Service Mesh with Consul

Service Mesh

  • A Service Mesh is a modern, cloud-friendly method of coupling services together.
  • A Service Mesh seeks to accomplish the goals of:

    Service Discovery

    Service Configuration

    Service Segmentation

  • A service mesh adds an infrastructure layer for making service-to-service communication safe, fast, and reliable.

  • The service mesh, at least conceptually, is really nothing new. Technical Operations teams have been placing proxies in front of other services for years. Apache httpd being placed in front of Tomcat is so commonplace that there's a binary protocol (AJP) to support it.

  • Just like placing Apache in front of Tomcat, the service mesh brings security and authentication to the services deployed inside of it.

The end of load balancer sprawl

  • The service mesh uses a service discovery mechanism to determine a request's target.
  • Load balancers are great; however, if a service has not been written to work with them there can be some unexpected, and very negative, side effects.
  • Replacing the load balancers with proxy sidecars certainly can add complexity to a deployment, however if

The true power of a Service Mesh

Often we find ourselves trying to deploy applications that were not designed with the cloud in mind. That is not unusual, since it can be difficult to develop an app for the cloud even if you know what you're doing, and so many apps are developed using legacy paradigms or on somebody's laptop, where the method of operating the application is a great distance apart from what the cloud would look like.

Bridging the gap from the laptop to production is often in the hands of the SREs. However, the service mesh provides an out-of-the-box bridge: the service can expose a simple HTTP interface and the service mesh will ensure that the inter-service communication is encrypted.

Consul as the Service Mesh

  • There are a few different solutions in the Service Mesh field, with varying degrees of complexity. However, one of the easiest and best solutions to the Service Mesh problem is HashiCorp Consul.

  • Consul will provide
    • Service Discovery
    • Configuration
    • Segmentation
  • Vault will provide
    • Secrets Management
  • Traefik will provide
    • Edge Service Proxy

Proxy Sidecar

{
  "service": {
    "name": "web",
    "port": 8080,
    "connect": { "proxy": {} }
  }
}


{
  "service": {
    "name": "web",
    "port": 8080,
    "connect": {
      "proxy": {
        "config": {
          "upstreams": [{
             "destination_name": "db",
             "local_bind_port": 9191
          }]
        }
      }
    }
  }
}

Register a service with Consul Connect

cat <<EOF | sudo tee /etc/consul.d/socat.json
{
  "service": {
    "name": "socat",
    "port": 8181,
    "connect": { "proxy": {} }
  }
}
EOF

Connect to the service

consul connect proxy -service web -upstream socat:9191

Register upstream dependency

cat <<EOF | sudo tee /etc/consul.d/web.json
{
  "service": {
    "name": "web",
    "port": 8080,
    "connect": {
      "proxy": {
        "config": {
          "upstreams": [{
             "destination_name": "socat",
             "local_bind_port": 9191
          }]
        }
      }
    }
  }
}
EOF

Intentions

Allow web to connect to db

consul intention create -allow web db
consul intention create -allow web socat
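Every upstream a sidecar declares is a service-to-service path that needs a matching allow intention, and registrations that drift apart are easy to miss by eye. As an added example that is not part of the original slides, the Python below reads service definitions in the Connect proxy format shown above, derives the source -> destination edges, prints the `consul intention create -allow` commands still missing, and flags two upstreams of one service bound to the same local port; the registrations and the existing intention list are constructed (the "db" upstream and its port clash are deliberate).

```python
import json

# Constructed sample registrations in the Connect proxy format used on this page;
# "db" is added as a second upstream (with a clashing port) so the audit has findings.
WEB_DEF = """{"service": {"name": "web", "port": 8080, "connect": {"proxy": {"config":
  {"upstreams": [{"destination_name": "socat", "local_bind_port": 9191},
                 {"destination_name": "db", "local_bind_port": 9191}]}}}}}"""
SOCAT_DEF = '{"service": {"name": "socat", "port": 8181, "connect": {"proxy": {}}}}'

# Constructed: intentions already present in the cluster, as (source, destination, action).
EXISTING_INTENTIONS = [("web", "socat", "allow")]

def upstreams(raw):
    """Return (service name, upstream list) from one registration document."""
    svc = json.loads(raw)["service"]
    proxy = svc.get("connect", {}).get("proxy") or {}
    return svc["name"], proxy.get("config", {}).get("upstreams", [])

def upstream_edges(definitions):
    """Set of (source, destination) pairs the sidecars will try to open."""
    return {(name, up["destination_name"])
            for name, ups in map(upstreams, definitions) for up in ups}

def bind_port_conflicts(definitions):
    """Two upstreams of one service cannot both listen on the same localhost port."""
    conflicts = []
    for name, ups in map(upstreams, definitions):
        seen = {}
        for up in ups:
            port = up["local_bind_port"]
            if port in seen:
                conflicts.append((name, seen[port], up["destination_name"], port))
            seen.setdefault(port, up["destination_name"])
    return conflicts

def missing_intentions(edges, intentions):
    """Commands for every edge that has no explicit allow intention yet."""
    allowed = {(s, d) for s, d, action in intentions if action == "allow"}
    return [f"consul intention create -allow {s} {d}"
            for s, d in sorted(edges) if (s, d) not in allowed]

if __name__ == "__main__":
    defs = [WEB_DEF, SOCAT_DEF]
    for c in bind_port_conflicts(defs):
        print("port conflict in %s: %s and %s both bind %d" % c)
    print("\n".join(missing_intentions(upstream_edges(defs), EXISTING_INTENTIONS)))
```

To audit a real node, read the files under /etc/consul.d/ into the definitions list instead of the constructed strings.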