SLIDE 1
Building a Secure, Performant Network Fabric for Microservice Applications
August 24, 2016
Christopher Stetson
Chief Architect, Professional Services NGINX
Building a Secure, Performant Network Fabric for Microservice - - PowerPoint PPT Presentation
Building a Secure, Performant Network Fabric for Microservice - - PowerPoint PPT Presentation
Building a Secure, Performant Network Fabric for Microservice Applications August 24, 2016 Christopher Stetson Chief Architect, Professional Services NGINX MORE INFORMATION AT NGINX.COM Agenda Agenda A little NGINX History The
SLIDE 2 MORE INFORMATION AT NGINX.COM
SLIDE 3 MORE INFORMATION AT NGINX.COM
Agenda Agenda
- A little NGINX History
- The Big Shift
- The Networking Problem
- Service Discovery
- Load Balancing
- Secure & Fast Intercommunication
- Architectures
- Issues
SLIDE 4 MORE INFORMATION AT NGINX.COM
NGINX History and NGINX History and Products Products
SLIDE 5 MORE INFORMATION AT NGINX.COM
- First team to crack C10K
- OSS NGINX released in 2004
- Company founded in 2011
- Launched product late 2013
- 3x bookings growth last year
SLIDE 6 NGINX, Inc. Confidential Information 6
SLIDE 7
170+ 170+ million million
total sites running on NGINX
7 Source: http://news.netcraft.com/archives/category/web-server-survey/ SLIDE 8
50%
- f the Top 10,000
most visited websites
8 Source: W3Techs Web Technology Survey SLIDE 9
750+ 750+
Commercial Customers
- n NGINX Plus
SLIDE 10 MORE INFORMATION AT NGINX.COM
High Performance Webserver
10Web Server
SLIDE 11 MORE INFORMATION AT NGINX.COM
Flawless Application Delivery for the Modern Web
11Load Balancer Monitoring & Management Web Server Content Cache Security Controls
SLIDE 12
Small Small
Binary is 1.2 MBs
12 SLIDE 13
Fast Fast
100,000’s of connections/sec
13 SLIDE 14
Reliable Reliable
Stablest part of the stack.
14 SLIDE 15 MORE INFORMATION AT NGINX.COM
The Big Shift The Big Shift
SLIDE 16 MORE INFORMATION AT NGINX.COM
Architectural Changes: Monolith to Microservices
SLIDE 17 MORE INFORMATION AT NGINX.COM
Architectural Changes: Monolith to Microservices
SLIDE 18 MORE INFORMATION AT NGINX.COM
An Anecdote An Anecdote
SLIDE 19 MORE INFORMATION AT NGINX.COM
The tight loop problem
- Rest calls
- 1000’s of requests
- Looped data
SLIDE 20 MORE INFORMATION AT NGINX.COM
Mitigation
- Group requests
- Cache data
- Optimize the network
SLIDE 21 MORE INFORMATION AT NGINX.COM
NGINX NGINX Microservices Microservices
SLIDE 22 MORE INFORMATION AT NGINX.COM
Microservices Reference Architecture
- Docker containers
- Polyglot services
- 12-Factor App(-esque)
design
SLIDE 23 MORE INFORMATION AT NGINX.COM
The Networking The Networking Problem Problem
SLIDE 24 MORE INFORMATION AT NGINX.COM
Service Discovery
- Services needs to know
where other services are
- Service registries work in
many different ways
- Register and read service
information
SLIDE 25 MORE INFORMATION AT NGINX.COM
Load-balancing
- High Quality Load
Balancing
- Developer Configurable
SLIDE 26 MORE INFORMATION AT NGINX.COM
Secure & Fast Communication
- Encryption at the
transmission layer is becoming standard
- SSL communication is
slow
- Encryption is CPU
intensive
SLIDE 27 MORE INFORMATION AT NGINX.COM
Solution
- Service discovery
- Robust load balancing
- Fast encryption
SLIDE 28 MORE INFORMATION AT NGINX.COM
Network Network Architectures Architectures
SLIDE 29 MORE INFORMATION AT NGINX.COM
Proxy Model
- In bound traffic is
managed through a reverse proxy/load balancer
- Services are left to
themselves to connect to each other.
- Often through round-robin
DNS
SLIDE 30 MORE INFORMATION AT NGINX.COM
Proxy Model
- Focus on internet traffic
- A shock absorber for your app
- Dynamic connectivity
SLIDE 31 MORE INFORMATION AT NGINX.COM
Router Mesh Model
- In-bound routing through
reverse proxy
- Centralized load
balancing through a separate load balancing service
- Deis Router work like this.
SLIDE 32 MORE INFORMATION AT NGINX.COM
Circuit Breakers
- Active health checks
- Retry
- Caching
SLIDE 33 MORE INFORMATION AT NGINX.COM
Router Mesh
- Robust service discovery
- Advanced load balancing
- Circuit breaker pattern
SLIDE 34 MORE INFORMATION AT NGINX.COM
Inter-Process Communication
- Routing is done at the
container level
- Services connect to each
- ther as needed
- NGINX Plus acts as the
forward and reverse proxy for all requests
SLIDE 35 MORE INFORMATION AT NGINX.COM
Normal Process
- DNS service discovery
- Relies on round robin
DNS
- Each request creates a
new SSL connection which fully implemented is 9 requests
SLIDE 36 MORE INFORMATION AT NGINX.COM
Detail
- NGINX Plus runs in each
container
- Application code talks to
NGINX locally
- NGINX talks to NGINX
- NGINX queries the
service registry
SLIDE 37 MORE INFORMATION AT NGINX.COM
Service Discovery
- DNS is a clear way to
manage service discovery
- NGINX Plus
Asynchronous Resolver
- SRV records allow you to
effectively use your resources
SLIDE 38 MORE INFORMATION AT NGINX.COM
Load-balancing
- Proper request
distribution
- Flexibility based on the
backing service
- Different load-balancing
schemes
SLIDE 39 MORE INFORMATION AT NGINX.COM
Persistent SSL Connections
- Applications generate
thousands of connections
- 9 steps in SSL
negotiation
- Persistent SSL upstream
keepalive
SLIDE 40 MORE INFORMATION AT NGINX.COM
Circuit Breaker Plus
- Active health checks
- Retry
- Caching
SLIDE 41 MORE INFORMATION AT NGINX.COM
The solution
- Service discovery
- Container-based load-
balancing
- Persistent SSL
connections
- Circuit-breaker
functionality
SLIDE 42 MORE INFORMATION AT NGINX.COM
Issues Issues
SLIDE 43 MORE INFORMATION AT NGINX.COM
Docker Recommendation: 1 service per container
- Keeps docker images
simple
- Process failure means
container failure
- Only a recommendation
1
*
SLIDE 44 MORE INFORMATION AT NGINX.COM
Complexity
- Adding another layer to
the stack
- Lots of power to give to
dev team
- Tooling to make the
Fabric Model simple to create and deploy
SLIDE 45 MORE INFORMATION AT NGINX.COM