTLS (HBONE) tunnels for those pods, using each pod's own workload identity rather than a node identity
● enforces L4 authorization policy and emits TCP metrics and logs; it never parses HTTP
● does not perform the traffic redirection itself; that is configured on each node by istio-cni-node (next slide)
26. Istio-cni-node (DaemonSet)
● running as a DaemonSet is intentional
○ each istio-cni plug-in pod checks all pods co-located on the same node to see if they are part of the ambient mesh
● responsible for redirecting application traffic to the zero-trust tunnel (ztunnel) on that node
○ option 1: iptables rules plus Geneve overlay tunnels between the host and the ztunnel pod
○ option 2: eBPF-based traffic redirection
● because redirection happens in the node's network stack rather than inside the pod, adding a workload to the mesh needs no injection and no pod restart
31. HBONE
HTTP Based Overlay Network Encapsulation Protocol: the tunnelling protocol between ambient components. Each hop is an HTTP/2 CONNECT request carried over mTLS to the destination ztunnel's port 15008, with the real pod address in the :authority header; the tunnelled TCP bytes then flow as HTTP/2 DATA frames on that stream. The source workload's identity is not in the request at all: it comes from the client certificate of the mTLS session.
source: https://www.solo.io/blog/understanding-istio-ambient-ztunnel-and-secure-overlay/
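The following added example, written for this page and not taken from ztunnel or the cited blog, shows the HBONE exchange at byte level: the client side builds the HTTP/2 connection preface and a CONNECT whose :authority names the destination pod, the server side answers 200 and the tunnelled TCP bytes follow as DATA frames. It hand-rolls just enough of HTTP/2 (RFC 7540 frames) and HPACK (RFC 7541 literal headers without indexing, no Huffman coding) to be decodable in both directions, and leaves out the mTLS session that carries the real protocol; the pod address and payload are constructed.

```python
"""Wire-level sketch of an HBONE tunnel: an HTTP/2 CONNECT whose :authority
names the real destination, sent to the ztunnel HBONE port (15008).

Added example for this deck, not ztunnel code. Only the HTTP/2 and HPACK
subset needed for the exchange is implemented; the mTLS layer is omitted.
Pod addresses and payloads are constructed.
"""
import struct

HBONE_PORT = 15008                       # ztunnel's inbound HBONE listener
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_DATA, FRAME_HEADERS, FRAME_SETTINGS = 0x0, 0x1, 0x4
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4


def _hpack_string(s):
    data = s.encode()
    if len(data) > 126:                  # keep to a single-byte length prefix
        raise ValueError("string too long for this minimal encoder")
    return bytes([len(data)]) + data     # top bit clear: not Huffman coded


def hpack_literal(name, value):
    """Literal header field without indexing, new name (RFC 7541 6.2.2)."""
    return b"\x00" + _hpack_string(name) + _hpack_string(value)


def frame(ftype, flags, stream_id, payload=b""):
    """HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def hbone_connect(dst_ip, dst_port, stream_id=1):
    """Client (source ztunnel) side: connection preface, empty SETTINGS, then
    a CONNECT on an odd stream. RFC 7540 8.3: CONNECT carries :method and
    :authority only, no :scheme or :path."""
    headers = (hpack_literal(":method", "CONNECT")
               + hpack_literal(":authority", "%s:%d" % (dst_ip, dst_port)))
    return (PREFACE + frame(FRAME_SETTINGS, 0, 0)
            + frame(FRAME_HEADERS, FLAG_END_HEADERS, stream_id, headers))


def hbone_accept(stream_id=1):
    """Server (destination ztunnel) side: its own SETTINGS and a 200 on the
    same stream; from here DATA frames carry the raw TCP bytes for the pod."""
    return (frame(FRAME_SETTINGS, 0, 0)
            + frame(FRAME_HEADERS, FLAG_END_HEADERS, stream_id,
                    hpack_literal(":status", "200")))


def tunnel_data(payload, stream_id=1):
    """One chunk of the tunnelled TCP stream."""
    return frame(FRAME_DATA, 0, stream_id, payload)


def parse_frames(buf):
    """Split bytes into (type, flags, stream_id, payload) tuples."""
    if buf.startswith(PREFACE):
        buf = buf[len(PREFACE):]
    frames, i = [], 0
    while i + 9 <= len(buf):
        length = int.from_bytes(buf[i:i + 3], "big")
        ftype, flags = buf[i + 3], buf[i + 4]
        sid = struct.unpack(">I", buf[i + 5:i + 9])[0] & 0x7FFFFFFF
        frames.append((ftype, flags, sid, buf[i + 9:i + 9 + length]))
        i += 9 + length
    return frames


def _read_string(block, i):
    if block[i] & 0x80:
        raise ValueError("Huffman-coded strings not supported here")
    n = block[i] & 0x7F
    return block[i + 1:i + 1 + n].decode(), i + 1 + n


def decode_literal_headers(block):
    """Inverse of hpack_literal for the subset this example emits."""
    headers, i = {}, 0
    while i < len(block):
        if block[i] != 0x00:
            raise ValueError("only literal-without-indexing, new-name is supported")
        name, i = _read_string(block, i + 1)
        value, i = _read_string(block, i)
        headers[name] = value
    return headers


def tunnel_target(buf):
    """What the receiving ztunnel reads off an inbound HBONE stream: the pod
    ip:port in :authority. The source identity is not in these bytes; it
    comes from the peer's mTLS certificate."""
    for ftype, _flags, _sid, payload in parse_frames(buf):
        if ftype == FRAME_HEADERS:
            h = decode_literal_headers(payload)
            if h.get(":method") == "CONNECT":
                host, port = h[":authority"].rsplit(":", 1)
                return host, int(port)
    raise ValueError("no CONNECT request in buffer")
```

The point worth keeping in mind when reading a capture of port 15008: everything after the TLS handshake is ordinary HTTP/2, so the only place the destination appears in cleartext inside the tunnel is the :authority pseudo-header, and the only place the caller's identity appears is the client certificate; an authorization decision at ztunnel is made from exactly those two facts plus the port.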
34. Life without Service Mesh `vs` Life with Service Mesh
Before service mesh (microservice app): business logic, security logic, traffic management logic, golden metrics/observability logic and resiliency logic are all managed by the developer
● Multiple tasks, multiple frameworks
● Language specific
● Poor dev experience, 100s of manual steps
After service mesh (microservice app): the developer manages business logic; the service mesh manages security, traffic management, golden metrics/observability and resiliency logic
● Developer: focus on biz logic, developer productivity
● Service mesh: automated workflow, consistent infrastructure layer, eliminates language-specific libraries, consistent security & observability across LOBs
38. Learn More …
● 10,000+ students have attended hands-on workshops
● 1,800+ engineers have achieved certifications
● NPS score: 75
https://academy.solo.io