Jason Webb Vrushali Joshi Istio Service Mesh at Enterprise Scale Feb, 2021 Who are we? Founded 5,000 Developers 50M Customers 1993 IPO $6.8B FY19 Revenue 20 Locations 1983 Why Service

Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift and shift ● Packaged software ○ Non-Linux ○ unikernels the mesh ● Traffic flow (Container -> VM) 1. Manual registration istioctl -n onprem register mysql 1.2.3.4 3306 #IstioCon V1.1 Introducing Service Entry Service Entry v.s. Service v.s. Endpoints

OSS to Enterprise Service Mesh 宋净超（Jimmy Song） September 24, 2022 Shanghai, China Cloud Native Application Networking Secure, Observe and manage microservices Outline ● Background ● Enterprise Service Istio ● Why not Istio OSS? ● Problems unsolved ○ Multi-cluster and VM (lower onboarding cost) ○ Enterprise team structure gap (Workspace, Tenants, etc) ○ UI&UX Background ● Leads to complexity and lack Proxy as a standalone or Kubernetes-based application gateway ● Tetrate Istio Distro: Simple, safe enterprise-grade Istio distro ● Func-e: Make running Envoy easy Wazero ● wazero is the only zero dependency

security Operation security 3. Monitor audit log. 3 Lifecycle of service mesh security and demo Secure Monitor Enforce Verify Security Lifecycle Concepts Secure Monitor Enforce Verify Deploy comprehensive mechanisms are not tampered. Verify that the security mechanisms are working as expected. Monitor security status. Lifecycle of service mesh security Edge Cluster Workload Operation GitOps Concepts Secure Monitor Enforce Verify Demo: mesh security lifecycle Sleep Proxy Httpbin Proxy Namespace foo mTLS Demo Security Lifecycle Concepts Secure Monitor Enforce Verify

build the next generation 5G platform I want to sketch a mesh for you Istio service mesh at enterprise scale Improving security with Istio What Envoy hears when Istio speaks Company presenting

enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount secrets under istio-system to ingress gateway which contains credentials for https support optimization of pilot resolved this issue. • Tune CPU/MEM to ensure enough capacity Leveraged Metrics to monitor Istio & Knative components’ CPU and MEM under workload to avoid CPU throttling and OOM and ensure

Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning

Proprietary RPC Protocol … ● Messaging: Kafka, RabbitMQ … ● Cache: Redis, Memcached ... ● Database: mySQL, PostgreSQL, MongoDB ... ● Other Layer-7 Protocols: ... Control Plane (Traffic Management, Security

routing [Todo] Rate limit [Todo] RDS 需数据面配合 Redis [Todo] Sharding [Todo] Traffic mirroring [Todo] MySql [Todo] MongoDB [Todo] Postgres [Todo] RocketMQ [Todo] ZooKeeper 16 THANK YOU! 感谢聆听！

监听过滤器（Network::ListenerFilter） • onAccept接收新连接，判断协议类型，TLS握手，HTTP协议自动识别、提取连接地址信息 • L4 网络过滤器 • HTTP、Mysql、Dubbo协议处理、元数据交换，四层限流，开发调试支持等。 • onNewConnection新连接建立，可以决定是否拒绝 • onData处理连接数据到达 • onWrite处理连接数据发送