Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
Layer-7 traffic management capabilities in the mesh ❏ Several ways to extend Istio's traffic management capabilities ❏ Aeraki - managing all layer-7 traffic in an Istio service mesh ❏ Demo - Dubbo Traffic Management ❏ MetaProtocol - a general-purpose layer-7 protocol framework for service mesh #IstioCon Protocols in a Typical Microservice Application Database: mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security, Observability) #IstioCon What Do We Expect From a Service Mesh? To separate infrastructure operations and management from application code, we need layer-7 traffic management Header Layer-7 Header Data Traffic Management for HTTP/gRPC - all good ● We get all the capabilities we mentioned on the previous slide Traffic Management for non-HTTP/gRPC - only layer-3 to layer-6
0 码力 | 29 pages | 2.11 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
complexity ○ Need consistent policy enforcement ○ Need consistent metrics aggregation ● Traffic management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security case: Telco & Edge computing ○ where VMs play a crucial role now and later ○ where service mesh is a key paradigm for solving challenges [1] ■ Traffic steering (network slicing) ■ Fault injection (resilience pick extensions) [1] Service Mesh use cases for Telco and Edge – Google, ServiceMeshCon NA 2020 Key Drivers [1] #IstioCon What Do We Need Else to Augment Istio? ● Strong security and privacy guarantees
0 码力 | 50 pages | 2.19 MB | 1 year ago

Istio Security Assessment
c51fe751a17441b5ab3f5487c37e129e44eec823 • github.com/istio/istio.io – 26dacdde40968a37ba9eaa864d40e45051ec5448 Key Findings • There was a lack of validation on the VirtualService Gateway fields that could allow route Exposure 3 Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical High Medium Low Informational 3 | Google Istio Security Assessment Google / NCC Group Confidential { return fmt.Errorf( "the input private key, cert chain, and root cert are nil") } if privateKey != nil { if err := ioutil.WriteFile(path.Join(dir, "key.pem"), privateKey, 0777); err != nil { return
0 码力 | 51 pages | 849.66 KB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
● More than 5,000 Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Enforcement ■ Updating hardware devices is slow ○ Achieving micro-segmentation at Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Management, Tracing, Rate Limiting, Protocol Adapter, Circuit breaker, Caching, etc. #IstioCon Service
0 码力 | 22 pages | 505.96 KB | 1 year ago

Using Istio to Build the Next 5G Platform
ased-architecture-sba-47900b0ded0a 5G Architecture 4 ©2021 Aspen Mesh. All rights reserved. Key Platform Requirements Multi-Vendor Real-Time (RAN) Workload Mobility Networking outside CNF Encryption traffic via mTLS Autonomous PKI service for certificate lifecycle management at scale What Do You Get From Istio? Traffic Management Powerful Layer 7 (HTTP/2) routing 8 ©2021 Aspen Mesh. All
0 码力 | 18 pages | 3.79 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
used on top of Kubernetes. It offers users easy access to features such as observability, traffic management and security without requiring users to add these to their application code. It also offers more ● Certificate management ● Authentication ● Authorization ● Policy Enforcement Points (PEPs) ● A set of Envoy proxy extensions to manage telemetry and auditing Certificate management Alongside each Envoy proxy, an instance of the Istio agent is located and communicates with Istiod to automate key and certificate rotation, like so: Istio-agent has two functions: 1. To receive SDS requests from
0 码力 | 55 pages | 703.94 KB | 1 year ago

Song Jingchao (宋净超): From Open-Source Istio to Enterprise-Grade Service: How to Adopt Service Mesh in the Enterprise
TSB: The Application-Aware Networking Platform Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload Architecture ● Multi cluster ● Multi mesh ● Components ○ Management plane ○ Global control plane ○ Local control plane TSB Management Plane ● Front Envoy ● Multi Cluster support ● XCP Central -> Kubernetes Gateway API Use Case: A Financial Company Istio: Control Plane Tetrate Service Bridge: Management Plane Envoy: Data Plane Workload (Service) POD Workload (Service) POD Workload (Service) POD Workload
0 码力 | 30 pages | 4.79 MB | 6 months ago

Automate mTLS communication with GoPay partners with Istio
Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate Management ○ Ingress mutual TLS ○ Egress mutual TLS ● Challenge & Future Works GoPay & Istio About ● IP that used by all services) Implementing Mutual TLS Centralized Certificate Management ● Central certificate management manage our certificate lifecycle for HTTPS and mutual TLS communication. ●
0 码力 | 16 pages | 1.45 MB | 1 year ago

Canary Release Practice for Kubernetes Container Applications Based on Istio
At Google: microservices become API Apigee API Management complements Istio with the robust features of Google Cloud's Apigee API management platform, Apigee Edge, by extending API management natively into the microservices
0 码力 | 38 pages | 14.93 MB | 1 year ago

IstioCon2023 Welcome Keynote
ιστία) 1. sail What about the rest of the boat? Upcoming Talks: Aperture - Load Management Meshery - WASM plugin management Argo - Multi-cluster orchestration JP Morgan SLO Generation Reflecting on the
0 码力 | 14 pages | 1.31 MB | 1 year ago













