Istio and manually register the services running #IstioCon V0.2 Mesh Expansion (cont.) ● Traffic flow (VM -> Container) 1. Dnsmasq accepts DNS queries 2. Access the built-in Kube DNS (exposed by ILB) intercepted by the sidecar proxy 5. xDS ■ Traffic forwarded to ingress in the mesh ● Traffic flow (Container -> VM) 1. Manual registration istioctl -n onprem register mysql 1.2.3.4 3306 #IstioCon Network #IstioCon VM Support – Multiple Networks #IstioCon Current State of VM Support ● Traffic flow ○ VM connects up to the Istio control plane through a Gateway ○ WorkloadEntry created ■ VM sidecar

edge and route traffic to the mesh- managed services inside the cluster. Two-tier Gateway Traffic Flow Cloud Vendor Gateway Consolidation TSB allows service discovery and communication via the NodePort XCP Edge ● Upstream Istio ● XCP Central -> Edge ● TSB CR -> Istio CR TSB Config Data Flow Cluster Onboarding Flow 1. Creating cluster object 2. Deploy Operators: Control plane & data plane 3. Configuring

Envoy overload issue still exits 800 Knative Services #IstioCon o 1400 total with dev release with flow control fix looks great, ingress_ready p100 < 30s o [Istio 1.9.x] Support for backpressure on XDS configuration churn. This is disabled by default and can be enabled by setting the PILOT_ENABLE_FLOW_CONTROL environment variable in Istiod. o Final solution is envoy delta-XDS push in future Istio release leveraging Istio features in Knative with service mesh enabled • Enable Istio mesh on Knative – Data flow with Istio mesh/mTLS #IstioCon o Init-container added which cost ~5 seconds for Knative application

protocol #IstioCon Istio Traffic Flow – inner cluster svcA svcB envoy envoy Pod1：10.244.0.20 Pod2：10.244.0.25 Dest: 127.0.0.1 Src：127.0.0.1 #IstioCon Istio Traffic Flow - ingress svcB envoy envoy

App container Sidecar container All incoming traffic must flow through the sidecar first when entering the pod All outgoing traffic must flow through the sidecar before leaving the pod 12 What happens

Istio As An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ●

state ● Accessed from eBPF programs as well as from applications in user space #IstioCon Work Flow of Acceleration ● Attach SOCK_OPS program to global cgroup ● Capture socket in established state

determine its destination socket ➢ Help functions: BPF_MSG_REDIRECT_HASH Istio Meetup China Work Flow of Acceleration ● sock_ops o Capture socket in specific states and populate the maps ● sk_msg

Integrates 800+ transportation providers across Europe and North America #IstioCon Our developer flow Develop -> PR -> master -> deploy QA -> deploy Production #IstioCon Our clusters #IstioCon The

Google Inc, 2020 Envoy is an edge and service proxy that allows traffic in an infrastructure to flow in a mesh, allowing you to visualize problem areas, tune performance, and add substrate features.