Containers Today
Anton Gyllenhammar, DevOps SE – Northeastern Europe
© 2019 F5
A trip through time
• Eli Whitney: replaceable parts
• Henry Ford: assembly lines
• Toyota: "Just in Time"
The history of …? The history of lean.
Lean is creating the most value at the minimum cost, achieved by minimizing resources, time, energy and effort.
A trip through time
• Eli Whitney: replaceable parts
• Henry Ford: assembly lines
• Toyota: "Just in Time"
• Lean Manufacturing
• Lean Enterprises
• Lean IT
Application Capital
No material capital expenses, ~5500 employees: $175 billion
Iconic brands, operator of massive theme parks, owner of a vast media empire: $160 billion
Source: https://www.f5.com/company/blog/application-capital
Application Lifecycle Challenges

                       Classic enterprise      Transforming enterprise                 Web scale
Release cadence        Months                  Days                                    Hours
                       People                  Automation                              AI-assisted
Architecture           3-tier or monolithic    3-tier or monolithic + microservices    Microservices
Number of apps         10s                     100s                                    1000s

Cross-cutting concerns: Visibility / Security & Privacy / Customer Experience / Data & Intelligence

• How fast can you go from code to customer?
• How many apps are you able to take from code to customer in the next year?
• How do you secure & govern your application portfolio?
Speed to market creates a divide
Applications / Developer:
• Containers and microservices
• Open source CI/CD tooling
• Freedom to choose a cloud
(Diagram: the path from code to customer.)
Application services along the data path
(Diagram, from code to customer: Code, Load balancer, DNS, API gateway, App Security, DDoS, CDN, Ingress Controller, App / web server, Customer.)
Roles along the path: App Dev, DevOps, NetOps, SecOps, Business Owner.
All-encompassing application platform
(Diagram: the same data path as above, from code to customer: API gateway, CDN, Ingress Controller, App / web server, Load balancer, DNS, App Security, DDoS.)
• Deployment targets: containers, purpose-built hardware, public cloud, virtual machines, software as a service, commodity hardware
• Platform: BIG-IP, NGINX
• Platform control planes: NGINX Controller, BIG-IQ
• Ecosystem integrations
What about containers?
(Same platform diagram as the previous slide: data path components, deployment targets, BIG-IP and NGINX, the NGINX Controller and BIG-IQ control planes, and ecosystem integrations.)
What direction?
North – South: load balancing and ingress
• NGINX Plus
• BIG-IP LTM (CIS)
East – West & North – South: service mesh
• Aspen Mesh
• NGINX Plus & Unit
Ingress
Load Balancer vs Ingress: getting the definitions right
Service type LoadBalancer
• Available on AWS, Azure, GCP, VMware and OpenStack
• Any traffic type: HTTP, TCP, UDP, WebSockets, gRPC, Kafka, …
• Each service gets its own edge LB ($$$)
Load Balancer vs Ingress: getting the definitions right
Services over Ingress / Route
• Many types of ingress controllers
• HTTP(S) focused: URL or path
• SSL, routing, authentication, …
• You only pay for one edge LB
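The two models contrasted on these two slides, as an added example that is not part of the deck: a Service of type LoadBalancer (one cloud edge LB per Service, any TCP/UDP protocol) next to a ClusterIP Service exposed through a single Ingress that terminates TLS and routes by host and path. The names, the hostname and the `nginx` IngressClass are assumptions.

```yaml
# Option A: a Service of type LoadBalancer. The cloud provisions one edge
# load balancer for this Service alone; works for any L4 protocol.
apiVersion: v1
kind: Service
metadata:
  name: orders                      # constructed example name
spec:
  type: LoadBalancer
  selector:
    app: orders
  ports:
    - port: 9092                    # e.g. a Kafka listener, plain TCP
      targetPort: 9092
      protocol: TCP
---
# Option B: the Service stays ClusterIP (no edge LB of its own) and one
# Ingress, served by a single ingress controller behind a single edge LB,
# routes HTTP(S) by host and path and terminates TLS.
apiVersion: v1
kind: Service
metadata:
  name: shop-api                    # constructed example name
spec:
  selector:
    app: shop-api
  ports:
    - port: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
spec:
  ingressClassName: nginx           # IngressClass of the installed controller (assumption)
  tls:
    - hosts:
        - shop.example.com
      secretName: shop-tls          # Secret holding cert and key; TLS ends at the controller
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: shop-api
                port:
                  number: 8080
```

Adding further hosts or paths to the same Ingress adds no edge load balancers, which is the cost point the slide makes.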
Our Ingress Controller landscape
Default community option:
• NGINX Ingress Controller for Kubernetes
Standalone ingress controllers:
• NGINX's Kubernetes Ingress Controller (OSS)
• NGINX's Kubernetes Ingress Controller (Plus)
• F5 K8s BIG-IP Controller (aka CIS)
Example scenario: AWS ALB + NGINX Plus Ingress Controller
Summary: What makes NGINX KIC different?
Development philosophy
• Long-term stability and consistency
• Avoid breaking backward compatibility
Continual production readiness
• Every release built and maintained to a supportable, production standard
• Enterprise-grade focus
Security
• NGINX is the authoritative source for all components of the Ingress Controller
Integrated codebase
• Based on native NGINX capabilities and directives
• No reliance on 3rd-party Lua modules
Support
• Award-winning support available
Example scenario: F5 BIG-IP + F5 Container Ingress Service (CIS)
Container Ingress Service: BIG-IP + CIS
• No daisy chaining of LB and Ingress solutions = easier to configure and debug
• Multi-cloud consistent security policies
• Access on the pod level to other BIG-IP modules/features:
  • LTM
  • ASM
  • AFM
  • APM
https://github.com/F5Networks/k8s-bigip-ctlr
East – West
Modern Apps Require a Modern Architecture
From Monolithic ...
• Three-tier, J2EE-style architectures
• Complex protocols (HTML, SOAP)
• Persistent deployments
• Fixed, static infrastructure
• Big-bang releases
• Silo'ed teams (Dev, Test, Ops)
... to Dynamic
• Microservices
• Lightweight (REST, JSON)
• Containers, VMs, Functions
• Infrastructure as Code
• Continuous delivery
• DevOps culture
Operating a distributed application is hard
Static, predictable monolith:
• Fast, reliable function calls
• Local debugging
• Local profiling
• Calendared, big-bang upgrades
• 'Integration hell' contained in dev
Dynamic, distributed app:
• Slow, unreliable API calls
• Distributed fault finding
• Distributed tracing
• In-place dynamic updates
• 'Continuous integration' live in prod
More things can go wrong, it's harder to find the faults, everything happens live.
What does a Service Mesh do?
By controlling communications between pods, service meshes can do four main things:
• Security: end-to-end encryption (mutual TLS / mTLS)
• Traffic management: load balancing, circuit breaker, blue/green, rate limiting, …
• Instrumentation: measure and accumulate metrics (Prometheus)
• Debugging: generate transaction traces (OpenTracing)
How is a Service Mesh implemented?
A service mesh is an invisible, autonomous, L7 routing layer for distributed, multi-service applications.
Most commonly implemented as a 'sidecar proxy'.
Implementations:
• Istio/Envoy
• Aspen Mesh
• Consul Connect
• Linkerd2
• Maesh, Kuma
• NGINX Service Mesh
• … and many others to follow
(Diagram: Services A, B, C and D, each paired with a sidecar proxy, all configured by a control plane.)
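The security item from the slide above (mTLS between sidecars) expressed as Istio resources, since Aspen Mesh is a distribution of Istio; this is an added example, not from the deck. The first resource makes every sidecar in the mesh refuse plaintext; the second shows what mTLS buys beyond encryption: the sidecar now knows the caller's workload identity, so access can be restricted per caller. The `shop` namespace, workload labels and service accounts are constructed.

```yaml
# Mesh-wide default: every sidecar accepts mTLS traffic only. A
# PeerAuthentication with no selector in the root namespace (istio-system
# by default) applies to all workloads; plaintext from non-mesh pods is
# rejected at the receiving sidecar.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# With mTLS in place each sidecar verifies the peer's SPIFFE identity
# (spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>), so policy
# can be written per caller. Here only the shop-web service account may
# reach shop-api, and only with GET on /api/*. Because an ALLOW policy is
# attached to the workload, every request it does not match is denied (403)
# by the sidecar before it reaches the application container.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: shop-api-allow-web          # constructed example name
  namespace: shop                   # constructed example namespace
spec:
  selector:
    matchLabels:
      app: shop-api
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/shop/sa/shop-web"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/api/*"]
```

Roll STRICT out per namespace first (the same resource with a namespace instead of istio-system) where legacy, non-sidecar clients still exist, otherwise those clients lose connectivity the moment the policy applies.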
F5 and NGINX solutions
Aspen Mesh provides an easy-to-use distribution of Istio with added enterprise features:
• Enterprise service mesh
• Observability and insights
• Expert support
NGINX provides an advanced Ingress Controller, microservices proxy and innovative app server:
• K8s Ingress Controller
• NGINX Router
• Future service mesh initiatives
Aspen Mesh
Aspen Mesh simplifies and improves Istio
• Full support: ensures users get a production-ready Istio deployment with easy access to experts and safe upgrades
• Simple dashboard: surfaces data in a way you don't have to be an Istio expert to understand
• Policy framework: allows specification, measurement and enforcement of business goals instead of nerd knobs
• Security and compliance: features make it easy to confidently create a compliant and auditable zero-trust network
https://aspenmesh.io
https://aspenmesh.io/invite
Aspen Mesh internals
• Jaeger (CNCF backed) for distributed tracing and microservice plotting
• Prometheus (CNCF backed) for metrics collection and alerting
• Grafana for metrics dashboarding
• Custom management UI
• API server
Nginx & microservices
A checklist for readiness
In our assessment, you may benefit from a service mesh once:
• You have a mature, fully-automated CI/CD pipeline (GitOps-enabled)
• You are deploying frequently to production (at least once per day)
• You are fully invested in Kubernetes
• You have a zero-trust production environment (so need mTLS)
• Your application is complex: 20+ different services, a service graph that is 3 levels deep or more
• You have operational maturity and an appetite for risk
Production patterns for microservices
There are multiple, proven production patterns for NGINX in a microservice app:
• NGINX Ingress Controller
• NGINX per-service proxy
• NGINX per-pod proxy
• NGINX simple mesh proxy
NGINX Unit: application server as control plane
• Polyglot app server: Python, PHP, Go, Perl, Ruby, JavaScript (Node.js), Java
• REST API driven
• Uniform app configuration
• App runs on the same server (container), no sidecar
• Built-in SSL/TLS support
https://unit.nginx.org
Why the overlap?
App Services – Shifting Control
Traditional app services deployment
• Cloud Architect, DevOps: consume and monitor app services
• NetOps, SecOps, AppDev
Cloud-native app services deployment
• NetOps, SecOps: consult, validate, and review app services
• Cloud Architect, DevOps, AppDev
Overlaying F5's platform: use cases
Axes: control (from centralized with NetOps to decentralized to developers) and application architecture (traditional, hybrid, cloud-native).
• BIG-IP: Broadest portfolio of advanced application services that deliver superior app performance, security and availability across multi-cloud environments.
• NGINX: Lightweight, agile ADC and API software for container-built apps, CI/CD workflows, and microservices, deployed as a subscription.
• F5 Cloud Services: Composable, extensible, and self-serve app services globally available as a SaaS model.
With each service provided by different vendors
(Data path diagram as above: Code, Load balancer, DNS, API gateway, App Security, DDoS, CDN, Ingress Controller, App / web server, Customer.)
And a different set of vendors for each application architecture
(Data path diagram as above, repeated for monolithic, 3-tier and microservice architectures.)
Different need for everyone
(Data path diagram as above.)
Stakeholders: App Developers, App Architects, DevOps, Cloud Architects, NetOps, SecOps, IT Leadership, Support, Customer Experience.
Choose lean tech for each app
(Data path diagram as above, with product options placed along the path.)
• NGINX OSS, NGINX+, NGINX Unit
• NGINX OSS, NGINX+, F5 CIS
• NGINX OSS, NGINX+
• NGINX OSS, NGINX+, BIG-IP LTM, F5 Cloud Services GSLB
• NGINX / ModSecurity, NGINX+ App Protect, BIG-IP ASM, F5 Adv. WAF, F5 Cloud Services
• F5 Cloud Services DNS, BIG-IP DNS
• BIG-IP AFM, F5 Silverline
• NGINX
All-encompassing application platform
(Platform diagram repeated from earlier: data path components, deployment targets, BIG-IP and NGINX, the NGINX Controller and BIG-IQ control planes, and ecosystem integrations.)
This Complexity Is All Too Common…
(Diagram from code to customer: monolithic apps and microservices apps (web app, Kubernetes ingress controller, sidecar proxies with microservices) sit behind a chain of separately managed components, each with its own manager: CDN, DNS, DDoS, WAF, L4 LB, API gateway, L7 LB, L4 LB, reverse proxy.)
Together We Make It Much Easier
(Diagram from code to customer, same apps as the previous slide, with the components mapped to F5 and NGINX products, spanning Infrastructure & Ops and AppDev & DevOps.)
• NGINX Plus: reverse proxy, L4-7 LB, API gateway, per-app WAF
• NGINX Plus: K8s ingress controller
• NGINX Plus: sidecar proxy
• NGINX Plus: web server
• NGINX Unit: app server
• NGINX Plus: CDN
• F5 BIG-IP: local L4-7 LB, global L4-7 LB, SSL offload, advanced WAF, access mgmt., L4 firewall, SSL orchestration, anti-DDoS, bot detection, CGNAT
• F5 Cloud Services & Silverline: DNS, DDoS, WAF
• Control planes: NGINX Controller, F5 BIG-IQ
Technology principles to guide our design
• Platform-independent
• API first
• Integrated security
• Open source at our core
• Analytics built-in and AI enabled
• Application-centric
• Modular and reusable
Follow-up material: demos online
• 3 Ways to Connect F5 BIG-IP to Istio: https://youtu.be/dSmjY3flIq4
• Sorting Kubernetes with Container Ingress Services: https://youtu.be/Df8FcQ6QSo8
• Aspen Mesh Demo: https://youtu.be/jx76WY5On4M
• Canary Deployments with Flagger and Aspen Mesh: https://vimeo.com/356766933
• The Next Generation of Nginx Ingress Controller: https://youtu.be/k7mpY0YTe7U
• Nginx on "Do you need a service mesh?": https://youtu.be/CaCB_PK83AM
• Nginx Unit Demo: https://youtu.be/izcCI_TXCYk