1. The document discusses microservices architecture and the challenges of managing independent microservices, including issues like latency, failures, and lack of visibility.
2. It introduces service meshes like Istio and Envoy as a way to automate operational tasks across microservices and reduce friction, as well as API gateways like Ambassador that can provide routing, authentication, and other capabilities for microservices.
3. Ambassador is presented as a self-service API gateway that uses Envoy and can work both standalone and with Istio to provide capabilities like routing, TLS termination, and authentication in a way that reduces operational overhead for development teams.
4. 4
Interesting Times: Microservices
Ditch your Monolith
No more huge apps where you build everything into one binary
Instead, split up your app into tiny, single-function microservices
Each microservice team does development - and release! - totally independently
5. 5
Interesting Times: Microservices
The good
Velocity, Velocity, Velocity
Ownership
Freedom
Velocity
The bad
Lots of cats to herd
independent releases and deployments
Inherently a distributed system!
Fragility, latency, nonobservability, cascading failures…
6. 6
Interesting Times: Microservices
The ugly
Fixing “the bad” is really hard.
Example: retry on network failure
Sounds simple but there are a lot of details!
Not too quickly, not too many times, should often do exponential backoff…
It’s just not feasible for all devs to independently get it right.
7. 7
What Do We Do About This?
Reduce operational friction
Automate or eliminate needless operational touchpoints
Move the Hard Stuff™ down into your infrastructure layer
Get it right once
Let everyone use it
This is the concept of a service mesh
9. 9
Service Mesh
Service mesh is about collecting services into an application
Give dev & ops the experience they had with a single host
Visibility, resiliency, control, security, policy
Envoy (from Lyft) and Istio (from IBM & Google) manage this pretty well
10. 10
Envoy
C++ L4/L7 reverse proxy
Built at Lyft, and brutally battle-tested
hundreds of services, tens of thousands of VMs, millions of requests per second
includes support for many mesh features
increasingly active community
HTTP/2 & gRPC
Zone-aware load balancing w/ failover
Health checks, circuit breakers, timeouts, retry budgets
No hot reloads - API driven config updates
11. 11
Istio
“Network for services instead of bytes”
Built by IBM and Google using Envoy
2003 GitHub stars, 40+ engineers 😀
rather than having libraries, just put an Envoy sidecar next to each service
load balancing
retries
rate limiting
telemetry and monitoring
12. 12
API Gateway
API gateways are also about collecting services into an application
Gives the application as a whole consistency for clients & devs
Put critical things like authentication, routing, TLS termination in one central place
14. 14
Ambassador
Self-service API gateway
Also built on Envoy
Built for Kubernetes
Built for microservices
Supports standalone or Istio
Provides routing, TLS termination, authentication
Early days yet – more to come
15. 15
Ambassador: Routing
Self-service routing, TLS, and authentication
Understands HTTP(s) URLs
route resource to service
“resource” identified by URL path prefix
“service” is… a Kubernetes service
routes all HTTP methods
16. 16
Ambassador: Self Service
Self-service routing, TLS, and authentication
Developer can route resources to their service on their own
Simple REST interface for routing control
“Move fast and make things”
reduce friction, so no ops gate for a new release
…but also no ops gate for a rollback!
17. 17
Ambassador: TLS
Self-service routing, TLS, and authentication
Ambassador can terminate TLS
Tell Ambassador about certificates
Ambassador will accept HTTPS connections
Currently cleartext to services
Watch this space!
TLS client-certificate authentication, too
18. 18
Ambassador: Custom Authentication
Self-service routing, TLS, and authentication
REST API to outboard authentication service:
auth service gets HTTP request headers
return HTTP status code
Applies to all microservices
if a microservice gets a connection, auth said OK
of course, the auth service could allow public access to some microservices!
Supplied auth service for HTTP Basic Auth
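An added sketch of the outboard auth service described on this slide (not Ambassador's supplied auth service and not code from the deck): it looks at the forwarded request's path and headers and answers with an HTTP status code, letting some resources through publicly and requiring HTTP Basic Auth for the rest. The user table, public prefixes, port, and the assumption that the gateway forwards the original path as the request path are all constructed for illustration.

```python
import base64
import hmac
import posixpath
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data (assumptions, not from the slides).
PUBLIC_PREFIXES = ("/health", "/docs")             # resources open to everyone
USERS = {"alice": "correct horse battery staple"}  # a real service would store hashes


def is_public(path):
    # Normalise first so "/docs/../orders" is not treated as public.
    clean = posixpath.normpath(path.split("?", 1)[0])
    return any(clean == p or clean.startswith(p + "/") for p in PUBLIC_PREFIXES)


def authorize(path, headers):
    """Return the HTTP status code the auth service hands back to the gateway."""
    if is_public(path):
        return 200
    scheme, _, blob = (headers.get("Authorization") or "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return 401
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    # Always run the constant-time comparison, even for unknown users.
    match = hmac.compare_digest(password.encode(), (expected or "").encode())
    return 200 if sep and expected is not None and match else 401


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = authorize(self.path, self.headers)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="api"')
        self.end_headers()

    do_POST = do_PUT = do_DELETE = do_PATCH = do_GET  # auth applies to every method


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Because every microservice behind the gateway trusts this one decision, the function fails closed: any path it cannot match as public and any credential it cannot parse yields 401.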
19. 19
Ambassador and Istio
Natural fit, though still early days of working together
Istio provides service mesh
Ambassador provides a control mechanism for ingress, etc.
Again, watch this space.
20. 20
Ambassador Roadmap
Ambassador under active development
Better integration with Istio
still support standalone ops
First-class custom filters
embedded interpreter
Rate limiting, authorization, etc.
http://getambassador.io/ for more