About the talk
Enterprises are adopting a cloud-native strategy to become more agile, move faster, and innovate new business ideas. Cloud-native technology usually means using containers, Kubernetes, and multiple public clouds. Going cloud native also means changing the way you develop and operate applications, which has enormous implications for the network supporting the applications. Citrix ADC is well adapted to help you on your cloud-native strategy. This session will highlight what it takes to build a comprehensive containers-as-a-service solution for the enterprise using Kubernetes and how Citrix ADC can implement key features in Layer 7 load balancing including ingress, CI/CD, SRE operations, and cluster autoscaling.
Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.
Good afternoon. I'm a product manager, and I have a colleague with me to help straighten things out. So this is the session. I think it's working. I'll talk about why cloud native, how and why companies are going through this process, how they are building their platforms, and the stakeholders involved in that platform. And then, how does Citrix play in this environment, and how do we play in the cloud-native ecosystem? So,
why cloud native? It's about the velocity of the business. What's going on is that companies are going through a dramatic change: they are looking to do more things, to be closer to their customers, building web apps, custom apps for example, and there are a lot of requests to the IT team. And IT is not able to move as fast as the company wants, so there's a lot of friction, because IT has all these processes in place, people are in the wrong organizations, organizations are siloed. And so there's a requirement for the company to change to overcome this gap, and that leads to the transformation
of the company, where they look at people, processes and tools, and address how to be able to move quickly. That is the transformation where they change, for example, the thought process and so on. Part of that is the move to cloud-native infrastructure, and what that means is they're building apps as microservices. The inspiration for this came from the web-scale companies, companies like Google for example, that build their apps and the
tooling around them and have the processes in place so that they are able to deploy code into production much faster: instead of days, it's in hours or minutes. So this is a microservices platform. This is an open source project that was open-sourced by Google, and it's been getting a lot of adoption by many, many companies, companies like Red Hat and IBM for example: Kubernetes. And these companies have also adopted DevOps practices so that they have an automated way to deploy apps into production and use APIs
from outside to access the app. Today you'll find that perhaps 5% of the apps are already cloud native, only a small amount, and companies want more than half their apps to be cloud native, closer to 75%. So cloud native is going to be a big push, and going cloud native means culture, automation, security, monitoring and networking. To go with speed, companies are trying to adopt both speed and stability, by working with vendors and putting consistent production practices in place.
So the strategy for the business, in looking at all this, is really the following: to look at scale and agility. How can I just focus on my business process and my business logic and take everything else away, outsource it or give the less important projects elsewhere, and allow me to go to market faster? And then, with that, can I innovate more quickly, launch new products faster, and thereby quickly enable new business opportunities? Then, the platform
needs reliability and scale. If I want to go fast, I need scale for things like, again, cloud-inspired technologies: on-demand elastic compute, being able to call an API to turn up compute for an app, and being able to deploy apps across multiple availability zones, so I have HA and I have DR. And then being able to get instant feedback, traceability and transparency: what's happening on that platform, what's happening to my apps? And a big part of that: can I drop
my costs? These are open-source platforms, and they need engineers to run them. What companies are doing, instead of focusing on running these platforms or developing the tooling themselves, is buying enterprise solutions that eliminate the need for developers to focus on that, so they focus on the product and the business instead. So how do they go cloud native? By breaking the monolith into microservices. So instead of one monolith with a lot of processes inside, they break it into small microservices, and each microservice can be done by a different team. We can
build on that microservice at speed, independent of the other microservices, and it's all tied together using API calls. So now you have a way to run independently, by team, by app, and it scales: the largest-scale apps are microservices, and they use APIs as the boundary between the microservices so they can all talk to each other. And the unit that they use is containers. Containers have been around for a long time: LXC containers with Linux. The more popular one is Docker-based. They provide us a runtime with
systems and tools to be able to deploy a container. A container is a unit of deployment that you can run anywhere; it's portable, it works on your laptop, in the cloud, on top of Linux. The container is the platform that people use for building microservices. And Kubernetes is a kernel for distributed systems. It was initially built by Google. It is a way for you to ask the platform, to make a request: I can request resources, compute, memory for example; I can request scalability, I want one or more of
these instances to turn up. I can require availability: if my instance goes down, can you please bring up another one somewhere else and make sure that my app continues to run? And it's built across a master node and a number of worker nodes. The master node is the control plane, which the platform team uses to build out the platform, and there are app users who deploy apps using it. Kubernetes keeps track of where the pods are across the worker nodes. The CNCF and the Linux Foundation, in effect,
are hosting this, and there are a lot of companies supporting it, just as I mentioned earlier, Pivotal, VMware. But with Kubernetes there are choices. So do you run your platform on-prem, in the cloud, or both, in a hybrid cloud scenario? The master node: do you get the master node as a managed service? The Kubernetes framework changes every three to six months, so there is a change in the API server and in all the components inside. So are you going to buy a managed service, where they take care of
all that change, or do you do it yourself, or do you buy a distribution from somebody else, where they provide you with the updates and you deploy those updates yourself? And then the applications: it's all of the above. That's important to take into account when you build a platform. And then networking. Networking is not something that comes natively; it's a gap. How do you send traffic from the outside world into the cluster? Do you send HTTP traffic, do you send TCP traffic, UDP traffic? How would you do that? It's a constant pain,
ingress in Kubernetes. And then to send traffic east-west, do you use the ingress device for that, go through ingress, or do you need a service mesh, which is now the big buzzword? A service mesh handles traffic east-west. And how do you connect the containers together? There's something called the CNI, the Container Network Interface, and there are several implementations of this; which one do you select? Then finally, security. How do you secure your platform, how do you secure the traffic coming into the platform? Do you use an API gateway? Can you see into the traffic? And then authentication: do
you have a service mesh where you can apply control on which applications can talk to each other, policies on the pods? Do you scan containers before they get deployed, to find out if there are any vulnerabilities? Encryption and decryption, and the keys: how are they all managed? So once you make all these choices, whether you're running in the public cloud, choosing your distribution, what kind of networking to do, what kind of
storage to use, what to do for security and so on and so forth: if you're building this platform, your job is not done, and I like to call this Kubernetes Plus, where you're also taking care of your stakeholders. So who's going to operate the cluster, and how do you make their life easy? You have to give them the level of automation and tooling that they need to smoothly operate these Kubernetes clusters. DevOps is interested in moving code from the source repository into production. And how do they manage the secrets? How do they manage things
like canaries and blue-green deploys? The developer is interested in getting traffic into the cluster, into the application, and then when something goes wrong they want to be able to do some deep tracing to find out where their application threw an exception or where the problem was. And then the SRE, who's in charge of meeting the service level objectives, let's say they have an SLO of 99.5%. So in order to figure out problems when they happen, they need the logs, they need metrics. And so how does Kubernetes, or how does the platform, enable them to be faster and be
quicker, and not build custom tools for all these things, and just make it easier for them? And last but not least, the security team wants to make sure that everything is tightly buttoned up, nothing is leaking, everybody is following the best security practices. So when you install Kubernetes, after you make all these choices, it's obvious that you still have to build all these things. You still have to make choices on the tooling and the workflows that you need to build out to support your stakeholders.
And so an ingress route is just a way of saying that if this traffic coming into the cluster has this certificate or this header, then send it to that microservice, or do a WAF, rate limiting or authentication on it. Developers want to be able to do tracing and debugging if they want to get into production. So if you're in charge of the CI/CD pipeline, how does that happen? How do you take code which is in your repository and then build it out into containers,
and then make sure that the newly deployed code actually meets the service level objectives of the old code? So you use canary and blue-green. A canary is a technique where you deploy the new code into production but only send a little bit of the traffic to the new code. And then you test the new code with real production traffic, you compare it with the old version, and then you declare success or declare failure. If you declare success, then you can move a hundred percent of the traffic to the new version. Blue-green is something similar,
where you deploy a brand new version of the application, you start sending traffic to the brand new version, but you keep the old one around, so in case the new version fails, you're able to switch back to the old version very easily. The cluster admin is typically not operating just one cluster; some of our customers are operating dozens of clusters. And again, Kubernetes doesn't offer anything out of the box for that: how to send traffic to different clusters, how they communicate with each other.
And then we mentioned service mesh. So there's a service mesh, which is monitoring and intercepting all the traffic between microservices. How is that managed? And for the SRE, who's interested in maintaining service level objectives, they need the detailed telemetry into the applications as well as the infrastructure. And the security team is interested in making sure that the ingress traffic is secured with SSL. They want to make sure that the APIs are protected against DDoS, against web application attacks and so forth, and they're also interested in the service
mesh, because the service mesh offers automatic encryption and authentication inside the cluster. So the CNCF, the Cloud Native Computing Foundation that runs the Kubernetes project, has recognized the need for a broader solution, so they have a lot of projects for different parts of the solution stack that I talked about, and they also encourage vendors like Citrix to come in and integrate with the CNCF solutions like Kubernetes. We are a partner in the CNCF,
and some of the CNCF projects are here. Like I talked about, how do you get code from the repository to production? There are projects from Google for that. Istio is a service mesh project, again from Google, together with IBM; Linkerd is a CNCF service mesh; Tekton and Spinnaker are continuous deployment tools. And typically, if you are trying to do this, there was a session this morning where Duke Energy talked about their journey. It's pretty involved; it takes you a couple of months,
maybe several months, to figure out all the pieces of the solution stack. So we talked a lot about Kubernetes ingress, because that's one of the primary solutions offered by Citrix in this space, so let me explain what Kubernetes ingress is all about. You want to send traffic from outside the cluster into the cluster, but you want to be able to control the traffic. So you want to be able to say that if the HTTP header has a certain value, send it to a certain microservice; if the SNI in the certificate handshake indicates a certain
host, send it to a different microservice. Kubernetes allows you to write these rules as API objects called ingress rules, but doesn't tell you how to actually enforce those rules. So what we do is offer the Citrix ADC as an enforcer, as a proxy that enforces those rules and controls traffic into the cluster. You can use any form factor of Citrix ADC, whether it's the VPX or the container CPX, and then we give you a controller, which reads the Kubernetes ingress rules and converts them into ADC
configuration. A little bit more about what a service mesh is. So if you have two microservices residing in different pods (a pod is nothing but a container in Kubernetes terminology), they want to talk to each other over the network. With a regular pod, the traffic goes through its own network stack and then reaches the network stack of the other pod. So if you want to be able to control the traffic here, if you want to relieve the burden on the developer of doing things like load balancing or
retries or circuit breaking, and if you're security-minded and want automatic encryption and authentication between microservices, then you might say that you want to send the traffic to a proxy; not just one proxy, send it through two proxies. Then all the traffic looks like this, and when you do this, suddenly you're able to exert a lot of control over the traffic between the microservices. You can do things like mutual TLS. Mutual TLS will ensure that the traffic between them is authenticated and encrypted. If you don't trust your developers to do the
right level of timeouts and retries and load balancing, then you can do that kind of enforcement in the proxy as well. And to tie it all together, you run a control plane like Istio, which will control these proxies and deliver what you intended: whether you want it encrypted, what type of load balancing you want, you can deliver that to the proxies. So this is independent of Kubernetes, but works very well with Kubernetes. The control plane is typically another set of Kubernetes objects, and it runs as a Kubernetes controller. So how does it go together
with Citrix ADC? So our solution set consists of the following. First of all, there is the ADC, and you can use any form factor of the ADC; like I said before, the MPX, VPX, CPX, and now we have the bare metal BLX as well. Then there is the ingress controller, which converts the Kubernetes ingress and the Kubernetes commands into Citrix ADC configuration. The ingress controller runs inside the Kubernetes infrastructure itself, so it takes advantage of Kubernetes features like high availability, autoscaling and reliability. And
then there is the ADM. The ADM is where you send your logs and your metrics, and then you get things like the service graph, you can dig deep into your metrics, and we can do things like anomaly detection. You can run this ADM either inside the Kubernetes cluster, you can run it in the cloud, or you can run it inside a VM. We have a broad range of integrations with the ecosystem: we can integrate with Kubernetes distributions, whether it's a distro like OpenShift or whether it's a
cloud-managed Kubernetes like Azure Kubernetes Service. We will still work with that to provide the ingress with Citrix ADC, tools like Prometheus, Grafana and Fluentd, and related ecosystem tools like Spinnaker, to give you all the choices that you need to build out your Kubernetes platform. This is the same as what I just said, in a slightly different form. So at the bottom you have the Kubernetes nodes, the Kubernetes distributions and the containers running on them. And then the solutions we provide are the ingress, service mesh,
observability and the broad integration with all the open source tooling. So when you talk about ingress, ingress is typically specified as HTTP and HTTPS only, with routing and encryption, TLS. But there are legacy apps, for example, and so you need additional special features such as TCP, TCP with SSL, UDP, canary routing, and then layer 7 functions like rewrite and responder capabilities, authentication and WAF as part of ingress. Now, if you
need more than ingress, we call it ingress plus-plus, and everything is built as part of our solution. If you look at the other ingress solutions out there, nobody uses ingress out of the box, because it's, what's the mathematical term, necessary but insufficient. So you need ingress, but it's not sufficient. You need to add all these other traditional layer 7 proxying functions, which is what the Citrix ingress plus-plus provides you with.
So what does it look like once you've chosen the Citrix ADC solution and you've chosen a particular solution? What does it all look like? So this is your Kubernetes cluster, whether it's running in the cloud or whether you're running it on a laptop or in your data center. There's the VPX or MPX, which is outside the cluster, and we call this the tier-1 ADC. The tier-1 ADC is typically used, especially when you use it in the multi-tier solution, for layer 4 functions or even SSL termination,
and then you can run the CPX, which is the container form factor of the Citrix ADC, inside the cluster, and this is where you do all the ingress functions that I was talking about. And then the Citrix ingress controller runs as a pod, or a Kubernetes container, inside the cluster and controls the Citrix ADC. You can stream the transaction logs from the Citrix ADCs into an open source tool called Elasticsearch through an integration called Fluentd,
which is part of the CNCF. Or you can send the transaction logs to the Citrix ADM, and that allows you to draw up the very nice service graph, which gives you the map of all the services that are talking to each other, and it also provides the licensing. We also expose all the counters, all the detailed metrics and counters, right from the TCP layer all the way to layer 7, that we are collecting; you can export that into a CNCF tool called Prometheus and view it in a Grafana dashboard. The same counters and metrics are also available in the ADM, where you can
do advanced analytics, to do things like anomaly detection. If you choose not to use the second tier of the CPX, you can still use whatever you purchased, the MPX or VPX, as the load balancer or ingress solution into your Kubernetes cluster. In that case the CIC, the Citrix ingress controller, is controlling the ADC outside the cluster, and that's how the traffic comes in. For the ADC to be able to talk directly to the pods, the application pods inside the cluster, you need to be able to make the Citrix ADC present in the same network as
the pods, or set up some kind of routing, and we do have that integration. For example, if you choose to use Calico CNI or another CNI inside the cluster, that should be possible, but it does take a little bit of networking smarts to be able to do this. And if you're looking at the traffic inside the cluster, Kubernetes provides you out of the box something called kube-proxy, which is nothing but iptables, which lets the traffic inside the cluster between microservices be load balanced using iptables.
You can also use what I like, and what I recommend all the time, which is the two-tier solution. So the first tier, again, can do service type LoadBalancer, which is more of a cloud-native type of load balancing, layer 4 functions, and then distribute traffic into the tier-2 CPXs, and the CPXs then distribute traffic to the front-end pods as well. So that's what you have. You can continue using kube-proxy for east-west traffic, for traffic within the cluster. Or what you can do is,
for certain traffic, if you want it to be managed by the Citrix ADC to do the functions which the ingress does, like SSL or rewrite and responder, you can send it to the CPX. This is what we call service mesh lite, because you're not running a proxy next to each pod, but you're still getting the proxy functions: we're able to inspect the traffic and do all the traditional proxy functions for traffic within the cluster. You can also choose, when you're running in the cloud, to run it with the cloud-native load balancer. So if you're running in Amazon,
you use ELB; if you're running in Azure, use Azure Load Balancer; in Google, use the Google Cloud load balancer; and then use the cloud-native load balancer as the layer 4. So once you do this, once you've implemented the Citrix ADC as your ingress and east-west, you can immediately start seeing the benefits in the Citrix ADM. You can see the service graph. The service graph is something quite unique to Citrix ADM. It shows you a real-time map of all the microservices in your cluster talking to each other, and it gives you the details of all the transactions that are going on.
For instance, if you click on a node inside the service graph, it tells you how busy that node is, how many connections are coming to it, are there any errors in that node. If you click on the links between the nodes, then it tells you how many transactions are there, are there errors. An SRE is typically interested in the golden signals: latency, availability, saturation and errors are immediately visible from the service graph. And sometimes you don't have to click on it; just the color of the nodes and the edges will tell you
what's going on inside the cluster. And because it's being run through the ADM machine learning, we can also detect anomalies even before you can see a problem in the traffic. We can also do automated canary deployments with the Citrix ADC. Now, this is being done by the web-scale companies like Netflix. Let me explain what it involves; I don't think I have time to play the demo for you. So let's say you have version 1 of the
code, and version 1 is running in production already, and the developers check in version 2. The deployment system, like Spinnaker, which is an open-source deployment tool, will detect that, build the artifacts and then deploy version 2 into production automatically. So it's a highly automated system. But instead of deploying v2 blindly, because who knows, v2 may be buggy, what you do is deploy it in canary mode. So what you do is you deploy two new versions of the application, you deploy two new deployments of the
application: a tiny one with v1 and a tiny one with v2. Next you use the Citrix ADC to send traffic to all these three deployments, so you can choose to say that you send 80% of the traffic to the old version running in production already and 20% of the traffic to the canaries, and of the 20%, half to v1 and half to v2. Now you can start comparing between v1 and v2, which one is performing better. If v2 is performing just as well as v1, or better, then you're safe to move the canary
into real production, bring v2 into real production. If it's not, then you say okay, v2 is bad, send the ticket back to the developers, let's try v3 next time. And the way you do that is the Citrix ADC is observing the traffic between all these applications and is able to send the metrics to something like Prometheus, for instance. Here I'm showing you that v2 has more server-busy errors than v1. And then a tool like Spinnaker has a plug-in
to look at the Prometheus metrics and make a judgment call, saying that it looks like v2 is worse than v1 based on the metrics from the Citrix ADC. Let's make a call there: should I kill the canary or should I roll it into full production? And in this case Spinnaker made the choice to kill the canary, and then we go back to a hundred percent of the traffic to v1. We also have an advanced integration where we're able to step the canary, say from 7 to 10%, and the judgment says that it looks good.
Then it is able to increase the traffic to 20%, and then 30%, 40%, highly automated, so that there's no human in the loop: judge the performance of each version and then move the traffic into full production in an automated fashion. And in the next couple of quarters, we can offer service mesh, which is specifically the Istio integration. So the way it works is the ingress is the traffic coming into the cluster, but once it's in the cluster, how do you control the traffic within the cluster? And you do this by running
tiny CPXs. It's the same CPX, actually. So the CPX can be the ingress, or it can be next to each pod, and when it's running next to each pod we call it the sidecar CPX. And just like I showed you before, it's able to intercept the traffic coming into the pod, and once you do that, you're able to control things like: is it authenticated, is it encrypted, can you do automatic circuit breaking and retries and traffic shaping? So that's the integration with Istio. So what you
do is write your service mesh controller commands into Istio, and then Istio sends the commands to the CPXs, and the CPXs implement the service mesh for you. So I have a demo for this. First we'll go through an Istio ingress service mesh demo. Istio has a replacement for ingress called the Istio Gateway, and we'll show you a demo with the CPX and the standard application which comes with the Istio documentation, which is Bookinfo. Bookinfo is a set of a couple of
microservices: the reviews microservice, the details microservice. As you can see, the product page calls the reviews and the details microservices, and then reviews calls the ratings microservice. And then the ingress gateway is where you control the traffic into the cluster. Once you've deployed this Bookinfo into your cluster, these are the various Istio objects that are being deployed. So Istio policy, Istio Pilot, Istio ingress gateway are all the
control plane objects, which are going to control the CPXs. In the CPX deployment you can see that there's a CPX there, and there's something called the Istio bridge, which converts Istio commands into CPX configuration. As you click into any one of these pods, you can see that there is an additional CPX that's running inside that pod, as well as the Istio bridge as a sidecar. The Istio bridge converts Istio commands to CPX
commands. And then you're sending the metrics into Prometheus and Grafana, and you can see that as you send traffic into ingress, the leftmost one, the yellow bars are showing traffic into the other microservices. I think it was like 20,000 requests spread equally among all the microservices. So that was the demo showing a simple integration of Istio ingress with the CPX. Next is a demo to show you how we can use Istio to control traffic
between the microservices. And so here we will try and send 75% of the ingress traffic to one version of the product page and 25% to the other version, and observe this distribution in Grafana. The product page is slightly different in v2. So these are just applying Istio commands. And here what you see is the YAML that you write: you can just specify the weighting between v1 and v2, 75/25.
And then you apply those rules into Istio. Let me see. There are two versions of the pods, the v1 pods and the v2 pods. And then you can see the 75% and 25% split visible in the dashboard. All right. This demo shows you how to encrypt and mutually authenticate between the microservices. So the green lock symbols are showing you how we are going to automatically ensure that the traffic is authenticated and encrypted using mutual TLS.
First we verify that mutual TLS has not been installed, so there's no mutual TLS between all the microservices. And as a result, you run a random container called sleep, and from inside the container you're able to call the reviews microservice, and it says no problem, I can talk to you. So that's slightly insecure. And so now we'll install the mutual TLS rules, and then we'll see that it should be blocked. We check that
there's now mutual TLS enforcement between all the microservices, and now from the random pod we try and call the reviews service, and the random pod is denied, thanks to mutual TLS being enforced by the CPX sidecar pods. Let's get back to the presentation. So in conclusion, when you want to go cloud native, your journey is all about wanting to go faster, with some safety. Kubernetes and the CNCF ecosystem are how you build a cloud-native platform. You have to make a lot of choices; you're going to build a
lot of stuff around Kubernetes. When you do that, you're going to make sure that you take care of your stakeholders, otherwise your Kubernetes platform is not going to be very successful. We have several products and tools to help you go cloud native with Citrix ADC. We have the advanced ingress, ingress plus-plus; solutions for DevOps like canary control; solutions for SRE like the service graph; solutions for developers like ingress and traffic control; solutions for platform and security like certificate management and service mesh; and last but not
least, Istio in the upcoming couple of quarters. Thank you. So, questions please; mics are on both sides. A question about the CIC: you kind of glossed over the CIC and its usability together with the CPX embedded inside the pods. Could you just explain a little bit more? It's the same thing: you're controlling the VPX or the CPX. When you deploy the CPX, the CIC gets injected as a sidecar into the CPX pod. So each CPX gets its own copy of the CIC, so they're always running together.
But if you want to control something that's outside, like a VPX, then you run the CIC as a separate pod. A quick question for the audience: who's running Kubernetes, and who's interested in service mesh? All right, okay. Thank you guys. Just one more thing: there is one more session at 4:30 to check out; it is a real-world exploration of how Duke Energy ended up running Kubernetes in production with the Citrix ADC. Cool. Thanks. Thank you guys.
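The three mechanisms the talk demonstrates (an ingress rule that routes by host, the 75/25 weighted split between two versions of the product page, and mutual TLS enforcement that blocks the sidecar-less "sleep" pod) can be expressed as ordinary Kubernetes and Istio objects. The manifests below are an added example written for this page; they are not Citrix's code, the demo's files, or the Citrix Istio bridge configuration. They assume the Istio Bookinfo sample is deployed in a namespace called `bookinfo` with `productpage` Deployments labelled `version=v1` and `version=v2`, that a TLS Secret named `bookinfo-tls` exists, and that the hostname `bookinfo.example.com` and the ingress class name `citrix` are placeholders. The Istio API versions are those of Istio 1.6 and later, newer than what the demo in the talk would have used; the same split and mTLS settings existed under older API names.

```yaml
# Added example, not from the talk. See the assumptions in the lead-in above.

# 1. Plain Kubernetes ingress rule: "if the Host header says this, send it to that
#    service". Kubernetes only stores the rule; the ingress controller (the Citrix
#    CIC in the talk) pushes it to the proxy that actually enforces it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bookinfo
  namespace: bookinfo
  annotations:
    kubernetes.io/ingress.class: citrix   # assumed class name; depends on the controller in use
spec:
  tls:
    - hosts: [bookinfo.example.com]        # placeholder hostname
      secretName: bookinfo-tls             # assumed pre-existing TLS Secret
  rules:
    - host: bookinfo.example.com
      http:
        paths:
          - path: /productpage
            pathType: Prefix
            backend:
              service:
                name: productpage
                port:
                  number: 9080
---
# 2. Istio: name the two versions as subsets by pod label ...
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: productpage
  namespace: bookinfo
spec:
  host: productpage
  subsets:
    - name: v1
      labels: {version: v1}
    - name: v2
      labels: {version: v2}
---
# ... and split the ingress traffic 75/25 between them (the canary from the demo).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: bookinfo
spec:
  selector:
    istio: ingressgateway   # assumed: Istio's default ingress gateway; the talk uses a CPX here
  servers:
    - port: {number: 80, name: http, protocol: HTTP}
      hosts: ["*"]
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: productpage
  namespace: bookinfo
spec:
  hosts: ["*"]
  gateways: [bookinfo-gateway]
  http:
    - match:
        - uri: {exact: /productpage}
      route:
        - destination: {host: productpage, subset: v1}
          weight: 75
        - destination: {host: productpage, subset: v2}
          weight: 25
---
# 3. Require mutual TLS for every workload in the namespace. A pod with no sidecar
#    (the demo's "sleep" pod) sends plaintext, which the proxy in front of reviews
#    now rejects; a pod that does have a sidecar still connects, over mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: bookinfo
spec:
  mtls:
    mode: STRICT
```

Apply with `kubectl apply -f` and watch the per-version request rate in Grafana to confirm the split; weights are applied per request, so a single client's requests land on both versions. Two caveats a practitioner should keep in mind: roll `PeerAuthentication` out as `PERMISSIVE` first and switch to `STRICT` only once every caller has a sidecar, otherwise legitimate sidecar-less clients are cut off along with the rogue ones; and STRICT mTLS authenticates workloads, not users, so the "is it authenticated" question in the talk still needs an `AuthorizationPolicy` or an end-user token check if you want to decide which services may call which.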