Smart Networking with Service Meshes aka What is this Service Mesh hype about? - PowerPoint PPT Presentation


SLIDE 1

Smart Networking with Service Meshes
aka What is this “Service Mesh” hype about?

Anubhav Mishra, Developer Advocate, HashiCorp, @anubhavm

SLIDE 2-6

@anubhavm
Anubhav Mishra, Developer Advocate, HashiCorp
Atlantis

Gopher Artwork by Ashley McNamara

SLIDE 7

PROVISION, SECURE AND RUN ANY INFRASTRUCTURE

OSS TOOL SUITE (FOR INDIVIDUALS) / PRODUCT SUITE (FOR TEAMS):

  • PROVISION Infrastructure: Vagrant, Packer, Terraform / Terraform Enterprise
  • SECURE Application Infrastructure: Vault, Consul / Vault Enterprise, Consul Enterprise
  • RUN Applications: Nomad / Nomad Enterprise

SLIDE 8

Blog Post Link: https://www.hashicorp.com/blog/smart-networking-with-consul-and-service-meshes

SLIDE 9-10

Agenda

1. Introduction to “Smart Networking” and “Service Mesh”
2. Introduction to HashiCorp Consul
3. Architecture and overview of Consul
4. Exercises (Hands-On Lab)
  • Exploring Service Discovery, K/V Store, and Consul Template
  • NGINX and Consul (Smart Proxy)
  • Fabio and Consul (Smart Networking in containers)
  • Consul Connect (Service Mesh)
  • Consul Connect for Service to Service Communication
  • Consul Connect for Service to Database Communication
  • Consul Connect for Serverless Applications
5. Conclusion
6. Discussion / Q&A

SLIDE 11

“Smart Networking”

SLIDE 12-14

Service A → Service B
Multiple Instances of Service B? → Service Discovery

SLIDE 15-17

Service A → Service B
Request Failed → Retries

SLIDE 18-21

Service A (Cert: serviceA.foo.com) → Service B (Cert: serviceB.foo.com)
Assigning Identity → Mutual TLS → Authorizing traffic: Allow?

SLIDE 22-25

Smart Networking - First Principles

Dumb Pipe or Smart Network
Protocol Awareness

Service A → Service B (Ribbon)

SLIDE 26

Dumb Pipe

Pros:
  • Simplicity for Networks
  • Smart Applications (“What you see is what you get”)
  • Easily Customizable
Cons:
  • Redundant Code
  • Every Application has to Implement the Code (Polyglot?)

SLIDE 27-28

Smart Networking - First Principles

Dumb Pipe or Smart Network
Protocol Awareness

Service A → Proxy → Proxy → Service B

SLIDE 29

Smart Network

Pros:
  • Little to no Application Code changes are required
  • Features like Traffic Shaping, Service Discovery and Network Policy Control come out of the Box
Cons:
  • Smart Network becomes an Implicit Dependency of the Application
  • Harder to Reason about the Whole System

SLIDE 30

“Service Mesh”

SLIDE 31-33

“Service Mesh” aka “Smart Network”

Service A → Proxy → Proxy → Service B
Configure the proxies: two parts

SLIDE 34-38

Separation of Control and Data Plane

Control Plane:
  • Traffic Routing / Shaping
  • Configuring the Data Plane
  • Policy Enforcement
  • Provide Service Discovery Data to Data Plane

Data Plane:
  • Forward Request from the Applications
  • Health Checking
  • Load Balancing
  • Circuit Breaking
  • Timeouts
  • Retries
  • Authentication
  • Authorization
  • …
SLIDE 39-41

Smart Networking - First Principles

Dumb Pipe or Smart Network
Protocol Awareness: Layer 4 vs Layer 7

SLIDE 42-43

Protocol Awareness: Layer 4 vs Layer 7 (TCP, UDP vs HTTP)

Layer 4:
  • “Universally” Compatible
  • High Performance
  • Difficult to provide Sophisticated request-aware features

Layer 7:
  • Perform complex routing decisions
  • Header and Path based routing
  • Can yield lower performance

SLIDE 44

Consul as the Control Plane

SLIDE 46

Service Mesh for Microservices

Service Discovery: Connect services with a dynamic registry
Service Configuration: Configure services with runtime configs
Service Segmentation: Secure services based on identity

SLIDE 47

Consul Usage

Launched in 2014
12K+ GitHub Stars
1M+ Downloads monthly
Customers running 50,000+ agents

SLIDE 48

Public Users

SLIDE 49

Architecture

SLIDE 50

Single Data Center

SERVER ×3 with REPLICATION between them; CLIENT ×6 reaching the servers over RPC; all agents in the data center joined by LAN GOSSIP.

SLIDE 51

Multi Data Center

Each data center has its own SERVER set (REPLICATION, RPC from CLIENTs, LAN GOSSIP); the server sets of the data centers are joined by WAN GOSSIP.


SLIDE 53

Service Discovery

Registry of Nodes, Services, Checks
DNS API
HTTP API
Web UI

SLIDE 54

$ dig llama.node.consul

; <<>> DiG 9.10.3-P4-Ubuntu <<>> testing-llama.node.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64443
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;testing-llama.node.consul.    IN  A

;; ANSWER SECTION:
testing-llama.node.consul.  0  IN  A  10.1.1.148

SLIDE 56

Service Configuration

Hierarchical Key/Value Store
HTTP API
Long-polling / Edge trigger
Locking

SLIDE 57

Exercises

SLIDE 58

Workstations

Claim your workstation! https://hashi.co/velocity-new-york

SLIDE 59

Exercise: SSH into your workstations

SSH into your workstation using the provided credentials.

  ssh servicemesh@<your.ip.address>
  password: veloc1ty2018

Run the consul members command to see what happens! Your tutorial working directory will be /workstation/consul

SLIDE 60

$ consul members
Node               Address          Status  Type    Build  Protocol  DC   Segment
velocity-server-0  10.1.1.73:8301   alive   server  1.2.3  2         dc1  <all>
velocity-server-1  10.1.2.16:8301   alive   server  1.2.3  2         dc1  <all>
velocity-server-2  10.1.1.164:8301  alive   server  1.2.3  2         dc1  <all>
velocity-ant       10.1.1.82:8301   alive   client  1.2.3  2         dc1  <default>
velocity-badger    10.1.2.22:8301   alive   client  1.2.3  2         dc1  <default>

SLIDE 61

WARNING

You are sharing a cluster. Let’s be nice to each other.

SLIDE 62

Service Discovery (DNS)

SLIDE 63

Service Discovery - DNS Interface

Consul's DNS interface is zero touch
Randomized Round-Robin DNS
Filters on Health Checks

SLIDE 65

Exercise: Query Service

Query for consul service information using dig and the DNS interface. HINT: Remember the DNS naming format is {service_name}.service.consul

SLIDE 66

$ dig consul.service.consul

; <<>> DiG 9.10.3-P4-Ubuntu <<>> consul.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul.    IN  A

;; ANSWER SECTION:
consul.service.consul.  0  IN  A  10.1.1.164
consul.service.consul.  0  IN  A  10.1.1.73
consul.service.consul.  0  IN  A  10.1.2.16

;; ADDITIONAL SECTION:
consul.service.consul.  0  IN  TXT  "consul-network-segment="
consul.service.consul.  0  IN  TXT  "consul-network-segment="
consul.service.consul.  0  IN  TXT  "consul-network-segment="

;; Query time: 1 msec

SLIDE 67

$ dig +short consul.service.consul
10.1.1.164
10.1.2.16
10.1.1.73

SLIDE 68

Registering Services

Services are registered using a JSON definition or via the HTTP API. JSON files are put into a dot-d directory and loaded by Consul.

SLIDE 69-72

{
  "service": {
    "name": "my-service",
    "tags": ["tag-1", "tag-2"],
    "port": 1234
  }
}

Exposed via DNS and HTTP APIs. Referred to as the "logical service" name:

  dig my-service.service.consul

Filtered by tag:

  dig tag-1.my-service.service.consul

As SRV records:

  dig SRV my-service.service.consul
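The DNS naming forms on the slides above (service, tag-qualified service, node; A and SRV records), together with the health filtering and randomized round-robin described on slide 63, implemented as an in-memory resolver. This is an added example written for this page, not Consul's code: the catalog entries are constructed, and a real Consul agent answers from its live catalog rather than from a static table.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"sort"
	"strings"
)

// Entry is one catalog entry: a service instance on a node plus the worst
// status among its health checks ("passing", "warning" or "critical").
type Entry struct {
	Node, Service, Address string
	Port                   int
	Tags                   []string
	Status                 string
}

// Answer is one DNS record (Consul serves these with TTL 0, so nothing caches a
// stale instance list). Target is an IP for A records, a node name for SRV.
type Answer struct {
	Name, Type, Target string
	Port               int
}

// catalog is constructed sample data shaped like the workshop registrations.
var catalog = []Entry{
	{"velocity-ant", "counting", "10.1.1.82", 9001, []string{"velocity", "velocity-ant"}, "passing"},
	{"velocity-badger", "counting", "10.1.2.22", 9001, []string{"velocity", "velocity-badger"}, "passing"},
	{"velocity-llama", "counting", "10.1.1.148", 9001, []string{"velocity"}, "critical"},
	{"velocity-ant", "dashboard", "10.1.1.82", 9002, []string{"velocity"}, "passing"},
}

// Resolve answers a query name the way Consul's DNS interface does:
// <service>.service.consul, <tag>.<service>.service.consul and
// <node>.node.consul, for qtype "A" or "SRV". Service lookups drop instances
// whose checks are critical and shuffle the survivors, so clients that only
// use the first answer still spread load. Node lookups ignore health.
func Resolve(name, qtype string, rng *rand.Rand) ([]Answer, error) {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	n := len(labels)
	var matches []Entry
	switch {
	case n == 3 && labels[1] == "node" && labels[2] == "consul":
		for _, e := range catalog {
			if e.Node == labels[0] {
				matches = append(matches, e)
			}
		}
	case (n == 3 || n == 4) && labels[n-2] == "service" && labels[n-1] == "consul":
		service, tag := labels[n-3], strings.Join(labels[:n-3], "") // tag is empty for a 3-label name
		for _, e := range catalog {
			// tag membership via a delimited join; tags never contain "|" here
			tagged := tag == "" || strings.Contains("|"+strings.Join(e.Tags, "|")+"|", "|"+tag+"|")
			if e.Service == service && e.Status != "critical" && tagged {
				matches = append(matches, e)
			}
		}
	default:
		return nil, fmt.Errorf("unsupported query %q", name)
	}
	if len(matches) == 0 {
		return nil, errors.New("NXDOMAIN")
	}
	rng.Shuffle(len(matches), func(i, j int) { matches[i], matches[j] = matches[j], matches[i] })
	var answers []Answer
	seen := map[string]bool{}
	for _, e := range matches {
		if qtype == "SRV" {
			answers = append(answers, Answer{name, "SRV", e.Node + ".node.consul.", e.Port})
		} else if !seen[e.Address] { // a node hosting two services still yields one A record
			seen[e.Address] = true
			answers = append(answers, Answer{name, "A", e.Address, 0})
		}
	}
	return answers, nil
}

// Targets returns the answer targets in sorted order, independent of the shuffle.
func Targets(answers []Answer) []string {
	var out []string
	for _, a := range answers {
		out = append(out, a.Target)
	}
	sort.Strings(out)
	return out
}

func main() {
	rng := rand.New(rand.NewSource(1))
	a, err := Resolve("counting.service.consul", "A", rng)
	fmt.Println("A:", Targets(a), err)
	srv, err := Resolve("velocity-ant.counting.service.consul", "SRV", rng)
	fmt.Println("SRV:", Targets(srv), err)
}
```

The point to notice is the asymmetry: a service query silently drops the critical velocity-llama instance, while a node query for velocity-llama still answers, because node records describe where an agent is, not whether its services are fit to receive traffic.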

SLIDE 73

Service Discovery (CLI)

SLIDE 74

Service Discovery - Consul CLI

Consul CLI provides basic interactions with service discovery
Do not use the CLI to build tooling (use the API instead)
Allows easily querying services
Currently only supports the catalog

SLIDE 75

Exercise: Get Help

Run consul catalog -h to see the list of available CLI service discovery commands.

SLIDE 76

$ consul catalog -h
Usage: consul catalog <subcommand> [options] [args]

  This command has subcommands for interacting with Consul's catalog. The
  catalog should not be confused with the agent, although the APIs and
  responses may be similar.

  Here are some simple examples, and more detailed examples are available
  in the subcommands or the documentation.

  List all datacenters:

      $ consul catalog datacenters

  List all nodes:

      $ consul catalog nodes

  List all services:

      $ consul catalog services
  .....

SLIDE 77

Exercise: List Services with Tags

List all registered services with their tags using the service discovery CLI.

SLIDE 78

$ consul catalog services -tags
consul
counting         velocity
counting-proxy
dashboard        velocity
dashboard-proxy
fabio            http
nomad            http,rpc,serf
nomad-client     http

SLIDE 79

K/V Store

SLIDE 80

K/V Store

Highly-available, globally accessible key-value store
Folder-like architecture allows for easy organization
Optional ACLs can enforce policy and access
Accessible via HTTP API (no DNS interface)
Can be used via the CLI or via a tool like curl

SLIDE 81-82

K/V Store: Use Cases

Runtime configuration data
Secrets or sensitive application data (e.g. Vault’s encrypted data)

SLIDE 83

$ consul kv put <KEY> <DATA>
Success! Data written to: <KEY>

$ curl -X PUT -d <DATA> http://localhost:8500/v1/kv/<KEY>
true

SLIDE 84

$ consul kv get <KEY>
<DATA>

$ curl http://localhost:8500/v1/kv/<KEY>

SLIDE 85

Exercise: Create KV Data

Create two new key-value pairs in the store. Keep in mind that everyone is using the same Consul servers, so choose a unique name that won't conflict with another user. Read those values back out.

SLIDE 86

$ consul kv put anubhavmishra/velocity hello
Success! Data written to: anubhavmishra/velocity

$ consul kv get anubhavmishra/velocity
hello

SLIDE 87

Consul Template

SLIDE 88

Consul Template: A Helper tool for Consul

Consul Template handles the HTTP API flow with Consul
Retrieves keys and services from Consul and renders them into a template
Optional integration with HashiCorp Vault as well

SLIDE 89

Consul Template: Architecture

  1. A template references data, e.g. {{ key "hello/world" }}
  2. CONSUL TEMPLATE fetches the value from CONSUL
  3. The rendered output is written to a FILE

SLIDE 90

Exercise: Validate Consul Template

Validate Consul Template is installed and configured.

SLIDE 91

$ consul-template -h
Usage: consul-template [options]

  Watches a series of templates on the file system, writing new changes when
  Consul is updated. It runs until an interrupt is received unless the -once
  flag is specified.

Options:

  -config=<path>
      Sets the path to a configuration file or folder on disk. This can be
      specified multiple times to load multiple files or folders. If multiple
      values are given, they are merged left-to-right, and CLI arguments take
      the top-most precedence.

  -consul-addr=<address>
      Sets the address of the Consul instance

SLIDE 92

Exercise: Create Template

Create and execute a Consul Template template that iterates over all the healthy services named "consul" and prints out the IP address. HINT: Consul Template's documentation is very verbose and probably has examples that you can follow.

SLIDE 93

{{ range service "consul" }}
{{ .Address }}
{{ end }}

SLIDE 94

$ consul-template -dry -template=in.tpl
>
10.1.1.13
10.1.2.250
10.1.1.36

SLIDE 95

“Smart Proxy” with NGINX and Consul

Similar to AirBnB’s “Smart Stack”
Configure NGINX dynamically using Consul’s service catalog
Make the simplest form of a “Smart Proxy”
Use Consul Template as the helper tool to achieve this

SLIDE 96-99

“Smart NGINX”

Each host runs an NGINX next to its service, configured from Consul:

  server { listen 5051; ..... }
  server { listen 5050; ..... }

Host 10.0.0.1: NGINX + SERVICE A
Host 10.0.0.2: NGINX + SERVICE B (:8080)

Request: https://10.0.0.2:5051/service/service-b/hello

SLIDE 100

Exercise: Validate NGINX

Validate NGINX is installed and configured.

SLIDE 101

$ nginx -v
nginx version: nginx/1.10.3 (Ubuntu)

SLIDE 102

Exercise Goal

{{ key "hello/world" }} → CONSUL TEMPLATE (reads from CONSUL) → server { ..... } → NGINX → SERVICE

SLIDE 103

Counting Application

For the purpose of this tutorial we will be using a simple Golang application called “counting-service”. The application is already installed on your workstations and can be started by typing the following command in your shell: sudo service counting start

SLIDE 104

$ sudo service counting start
$ curl http://localhost:9001
{"count":8,"hostname":"velocity-ant.node.consul"}

$ curl http://localhost:9001/health
Hello, you've hit /health

SLIDE 105

Exercise: Register Counting Service in Consul

Register a new service named “counting” with tags “velocity”, running on port 9001. Query that service using the DNS interface.
Note: Use the consul reload command to reload Consul.

SLIDE 106

$ vim /workstation/consul/counting.json
# INSERT PORT AND HEALTH CHECK ENDPOINT
$ sudo mv /workstation/consul/counting.json /etc/consul.d/counting.json
$ ls /etc/consul.d/

SLIDE 107

{
  "service": {
    "name": "counting",
    "tags": ["velocity-ant"],
    "port": 9001,
    "check": {
      "id": "counting-check",
      "http": "http://localhost:9001/health",
      "method": "GET",
      "interval": "1s",
      "timeout": "1s"
    }
  }
}

SLIDE 108

$ consul reload
Configuration reload triggered
$ dig $(identity).counting.service.consul

SLIDE 109

Exercise: Create a NGINX Template

Create and execute a Consul Template template that iterates over all services that are tagged as “velocity” and creates NGINX backends for them.

SLIDE 110

$ cd /workstation/consul/nginx
$ vim nginx.conf.tpl

SLIDE 111

$ consul-template -template=nginx.conf.tpl -dry

SLIDE 112

{
  "service": {
    "name": "counting",
    "tags": ["velocity-ant", "velocity"],
    "port": 9001,
    "check": {
      "id": "counting-check",
      "http": "http://localhost:9001/health",
      "method": "GET",
      "interval": "1s",
      "timeout": "1s"
    }
  }
}

SLIDE 113

$ consul-template -template=nginx.conf.tpl -dry

SLIDE 114

Exercise: Create Consul Template Config file

Create a config file for Consul Template that can be used to supply NGINX with the dynamic configuration and then reload it.

SLIDE 115

$ sudo vim /etc/consul.d/templates/nginx-smart-router.json

SLIDE 116

log_level = "info"

wait {
  min = "5s"
  max = "600s"
}

max_stale = "1m"

template {
  source      = "/etc/consul.d/templates/template/nginx.conf.tpl"
  destination = "/etc/nginx/sites-available/nginx-smart-router.conf"
  command     = "nginx -s reload"
}

SLIDE 117

# Move nginx.conf.tpl to /etc/consul.d/templates/template/nginx.conf.tpl
$ sudo mv nginx.conf.tpl /etc/consul.d/templates/template/nginx.conf.tpl
# Open consul-template systemd configuration and supply it the configuration
$ sudo vim /etc/systemd/system/consul-template.service

SLIDE 118-119

[Unit]
Description=Template rendering, notifier, and supervisor for HashiCorp Consul and Vault data
Requires=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/bin/consul-template -config /etc/consul.d/templates/nginx-smart-router.json
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

SLIDE 120

$ sudo systemctl daemon-reload
$ sudo service consul-template start

SLIDE 121

$ cd /etc/nginx/sites-enabled
$ sudo ln -s /etc/nginx/sites-available/nginx-smart-router.conf nginx-smart-router
$ sudo service nginx restart

SLIDE 122

Exercise: Request Counting Service via “Smart NGINX”

Make a request to the counting service using the newly configured NGINX router. HINT: Use the local port 5050

SLIDE 123

$ curl http://localhost:5050/service/counting/
{"count":1,"hostname":"velocity-badger.node.consul"}

SLIDE 124

# Try the -i flag in curl to include the protocol headers
$ curl -i http://localhost:5050/service/counting/

SLIDE 125

Exercise: Use the Dashboard Service to Connect to Counting Service

Explore the Dashboard service on your workstations. Start the service and register it in Consul.

SLIDE 126

$ vim /etc/systemd/system/dashboard.service

SLIDE 127-128

[Unit]
Description=An simple dashboard service
Requires=network-online.target
After=network-online.target

[Service]
Environment=PORT=9002
Environment=COUNTING_SERVICE_URL=http://localhost:5050/service/counting/
ExecStart=/usr/local/bin/dashboard-service
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

SLIDE 129

$ cp /workstation/consul/dashboard.json /etc/consul.d/dashboard.json
$ vim /etc/consul.d/dashboard.json

SLIDE 130

{
  "service": {
    "name": "dashboard",
    "tags": ["velocity-ant"],
    "port": 9002,
    "check": {
      "id": "dashboard-check",
      "http": "http://localhost:9002/health",
      "method": "GET",
      "interval": "1s",
      "timeout": "1s"
    }
  }
}

SLIDE 131

$ sudo service dashboard start
$ consul reload

SLIDE 132

Exercise: Verify Dashboard Application

Open the dashboard application and make sure it is able to connect to the counting service via “Smart NGINX”. Your dashboard application will be available at the following URL: http://{workstation_ip}:9002

SLIDE 133

Use Consul K/V as a Control Plane for NGINX

The Consul K/V store can be used to store runtime configuration for the proxy. Consul Template watches these values; when they change, it immediately renders the new values for the proxy.

SLIDE 134

$ while true; do curl -i http://localhost:5050/service/counting/; sleep 0.5; done

SLIDE 135

$ consul kv put config/global/router/prefer-local-routing 1

SLIDE 136

Runtime Configuration

The Consul K/V store can be used to store runtime configuration for the proxy. This can extend to things like storing values for request retries, rate limits, etc.
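How Consul Template turns catalog and K/V data into NGINX configuration, covering both the NGINX template exercise (slides 109-113) and the K/V-as-control-plane flow on the slides just above. This is an added example, not Consul Template's source and not the workshop's nginx.conf.tpl (which the slides leave to the exercise): Go's text/template with stand-in `service` and `key` functions over constructed data, rendering one upstream member per healthy counting instance and honouring the config/global/router/prefer-local-routing key from slide 135. Reconcile also models the rule that the configured command (nginx -s reload) only runs when the rendered destination actually changed.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// HealthService holds the fields of a healthy instance that templates use; it
// stands in for the richer struct Consul Template's `service` function returns.
type HealthService struct {
	Node, Address string
	Port          int
	Tags          []string
}

// Source stands in for the Consul catalog and K/V store that the real tool
// watches over the HTTP API. Here it is filled with constructed data.
type Source struct {
	Services map[string][]HealthService
	KV       map[string]string
}

// Render evaluates a Consul Template template against src. The template
// language is Go's text/template plus Consul-specific functions; `service` and
// `key` are re-implemented here against the in-memory source.
func Render(src *Source, tpl string) (string, error) {
	funcs := template.FuncMap{
		// service lists healthy instances only, as consul-template does by default.
		"service": func(name string) []HealthService { return src.Services[name] },
		// key returns the value; a missing key renders as "" (the real tool blocks until it exists).
		"key": func(k string) string { return src.KV[k] },
	}
	t, err := template.New("nginx").Funcs(funcs).Parse(tpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

// Reconcile mimics one pass of the consul-template watch loop: render, then
// report whether the destination changed, which is the only case in which the
// template's command ("nginx -s reload" in the workshop config) should run.
func Reconcile(src *Source, tpl, current string) (rendered string, changed bool, err error) {
	rendered, err = Render(src, tpl)
	if err != nil {
		return "", false, err
	}
	return rendered, rendered != current, nil
}

// nginxTemplate is an assumed nginx.conf.tpl: one upstream member per healthy
// "counting" instance, and a K/V-driven switch (the prefer-local-routing key
// from the exercise) that sends traffic to the instance on this host instead.
const nginxTemplate = `upstream counting {
{{ range service "counting" }}  server {{ .Address }}:{{ .Port }};
{{ end }}}

server {
  listen 5050;
  location /service/counting/ {
{{ if eq (key "config/global/router/prefer-local-routing") "1" }}    proxy_pass http://127.0.0.1:9001/;
{{ else }}    proxy_pass http://counting/;
{{ end }}  }
}
`

// sampleSource is constructed data mirroring two healthy counting instances.
func sampleSource() *Source {
	return &Source{
		Services: map[string][]HealthService{"counting": {
			{Node: "velocity-ant", Address: "10.1.1.82", Port: 9001, Tags: []string{"velocity"}},
			{Node: "velocity-badger", Address: "10.1.2.22", Port: 9001, Tags: []string{"velocity"}},
		}},
		KV: map[string]string{},
	}
}

func main() {
	src := sampleSource()
	conf, changed, err := Reconcile(src, nginxTemplate, "")
	fmt.Printf("changed=%v err=%v\n%s\n", changed, err, conf)
	src.KV["config/global/router/prefer-local-routing"] = "1" // what `consul kv put ... 1` does
	conf, changed, err = Reconcile(src, nginxTemplate, conf)
	fmt.Printf("changed=%v err=%v\n%s\n", changed, err, conf)
}
```

Two behaviours matter operationally: an instance that drops out of the healthy set disappears from the upstream block on the next render, and a K/V write flips the proxy_pass target without anyone touching the NGINX host, which is why write access to that K/V prefix deserves the same ACL scrutiny as the proxy configuration itself.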

SLIDE 137

“Smart Proxy” with X and Consul

This approach can be extended to other proxies like HAProxy, Apache2, etc. This approach will also work with containers.

SLIDE 138

Fabio

SLIDE 139

Fabio: A Consul Load Balancer

Fabio integrates with Consul and acts as a load balancer for all healthy services under a given name.
HTTP(S) and TCP router
Developed at eBay and used by eBay, Kijiji
GitHub Repository: https://github.com/fabiolb/fabio
Website: https://fabiolb.net/

SLIDE 140

Exercise: Use Fabio as an Ingress into Nomad

Run the counting service using a cluster scheduler (in this case we will use Nomad). Use Fabio to get to the counting service using host headers.

SLIDE 141

$ cd /workstation/nomad
$ vim counting-service.nomad

SLIDE 142-143

job "counting-service-velocity-badger" {
  datacenters = ["dc1"]

  group "counting-service" {
    count = 1

    task "web" {
      driver = "docker"

      config {
        image = "anubhavmishra/counting-service"
        port_map = {
          http = 9001
        }
      }

      .....

      service {
        name = "counting-service"
        port = "http"
        tags = [
          "velocity-badger",
          "velocity",
          "urlprefix-counting-service.hashicorp.live/",
        ]

        check {
          type     = "http"
          path     = "/health"
          interval = "2s"
          timeout  = "2s"
        }
      }
    }
  }
}

SLIDE 144

$ nomad run counting-service.nomad
$ nomad status counting-service

SLIDE 145

$ curl -i -H 'Host: counting-service.hashicorp.live' http://localhost:9999
HTTP/1.1 200 OK
Content-Length: 37
Content-Type: text/plain; charset=utf-8
Date: Fri, 28 Sep 2018 19:09:01 GMT

{"count":2,"hostname":"09cb1e97a2bf"}

# Access your application using the internet
$ curl -i -H 'Host: counting-service.hashicorp.live' http://fabio.hashicorp.live

SLIDE 146

Fabio: A Consul Load Balancer

Fabio feels like a “global” load balancer since it spans both VMs and Containers!

SLIDE 147-149

Service Mesh for Microservices

Service Discovery: Connect services with a dynamic registry
Service Configuration: Configure services with runtime configs
Service Segmentation: Secure services based on identity → Zero Trust Networks!

SLIDE 150

Consul Connect

SLIDE 151

Consul Connect

Service Access Graph
Certificate Distribution
Application Integration

SLIDE 152

Service Access Graph

Intentions to Allow/Deny Communication
Source and Destination Service
Scale Independent
Managed with CLI, API, UI, Terraform

SLIDE 153

$ consul intention create -deny web '*'
Created: web => * (deny)
$ consul intention create -allow web db
Created: web => db (allow)
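How the two intentions on this slide combine, as an added example that is not Consul's implementation: a matching intention with a more specific source/destination pair wins over a less specific one, so `web => * (deny)` together with `web => db (allow)` lets web reach db and nothing else, whatever order they were created in. The four-level precedence follows the ordering Consul documents for these source/destination shapes; DefaultAllow is an assumption standing in for the cluster's ACL default policy, which is what Consul falls back to when no intention matches.

```go
package main

import (
	"fmt"
	"sort"
)

// Intention is one edge of the service access graph: may Source talk to
// Destination? "*" is the wildcard on either side.
type Intention struct {
	Source, Destination string
	Allow               bool
}

// precedence ranks how specific an intention is. A more specific match beats a
// less specific one regardless of creation order: exact/exact, then exact
// source with wildcard destination, then wildcard source with exact
// destination, then wildcard/wildcard.
func precedence(i Intention) int {
	switch {
	case i.Source != "*" && i.Destination != "*":
		return 4
	case i.Source != "*":
		return 3
	case i.Destination != "*":
		return 2
	}
	return 1
}

// Graph holds the intentions plus the decision used when none matches.
// DefaultAllow=false (the zero value) models a default-deny cluster, which is
// the assumption this example makes.
type Graph struct {
	Intentions   []Intention
	DefaultAllow bool
}

func (i Intention) matches(src, dst string) bool {
	return (i.Source == "*" || i.Source == src) && (i.Destination == "*" || i.Destination == dst)
}

// Decide answers "may src connect to dst?" and names the intention that decided.
func (g *Graph) Decide(src, dst string) (allowed bool, reason string) {
	var best *Intention
	for idx := range g.Intentions {
		in := &g.Intentions[idx]
		if in.matches(src, dst) && (best == nil || precedence(*in) > precedence(*best)) {
			best = in
		}
	}
	if best == nil {
		return g.DefaultAllow, "no matching intention; default policy"
	}
	verb := "deny"
	if best.Allow {
		verb = "allow"
	}
	return best.Allow, fmt.Sprintf("%s => %s (%s)", best.Source, best.Destination, verb)
}

// Explain lists every intention that applies to (src, dst) from most to least
// specific, which is what you want when auditing why a connection was allowed.
func (g *Graph) Explain(src, dst string) []Intention {
	var hits []Intention
	for _, in := range g.Intentions {
		if in.matches(src, dst) {
			hits = append(hits, in)
		}
	}
	sort.SliceStable(hits, func(a, b int) bool { return precedence(hits[a]) > precedence(hits[b]) })
	return hits
}

func main() {
	g := &Graph{Intentions: []Intention{
		{"web", "*", false}, // consul intention create -deny web '*'
		{"web", "db", true}, // consul intention create -allow web db
		{"*", "*", false},   // catch-all deny, as in the "deny all access" exercise
	}}
	for _, p := range [][2]string{{"web", "db"}, {"web", "cache"}, {"dashboard", "counting"}} {
		ok, why := g.Decide(p[0], p[1])
		fmt.Printf("%s -> %s: allow=%v (%s)\n", p[0], p[1], ok, why)
	}
}
```

Explain is the piece worth keeping around in a real deployment: when a connection is unexpectedly allowed, listing the matching intentions in precedence order shows immediately which rule shadowed the deny you expected to apply.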

SLIDE 155

Certificate Distribution

Transport Layer Security (TLS)
Service Identity
Encryption of all traffic

SLIDE 156

Certificate Format

X.509 Certificate
SPIFFE Compatible
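What a Connect certificate carries and how a sidecar turns it into a service identity, as an added example that is not Consul's code: a toy CA issues X.509 leaves whose identity is a SPIFFE URI SAN of the form `spiffe://<trust domain>/ns/default/dc/dc1/svc/<service>` (the trust domain value is constructed), and PeerService verifies the chain against that CA before reading the service name out of the URI. PeerService is the check you would hang on tls.Config.VerifyPeerCertificate, with ClientAuth set to tls.RequireAndVerifyClientCert on the accepting side, so that the handshake fails closed whenever the peer's identity cannot be established.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// trustDomain is a constructed stand-in for the per-cluster trust domain under which Consul's CA issues identities.
const trustDomain = "11111111-2222-3333-4444-555555555555.consul"

// CA is a tiny in-memory authority playing the role of Consul's built-in Connect CA.
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	Pool *x509.CertPool
}

// sign generates a P-256 key and a certificate for tmpl signed by parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

func NewCA(name string) (*CA, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, key, err := sign(tmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{cert: cert, key: key, Pool: pool}, nil
}

// Issue mints a short-lived leaf whose only identity is the SPIFFE URI SAN
// spiffe://<trust domain>/ns/default/dc/dc1/svc/<service>; it carries no DNS
// name, so a hostname check cannot be what authenticates it.
func (ca *CA) Issue(service string) (tls.Certificate, error) {
	id := &url.URL{Scheme: "spiffe", Host: trustDomain, Path: "/ns/default/dc/dc1/svc/" + service}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: service}, URIs: []*url.URL{id},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(72 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, key, err := sign(tmpl, ca.cert, ca.key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// PeerService does what a Connect proxy does with the certificate the other side
// presents: verify the chain against the cluster CA, then read the service name
// from the SPIFFE URI. A foreign CA, a foreign trust domain or a missing URI SAN
// is rejected here, before any intention is even consulted.
func PeerService(pool *x509.CertPool, rawCerts [][]byte) (string, error) {
	if len(rawCerts) == 0 {
		return "", errors.New("peer presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return "", err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain {
		return "", errors.New("no SPIFFE URI SAN in our trust domain")
	}
	path := leaf.URIs[0].Path
	i := strings.LastIndex(path, "/svc/")
	if i < 0 || i+5 == len(path) || strings.Contains(path[i+5:], "/") {
		return "", errors.New("SPIFFE ID has no service segment")
	}
	return path[i+5:], nil
}

func main() {
	ca, _ := NewCA("Consul CA (example)")
	dashboard, _ := ca.Issue("dashboard")
	who, err := PeerService(ca.Pool, dashboard.Certificate)
	fmt.Println("peer identity:", who, "err:", err)
}
```

The order of checks is the security property: the chain is verified before the URI is trusted, so a certificate that merely claims to be `svc/dashboard` but was not signed by the cluster CA never yields a service name, and the "Allow?" question from the intention graph is only ever asked about an identity the CA actually issued.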

SLIDE 157

Application Integration

Consul Client for Service Graph and Certificates
Sidecar Proxies
Native Integrations

SLIDE 158

Sidecar Proxy Integration

No Code Modification
Minimal Performance Overhead
Operational Flexibility

SLIDE 159

Sidecar Proxies

Client ↔ Proxy ↔ App, on both sides; each Consul Client configures its Proxy via Connect.

SLIDE 160-161

Pluggable Proxies

Client ↔ App, on both sides; each Consul Client configures the pluggable proxy via Connect. Coming soon!

SLIDE 162

{
  "service": "web",
  "connect": {
    "proxy": {
      "config": {
        "upstreams": [{
          "destination_name": "redis",
          "local_bind_port": 1234
        }]
      }
    }
  }
}

C O D E E D I T O R

SLIDE 163

Proxy ↔ Client ↔ App: the Consul Client configures the Proxy via Connect; the App connects to localhost:1234 and the Proxy connects to the upstream redis.

SLIDE 164

$ consul connect proxy \
    -service web \
    -upstream postgresql:8181

$ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
>

SLIDE 165

Exercise: Connect Two Services via Consul Connect

Take two services, dashboard and counting, and connect them over TLS using Consul’s Connect feature.

dashboard ↔ mTLS ↔ counting

SLIDE 166

Exercise: Connect Two Services via Consul Connect

Edit the dashboard and counting Consul service files to enable connect.

SLIDE 167

$ sudo vim /etc/consul.d/counting.json

SLIDE 168

{
  "service": {
    "name": "counting",
    "tags": ["velocity"],
    "port": 9001,
    "connect": { "proxy": {} },
    "check": {
      "id": "counting-check",
      "http": "http://localhost:9001/health",
      "method": "GET",
      "interval": "1s",
      "timeout": "1s"
    }
  }
}

SLIDE 169

$ sudo vim /etc/consul.d/dashboard.json

SLIDE 170

{
  "service": {
    "name": "dashboard",
    "port": 9002,
    "tags": ["velocity-ant"],
    "connect": {
      "proxy": {
        "config": {
          "upstreams": [
            {
              "destination_name": "counting",
              "local_bind_port": 9003
            }
          ]
        }
      }
    },
    "check": {
      "id": "dashboard-check",
      "http": "http://localhost:9002/health",
      "method": "GET",
      "interval": "1s",
      "timeout": "1s"
    }
  }
}

C O D E E D I T O R

slide-171
SLIDE 171

@anubhavm 

Exercise: Connect Two Service via Consul Connect

Edit the dashboard systemd config file to point to the local_bind_port 9003.

slide-172
SLIDE 172

T E R M I N A L

$ vim /etc/systemd/system/dashboard.service

slide-173
SLIDE 173

[Unit] Description=An simple dashboard service Requires=network-online.target After=network-online.target [Service] Environment=PORT=9002 Environment=COUNTING_SERVICE_URL=http://localhost:5050/service/counting/ ExecStart=/usr/local/bin/dashboard-service ExecReload=/bin/kill -HUP $MAINPID KillSignal=SIGINT Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target

C O D E E D I T O R

slide-174
SLIDE 174

[Unit] Description=An simple dashboard service Requires=network-online.target After=network-online.target [Service] Environment=PORT=9002 Environment=COUNTING_SERVICE_URL=http://localhost:9003 ExecStart=/usr/local/bin/dashboard-service ExecReload=/bin/kill -HUP $MAINPID KillSignal=SIGINT Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target

C O D E E D I T O R

slide-175
SLIDE 175


Exercise: Connect Two Services via Consul Connect

Reload Consul so it picks up the edited service definitions, then restart the dashboard service so it reads the new unit file.

slide-176
SLIDE 176

T E R M I N A L

$ consul reload
Configuration reload triggered
$ sudo systemctl daemon-reload
$ sudo service dashboard restart
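The three edits above (two service definitions plus the unit file) only put the dashboard's traffic through the mesh if they agree with each other. Below is an added consistency check, not part of the slides, that catches the usual mistakes: an upstream that targets a service without a Connect proxy, a local_bind_port that collides with a real service port, and a COUNTING_SERVICE_URL that still points at the old direct address (the slide-173 state) and so bypasses the sidecar. The embedded inputs are constructed copies of the exercise's files.

```python
import re
from urllib.parse import urlparse

# Constructed inputs (added example, not files from the slides): the two
# Connect service definitions of the exercise and the dashboard unit's
# [Service] section before and after the edit.
COUNTING = {"service": {"name": "counting", "port": 9001,
                        "connect": {"proxy": {}}}}
DASHBOARD = {"service": {"name": "dashboard", "port": 9002,
                         "connect": {"proxy": {"config": {"upstreams": [
                             {"destination_name": "counting",
                              "local_bind_port": 9003}]}}}}}
UNIT_BEFORE = ("[Service]\nEnvironment=PORT=9002\n"
               "Environment=COUNTING_SERVICE_URL="
               "http://localhost:5050/service/counting/\n")
UNIT_AFTER = ("[Service]\nEnvironment=PORT=9002\n"
              "Environment=COUNTING_SERVICE_URL=http://localhost:9003\n")


def unit_env(unit_text):
    """Collect Environment=KEY=VALUE settings from a systemd unit."""
    pat = re.compile(r"^Environment=([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.M)
    return {m.group(1): m.group(2).strip() for m in pat.finditer(unit_text)}


def check_connect_wiring(service_defs, unit_text, consumer="dashboard",
                         upstream="counting", env_var="COUNTING_SERVICE_URL"):
    """Return a list of problems; empty means traffic goes through the sidecars."""
    problems = []
    svcs = {d["service"]["name"]: d["service"] for d in service_defs}
    ports = {s["port"] for s in svcs.values()}
    binds = {}
    for name, svc in svcs.items():
        proxy = svc.get("connect", {}).get("proxy") or {}
        for up in proxy.get("config", {}).get("upstreams", []):
            dest, lport = up["destination_name"], up["local_bind_port"]
            target = svcs.get(dest, {})
            if "proxy" not in target.get("connect", {}):
                problems.append(f"{name}: upstream {dest} is not Connect-enabled")
            if lport in ports:
                problems.append(f"{name}: local_bind_port {lport} collides with a service port")
            binds[(name, dest)] = lport
    expected = binds.get((consumer, upstream))
    if expected is None:
        problems.append(f"{consumer}: no upstream declared for {upstream}")
    url = urlparse(unit_env(unit_text).get(env_var, ""))
    if url.hostname != "localhost" or url.port != expected:
        problems.append(f"{env_var}={url.geturl() or '<unset>'} bypasses the "
                        f"sidecar; expected http://localhost:{expected}")
    return problems
```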

slide-177
SLIDE 177


Exercise: Verify Dashboard and Counting Services

Use the Consul UI to verify that both the dashboard and counting services are healthy and running. The Consul UI is located at http://consul.hashicorp.live
HINT: Navigate to the "services" tab in the Consul UI and filter for your node.

slide-178
SLIDE 178

T E R M I N A L

$ open http://consul.hashicorp.live

slide-179
SLIDE 179


Exercise: Verify Dashboard Application

Open the dashboard application and make sure it is able to connect to the counting service via Consul Connect. Your dashboard application will be available at the following URL: http://{workstation_ip}:9002

slide-180
SLIDE 180


Exercise: Use “Intentions” to Deny All Access

Use the Consul UI to deny all access to all services.

slide-181
SLIDE 181


Exercise: Connect to a Database Using Consul Connect

Use Consul Connect to open an encrypted connection to a database running on a VM. The client will use Consul Connect to spin up a proxy masquerading as the "web" service, connecting to the "redis-db" service and binding on local port 8081.

slide-182
SLIDE 182

T E R M I N A L

$ sudo apt-get install -y redis-tools
$ redis-cli -h

slide-183
SLIDE 183

T E R M I N A L

# Instructor will run this command.
$ sudo apt-get install redis-server
# Register redis service in Consul
# Show traffic without Consul Connect.
# Enable Consul Connect.

slide-184
SLIDE 184

T E R M I N A L

$ consul connect proxy \
    -service web \
    -upstream redis-db:6379 &

$ redis-cli

slide-185
SLIDE 185


Data Planes for L4

Encrypted Connections to Databases (TCP)
Proxy Masquerading

slide-186
SLIDE 186


Native Integration

Standard TLS
Negligible Performance Overhead
Requires Code Modification

slide-187
SLIDE 187

package main

import (
	"log"
	"net/http"

	"github.com/hashicorp/consul/api"
	"github.com/hashicorp/consul/connect"
)

func main() {
	// Create a Consul API client
	client, err := api.NewClient(api.DefaultConfig())
	if err != nil {
		log.Fatal(err)
	}
	// Create an instance representing this service.
	svc, err := connect.NewService("my-service", client)
	if err != nil {
		log.Fatal(err)
	}
	defer svc.Close()
	// Creating an HTTP server that serves via Connect
	server := &http.Server{
		Addr:      ":8080",
		TLSConfig: svc.ServerTLSConfig(), // Connect-issued cert, CA and client verification
		// ... other standard fields
	}
	// Serve! Cert and key paths are empty because TLSConfig already carries them.
	log.Fatal(server.ListenAndServeTLS("", ""))
}

C O D E E D I T O R

slide-188
SLIDE 188


Consul Connect Lambda Integration

Consul’s Connect feature can be used to connect AWS Lambda functions to services running inside a datacenter (EC2 instances, RDS databases etc). DISCLAIMER: THIS IS NOT PRODUCTION READY!

GitHub Repository: https://github.com/anubhavmishra/consul-connect-lambda

slide-189
SLIDE 189


Consul Connect Lambda Integration

[Architecture diagram: on the Internet side, an API Gateway invokes a Lambda function that uses the SDK to reach, inside the VPC, an internal load balancer in front of the app servers.]

slide-190
SLIDE 190


Consul Connect Lambda Integration

[Architecture diagram, same layout as the previous slide: API Gateway and Lambda function on the Internet side, internal load balancer and app servers inside the VPC; the Lambda-to-VPC connection is labelled Mutual TLS.]

slide-191
SLIDE 191

Demo

slide-192
SLIDE 192


Consul Connect

Service Access Graph. Intentions allow or deny communication of logical services.
Certificate Distribution. Standard TLS certificates with SPIFFE compatibility.
Application Integration. Native integrations or sidecar proxies.
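The access graph and the certificates fit together like this: the peer presents a Connect certificate, its SPIFFE identity names the logical service, and the intentions decide. Below is an added example, not code from the slides or from Consul, that models both the "deny all" posture of the earlier intentions exercise and the SPIFFE lookup. The URI shape and the precedence rule (most specific match wins, exact destination above exact source, service names only) are assumptions of this example; the identities are constructed.

```python
import re

# Connect identities are SPIFFE URIs carried in the certificate's URI SAN. The
# shape below (trust domain, namespace, datacenter, service) is assumed by this
# added example; the sample URIs are constructed, not taken from the slides.
SPIFFE_RE = re.compile(r"^spiffe://([^/]+)/ns/([^/]+)/dc/([^/]+)/svc/([^/]+)$")

DASHBOARD_ID = "spiffe://example.consul/ns/default/dc/dc1/svc/dashboard"
COUNTING_ID = "spiffe://example.consul/ns/default/dc/dc1/svc/counting"
WEB_ID = "spiffe://example.consul/ns/default/dc/dc1/svc/web"


def service_from_spiffe(uri):
    """Extract the logical service name from a Connect SPIFFE identity."""
    m = SPIFFE_RE.match(uri)
    if not m:
        raise ValueError("not a Connect service identity: " + uri)
    return m.group(4)


def evaluate(intentions, source_uri, dest_uri, default_allow=True):
    """Decide whether source may open a connection to dest.

    intentions: list of (source, destination, action) with '*' as a wildcard.
    Precedence (assumption modelled on Consul's ordering, names only): the
    most specific match wins, and an exact destination outranks an exact
    source. With no matching intention the default policy applies."""
    src = service_from_spiffe(source_uri)
    dst = service_from_spiffe(dest_uri)
    best = None  # (rank, action) of the most specific match so far
    for s, d, action in intentions:
        if s not in (src, "*") or d not in (dst, "*"):
            continue
        rank = 2 * (d != "*") + (s != "*")
        if best is None or rank > best[0]:
            best = (rank, action)
    if best is None:
        return default_allow
    return best[1] == "allow"


def deny_all_except(pairs):
    """Build the earlier exercise's posture: deny everything, then allow listed pairs."""
    return [("*", "*", "deny")] + [(s, d, "allow") for s, d in pairs]
```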

slide-193
SLIDE 193

Conclusion

slide-194
SLIDE 194


Consul for Service Mesh Control Plane

Service Discovery. Connect services with a dynamic registry.
Service Configuration. Configure services with runtime configs.
Service Segmentation. Secure services based on identity.
Pluggable Control Plane and Data Plane.

slide-195
SLIDE 195


Useful Links

  • Envoy Consul Service Discovery Service: https://github.com/anubhavmishra/envoy-consul-sds
  • Consul Connect Lambda Integration: https://github.com/anubhavmishra/consul-connect-lambda

slide-196
SLIDE 196

Thanks! I have stickers!

Consul: https://consul.io @anubhavm