DevOps Teams Seek Help From Network Platform Service Mesh


Companies under pressure to deploy cloud-native applications face daunting complexity due to the network architectures required by these applications, and some have purchased service mesh platforms from vendors to help them.

Kubernetes container orchestration and microservices have become the new status quo as businesses digitally transform. Microservices applications are distributed across a network of machines, disrupting traditional networking conventions and increasing scrutiny of network performance, security, and resiliency. These trends have helped popularize the service mesh architecture in microservices environments, which provide granular control over network paths and can collect deeper observability data than networks.

Istio, an open-source service mesh created by IBM, Google, and Lyft, and its associated sidecar proxy project Envoy, offer sophisticated network automation and security features, but their operational complexity has created opportunities for more accessible alternatives such as Linkerd, HashiCorp Consul, F5 and Kong.

However, as Kubernetes deployments evolved from single clusters to multiple clusters spanning multiple data centers, more layers of network automation became necessary to tie them together. Then, a wave of increasingly severe cyberattacks prompted new regulations, including a 2021 presidential decree that mandated the deployment of zero-trust architectures. Istio, for all its complexity, can facilitate large-scale multi-cluster management and has had strong security advantages since its inception.

“[Security is] which is driving many companies to make very quick decisions to adopt service mesh,” said Louis Ryan, one of Istio’s co-creators at Google, during a keynote presentation at SoloCon this week. “They want mTLS [mutual TLS] and zero trust capabilities, and… the cost of maintenance [strong security is much higher than for] observability, traffic management and application frameworks. … So people are looking for out-of-the-box solutions.” turns heads amid service mesh struggles

Most large companies don’t have the in-house technical expertise to handle the raw open source version of Istio. This gap between technology functionality and expertise presents a ripe opportunity for IT vendors such as Istio-based network platform startup Over the past year, has amassed around 100 customers, including USAA, Chick-fil-A, T-Mobile, and Constant Contact, along with a $135 million Series C funding round and valuation. a billion dollars.

“If we took the same amount of money that we would allocate to an enterprise agreement with and hired engineers, would we be able to make the same product with the same complexity meeting all of our stringent requirements.. . and [do it] said Thomas Howard, head of cloud networking at Invitae, a biotech company in San Francisco, during a presentation this week at the virtual SoloCon conference. “Would we have access to the same knowledge specific to a very highly technical field [that we get] engineers? And would we be able to retain them permanently?”

For Howard, whose company deployed’s Gloo Mesh Enterprise after struggling with AWS App Mesh, the answer to all of those questions was no.

“AWS App Mesh…was simple, relatively easy to use, and well integrated,” he said. “The blockers we ran into boiled down to… edge cases related to external authorization and our federated trust model that we’re trying to implement with SPIFFE and SPIRE, and we found that we don’t don’t get the [access] that we should send [within AWS App Mesh] to implement this.”

Gloo Mesh Enterprise offered a balance between access to the Istio and Envoy APIs where Invitee needed to customize certain components and a packaged experience that allowed Howard’s company to more easily deploy mTLS and automate authentication and authorization between microservices, with the ultimate goal of implementing zero trust. .

Gloo Mesh Enterprise 2.0 API Updates Seamless Multitenancy

The first version of Gloo Mesh Enterprise, which became generally available in early 2021, looked promising to T-Mobile, which had also rolled out’s Gloo Edge API gateway. But this week’s Gloo Mesh Enterprise 2.0 added multi-tenant functionality that the mobile operator was waiting for before it wanted to put the product into production.

“We have been in a holding pattern with our existing upstream generic vanilla open source Istio setups [waiting for] a service mesh that exists in a logical context that can traverse multiple Kubernetes clusters and manage and orchestrate configurations for end users,” said Joe Searcy, T-Mobile Distributed Systems Technical Staff, in an interview this week. .

Gloo Mesh Enterprise 2.0 introduced the concept of workspaces, a set of logical boundaries that can be jointly provisioned and maintained by IT operations, platform engineering, application management, and enterprise development teams. software and shared between several Kubernetes clusters. Platform operators can grant application owners and developers specific access to the Kubernetes infrastructure, as well as modification permissions. Gloo Mesh Enterprise then automatically synchronizes the underlying physical clusters with traffic management and administrator security policies as applications change.

“[Developers] don’t have to manage their service mesh configurations on cluster B as separate artifacts from either cluster A or cluster C — they’re managing an artifact,” Searcy said. “And Gloo Mesh kind of helped determine what it should look like in each cluster on their behalf. There’s huge operational overhead being cut.”

Move to DevOps Platforms, Here Come Network Platforms

The abstraction of infrastructure into logical services that developers can directly access is in line with broader industry trends toward DevOps platforms. Products such as Red Hat OpenShift, VMware Tanzu, and cloud provider services such as Google Kubernetes Engine (GKE) and Amazon EC2 Kubernetes Service (EKS) also offer integrated sets of components that can be managed by multiple IT teams and developers, some of which also encompass the service mesh.

“We are currently seeing a consolidation of almost every technology sector, driven as much by customer demands for a better development experience and fewer business relationships to cross as by commercial vendors seeing adjacent market opportunities,” Stephen said. O’Grady, analyst. at RedMonk.

Network platforms are not necessarily mutually exclusive DevOps platforms, but for some large enterprises, a separate network platform such as allows them to avoid lock-in with the network stack of any infrastructure provider.

“We use Gloo Mesh on EKS, OpenShift and soon, GKE,” said David Ortiz, principal software engineer at martech firm Constant Contact, in an online interview after his SoloCon presentation this week. “One of the reasons why multi-clustering was such an early requirement for us is that we needed a way to ensure that workloads could communicate with and ideally be moved between each other. … We try to avoid doing things specific to all cloud providers.”

Yet some of the vertical integration that provides within the network layer, like Gloo Edge, which combines the functions of an API Gateway, Kubernetes Ingress Controller, and Istio Gateway, is also welcome, Ortiz said. isn’t alone in targeting customers looking for help with the service mesh. Kong Mesh is part of a larger platform that also includes the Kong API Gateway and offers multi-cluster management capabilities. Linkerd, which prioritized simplicity in earlier releases at some of the finer points of multi-tenant service mesh security, has caught up in recent releases, including this week’s early support for automated failover. multi-cluster, which is expected to be generally available in the upcoming 2.12 release.

“You can see how a consolidation and simplification effort is taking place at and other vendors, including but not limited to the integration of ingress and API gateways with the service mesh , virtual machine support, improved user interfaces and observability, and better workload protection and isolation to support multitenancy,” said Brad Casemore, analyst at IDC.” There’s still healthy competition in the service mesh market, but the Istio camp, including, has definitely worked hard to make it easier to deploy and use the technology and it’s starting to pay off. tangible dividends.”

Beth Pariseau, Senior Writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.


Comments are closed.