TRANSCRIPT
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mridula Grandhi, Sr Technical Account Manager, AWS
Deep Dive on Configuring AWS App Mesh
What we’ll cover today
• Service Mesh
  o Why? What?
• AWS App Mesh
  o Constructs
• Demo Application – Yelb
  o How do I mesh an existing microservice?
  o Service Discovery – How does it work?
  o Security – TLS via ACM
• Resources & Roadmap
Service Mesh
Compute workloads have evolved
• From a three-tier architecture to complex microservice-based architectures
• Service-to-service communication becomes more challenging
• Product teams are becoming self-sufficient
[Diagram: a UI microservice in front of Search, Payments, and Reviews & Ratings microservices]
Service Mesh
A service mesh provides a means of monitoring all inter-service traffic and of abstracting its configuration away from the application code.
Because every request passes through the mesh's proxies, the mesh sees all data on the wire, and that vantage point can be used to solve many needs: observability, traffic control, and encryption between services.
AWS App Mesh
AWS App Mesh: Application Level Networking
[Diagram: Envoy proxy]
• Fully managed service
• Integrated with Envoy
• Standardizes service communication
• Simplifies observability solutions
• Compatible with AWS compute primitives
How does App Mesh work?
[Diagram: Service Yelb-UI and Service Yelb-App, each with an Envoy proxy alongside it, exchanging HTTP, HTTP/2, gRPC or TCP traffic; the control plane pushes configuration down to each Envoy]
• Proxy (Envoy): sits between all services; manages and observes traffic
• Control plane: translates intent into proxy config; distributes proxy config
App Mesh Constructs
• Mesh
• Virtual Node
• Virtual Service
• Virtual Router
• Routes
• Virtual Gateway (now GA)
• Gateway Routes (now GA)
Mesh
Mesh: Logical boundary for network traffic between the services that reside within it
Virtual Node
A logical pointer to a discoverable service in your application.For each virtual service, you will have at least one virtual node.
[Diagram: a virtual node pointing at the Yelb-UI tasks/pods/instances and a virtual node pointing at the Yelb-App tasks/pods/instances]
Virtual Service
An abstraction of an actual service that is provided by a virtual node, either directly or indirectly by means of a virtual router. Other virtual nodes refer to it by this logical name when they declare it as a backend.
[Diagram: a virtual service in front of the Yelb-UI tasks/pods/instances and a virtual service in front of the Yelb-App tasks/pods/instances]
Virtual Router
Handles traffic for one or more virtual services within your mesh. Routes are attached to a virtual router; the router itself has no endpoints and only forwards to virtual nodes.
[Diagram: a virtual router in front of the foo-svc and bar-svc tasks/pods/instances]
Route
Used to match requests arriving at a virtual router and to distribute traffic to the router's associated virtual nodes, for example by HTTP path prefix.
[Diagram: httpRoutes matching /foo, /api and /ui on a virtual router, each forwarding to the foo-svc or bar-svc tasks/pods/instances]
Virtual Gateway (now GA)
Allows resources outside your mesh to communicate with resources that are inside your mesh. It is an Envoy that runs on its own, without an application next to it, at the edge of the mesh.
[Diagram: a virtual gateway at the mesh edge in front of httpRoutes /foo, /api and /ui that reach the foo-svc and bar-svc tasks/pods/instances]
Gateway Route (now GA)
Virtual Gateway: Allows resources outside your mesh to communicate with resources that are inside your mesh.
Gateway Route: a rule attached to a virtual gateway that matches incoming requests (for example an httpRoute on a path prefix such as /paths) and forwards them to a virtual service inside the mesh.
[Diagram: gateway routes for /ui, /api and /paths on a virtual gateway, forwarding to virtual services that reach the foo-svc and bar-svc tasks/pods/instances]
Putting it all together…
[Diagram: a virtual gateway with HTTP routes for /ui, /api and /paths in front of virtual services, a virtual router and virtual nodes for the foo-svc and bar-svc tasks/pods/instances]
• Mesh – Application
• Virtual Gateway – Ingress rules
• Virtual Service – Logical name
• Virtual Router – Directs traffic to nodes
• Virtual Node – Service endpoints
• Routes – Routing rules
Service Discovery
Discover via DNS or Cloud Map
[Diagram: workloads on Amazon EC2, Amazon Elastic Kubernetes Service (EKS) and Amazon Elastic Container Service (ECS), discovered either via AWS Cloud Map or via DNS]
• Discovery via Cloud Map: register the IP addresses of the tasks, pods or instances in a Cloud Map service; App Mesh reads the instance list from there.
• Discovery via DNS: register a DNS name that resolves to the specific tasks, pods or instances, for example yelb-appserver.yelb.local; the Envoy proxy resolves that name.
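The constructs above, assembled for the Yelb demo as an added example (not code from the talk or from the App Mesh project): the script builds the mesh, virtual node, virtual service, virtual router and route specs in the JSON shape the `aws appmesh create-*` CLI and SDK accept, shows both service-discovery styles side by side, and lints the result for dangling references before anything is created. The resource names (yelb-ui-vn, yelb.local and friends) are assumptions modelled on the demo; the egress allow-list check relies on the mesh's default egress filter, DROP_ALL, under which a node's Envoy may only reach the virtual services listed as its backends.

```python
"""Build the Yelb mesh as App Mesh API specs and lint them before any create-* call.
Stand-alone: no AWS access needed. Names are assumptions modelled on the Yelb demo."""
from typing import Dict, List, Set

MESH = "yelb"
NS = "yelb.local"  # assumed Cloud Map namespace; also the DNS suffix used for virtual service names


def virtual_node(name, port, protocol, discovery, backends=()):
    """Spec in the shape `aws appmesh create-virtual-node --spec file://...` accepts."""
    return {
        "virtualNodeName": name,
        "spec": {
            "listeners": [{"portMapping": {"port": port, "protocol": protocol}}],
            "serviceDiscovery": discovery,
            # With the mesh's default egress filter (DROP_ALL) these backends are the only
            # virtual services this node's Envoy may call: an explicit egress allow-list.
            "backends": [{"virtualService": {"virtualServiceName": b}} for b in backends],
        },
    }


def dns(hostname):       # DNS style: Envoy resolves the hostname at runtime
    return {"dns": {"hostname": hostname}}


def cloud_map(service):  # Cloud Map style: App Mesh reads instance IPs registered in the namespace
    return {"awsCloudMap": {"namespaceName": NS, "serviceName": service}}


def build_yelb_mesh() -> Dict:
    ui, app, db, cache = (f"yelb-ui.{NS}", f"yelb-appserver.{NS}", f"yelb-db.{NS}", f"redis-server.{NS}")
    nodes = [
        virtual_node("yelb-ui-vn", 80, "http", cloud_map("yelb-ui"), backends=[app]),
        virtual_node("yelb-appserver-vn", 4567, "http", dns(app), backends=[db, cache]),
        virtual_node("yelb-db-vn", 5432, "tcp", dns(db)),
        virtual_node("redis-server-vn", 6379, "tcp", dns(cache)),
    ]
    # yelb-appserver sits behind a virtual router so traffic can later be split between node versions
    router = {"virtualRouterName": "yelb-appserver-vr",
              "spec": {"listeners": [{"portMapping": {"port": 4567, "protocol": "http"}}]}}
    route = {"routeName": "yelb-appserver-route", "virtualRouterName": "yelb-appserver-vr",
             "spec": {"httpRoute": {"match": {"prefix": "/"},
                                    "action": {"weightedTargets": [{"virtualNode": "yelb-appserver-vn",
                                                                    "weight": 1}]}}}}
    services = [
        {"virtualServiceName": ui, "spec": {"provider": {"virtualNode": {"virtualNodeName": "yelb-ui-vn"}}}},
        {"virtualServiceName": app, "spec": {"provider": {"virtualRouter": {"virtualRouterName": "yelb-appserver-vr"}}}},
        {"virtualServiceName": db, "spec": {"provider": {"virtualNode": {"virtualNodeName": "yelb-db-vn"}}}},
        {"virtualServiceName": cache, "spec": {"provider": {"virtualNode": {"virtualNodeName": "redis-server-vn"}}}},
    ]
    return {"meshName": MESH, "virtualNodes": nodes, "virtualServices": services,
            "virtualRouters": [router], "routes": [route]}


def lint(mesh: Dict) -> List[str]:
    """Referential checks: every backend, provider and route target must exist in the mesh."""
    nodes = {n["virtualNodeName"] for n in mesh["virtualNodes"]}
    routers = {r["virtualRouterName"] for r in mesh["virtualRouters"]}
    services = {s["virtualServiceName"] for s in mesh["virtualServices"]}
    findings = []
    for n in mesh["virtualNodes"]:
        for b in n["spec"]["backends"]:
            name = b["virtualService"]["virtualServiceName"]
            if name not in services:
                findings.append(f"{n['virtualNodeName']}: backend {name} has no virtual service")
    for s in mesh["virtualServices"]:
        p = s["spec"]["provider"]
        if "virtualNode" in p and p["virtualNode"]["virtualNodeName"] not in nodes:
            findings.append(f"{s['virtualServiceName']}: provider virtual node missing")
        if "virtualRouter" in p and p["virtualRouter"]["virtualRouterName"] not in routers:
            findings.append(f"{s['virtualServiceName']}: provider virtual router missing")
    for r in mesh["routes"]:
        if r["virtualRouterName"] not in routers:
            findings.append(f"{r['routeName']}: router {r['virtualRouterName']} missing")
        targets = r["spec"]["httpRoute"]["action"]["weightedTargets"]
        for t in targets:
            if t["virtualNode"] not in nodes:
                findings.append(f"{r['routeName']}: target {t['virtualNode']} missing")
        if sum(t["weight"] for t in targets) == 0:
            findings.append(f"{r['routeName']}: every target has weight 0")
    return findings


def egress_allow_list(mesh: Dict) -> Dict[str, Set[str]]:
    """Which virtual services each node's Envoy is permitted to call (its declared backends)."""
    return {n["virtualNodeName"]: {b["virtualService"]["virtualServiceName"] for b in n["spec"]["backends"]}
            for n in mesh["virtualNodes"]}


if __name__ == "__main__":
    m = build_yelb_mesh()
    print("lint findings:", lint(m))
    for node, allowed in egress_allow_list(m).items():
        print(f"{node} -> {sorted(allowed) or 'no backends'}")
```

Each entry in the returned dict can be written to a file and passed to the matching `aws appmesh create-virtual-node`, `create-virtual-service`, `create-virtual-router` or `create-route` call with `--mesh-name yelb --spec file://...`; run `lint` first, since a backend that names a virtual service which does not exist is accepted by the API but yields an Envoy with nowhere to send that traffic.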
Security
Goal: TLS at mesh to encrypt traffic between services
[Diagram: Traffic Encryption – Yelb UI tasks (a virtual node behind Virtual Service Yelb UI) talking over TLS to Yelb App tasks (a virtual node behind Virtual Service Yelb App)]
Certificate Sources: ACM or Customer Provided Certs
[Diagram: Yelb UI tasks talking over TLS to Yelb App tasks; the Yelb App virtual node's listener certificate is issued by an ACM Private Certificate Authority and served through AWS Certificate Manager to AWS App Mesh]
Client Policy (which CAs will I trust?):
• A set of ACM Private Certificate Authorities.
• A reference to the local file system where the collection of root certificate authorities (i.e. the trust bundle) is installed.

Listener TLS configuration on the virtual node (CloudFormation):

    TLS:
      # Mode determines whether or not TLS is negotiated on this Virtual Node.
      #   STRICT     - TLS is required.
      #   PERMISSIVE - TLS is optional (plain-text allowed).
      #   DISABLED   - TLS is disabled (plain-text only).
      Mode: STRICT
      # Use a certificate from ACM ...
      Certificate:
        ACM:
          CertificateArn: !Ref CertificateArn

    # ... or from a file on the task/pod
      Certificate:
        File:
          CertificateChain: "/keys/colorteller_white_cert_chain.pem"
          PrivateKey: "/keys/colorteller_white_key.pem"

Only STRICT refuses plain-text connections; PERMISSIVE exists so that callers can be migrated one at a time and should be switched to STRICT once they all negotiate TLS. At this point only the server side presents a certificate (mutual TLS is on the roadmap later in this deck), so the client policy is what gives the caller any assurance about who it is talking to.
Demo – App Mesh Use Cases: Yelb
Yelb – Microservices Application
• Yelb UI – Frontend
• Yelb App – Reads and writes to Yelb-DB and Yelb-Cache
• Yelb Cache – Tracks the number of page views
• Yelb DB – Persists the votes for each restaurant
Demo of the App Mesh Configurations
[Diagram: Yelb UI (tcp:80) -> Yelb App (tcp:4567) -> Yelb DB (tcp:5432) and Yelb Cache (tcp:6379)]
• Create a Mesh
• Create a Virtual Node and a Virtual Service for each microservice
• Configure Service Discovery and backends
• Encrypt the traffic between Yelb-UI and Yelb-App using ACM
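Added example for the Security section and for the last demo step (not code from the talk or from the App Mesh project): a small audit that reads virtual node specs in the JSON shape `aws appmesh describe-virtual-node` returns and flags the settings the TLS slides warn about: a PERMISSIVE, DISABLED or absent listener TLS block, a file-based certificate, and a backend with no client policy or no trust configured. The weak and hardened Yelb specs are constructed inline for the demo's UI-to-App hop; the ACM certificate and Private CA ARNs are placeholders, not real resources.

```python
"""Audit App Mesh virtual node specs for weak TLS settings before deploying them.
Stand-alone Python over the describe-virtual-node JSON shape; specs and ARNs are constructed placeholders."""
from typing import Dict, List

CERT_ARN = "arn:aws:acm:us-west-2:123456789012:certificate/EXAMPLE-CERT"               # placeholder
PCA_ARN = "arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/EXAMPLE-CA"   # placeholder


def audit_node(vn: Dict) -> List[str]:
    """Findings for one virtual node: its listeners (server side) and its backends (client side)."""
    name, spec, out = vn["virtualNodeName"], vn["spec"], []
    for listener in spec.get("listeners", []):
        port = listener["portMapping"]["port"]
        tls = listener.get("tls")
        if tls is None or tls.get("mode") == "DISABLED":
            out.append(f"{name} :{port} accepts plaintext only (no TLS on listener)")
            continue
        if tls.get("mode") == "PERMISSIVE":
            out.append(f"{name} :{port} PERMISSIVE: a client that does not negotiate TLS still gets through in plaintext")
        if "file" in tls.get("certificate", {}):
            out.append(f"{name} :{port} file certificate: rotation and private-key protection are manual")
    # backendDefaults.clientPolicy applies to every backend unless the backend carries its own clientPolicy
    defaults = spec.get("backendDefaults", {}).get("clientPolicy", {}).get("tls")
    for backend in spec.get("backends", []):
        vs = backend["virtualService"]
        svc = vs["virtualServiceName"]
        tls = vs.get("clientPolicy", {}).get("tls", defaults)
        if tls is None:
            out.append(f"{name} -> {svc}: no client TLS policy, the server certificate is not validated")
            continue
        if tls.get("enforce") is False:
            out.append(f"{name} -> {svc}: enforce=false, plaintext to this backend is allowed")
        if not tls.get("validation", {}).get("trust"):
            out.append(f"{name} -> {svc}: client policy has no trust (CA) configured")
    return out


def audit(nodes: List[Dict]) -> Dict[str, List[str]]:
    return {vn["virtualNodeName"]: audit_node(vn) for vn in nodes}


def _node(name, port, backends, listener_tls=None, backend_defaults=None):
    """Constructed virtual node spec (assumed names); DNS discovery under yelb.local."""
    spec = {"listeners": [{"portMapping": {"port": port, "protocol": "http"}}],
            "serviceDiscovery": {"dns": {"hostname": f"{name}.yelb.local"}},
            "backends": [{"virtualService": {"virtualServiceName": b}} for b in backends]}
    if listener_tls:
        spec["listeners"][0]["tls"] = listener_tls
    if backend_defaults:
        spec["backendDefaults"] = {"clientPolicy": {"tls": backend_defaults}}
    return {"virtualNodeName": name, "spec": spec}


def weak_specs() -> List[Dict]:
    """A typical first attempt: PERMISSIVE server with a file certificate, client with no policy."""
    return [
        _node("yelb-appserver", 4567, [], listener_tls={
            "mode": "PERMISSIVE",
            "certificate": {"file": {"certificateChain": "/keys/cert_chain.pem", "privateKey": "/keys/key.pem"}}}),
        _node("yelb-ui", 80, ["yelb-appserver.yelb.local"]),
    ]


def hardened_specs() -> List[Dict]:
    """STRICT listener with an ACM certificate; the client validates it against the ACM Private CA."""
    return [
        _node("yelb-appserver", 4567, [], listener_tls={
            "mode": "STRICT", "certificate": {"acm": {"certificateArn": CERT_ARN}}}),
        _node("yelb-ui", 80, ["yelb-appserver.yelb.local"], backend_defaults={
            "enforce": True,
            "validation": {"trust": {"acm": {"certificateAuthorityArns": [PCA_ARN]}}}}),
    ]


if __name__ == "__main__":
    for label, specs in (("weak", weak_specs()), ("hardened", hardened_specs())):
        print(label)
        for node, findings in audit(specs).items():
            print(f"  {node}: {findings or 'ok'}")
```

To audit a live mesh, feed `audit_node` the `virtualNode` object from `aws appmesh describe-virtual-node --mesh-name yelb --virtual-node-name <name>`. On the hardened pair the only remaining finding is the Yelb UI's own inbound listener, which the demo leaves unencrypted because only the UI-to-App hop is in scope; the audit reports it so that the residual is a conscious decision rather than an oversight.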
Resources & Links
• App Mesh Workshop - https://www.appmeshworkshop.com
• Walkthroughs of App Mesh Features - https://github.com/aws/aws-app-mesh-examples/tree/master/walkthroughs
• Troubleshooting Guide - https://docs.aws.amazon.com/app-mesh/latest/userguide/troubleshooting.html
• App Mesh Use Case Driven Blogposts - https://aws.amazon.com/search/?searchQuery=aws+appmesh#facet_blog_name=Containers&facet_type=blogs&page=1
Roadmap
• Kubernetes Controller GA
• Ingress Gateway GA
• Timeout Policies GA
• External AuthZ
• mTLS
• Support for AWS Lambda invocation
• Scaling/Limit increases
• Outlier Detection
• Circuit Breakers
Check in with our public roadmap and suggest new features:
https://github.com/aws/aws-app-mesh-roadmap/projects/1
https://github.com/aws/containers-roadmap/projects/1
Thank You!
[email protected] · @gmridula1