© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mridula Grandhi, Sr Technical Account Manager, AWS
Deep Dive on Configuring AWS App Mesh
Page 2
What we’ll cover today
• Service Mesh
  o Why? What?
• AWS App Mesh
  o Constructs
• Demo Application – Yelb
  o How do I mesh an existing microservice?
  o Service Discovery – How does it work?
  o Security – TLS via ACM
• Resources & Roadmap
Page 3
Service Mesh
Page 4
Compute workloads have evolved
• From a three-tier architecture to complex microservice-based architectures
• Service-to-service communication becomes more challenging
• Product teams becoming self-sufficient
Page 5
Diagram: UI Microservice; Search; Payments; Reviews & Ratings
Page 6
Service Mesh
A service mesh provides a means of monitoring all interservice traffic and abstracting its configuration.
The mesh is aware of all data on the wire, and we can leverage that to solve for many needs.
Page 7
AWS App Mesh
Page 8
AWS App Mesh: Application Level Networking
• Fully managed service
• Integrated with Envoy
• Standardizes service communication
• Simplifies observability solutions
• Compatible with AWS compute primitives
Page 9
How does App Mesh work?
Diagram: Service Yelb-UI ↔ Envoy proxy ↔ Service Yelb-App, over HTTP, HTTP/2, gRPC or TCP
Proxy: sits between all services; manages and observes traffic
Control plane: translates intent to proxy config; distributes proxy config
Page 10
App Mesh Constructs
• Mesh
• Virtual Node
• Virtual Service
• Virtual Router
• Routes
• Virtual Gateway (now GA)
• Gateway Routes (now GA)
Page 11
Mesh
Mesh: Logical boundary for network traffic between the services that reside within it
Page 12
Virtual Node
A logical pointer to a discoverable service in your application. For each virtual service, you will have at least one virtual node.
Page 13
Virtual Node
Diagram: Task/pod/instance (Yelb-UI); Task/pod/instance (Yelb-App)
Page 14
Virtual Service
An abstraction of an actual service that is provided by a virtual node, directly or indirectly.
Diagram: Task/pod/instance (Yelb-UI); Task/pod/instance (Yelb-App)
Page 15
Virtual Router
Handles traffic for one or more virtual services within your mesh. Routes are associated with a virtual router.
Diagram: Task/pod/instance (foo-svc); Task/pod/instance (bar-svc)
Page 16
Route
Used to match requests for a virtual router and to distribute traffic to the router’s associated virtual nodes.
Diagram: routes.httpRoute /foo, routes.httpRoute /api, routes.httpRoute /ui → Task/pod/instance (foo-svc), Task/pod/instance (bar-svc)
Page 17
Virtual Gateway (GA!!!)
Allows resources outside your mesh to communicate with resources that are inside your mesh.
Diagram: routes.httpRoute /foo, routes.httpRoute /api, routes.httpRoute /ui → Task/pod/instance (foo-svc), Task/pod/instance (bar-svc)
Page 18
Gateway Route (GA!!!)
Virtual Gateway: Allows resources outside your mesh to communicate with resources that are inside your mesh.
Diagram: gateway route httpRoute /paths in front of routes.httpRoute /ui and routes.httpRoute /api → Task/pod/instance (foo-svc), Task/pod/instance (bar-svc)
Page 19
Putting it all together…
• Mesh – Application
• Virtual Gateway – Ingress rules
• Virtual Service – Logical name
• Virtual Router – Directs traffic to nodes
• Virtual Node – Service endpoints
• Routes – Routing rules
Diagram: routes.httpRoute /ui, routes.httpRoute /api, httpRoute /paths → Task/pod/instance (foo-svc), Task/pod/instance (bar-svc)
Page 20
Service Discovery
Page 21
Discover via DNS or Cloud Map
Compute platforms: Amazon EC2, Amazon Elastic Kubernetes Service (EKS), Amazon Elastic Container Service (ECS)
• Discovery via Cloud Map: register the IP addresses of the tasks, pods or instances
• Discovery via DNS: register the DNS name of the specific task, pod or instance (e.g. yelb-appserver.yelb.local)
Page 22
Security
Page 23
Goal: TLS at mesh to encrypt traffic between services
Diagram (Traffic Encryption): Yelb UI tasks (virtual node, Virtual Service Yelb UI) connect over TLS to Yelb App tasks (virtual node, Virtual Service Yelb App)
Page 24
Certificate Sources: ACM or Customer Provided Certs
Diagram: Yelb UI tasks (virtual node, Virtual Service Yelb UI) connect over TLS to Yelb App tasks (virtual node, Virtual Service Yelb App); labels: Private Cert Authority, AWS App Mesh, AWS Certificate Manager
Client Policy (which CAs will I trust):
• A set of ACM Private Certificate Authorities.
• A reference to the local file system where the collection of root certificate authorities (i.e. the trust bundle) is installed.
Virtual node listener TLS configuration (CloudFormation fragment from the slide):
```yaml
TLS:
  # Mode determines whether or not TLS is negotiated on this Virtual Node.
  #   STRICT     - TLS is required.
  #   PERMISSIVE - TLS is optional (plain-text allowed).
  #   DISABLED   - TLS is disabled (plain-text only).
  Mode: STRICT
  # Use a certificate from ACM ...
  Certificate:
    ACM:
      CertificateArn: !Ref CertificateArn
  # ... or from a file
  # Certificate:
  #   File:
  #     CertificateChain: "/keys/colorteller_white_cert_chain.pem"
  #     PrivateKey: "/keys/colorteller_white_key.pem"
```
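As an added example (not from the slides or the App Mesh project), a Python check that audits a virtual node's spec for the TLS posture described above: STRICT listeners backed by an ACM or file certificate, and backends whose client policy enforces TLS and names the ACM Private CAs or trust bundle it trusts. The spec shape is the App Mesh API's (as returned by describe-virtual-node); the sample specs, ARNs and file paths are constructed.

```python
# Added example, not from the slides: audit an App Mesh virtual-node spec for its TLS posture.
# Spec shape follows the App Mesh API (describe-virtual-node); samples, ARNs and paths are constructed.
def audit_virtual_node(name, spec):
    """Return a list of findings; an empty list means the node meets the TLS goal."""
    findings = []
    # Server side: each listener should negotiate TLS in STRICT mode and name a cert source.
    for listener in spec.get("listeners", []):
        port = listener.get("portMapping", {}).get("port")
        tls = listener.get("tls")
        if tls is None:
            findings.append(f"{name}: listener :{port} has no TLS block (plain text only)")
            continue
        mode = tls.get("mode", "DISABLED")
        if mode != "STRICT":
            findings.append(f"{name}: listener :{port} TLS mode is {mode}, not STRICT")
        if not ({"acm", "file"} & set(tls.get("certificate", {}))):
            findings.append(f"{name}: listener :{port} names no certificate source (ACM or File)")
    # Client side: a backend inherits backendDefaults unless it carries its own clientPolicy;
    # it must enforce TLS and name the CAs it trusts (ACM Private CAs or a file trust bundle).
    defaults = spec.get("backendDefaults", {}).get("clientPolicy", {}).get("tls")
    for backend in spec.get("backends", []):
        vs = backend["virtualService"]
        target = vs["virtualServiceName"]
        policy = vs.get("clientPolicy", {}).get("tls", defaults)
        if policy is None:
            findings.append(f"{name}: backend {target} has no client TLS policy")
            continue
        if not policy.get("enforce", True):  # the API defaults enforce to true
            findings.append(f"{name}: backend {target} does not enforce TLS")
        trust = policy.get("validation", {}).get("trust", {})
        if not (trust.get("acm", {}).get("certificateAuthorityArns")
                or trust.get("file", {}).get("certificateChain")):
            findings.append(f"{name}: backend {target} trusts no CA")
    return findings

# Constructed samples: yelb-app terminates TLS with an ACM certificate on tcp:4567; yelb-ui calls
# it trusting one ACM Private CA. The UI's plain tcp:80 listener is reported as outside the goal.
PCA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/PLACEHOLDER"
CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER"
YELB_APP = {"listeners": [{"portMapping": {"port": 4567, "protocol": "http"},
                           "tls": {"mode": "STRICT",
                                   "certificate": {"acm": {"certificateArn": CERT_ARN}}}}]}
YELB_UI = {"listeners": [{"portMapping": {"port": 80, "protocol": "http"}}],
           "backendDefaults": {"clientPolicy": {"tls": {"enforce": True, "validation": {
               "trust": {"acm": {"certificateAuthorityArns": [PCA_ARN]}}}}}},
           "backends": [{"virtualService": {"virtualServiceName": "yelb-appserver.yelb.local"}}]}
# Weak variant: PERMISSIVE still accepts plain text, so the audit flags it.
YELB_APP_WEAK = {"listeners": [{"portMapping": {"port": 4567, "protocol": "http"},
                                "tls": {"mode": "PERMISSIVE", "certificate": {"file": {
                                    "certificateChain": "/keys/chain.pem", "privateKey": "/keys/key.pem"}}}}]}
```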
Page 25
Demo – App Mesh Use Cases: Yelb
Page 26
Yelb – Microservices Application
• Yelb UI – Frontend
• Yelb App – Reads and writes to Yelb-DB and Yelb-Cache
• Yelb Cache – Tracks number of page views
• Yelb DB – Persists the votes for each restaurant
Page 27
Demo of the App Mesh Configurations
Diagram ports: Yelb UI tcp:80, Yelb App tcp:4567, Yelb DB tcp:5432, Yelb Cache tcp:6379
• Create a Mesh
• Create Virtual Node and Virtual Service for each microservice
• Configure Service Discovery and backends
• Encrypt the traffic between Yelb-UI and Yelb-App using ACM
Page 28
Resources & Links
• App Mesh Workshop - https://www.appmeshworkshop.com
• Walkthroughs of App Mesh Features - https://github.com/aws/aws-app-mesh-examples/tree/master/walkthroughs
• Troubleshooting Guide - https://docs.aws.amazon.com/app-mesh/latest/userguide/troubleshooting.html
• App Mesh Use Case Driven Blogposts - https://aws.amazon.com/search/?searchQuery=aws+appmesh#facet_blog_name=Containers&facet_type=blogs&page=1
Page 29
Roadmap
• Kubernetes Controller GA
• Ingress Gateway GA
• Timeout Policies GA
• External AuthZ
• mTLS
• Support for AWS Lambda invocation
• Scaling/Limit increases
• Outlier Detection
• Circuit Breakers
Check in with our public roadmap and suggest new features:
https://github.com/aws/aws-app-mesh-roadmap/projects/1
https://github.com/aws/containers-roadmap/projects/1
Page 30
Thank You!
[email protected] · @gmridula1