Consul 1.6: Layer 7 Traffic Management and Mesh Gateways
1 like2,385 views
This document provides an overview of Consul L7, a multi-cloud service networking platform. It discusses background on the transition to multi-cloud, Consul's approach to cloud networking, and principles around API-driven configuration, running services anywhere, and extending integrations. The rest of the document outlines basic Consul configuration, traffic routing, shifting, multi-cluster gateways, service failover, and using metrics and tracing with Envoy proxies.
![© 2019 HashiCorpCONSUL PRINCIPLES 10
API Driven
Codify and automate service
definitions, health checks,
service authorization
policies, failover logic, and
more.
1 2 3
Consul
Principles
$ curl http://localhost:500/v1/kv/deployment
[
{
"LockIndex": 1,
"Session": "1c3f5836-4df4-0e26-6697-90dcce",
"Value": "Zm9v",
"Flags": 0,
"Key": "deployment",
"CreateIndex": 13,
"ModifyIndex": 19
}
]
TERMINAL](https://image.slidesharecdn.com/consull7-webinar-190829171750/85/Consul-1-6-Layer-7-Traffic-Management-and-Mesh-Gateways-10-320.jpg)
![CODE EDITOR
kind = "service-router"
name = "api"
routes = [
{
match {
http {
path_prefix = "/v1"
}
}
destination {
service = "api-v1"
}
}
]](https://image.slidesharecdn.com/consull7-webinar-190829171750/85/Consul-1-6-Layer-7-Traffic-Management-and-Mesh-Gateways-23-320.jpg)
![CODE EDITOR
kind = "service-splitter",
name = "api"
splits = [
{
weight = 50,
service_subset = "v1"
},
{
weight = 50,
service_subset = "v2"
}
]](https://image.slidesharecdn.com/consull7-webinar-190829171750/85/Consul-1-6-Layer-7-Traffic-Management-and-Mesh-Gateways-27-320.jpg)
![CODE EDITOR
kind = "service-resolver"
name = "api"
failover = {
"*" = {
datacenters = ["dc2"]
}
}
Service Failover
Cross cluster / cross cloud service failover](https://image.slidesharecdn.com/consull7-webinar-190829171750/85/Consul-1-6-Layer-7-Traffic-Management-and-Mesh-Gateways-34-320.jpg)
![CODE EDITOR
envoy_extra_static_clusters_json = <<EOL
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "jaeger_9411",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "jaeger",
"port_value": 9411,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "jaeger_9411",
"type": "STRICT_DNS"
}
EOL](https://image.slidesharecdn.com/consull7-webinar-190829171750/85/Consul-1-6-Layer-7-Traffic-Management-and-Mesh-Gateways-38-320.jpg)
Consul 1.6: Layer 7 Traffic Management and Mesh Gateways
- 1. © 2018 HashiCorp Consul L7 A multi-cloud service networking platform to connect and secure any service across any runtime platform and public or private cloud 1
- 2. © 2018 HashiCorp Agenda 2 1. Background 2. Basic Configuration 3. Traffic Routing 4. Traffic Shifting 5. Multi-Cluster Gateways 6. Service Failover 7. Metrics / Tracing
- 3. © 2018 HashiCorp 3 Background
- 4. Copyright © 2019 HashiCorp ⁄ The Transition to Multi-Cloud Copyright © 2019 HashiCorp ⁄ 4 Traditional Datacenter “Static” SYSTEMS OF RECORD SYSTEMS OF ENGAGEMENT Dedicated Infrastructure Modern Datacenter “Dynamic” AWS Azure GCP+ + +Private Cloud + “Ticket-based” “Self-service”
- 5. Copyright © 2018 HashiCorp ⁄Copyright © 2018 HashiCorp ⁄ 5 The Cloud Landscape DYNAMICSTATIC Dedicated vCenter CloudFormation Resource Manager Cloud Deployment Manager vCenter vSphere EKS / ECS Lambda AKS / ACS Azure Functions GKE Cloud Functions vSphere Various Hardware Proprietary Proprietary ProprietaryHardware Identity: AD/LDAP Identity: AWS IAM Identity: AzureAD Identity: GCP IAM IP: Hardware Private Cloud AWS Azure GCP Provision Operations Secure Security Run Development Connect Networking
- 6. Copyright © 2018 HashiCorp ⁄Copyright © 2018 HashiCorp ⁄ 6 Cloud Networking With Consul Connect Networking Private Cloud AWS Azure GCP A Common Cloud Operating Model
- 7. USING CONSUL IN DYNAMIC INFRASTRUCTURE 7© 2019 HashiCorp Market trend from monoliths to microservices Single, Physical Server Dynamic Virtual Machines Smaller, Ephemeral Containers
- 8. © 2018 HashiCorp Dynamic Infrastructure Service-based networking The shift from static to dynamic networking Static Infrastructure Host-based networking USING CONSUL IN DYNAMIC INFRASTRUCTURE 8
- 9. © 2018 HashiCorpUSING CONSUL IN DYNAMIC INFRASTRUCTURE Dynamic Infrastructure Service-based networking The shift from static to dynamic networking Private datacenters with static IPs, primarily north-south traffic, protected by perimeter security and coarse-grained network segments. Traditional Approach ▪ Static connectivity between services ▪ A fleet of load balancers to route traffic ▪ Ticket driven processes to update network middleware ▪ Firewall rule sprawl to constrict access and insecure flat network zones Multiple clouds and private datacenters with dynamic IPs, dominated by east-west traffic, no clear network perimeters. Consul Approach ▪ Centralized registry to locate any service ▪ Services discovered and connected with centralized policies ▪ Network automated in service of applications ▪ Zero trust network enforced by identity-based security policies Static Infrastructure Host-based networking 9
- 10. © 2019 HashiCorpCONSUL PRINCIPLES 10 API Driven Codify and automate service definitions, health checks, service authorization policies, failover logic, and more. 1 2 3 Consul Principles $ curl http://localhost:500/v1/kv/deployment [ { "LockIndex": 1, "Session": "1c3f5836-4df4-0e26-6697-90dcce", "Value": "Zm9v", "Flags": 0, "Key": "deployment", "CreateIndex": 13, "ModifyIndex": 19 } ] TERMINAL
- 11. © 2019 HashiCorpCONSUL PRINCIPLES 11 Run and Connect Anywhere Connect services across any runtime platform and public or private cloud. Connect services from Kubernetes to VMs, Containers to Serverless functions. 1 2 3 Consul Principles
- 12. © 2019 HashiCorpCONSUL PRINCIPLES 12 Extend and Integrate ▪ Provision clusters on any infrastructure. ▪ Connect to services over TLS via proxy integrations. ▪ Serve TLS certificates with pluggable Certificate Authorities. 1 2 3 Consul Principles
- 13. CHALLENGE SOLUTION RESULTS Feature: Service Segmentation - Proxies 13© 2019 HashiCorpUSE CASE: SERVICE SEGMENTATION Sidecar proxy to secure traffic for any application Consul provides sidecar proxies running alongside applications to transparently wraps traffic in TLS and enforces the intentions. ● No code modification required ● Minimal performance overhead ● Pluggable data plane: Built-in Layer 4 proxy, native Envoy integration or other third-party proxy integration ● Operational flexibility, decoupling security concern from the application itself
- 14. © 2018 HashiCorp Basic Configuration 14
- 15. CODE EDITOR services { name = "web" port = 9090 connect { sidecar_service { port = 20000 proxy { local_service_address = "127.0.0.1" local_service_port = 9090 upstreams { destination_name = "api" local_bind_port = 8003 } upstreams {
- 16. CODE EDITOR Kind = "service-defaults" Name = "web" Protocol = "http" Central Configuration Centrally manage service mesh configuration
- 17. CODE EDITOR Kind = "service-defaults" Name = "web" Protocol = "http" Central Configuration Centrally manage service mesh configuration
- 18. CODE EDITOR { "kind": "service-defaults", "name": "web", "protocol": "http" } Central Configuration Centrally manage service mesh configuration
- 19. Central Configuration Types of Configuration Entries ● Proxy Defaults - controls proxy configuration ● Service Defaults - configures defaults for all the instances of a service ● Service Router - defines where to send layer 7 traffic ● Service Splitter - defines how to divide requests for a single HTTP route ● Service Resolver - matches service instances with Consul upstreams
- 21. Traffic Routing
- 22. Traffic Routing Route requests based on HTTP parameters
- 23. CODE EDITOR kind = "service-router" name = "api" routes = [ { match { http { path_prefix = "/v1" } } destination { service = "api-v1" } } ]
- 24. Traffic Shifting
- 25. Traffic Shifting Percentage based traffic routing
- 26. CODE EDITOR kind = "service-resolver" name = "api" subsets = { v1 = { filter = "Service.Meta.version == 1" } v2 = { filter = "Service.Meta.version == 2" } }
- 27. CODE EDITOR kind = "service-splitter", name = "api" splits = [ { weight = 50, service_subset = "v1" }, { weight = 50, service_subset = "v2" } ]
- 29. Multi-Cluster Gateways Cross cluster / cross cloud service routing
- 30. CODE EDITOR Kind = "service-defaults" Name = "api" Protocol = "http" MeshGateway = { mode = "local" } Multi-Cluster Gateways Cross cluster / cross cloud service routing
- 31. CODE EDITOR Kind = "service-defaults" Name = "api" Protocol = "http" MeshGateway = { mode = "remote" } Multi-Cluster Gateways Cross cluster / cross cloud service routing
- 32. Service Failover
- 33. Service Failover Cross cluster / cross cloud service failover
- 34. CODE EDITOR kind = "service-resolver" name = "api" failover = { "*" = { datacenters = ["dc2"] } } Service Failover Cross cluster / cross cloud service failover
- 36. CODE EDITOR kind = "proxy-defaults" name = "global" config { envoy_prometheus_bind_addr = "0.0.0.0:9102" Metrics Globally configuring Envoy metrics
- 37. CODE EDITOR kind = "proxy-defaults" name = "global" config { envoy_extra_static_clusters_json = {} Envoy_tracing_json = {} } Tracing Globally configuring Envoy tracing
- 38. CODE EDITOR envoy_extra_static_clusters_json = <<EOL { "connect_timeout": "3.000s", "dns_lookup_family": "V4_ONLY", "lb_policy": "ROUND_ROBIN", "load_assignment": { "cluster_name": "jaeger_9411", "endpoints": [ { "lb_endpoints": [ { "endpoint": { "address": { "socket_address": { "address": "jaeger", "port_value": 9411, "protocol": "TCP" } } } } ] } ] }, "name": "jaeger_9411", "type": "STRICT_DNS" } EOL
- 39. CODE EDITOR envoy_tracing_json = <<EOL { "http": { "config": { "collector_cluster": "jaeger_9411", "collector_endpoint": "/api/v2/spans" }, "name": "envoy.zipkin" } } EOL