ServiceMeshCon North America 2020

The service mesh is too cool to keep it HTTP-only! Despite the increasing use of HTTP as a common application transport protocol, there are tons of legacy non-HTTP applications that would greatly benefit from the traffic management and monitoring capabilities provided by a service mesh. Primary examples are anything that runs on top of UDP or SCTP, including telco apps, VPN, IoT, video-gaming, or DNS. Currently, these applications are left behind by the cloud-native community. Taking a real telco media-plane use case as demonstrator, this talk makes the case for l7mp, a joint industry-academy effort to build a service mesh prototype with first-class support for legacy applications. L7mp aspires to serve as an incubator project to experiment with radically new service mesh designs and features, including full multi-protocol support, programmable protocol L7 parsing, native stream-management, and kernel-based offload for sidecar proxy acceleration. 

The session covers covers the production use case of Oyster Financial on using Istio service mesh for handling traffic. The testing in non-production environment and rolling out to live users was not effective for fintech product where the usage is critical. Also, due to the inconsistent in third party, there was need to test traffic in live environment for internal user and that has to be for selective or all services.  The usage of Istio feature on routing traffic based on header as well as percentage rollout was used effectively which has made deployment to Prod0 seamless. Also measuring the performance as well as real use case test of newer version helped in providing a good end user experience for evolving fintech startup in Mexico.  But the management complexity rises when number of services increases and there are too may configs to be managed. Combination of helm helped a lot throughout the process.

Security is one of the greatest challenges in the cloud-native world today. Service meshes promise several benefits including better connectivity, and observability, and most importantly security. Securing a cloud-native service involves securing it at several levels i.e. at the perimeter (ingress/egress gateways), when accessing other services, when persisting data, when processing requests, etc., and using a service mesh one can address several of these issues in a consistent and maintainable manner.  In this talk, we will present some of the key patterns that one can use for securing cloud-native services when working with north-south and east-west traffic. We will talk about available TLS choices (passthrough, mTLS, etc.), AuthN/AuthZ constructs, JWT support, and extension mechanisms within Envoy/Istio that you can leverage for building customized policy frameworks. We will also discuss application security in the context of multi-cluster service mesh deployments. Come join us!