updated introduction and service mesh styling
parent 80172cf15e
commit 05a41a079a
@ -1,8 +1,9 @@
---
layout: docs
page_title: What is service mesh?
page_title: What is a service mesh?
description: >-
Learn what a service mesh is, it's benefits, and how it works.
Learn what a service mesh is, it's benefits, and how it works.
A service mesh can solve many of the modern challenges that exist in multi-platform and multi-cloud application architectures, ranging from security to application resiliency.
---

# What is a Service Mesh?

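Review bot: `Learn what a service mesh is, it's benefits, and how it works.` in the `description` still uses the contraction `it's` where the possessive `its` is meant; since this hunk is already editing the front matter, fix it here. Also, the new `page_title` is sentence case (`What is a service mesh?`) while the H1 directly below it stays title case (`# What is a Service Mesh?`); pick one form for both.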
@ -13,7 +14,7 @@ Service meshes are often used with a microservice architectural pattern, but can
## Benefits of a Service Mesh

A service mesh provides benefits for all organizations, ranging from security to improved application resiliency.
Some of the benefits of a _service mesh_ include;
Some of the benefits of a service mesh include;

- service discovery
- application health monitoring

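Review bot: the list lead-in `Some of the benefits of a service mesh include;` ends with a semicolon where a colon introduces a list; change it to `include:` while the line is being touched. The added sentence `A service mesh provides benefits for all organizations, ranging from security to improved application resiliency.` repeats the `ranging from security to application resiliency` phrasing that this same commit adds to the front-matter description, so consider trimming one of the two.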
@ -25,18 +26,18 @@ Some of the benefits of a _service mesh_ include;
- authentication and authorization,
- network automation

A common use case for leveraging a _service mesh_ is to achieve a [_zero trust_ model](/use-cases/zero-trust-networking).
A common use case for leveraging a service mesh is to achieve a [_zero trust_ model](/use-cases/zero-trust-networking).
In a _zero trust_ model, applications require identity-based access to ensure all communication within the service mesh is authenticated with TLS certificates and encrypted in transit.

## How does a Service Mesh work?

A _service mesh_ typically consist of a control plane, and a data plane. The control plane maintains a central registry that keeps track of all services and their respective IP addresses, this is called _service discovery_.
A service mesh typically consist of a control plane, and a data plane. The control plane maintains a central registry that keeps track of all services and their respective IP addresses, this is called [service discovery](https://www.hashicorp.com/products/consul/service-discovery-and-health-checking).
As long as the application is registered with the control plane, the control plane will be able to share with other members of the mesh how to communicate with the application and enforce rules for who can communicate with each other.

The control plane is responsible for securing the mesh, facilitating service discovery, health checking, policy enforcement, and other similar operational concerns.

The data plane handles communication between services.
Many _service mesh_ solutions employ a sidecar proxy to handle data plane communications, and thus limit the level of awareness the services need to have about the network environment.
Many service mesh solutions employ a sidecar proxy to handle data plane communications, and thus limit the level of awareness the services need to have about the network environment.

![Overview of a service mesh](/img/what_is_service_mesh_1.png)


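Review bot: `A service mesh typically consist of a control plane, and a data plane.` needs `consists`, and the comma before `and a data plane` should go; the same line also has a comma splice (`...their respective IP addresses, this is called [service discovery]...`) that wants a period or semicolon before `this is called`. Separately, the new service discovery link points at the external product page `https://www.hashicorp.com/products/consul/service-discovery-and-health-checking`, while the zero trust link in this same hunk uses the site-relative `/use-cases/zero-trust-networking`; prefer the docs-relative form for consistency if a docs page for service discovery exists. The list item `- authentication and authorization,` is the only one with a trailing comma; drop it to match the other items.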
@ -46,24 +47,24 @@ An API gateway is a centralized access point for handling incoming client reques
The API Gateway acts as a control plane that allows operators and developers to manage incoming client requests and apply different handling logic depending on the request.
The API Gateway will route the incoming requests to the respective service. API Gateways primary function is to handle requests and return the reply from the service back to the client.

A _service mesh_ specializes in the network management of services and the communication between services.
A service mesh specializes in the network management of services and the communication between services.
The mesh is responsible for keeping track of services and their health status, IP address, traffic routing, and ensuring all the traffic between services are authenticated and encrypted.
Unlike API Gateways, a _service mesh_ will track all registered services' lifecycle and ensure requests are routed to healthy instances of the service.
Unlike API Gateways, a service mesh will track all registered services' lifecycle and ensure requests are routed to healthy instances of the service.
API Gateways are frequently deployed alongside a load balancer to ensure traffic is directed to healthy and available instances of the service.
The mesh reduces the load balancer footprint as routing responsibilities are handled in a decentralized manner.

API Gateways can be used together with a _service mesh_ to bridge external networks (non-mesh) with a _service mesh_.
API Gateways can be used together with a service mesh to bridge external networks (non-mesh) with a service mesh.

-> **Note**: API Gateways are frequently used to accept north-south based traffic. North-south traffic is networking traffic that either enters or exits a data center or a virtual private network (VPC).
A _service mesh_ is primarily used for handling east-west based traffic. East-west traffic traditionally remains inside a data center or a VPC.
A _service mesh_ can be connected to another _service mesh_ in another data center or VPC to form a federated mesh.
A service mesh is primarily used for handling east-west based traffic. East-west traffic traditionally remains inside a data center or a VPC.
A service mesh can be connected to another service mesh in another data center or VPC to form a federated mesh.

## What Problems Does a Service Mesh Solve?

Modern infrastructure is transitioning from primarily being static-based to dynamic in nature (ephemeral).
This dynamic infrastructure has a short life cycle, meaning virtual machines (VM) and containers are frequently recycled.
It's difficult for an organization to manage and keep track of application services that live on short-lived resources. A _service mesh_ solves this problem by acting as a central registry of all registered services.
As service instances, either VMs or containers, come up and down, the mesh is aware of their state and availability. The ability to conduct _service discovery_ is the foundation to the other problems a _service mesh_ solves.
It's difficult for an organization to manage and keep track of application services that live on short-lived resources. A service mesh solves this problem by acting as a central registry of all registered services.
As service instances, either VMs or containers, come up and down, the mesh is aware of their state and availability. The ability to conduct _service discovery_ is the foundation to the other problems a service mesh solves.

As a service mesh is aware of the state of a service and its instances, the mesh can implement more intelligent and dynamic network routing.
Many service meshes offer L7 traffic management capabilities. As a result, operators and developers can create powerful rules to direct network traffic as needed, such as load balancing, traffic splitting, dynamic failover, and custom resolvers.

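Review bot: the note line expands VPC as `virtual private network (VPC)`; VPC stands for virtual private cloud (a virtual private network is a VPN), so it should read `virtual private cloud (VPC)`. Two grammar fixes in the same hunk: `ensuring all the traffic between services are authenticated and encrypted` should be `is authenticated`, and `API Gateways primary function` needs the possessive (`API gateways' primary function`). Lastly, `The ability to conduct _service discovery_ is the foundation to the other problems a service mesh solves` reads as if discovery were a problem; `the foundation for solving the other problems` is what is meant, and `from primarily being static-based to dynamic in nature (ephemeral)` can be shortened to `from static to dynamic (ephemeral)`.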
@ -71,13 +72,13 @@ A service mesh's dynamic network behavior allows application owners to improve a

Implementing dynamic network behavior is critical as more and more applications are deployed across different cloud providers (multi-cloud) and private data centers.
Organizations may need to route network traffic to other infrastructure environments. Ensuring this traffic is secure is on top of mind for all organizations.
Service meshes offer the ability to enforce network traffic encryption (mTLS) and authentication between all services. The _service mesh_ can automatically generate an SSL certificate for each service and its instances.
Service meshes offer the ability to enforce network traffic encryption (mTLS) and authentication between all services. The service mesh can automatically generate an SSL certificate for each service and its instances.
The certificate authenticates with other services inside the mesh and encrypts the TCP/UDP/gRPC connection with SSL.

Fine-grained policies that dictate what services are allowed to communicate with each other is another benefit of a _service mesh_.
Fine-grained policies that dictate what services are allowed to communicate with each other is another benefit of a service mesh.
Traditionally, services are permitted to communicate with other services through firewall rules.
The traditional firewall (IP-based) model is difficult to enforce with dynamic infrastructure resources with a short lifecycle and frequently recycling IP addresses.
As a result, network administrators have to open up network ranges to permit network traffic between services without differentiating the services generating the network traffic. However, a _service mesh_ allows operators and developers to shift away from an IP-based model and focus more on service to service permissions.
As a result, network administrators have to open up network ranges to permit network traffic between services without differentiating the services generating the network traffic. However, a service mesh allows operators and developers to shift away from an IP-based model and focus more on service to service permissions.
An operator defines a policy that only allows _service A_ to communicate with _service B_. Otherwise, the default action is to deny the traffic.
This shift from an IP address-based security model to a service-focused model reduces the overhead of securing network traffic and allows an organization to take advantage of multi-cloud environments without sacrificing security due to complexity.


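Review bot: the line being restyled, `The service mesh can automatically generate an SSL certificate for each service and its instances.`, and the next one, `encrypts the TCP/UDP/gRPC connection with SSL`, say SSL where the sentence before them correctly says mTLS; use TLS throughout, since the handshake the mesh performs is TLS and SSL as a protocol is deprecated. `TCP/UDP/gRPC` also mixes layers: gRPC runs over HTTP/2 on TCP, and TLS as written does not cover UDP (that would be DTLS), so `the connection` or `TCP connections` is more accurate. Two grammar points in the same hunk: `Fine-grained policies that dictate ... is another benefit` should be `are another benefit`, and `service to service permissions` wants hyphens (`service-to-service`). The default-deny sentence (`Otherwise, the default action is to deny the traffic.`) is the key security property of this section and reads well; keep it as is.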
@ -101,9 +102,9 @@ You can use Consul with virtual machines (VMs), containers, or with container or
Consul is platform agnostic which makes it a great fit for all environments, including legacy platforms.

Consul is available as a [self-install](/downloads) project or as a fully managed service mesh solution called [HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs).
HCP Consul enables users to discover and securely connect services without the added operational burden of maintaining a _service mesh_ on their own.
HCP Consul enables users to discover and securely connect services without the added operational burden of maintaining a service mesh on their own.

## Next

Get started today with a _service mesh_ by leveraging [HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs).
Get started today with a service mesh by leveraging [HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs).
Prepare your organization for the future of multi-cloud and embrace a [zero-trust](https://www.hashicorp.com/solutions/zero-trust-security) architecture.

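Review bot: `Consul is platform agnostic which makes it a great fit` should be `platform-agnostic, which makes it a great fit` (hyphenated compound modifier, comma before the relative clause). The HCP Consul link `https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs` is used twice in this hunk and resolves to a sign-in page; the second use under `## Next` would serve readers better as a link to a getting-started page, if one exists, rather than a login prompt. `[self-install](/downloads) project` also contrasts poorly with `fully managed`; `self-managed` is the usual counterpart.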