Fundamentals

Service meshes are an addressable infrastructure layer that allow you to manage both modernizing existing monolithic (or other) workloads as well as wrangling the sprawl of microservices. Service meshes are an addressable infrastructure layer brought to bear in full force. They’re beneficial in monolithic environments, but we’ll blame the microservices and containers movement—the cloud native approach to designing scalable, independently delivered services—for their brisk emergence. Microservices have exploded what were internal application communications into a mesh of service-to-service remote procedure calls (RPCs) transported over networks. Among their many benefits, microservices provide democratization of language and technology choice across independent service teams—teams that create new features quickly as they iteratively and continuously deliver software (typically as a service).

The field of networking being so vast, it’s no surprise that there are many subtle, near-imperceptible differences between similar concepts. At their core, service meshes provide a developer-driven, services-first network: one primarily concerned with obviating the need for application developers to build network concerns (e.g., resiliency) into their code; and one that empowers operators with the ability to declaratively define network behavior, node identity, and traffic flow through policy.

This might seem like software-defined networking (SDN) reincarnate, but service meshes differ here most notably by their emphasis on a developer-centric approach, not a network administrator–centric one. For the most part, today’s service meshes are entirely software based (although hardware-based implementations might be coming). Though the term intent-based networking is used mostly in physical networking, given the declarative policy-based control service meshes provide, it’s fair to liken a service mesh to a cloud native SDN. Figure 1-1 shows an overview of the service mesh architecture. (We outline what it means to be cloud native in Chapter 2.)

Figure 1-1. If it doesn’t have a control plane, it ain’t a service mesh.

Service meshes are built using service proxies. Service proxies of the data plane carry traffic. Traffic is transparently intercepted using iptable rules in the pod namespace.

This uniform layer of infrastructure combined with service deployments is commonly referred to as a service mesh. Istio turns disparate microservices into an integrated service mesh by systemically injecting a proxy among all network paths, making each proxy cognizant of one another, and bringing these under centralized control; thus forming a service mesh.

Client Libraries: The First Service Meshes?

To deal with the complicated task of managing microservices, some organizations have started using client libraries as frameworks to standardize implementations. These libraries are considered by some to be the first service meshes. Figure 1-2 illustrates how the use of a library requires that your architecture has application code either extending or using primitives of the chosen library(ies). Additionally, your architecture needs to accommodate the potential use of multiple language-specific frameworks and/or application servers to run them.

Figure 1-2. Services architecture using client libraries coupled with application logic

The two benefits of creating client libraries are that resources consumed are locally accounted for each and every service, and that developers are empowered to self-service their choice of an existing library or building a new language-specific library. Over time, however, the disadvantages of using client libraries brought service meshes into existence. Their most significant drawback is the tight coupling of infrastructure concerns with application code. Client libraries’ nonuniform, language-specific design makes their functionality and behavior inconsistent, which leads to poor observability characteristics, bespoke practices to augment services that are more or less controllable by one another, and possibly compromised security. These language-specific resilience libraries can be costly for organizations to adopt wholesale, and they can be either difficult to wedge into brownfield applications or entirely impractical to incorporate into existing architectures.

Networking is hard. Creating a client library that eliminates client contention by introducing jitter and an exponential back-off algorithm in the calculation of timing the next retry attempt isn’t necessarily easy, and neither is attempting to ensure the same behavior across different client libraries (with the varying languages and versions of those libraries). Coordinating upgrades of client libraries is difficult in large environments as upgrades require code changes, rolling a new release of the application and, potentially, application downtime.

Figure 1-3 shows how with a service proxy next to each application instance, applications no longer need to have language-specific resilience libraries for circuit breaking, timeouts, retries, service discovery, load balancing, and so on. Service meshes seem to deliver on the promise that organizations implementing microservices could finally realize the dream of using the best frameworks and language for their individual jobs without worrying about the availability of libraries and patterns for every single platform.

Figure 1-3. Services architecture using service proxies decoupled from application logic

Don’t We Already Have This in Our Container Platforms?

Containers simplify and provide generic, non-language-specific, application packaging and essential life cycle management. As a generic, non-language-specific platform, container orchestrators take responsibility for forming clusters, efficiently scheduling their resources, and managing higher-level application constructs (deployments, services, service-affinity, anti-affinity, health checking, scaling, etc.). Table 1-1 shows how container orchestrators generally have service discovery mechanisms—load balancing with virtual IP addresses built in. The supported load-balancing algorithms are typically simplistic in nature (round robin, random) and act as a single virtual IP to communicate with backend pods.

Kubernetes handles the registration/eviction of instances in the group based on their health status and whether they match a grouping predicate (labels and selectors). Then, services can use DNS for service discovery and load balancing regardless of their implementation. There’s no need for special language-specific libraries or registration clients. Container orchestrators have allowed us to move simple networking concerns out of applications and into the infrastructure, freeing the collective infrastructure technology ecosystem to advance our focus to higher layers.

Now you understand how service meshes complement underlying layers: what about other layers?

Landscape

How should you select a service mesh? Of the many service meshes currently available, their significant differences don’t make it easy for people to discern what actually is a service mesh and what isn’t. Over time, more of their capabilities are converging, making it easier to characterize and compare them.

Interestingly, but not surprisingly, many service meshes have been based on some of the same proxies, such as Envoy and NGINX.

Ecosystem

As far as how a service mesh fits in with other ecosystem technologies, we’ve already looked at client libraries and container orchestrators. API gateways address some similar needs and are commonly deployed on a container orchestrator as an edge proxy. Edge proxies provide services with Layer 4 (L4) to Layer 7 (L7) management while using the container orchestrator for reliability, availability, and scalability of container infrastructure.

API gateways interact with service meshes in a way that puzzles many, given that API gateways (and the proxies they’re built upon) range from traditional to cloud-hosted to microservices API gateways. The latter can be represented by a collection of microservices-oriented, open source API gateways, which use the approach of wrapping existing L7 proxies that incorporate container orchestrator native integration and developer self-service features (e.g., HAProxy, Traefik, NGINX, or Envoy).

With respect to service meshes, API gateways are designed to accept traffic from outside your organization or network and distribute it internally. API gateways expose your services as managed APIs, focused on transiting north-south traffic (in and out of the service mesh). They aren’t as well suited for traffic management within the service mesh (east-west) necessarily, because they require traffic to travel through a central proxy, and add a network hop. Service meshes are designed primarily to manage east-west traffic internal to the service mesh.

Given their complementary nature, you’ll often find API gateways and service meshes deployed in combination. API gateways wotk with other API management functions to handle analytics, business data, adjunct provider services, and implementation of versioning control. Today, there is overlap as well as gaps between service mesh capabilities, API gateways, and API management systems. As service meshes gain new capabilities, use cases overlap more.

The Critical, Fallible Network

As noted, in microservices deployments, the network is directly and critically involved in every transaction, every invocation of business logic, and every request made to the application. Network reliability and latency are among the chief concerns for modern, cloud native applications. One cloud native application might comprise hundreds of microservices, each with many instances that might be constantly rescheduled by a container orchestrator.

Understanding the network’s centrality, you want your network to be as intelligent and resilient as possible. It should:

• Route traffic away from failures to increase the aggregate reliability of a cluster.

• Avoid unwanted overhead like high-latency routes or servers with cold caches.

• Ensure that the traffic flowing between services is secure against trivial attack.

• Provide insight by highlighting unexpected dependencies and root causes of service communication failure.

• Allow you to impose policies at the granularity of service behaviors, not just at the connection level.

Also, you don’t want to write all of this logic into your application.

You want Layer 5 management, a services-first network; you want a service mesh.

The Value of a Service Mesh

Currently, service meshes provide a uniform way to connect, secure, manage, and monitor microservices.

Decoupling at Layer 5

An important consideration when digesting the value of a service mesh is the phenomenon of decoupling service teams and the delivery speed this enables, as demonstrated in Figure 1-5.

Figure 1-5. Layer 5 (L5), where Dev and Ops meet

Just as microservices help decouple feature teams, creating a service mesh helps decouple operators from application feature development and release processes, in turn giving operators declarative control over how their service layer is running. Creating a service mesh doesn’t just decouple teams, it eliminates the diffusion of responsibility among them and enables uniformity of practice standards across organizations within our industry. Consider this list of tasks:

• Identify when to break a circuit and facilitate it.

• Establish end-to-end service deadlines.

• Ensure distributed traces are generated and propagated to backend monitoring systems.

• Deny users of “Acme” account access to beta versions of your services.

Whose responsibility is this—the developer or the operator? Answers likely would differ from organization to organization; as an industry, we don’t have commonly accepted practices. Service meshes help keep these responsibilities from falling through the cracks or from one team blaming the other for lack of accountability.

The Origin of Istio

Istio is an open source implementation of a service mesh first created by Google, IBM, and Lyft. What began as a collaborative effort among these organizations has rapidly expanded to incorporating contributions from many other organizations and individuals. Istio is a vast project; in the cloud native ecosystem, it’s second in scope of objectives to Kubernetes. It ingests a number of Cloud Native Computing Foundation (CNCF)–governed projects like Prometheus, OpenTelemetry, Fluentd, Envoy, Jaeger, Kiali, and many contributor-written adapters.

Akin to other service meshes, Istio helps you add resiliency and observability to your services architecture in a transparent way. Service meshes don’t require applications to be cognizant of running on the mesh, and Istio’s design doesn’t depart from other service meshes in this regard. Between ingress, interservice, and egress traffic, Istio transparently intercepts and handles network traffic on behalf of the application.

Using Envoy as the data-plane component, Istio helps you to configure your applications to have an instance of the service proxy deployed alongside it. Istio’s control plane is composed of a few components that provide configuration management of the data-plane proxies, APIs for operators, security settings, policy checks, and more. We cover these control-plane components in later chapters of this book.

Although it was originally built to run on Kubernetes, Istio’s design is deployment-platform agnostic. So, an Istio-based service mesh can also be deployed across platforms like OpenShift, Mesos, and Cloud Foundry, as well as traditional deployment environments like VMs and bare-metal servers. Consul’s interoperability with Istio can be helpful in VM and bare-metal deployments. Whether running monoliths or microservices, Istio is applicable—the more services you run, the greater the benefit.

The Current State of Istio

As an evolving project, Istio has a healthy release cadence, this being one way in which open source project velocity and health are measured. Figure 6-1 presents the community statistics from May 2017, when Istio was publicly announced as a project, to February 2019. During this period, there were roughly 2,400 forks (GitHub users who have made a copy of the project—either in the process of contributing to the project or using its code as a base for their own projects) and around 15,000 stars (users who have favorited the project and see project updates in their activity feed).

Figure 1-6. Istio contribution statistics

A simple number of stars, forks, and commits is moderately indicative of project health in terms of velocity, interest, and support. Each of these raw metrics can be improved upon. Reporting the rates of commits, reviews, and merges over time perhaps better indicates project velocity, which is most accurately measured relative to itself, and relative to its own timeline. When determining a project’s health, you should look at whether the rates of these activities are increasing or decreasing, whether the the release cadence is consistent; and how frequently and how many patches are released to improve a low-quality major or minor feature release?

Cadence

Like many software projects, Istio’s versioning semantics are laid out in a familiar (to Semantic Versioning) style (e.g., version 1.1.1), and, like other projects, Istio defines its own nuances to release frequency, setting expectations of longevity of support (see Table 1-1). Though daily and weekly releases are available, these aren’t supported and might not be reliable. However, as Table 1-1 shows, the monthly snapshots are relatively safe and are usually packed with new features. But, if you are looking to use Istio in production, look for releases tagged as “LTS” (Long-Term Support). As of this writing, 1.2.x is the latest LTS release.

As a frame of reference, Kubernetes minor releases occur approximately every three months, so each minor release branch is maintained for approximately nine months.

By comparison, because it is an operating system, Ubuntu quite necessarily needs to prioritize stability over speed of feature release, and thus publishes its LTS releases every two years in April. It’s worth noting that the LTS releases are much more heavily used (something like 95% of all Ubuntu installations are LTS releases).

Docker uses a time-based release schedule, with time frames generally as follows:

• Docker CE Edge releases happen monthly.

• Docker CE Stable releases happen quarterly, with patch releases as needed.

• Docker EE releases happen twice per year, with patch releases as needed.

Updates and patches release as follows:

• Docker EE releases receive patches and updates for at least one year after they are released.

• Docker CE Stable releases receive patches and updates for one month after the next Docker CE Stable release.

• Docker CE Edge releases do not receive any patches or updates after a subsequent Docker CE Edge or Stable release.

Releases

The original plan was that Istio would have one point release every quarter, followed by n patch releases. Snapshots were intended as monthly releases that would mostly meet the same quality bar as a point release, except that it’s not a supported release and can have breaking changes. A history of all releases is available on Istio’s Releases page on GitHub. Table 1-2 presents Istio’s release cadence over a 10-month period.

Feature Status

In true Agile style, Istio features individually go through their own life cycle (dev/alpha/beta/stable). Some features are stabilizing while others are being added or improved upon, as demonstrated in Table 1-3.

Future

Working groups are iterating on designs toward a v2 architecture, incorporating learnings from running Istio at scale and usability feedback from users. With more and more people learning about service meshes in the future, ease of adoption will be key to helping the masses successfully reach the third phase of their cloud native journey → containers → orchestrators → meshes.

What Istio Isn’t

Istio doesn’t account for specific capabilities that you might find in other service meshes, or offered by management plane software. This is because it’s subject to change or to be commonly augmented with third-party software.

With the prominent exception of facilitating distributed tracing, Istio is not a white-box application performance monitoring (APM) solution. The generation of additional telemetry surrounding and introspecting network traffic and service requests that is available with Istio does provide additional black-box visibility. Of the metrics and logs available with Istio, these provide insight into network traffic flows, including source, destination, latency, and errors; top-level service metrics, not custom application metrics exposed by individual workloads or cluster-level logging.

Istio plug-ins integrate service-level logs with the same backend monitoring system you might be using for cluster-level logging (e.g., Fluentd, Elasticsearch, Kibana). Also, Istio uses the same metrics collection and alarming, which might well be the same utility (e.g., Prometheus) that you’re using already.

It’s Not Just About Microservices

Kubernetes doesn’t do it all. Will the infrastructure of the future be entirely Kubernetes-based? Not likely. Not all applications, notably those designed to run outside of containers, are a good fit for Kubernetes (currently, anyway). The tail of information technology is quite long considering that mainframes from decades ago are still in use today.

No technology is a panacea. Monoliths are easier to comprehend, because much of the application is in one place. You can trace the interactions of its different parts within one system (or a limited more or less stagnant set of systems). However, monoliths don’t scale, in terms of development teams and lines of code.

Nondistributed monoliths will be around for a long time. Service meshes help in their modernization and can provide facades to facilitate evolutionary architecture. Deployment of a service mesh gateway as an intelligent facade in front of the monolith will be an approach many take to strangle their monolith by siphoning path-based (or otherwise) requests away. This approach is gradual, leading to migrating parts of the monolith into modern microservices, or simply acting as a stopgap measure pending a fully cloud native redesign.