Live Online training

Advanced Istio

Decoupling at layer 5

Topic: System Administration
Lee Calcote

Organizations that have adopted containers and are running a handful (or more) of microservices often find tools to provide observability, control, and security lacking. Service meshes—the third phase in the microservices journey—have quickly entered the cloud native landscape, filling unmet service-level needs and providing a substrate of secure connectivity, uniform visibility, and granular control over service requests. Operating at layer 5, service meshes offer great value.

Lee Calcote walks you through advanced service mesh concepts and each and every aspect of the open source service mesh Istio. Over three hours, you’ll gain hands-on experience with this popular tool as you learn how to deploy Istio alongside microservices running in Kubernetes.

What you'll learn and how you can apply it

By the end of this live online course, you’ll understand:

  • Istio's methods for managing telemetry, monitoring, and reporting
  • Advanced traffic management scenarios
  • Approaches to canary deployments and securing communication with Istio

And you’ll be able to:

  • Configure and operate Istio in the context of example workloads and their common use cases
  • Manage traffic through load balancing and resilient communications
  • Enforce policies and rate limiting
  • Be confident in the third step of your cloud native journey with ongoing management of your service mesh

This training course is for you because...

  • You’re an operator who wants uniform observability irrespective of the different languages and libraries that run your services.
  • You’re a developer who wants to affect application behavior without code changes.
  • You want to become a cloud native architect or level up as one.

Prerequisites

  • A working knowledge of Istio and Kubernetes
  • Familiarity with Docker Desktop, Minikube, or kind
  • A computer with Docker and Meshery installed locally
  • Access to a local or remote Kubernetes cluster of any size, with cluster admin privileges (either of these two local single-node clusters will work: Docker Desktop or Minikube)

About your instructor

  • Lee Calcote is an innovative product and technology leader, passionate about developer platforms and management software for clouds, containers, functions and applications. Advanced and emerging technologies have been a consistent focus through Calcote’s tenure at SolarWinds, Seagate, Cisco and Pelco. As founder of Layer5, he is also an advisor and author. Calcote is active in the community as a Docker Captain and Cloud Native Ambassador.

Schedule

The timeframes are only estimates and may vary according to how the class is progressing.

Setting up Kubernetes and Istio; setting up an app on the mesh (30 minutes)

  • Presentation: Service mesh deployment architectures; Istio’s canonical sample application; Istio’s requirements for onboarding an application onto the service mesh
  • Hands-on exercises: Set up Kubernetes; use Meshery to deploy Istio on your local machine; deploy and explore Istio’s control and data plane components—Pilot, Mixer, Galley, Citadel, gateways and sidecar proxy, and Envoy; use Meshery to deploy the sample application and review its configuration for exposure through gateways and sidecar proxy
  • Q&A

Advanced service mesh concepts (20 minutes)

  • Presentation: WebAssembly and intelligent data planes
  • Hands-on exercise: Use Wasm with JWTs to manipulate your application logic
  • Q&A

Break (10 minutes)

Traffic control (50 minutes)

  • Presentation: Traffic management with a service mesh
  • Hands-on exercises: Utilize traffic mirroring to facilitate the dark launch of a new version of the sample application; prevent denial-of-service attacks by blocking excessive requests using rate limiting; configure timeouts and retries to make a sample application more resilient to failure; understand and configure pool ejection so that outliers are detected and removed as available backends; define circuit breaker limits and test their behavior; implement traffic steering between mobile and desktop; manipulate Istio’s traffic routing and control capabilities using examples of fault injection, circuit breaking, and canary testing; control your egress traffic
  • Q&A

Break (10 minutes)

Observability and performance (20 minutes)

  • Presentation: Available types of telemetry within a service mesh
  • Hands-on exercise: Implement performance tuning; distinguish between value and overhead; debug Envoy and Istio
  • Q&A

Security (30 minutes)

  • Presentation: Istio’s service security capabilities
  • Exercise: Employ mutual TLS to secure east-west traffic between services; use Istio role-based access control (RBAC) to identify and authorize service requests; perform context-based routing with JWTs; define simple access controls using denylists and allowlists; enable mutual TLS between services and perform service identity verification

Wrap-up and Q&A (10 minutes)