Front Door Architectures: API Connect Istio Integration



SLIDE 1

Front Door Architectures

API Connect Istio Integration

SLIDE 2

Monolithic versus Microservices

[Diagram: a monolith with a single UI, Business Logic and Data Access stack, beside microservices made up of several UI, Business Logic and Data Access components]

SLIDE 3

Weighing the Microservice Investment

  • Kubernetes enables the microservice design goals of clean packaging, consistency, scalability and rapid deployment
  • Kubernetes alone does not address all of the complexities of the challenge

Improved delivery velocity and agility

Increased operational complexity

SLIDE 4

Microservice Adoption Considerations

Deploying microservice applications is not necessarily easy: the network layer is challenging and tooling is essential.

  • Canary Deployments
  • Visibility
  • Policy Management
  • Rate Limiting
  • Circuit Breaking
  • A/B Testing
  • Fault Injection

IBM Cloud @ 2019 Corporation

SLIDE 5

Istio

Connect, secure, control and observe services

SLIDE 6

Service mesh describes the network of microservices that make up applications and the corresponding interactions between them.


SLIDE 7

  • Connect: Intelligently control the flow of traffic and API calls between services, conduct a range of tests and upgrade gradually with red / black deployments
  • Secure: Automatically secure your services through managed authentication, authorization and encryption of communication between services
  • Control: Apply policies and ensure that they are enforced and that resources are fairly distributed among consumers
  • Observe: See what’s happening with rich automatic tracing, monitoring and logging of all your services

SLIDE 8

Istio Core Features and Value

Traffic management

  • Easy-to-configure routing and traffic control
  • Simplified configuration of circuit breakers, timeouts, and retries supporting A/B testing, canary and staged rollouts
  • High visibility into your traffic

Security

  • Free developers to focus on security at the application level
  • Istio manages authentication, authorization, and encryption of service communication at scale
  • Service communications are secured by default with little or no changes to the application
  • Via integration with the platform, secure pod-to-pod or service-to-service communication at the network AND application layers

Observability

  • Rich tracing, monitoring, and logging provide deep insights into the service mesh
  • Understand upstream and downstream performance effects
  • Out of the box dashboards provide deep visibility into service usage and performance
  • Enables fine-grained control over all interactions between the mesh and infrastructure backends
  • Detect, diagnose and fix issues with greater speed and agility

Platform support

  • Platform independence
  • Deploy across services running in IBM Cloud Private (Kubernetes) and hosted on Virtual Machines

SLIDE 9

Istio’s OOTB Components

A modular set of services/components:

  • Sidecar Proxies (Envoy): Handles ingress/egress traffic between services in the cluster and from a service to external services transparently
  • Pilot: Configures the proxies at runtime
  • Mixer: Enforces ACLs, rate limits, quotas, authentication, request tracing, and telemetry collection
  • Certificate Authority: Issues and rotates certs for service identities
  • Initializer: Injects sidecar proxies
  • Ingress: Manages external access to the services

SLIDE 10

Istio Architecture

Data Plane & Control Plane

Istio is logically composed of a data plane and a control plane.

Data Plane

  • Intelligent proxies are deployed as sidecars within the service pods
  • The proxies mediate and control communication between microservices
  • Proxies interface with the Mixer to provide telemetry data and enforce policy

Control Plane

  • Configures the proxies for traffic routing
  • Configures Mixers for policy enforcement and telemetry collection

SLIDE 11

Istio Traffic Management Overview

  • The traffic management model decouples traffic flow from infrastructure scaling, giving you the option of specifying, via rules and Pilot, how traffic should flow
  • For example, you can direct a percentage of traffic for a particular service to a canary service, or direct requests to the canary only based upon the content of the request
  • Decoupling traffic flow from scaling of infrastructure allows for traffic management features outside of the application code, including failure recovery via timeouts, retries and circuit breakers, and fault injection to test failure recovery procedures

[Diagrams: Traffic splitting decoupled from infrastructure scaling; Content based traffic steering]
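
An added example, not part of the original deck, showing both patterns from this slide in Istio's `networking.istio.io/v1alpha3` routing API: content-based steering to a canary and a weighted split for all other traffic, with a timeout and retries set outside the application code. The service name `fancave-news` is inferred from the pod names in the deck's listing; the `version` labels, subset names, the `x-canary` header, the 90/10 split and the timeout and retry values are assumptions.

```yaml
# Added example (not from the deck). Service name, labels, header name,
# weights and timeout/retry values are illustrative assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: fancave-news
spec:
  host: fancave-news
  subsets:
  - name: stable
    labels:
      version: v1
  - name: canary
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: fancave-news
spec:
  hosts:
  - fancave-news
  http:
  # Content-based steering: requests carrying this header go only to the canary.
  - match:
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: fancave-news
        subset: canary
  # Traffic splitting: all other requests are divided by weight,
  # regardless of how many replicas each version runs.
  - route:
    - destination:
        host: fancave-news
        subset: stable
      weight: 90
    - destination:
        host: fancave-news
        subset: canary
      weight: 10
    timeout: 5s
    retries:
      attempts: 3
      perTryTimeout: 2s
```

Rules are evaluated in order, so the header match must precede the weighted default route.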

SLIDE 12

OpenShift Service Mesh

  • Service Mesh Tech Preview with RHOCP 3.11
  • A few limitations: Only supports OCP Software Defined Networking configured as a flat network (no external providers), no federation, no external microservice support
  • Forked version of Istio
  • Injection is not managed by namespace
  • Matching header information via regex has been added
  • BoringSSL replaced by OpenSSL
  • OpenShift will add two namespaces / projects: istio-operator, istio-system
  • Multi-tenancy differences

SLIDE 13

Managing the Interaction Between Microservices

  • Kubernetes manages the lifecycle of individual containers
  • Istio runs on Kubernetes, allowing you to manage and associate the interaction between microservices (deployed in containers)
  • Kubernetes provides routing of microservices but is not concerned with the security or routing requirements between individual microservices
  • Istio provides a policy-based approach to provide security, app resiliency and dynamic routing between microservices

[Diagram: Microservices application with an Ingress and five Microservices]

SLIDE 14

Managing the Interaction Between Microservices

[Diagram: Microservices application with an Ingress and five Microservices, each paired with an Envoy sidecar]

Deployment in Kubernetes

NAME                              READY  STATUS   RESTARTS  AGE
fancave-client-66764c4796-4cr7l   1/1    Running            3m
fancave-db-c9d67ccb7-bdxjv        1/1    Running            3m
fancave-news-7b577ff4b7-nj2z7     1/1    Running            3m
fancave-teams-ab577ytfs-n3rz7     1/1    Running            3m
fancave-players-bcfd9bd68-v6lgk   1/1    Running  2         3m

Deployment with Istio Sidecars

NAME                              READY  STATUS   RESTARTS  AGE
fancave-client-66764c4796-4cr7l   2/2    Running            3m
fancave-db-c9d67ccb7-bdxjv        2/2    Running            3m
fancave-news-7b577ff4b7-nj2z7     2/2    Running            3m
fancave-teams-ab577ytfs-n3rz7     2/2    Running            3m
fancave-players-bcfd9bd68-v6lgk   2/2    Running  2         3m

Managing with Policy

NAME READY
istio-system istio-citadel-6b6fdfdd6f-qnk2p
istio-system istio-policy-67f4d49564-5tx5
istio-system istio-pilot-6f8d49d4c4-qdbzs

SLIDE 15

Capabilities of Istio and API Connect

API Connect and Istio Comparison

SLIDE 16

Can Istio replace API Management solutions?

  • Istio is NOT a complete API Management solution
  • Istio does not provide API lifecycle, socialization or comprehensive edge API security

SLIDE 17

Can I replace DataPower with Istio / Envoy?

No, they have very different value propositions

SLIDE 18

Can I use DataPower & Envoy together?

Yes, they are complementary and great things happen when they work together

SLIDE 19

API Management Emphasizes the API Consumer

  • API management has the goal of greater API control with control of change, consumption and API subscriptions
  • The goals of Microservice Management are managing service interaction and change (as a collection) over time
  • API management becomes critical when the organizational distance increases between the API provider and the API consumer

SLIDE 20

API Economy requires External API Strategy

  • API changes & versioning requires a controlled communication process especially if there are a large number of public API consumers
  • APIs must be managed as products since third-party applications are built trusting their availability
  • API Providers manage changes as part of the API lifecycle: staging, published, replacement (non-breaking), deprecation (if breaking), and finally retirement

SLIDE 21

Microservices and API Rate Limiting Serve Different Purposes

  • Rate Limiting of Microservices is to prevent the application from hanging and to fail fast to recover quickly
  • Rate Limiting of APIs is a business requirement to manage the number of API calls, potentially for monetization
  • Circuit Breakers in Microservices management provide an additional level of protection to time out long-running microservices and act more resiliently

SLIDE 22

API Management Provides Developer Portals for Service Discovery

  • API Management platforms provide a Developer portal so developers can self-discover APIs and invoke them without contacting the API provider
  • Microservice Management does not have a socialization strategy
  • Access to the service mesh can be given to services but the discovery and relationship is manually managed

SLIDE 23

Key Takeaways

API Management is GREAT at:

  • Managing API Consumers and communicating lifecycle changes about the API
  • Securely expose data assets as APIs to third-party applications
  • Self-service discovery and management of APIs using Developer Portal

Microservice Management (ISTIO) is GREAT at:

  • Mesh routing and discovery between Microservices
  • Mesh security between microservices without impacting performance
  • Preventing microservices from catastrophic application failures - failing fast to recover quickly
  • Providing visibility into the service landscape
  • Simplification of the developer experience

SLIDE 24

Reference Architecture

API Connect Istio Enablement

SLIDE 25

API Connect & Istio Reference Architecture

SLIDE 26

API vs Microservices Management Guidance

Only requires (basic)

  • mTLS
  • ClientID
  • JWT Validation

API Security Rate Limit Security Microservice Security Mediation Traffic Control

Requires (basic) + API Security

Circuit Breaker Request Routing

K8 metadata Payload Service provider Consumer

Service Governance Socialization

API Connect API Connect API Connect API Connect API Connect API Connect

* Overlapping features are not called out below (i.e. API Key, API key rate limiting)

SLIDE 27

API Connect Istio Mesh

SLIDE 28

API Connect Istio Enablement

Edge Gateway Istio Mesh

SLIDE 29

Context Augmentation & Plan Based Routing

API Connect Istio Demo

SLIDE 30

Context Augmentation & Plan Based Routing

SLIDE 31

API config with context augmentation

Istio plan based policy
