Intel Haoyuan Ge #IstioCon Quick Summary (from Google Cloud Next ’19 [1]) VM works on Istio! [1] Istio Service Mesh for VM Native, Chris Crall, Jianfei Hu, Google Cloud Next ‘19 #IstioCon Why Add failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability ○ See VM metrics alongside containers ● Extensibility specific workloads ○ Network Functions (NFV) #IstioCon Hybrid and Multi Clouds #IstioCon Istio VM Integration is? A Tumultuous Odyssey… [1] Istio 1.8: A Virtual Machine Integration Odyssey, Jimmy

product build on top of the upstream Istio ● Why not Istio OSS? ● Problems unsolved ○ Multi-cluster and VM (lower onboarding cost) ○ Enterprise team structure gap (Workspace, Tenants, etc) ○ UI&UX Background (Service) POD Workload (Service) POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh can include VMs ● Multi tenancy ● Traffic Management Plane ● Front Envoy ● Multi Cluster support ● XCP Central -> XCP Edge TSB Control Plane ● VM integration ● XCP Edge ● Upstream Istio ● XCP Central -> Edge ● TSB CR -> Istio CR TSB Config Data

Model #IstioCon Istiod Cluster API server Gateway Service A VM Service VM Service VM Service Istio simplify VM onboarding #IstioCon Istio Standardize APIs Adopt Kubernetes service installation Simplified control plane New extension Model Unified multicluster model Simplified VM onboarding Simplified troubleshooting #IstioCon 2021: Year of Istio Adoption #IstioCon Thank you

since 2016 ● GoPay had services running on VM and decided to using Envoy XDS and Consul for migration & load balancing the traffic across container and VM. ● Over time, managing Envoy and Consul became and mutual TLS communication. ● Renew & sync to our Kubernetes cluster, also support syncing to VM with an agent installed, this is also used by our partners as well. Ingress Mutual TLS ● Using

for OCP & Kubernetes • Multi-cluster Service Topology • Cloud-Native Event Hub • Full Support for VM-Based Workloads • UX Simplification CONTACT US Head of integration department Igor Gustomyasov

Filters are written in C++ and Wasm expands to any language Secure and Reliable: Wasm runs in isolated VM, can dynamically update w/o Envoy restarts, no hard dependencies or cascading failures Speed: Near

SolarMesh的架构设计 Copyright © 2021 Cloud To Go SolarMesh的架构设计 负载均衡 服务发现 弹性伸缩 k8s 应用 自我修复 基础设施 | VM/DOCKER 熔断限流 流量观测 超时重试 服务网格 流量安全 SolarMesh Copyright © 2021 Cloud To Go •轻量 核心组件少安装简单

可维护性：不必更改Envoy自身基础代码库即可扩展其功能。 ○ 多样性：可以将流行的编程语言（例如C/C++和Rust）编译为WASM，因此开发人员可 以选择实现过滤器的编程语言。 ○ 可靠性和隔离性：过滤器会被部署到VM沙箱中，因此与Envoy进程本身是隔离的；即使 当WASM Filter出现问题导致崩溃时，它也不会影响Envoy进程。 ○ 安全性：过滤器通过预定义API与Envoy代理进行通信，因此它们可以访问并只能修改有

Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine