Integrating VM workloads into Anthos Service Mesh

Chris Crall
Product Manager at Google
Google Cloud Next 2020
July 14, 2020, Online, San Francisco, CA, USA

About speakers

Chris Crall
Product Manager at Google
Sven Mawson
Principal Engineer at Google

Experienced technologist with expertise in systems infrastructure: cloud, HPC security and networking systems. I've led small and medium size teams to design, develop and deliver solutions in these technologies.


About the talk

VMs are used to run the majority of services in enterprises. Whether due to specific technical requirements, developer preferences, or simply time and budget constraints, many applications are not moving to containers and Kubernetes yet. Learn how to incorporate these existing VM workloads into Anthos Service Mesh. Also, see how to use Compute Engine to simplify the installation and management of the Envoy proxy and how to add VMs to the mesh. Lastly, explore how you can modernize your VMs in place or develop a strategy to migrate your VMs to containers. Regardless of the path chosen, we show how the VMs can participate in the mesh and get all the same benefits of security, policy, and telemetry that Anthos Service Mesh provides to Kubernetes workloads.

Speakers: Chris Crall, Sven Mawson

Watch more:

Google Cloud Next ’20: OnAir → https://goo.gle/next2020

Subscribe to the GCP Channel → https://goo.gle/GCP

#GoogleCloudNext

APP211


Welcome to today's session on integrating VM workloads into Anthos Service Mesh. I'm a product manager at Google Cloud, and I've been focusing on service mesh for that time, and for the last two years specifically on Anthos Service Mesh. And I'm Sven Mawson, software engineer at Google Cloud. I'm one of the founders of the Istio project, and I've been focused really on expanding the reach of meshes to multiple clusters and, in this case, VMs. So before we get into the details of how we're integrating VM workloads into the service mesh,

I want to give a little background, a little motivation on why we're doing it. So one of the factors behind this is the microservice trend. This is a big topic in the industry; it has been for some time, and people talk about a lot of things about microservices: how, when you break the monolithic application up into smaller services, teams can move faster. They can even decide which language each team wants to write in; some might write in Java, some might write in Python, it doesn't matter, because they're broken apart and operate independently. Each team can roll out new versions on their own; they don't need to roll out the whole application at one time. It might be more scalable. They can swap out something that's been purpose-built for, maybe, a SaaS service. So tons of benefits behind microservices. But the bottom line is, what you're trying to do is roll out new solutions for your customers. You're trying to get those solutions out there faster and make them better, either higher reliability, more functionality, whatever it is; you're trying to roll out solutions to your customers. However, this new architecture comes with some drawbacks as well, right? As you break things apart, now your services are doing a lot more communication than they used to. So you have to know how they're communicating, and you may need to secure that communication. Since the services are independent, you may have them logging in different places, which is harder to deal with. So all these things can lead to some confusion, some downtime, and ultimately unhappy customers.

So what can we do to solve this? Well, one thing we can do is introduce the service mesh. Now, a service mesh, as I've defined it here in generic terms, provides several attributes. One is, first off, it should be transparent: it should allow us to roll out a mesh and not have to go in and change application code, so you don't have to link libraries in and things like that. As we talked about with microservices, it should be language independent, so it shouldn't matter whether your component is written in Go or Java; it should work in the service mesh. And then you want that service mesh to be able to automate a bunch of things for you. Whether it's network traffic or logging or whatever it is, it should be automatic. So those are the kinds of things a service mesh can give you.

So let's talk about Anthos Service Mesh and what it does provide for you. Now, Anthos Service Mesh, sometimes we use the acronym ASM, is built on top of Istio. It's powered by Istio, which is an open source project that Google started and works on with multiple partners. We talk about three main attributes of Anthos Service Mesh. The first thing is uniform observability. So the idea is that we can collect metrics on all communication going on in the mesh: we know which services are talking to which other services, we know what the requests per second are between those services, we can find the error rates, and that can be done instantaneously as well as over a time series. We can even set SLOs, both on availability and latency. So we have lots of information about what is going on in the mesh from a traffic perspective. Second, we have operational agility. We are in the network and we can control that network traffic, so we can do lots of things: we can do canary deployments or blue-green deployments, we can do load balancing, and we can do load balancing with a variety of algorithms. For testing purposes, we can even do fault injection so you can make sure your services are resilient. The third attribute is security. So first, we have identities for the different services, and with those identities we can get certificates. Once we have those certificates, then we can enable mTLS. So with mTLS, now we know what services are talking to which services in a secure, cryptographic manner, and all that data can be encrypted. On top of mTLS, then, we can set access control policies. We have simple things like allow and deny, but we have lots of others. So those are three big areas of Anthos Service Mesh.

So let's talk about how that plays with VMs. Now, we've known from the very beginning that VMs were critical in the service mesh, because 90% of the workloads we see in customer environments are running on VMs or bare metal machines. Containers and Kubernetes provide a lot of wonderful things, but most of the critical workloads are on VMs, so we integrate those into the environment. In this diagram I'm showing a high-level architecture of what the mesh looks like. On the left is a Kubernetes cluster, and there are some control plane components deployed and running there, whose main objective is to put proxies beside the pods for the services running in the cluster. Across the bottom I'm also representing managed control plane components. These are Stackdriver for logging and metrics, Traffic Director for controlling the traffic in the mesh, and Mesh CA for certificates. But in the middle are the VMs. And again, this is what the session is about: how we incorporate these VMs into the mesh. The workloads are on VMs in some cases because that's just where they need to run. Databases have been tuned and run very well on VMs. Moving those to containers may or may not give you the same kind of performance, so a lot of customers are still running their data stores in VMs, and that makes a lot of sense. Second, we have packaged applications. Some vendors don't support their applications running in containers, so a particular company may have an ERP or a CRM application and they have to run it on a VM, and usually the vendor will tell them exactly what distro and what version of the VM they have to run. Most importantly, there are probably the legacy applications. These are the applications that you've built to run your business, and those are still running on VMs. They probably will be for a long time. There's no way that a company has the budget, the time, and the engineers to move everything over to containers, even if that made sense. So VMs are going to be around for a long time, and we have to incorporate those into the mesh.

So let's start diving into how we're going to do that, and we can talk about managed instance groups. Now, managed instance groups are a feature of GCE, and they are a set of VMs controlled as a group; for example, a web front end that has ten VMs running that web front end, so you can scale, you're doing load balancing, things like that. So the way that managed instance groups are created in GCE is you first create a template that defines what the VM looks like: how much memory do I want, what kind of storage, all of those things. Once that's in there, the managed instance group is created and the user tells the managed instance group how many VMs should be created. I want 20 VMs, I want a hundred VMs, or you can even do autoscaling: I want somewhere between fifteen and thirty-five VMs. So the managed instance group will spin up the VMs and control how they're created. The wonderful thing about MIGs is that, because the managed instance group is controlling the life cycle, it can do health checks on the VMs and kill the VMs that aren't working correctly and then restart them again. Autoscaling events: if you have autoscaling turned on, it will start and stop VMs depending on the load. So what we're doing, and Sven will go into a lot more detail on this, is we're adding some features to the instance template so that the managed instance group creates the VMs, adds the mesh software to them, and allows them to join the mesh. Sven is going to go into more detail now.

So I'm going to try to give a brief overview of the architecture of the system, and I'm going to use an example that I'm actually going to be using in a demo later. So here we have a GKE cluster that's running Anthos Service Mesh 1.6. It has the Online Boutique application installed in it, except we actually took out the product catalog service and moved that over into a MIG instead of it running in a Kubernetes pod. And I want to talk a little bit about how Anthos Service Mesh works and the services it relies on, because I think it's important to understand just how many different services are involved in making the mesh. So the first thing that happens when the MIG starts up is that it starts up this agent that's running in the VM in the MIG. And that agent connects over to the DNS server running in Kubernetes; it's acting as a proxy for the DNS server. And this is used to give service discovery to the VM, just like you get service discovery in pods, so the same type of mesh services will be resolved. The second service it talks to is the Mesh CA, which is used to mint certificates for the VM, and the way this works in practice is that the agent is actually acting kind of as a proxy: it runs a secret discovery service over to the VM and it gets the certificate. So the agent then starts up the Envoy proxy that's running inside the VM, and the proxy is configured to talk to the control plane, which in this picture is istiod running in the cluster, and it's also configured to send telemetry over to Stackdriver. So this sends all of the logs, metrics, traces, and actually also edges, which we use for the topology graph, over to Stackdriver, and to Mesh CA for those certificates. ASM is also relying on the API server for configuration storage. That's actually not pictured here, but that's also another key component of the system: you need a place to store your configuration, things like service authorization, the routing information; basically all the configuration for the features that Anthos Service Mesh offers is provided in that configuration.

Okay, so let's walk through how we actually add this VM, and we're going to look at the four different steps here. So step one is configuring the identity that the VM needs. Step two is starting up the MIG and connecting it to the services it needs. And then step three and four are registering that VM as an endpoint in the mesh, and selecting that endpoint, or all the endpoints that are relevant, into a service. Let's walk through. The first thing we're going to look at is the identity space, and this gets a little bit complicated because on GCP the VMs are actually running as GCP service accounts, not as Kubernetes service accounts, and these have a different form. So for a GCE service account, there are really two main ways that you can run a VM. You can either use the default service account, or you can use a named service account that you created, which is the service account name. These would be the identity that the VM starts up with, and it is available through the metadata server built into GCE. But in Anthos Service Mesh we want to use mesh identities, and mesh identities are basically three parts. They are a trust domain, or a workload pool, which identifies the source of the identity, and then the namespace and a service account within it. And so we need to map between these two, and ASM for GCE provides a default mapping that will map those service accounts over into service accounts in ASM. We are also working on making this configurable so you can map into the namespaces that you want to rather than the default.

Okay, so now we need to actually get that instance group started and verify that everything is okay. So we do this using the mechanisms that Chris was just talking about earlier, using an instance template that we configure with the service proxy. We give it the configuration it needs to know what identity it needs to use, and then we connect it to the control plane components that I was just talking about. Once it's running, we can verify that it works correctly. We can check that it's connecting to the control plane and is getting configuration, we can verify it has a certificate and rotation is set up properly, and we can make sure Stackdriver is receiving telemetry. We're even going to look at what that looks like. We have this running, but we aren't able to actually call the VM yet; we can't route traffic to it yet. So to get traffic to the VM, we need to register it. And in Anthos Service Mesh we do this through something very similar to how pods and services work in Kubernetes. The equivalent of a pod is a workload entry. A workload entry is basically a named endpoint in a namespace. It gives us a way to attach labels and attach a service account to an endpoint, and then that can be selected by the next thing we're going to talk about, a service entry. A service entry basically lets us create a named mapping to endpoints in the same way that you do with Kubernetes services, except that it can also select: just like a Kubernetes service has a port or set of ports, it actually has a workload selector that says what endpoints are selected. And in ASM we also let you specify the host as a generic string; it doesn't have to just be a Kubernetes service. We can actually use the same service name as a Kubernetes one; you can just supply the host. So that's how this all works in architecture. Let's look at a demo next. In the demo we're actually going to set up exactly what I just talked about, and we're going to show off the three pillars: the observability features, the agility and traffic management features, and the security.

So let's see our demo of the Online Boutique running with VMs. We're going to show the three main pillars of a service mesh: the observability features, in the form of the dashboards; the traffic management capabilities; and the security features, and show off their uses. So let's get into it. So the first thing we can do is look at what we have created so far. So we have a GKE cluster here running Anthos Service Mesh. This cluster also has the Online Boutique sample application installed, except we don't have the product catalog service. We're also running a managed instance group with two VMs in it, and they are running the product catalog service from a MIG. Right now we don't have these things together. Right now this is failing because the mesh doesn't know about these VMs. So the first thing we do is create a workload entry and a service entry for the VM. Let's look at the workload entry for the product catalog service, v1 of it. And let's also look at the service entry. This new service entry basically says the product catalog service is all of the workload entries with the label selector below. So let's go ahead and create that. Now that we've created that, our Online Boutique should be working again. I notice it's working and running. The first thing we get is all the telemetry, because there's now traffic going through. This service is going to be observed, and we can actually see it in the dashboard. You can also use all the other great features of the service mesh dashboards: the ability to create SLOs, look at detailed metrics, all the same features you expect, but now available for a service running on a VM.

Okay, so the next step is, let's do some traffic management. So we want to roll out v2 of our service. The only difference between v1 and v2 is we're going to have a slightly different product catalog: a different product description and a different price. So let's go ahead and do that. So the way we do this is we're going to create another workload entry, and here we use v2 as the version instead of v1, and otherwise it's the same. And we don't have to actually change the service entry; we just add a new workload entry, which basically didn't do anything. So let's create that, and then we also need to create a destination rule and a virtual service. Our destination rule says which service, and there's a v1 and a v2 subset, and let's do a split, split traffic 50/50 between these. Normally you'd want to do something like 1%. And now if we go back to our boutique and we refresh, we should be able to see, yep, there it is, a different version. And if you keep refreshing, you can see it's sometimes a little bit different. If you want to go full-on v2, we can do that. We have a virtual service that says just send it all to the v2 subset. And now when we go to our boutique, it should always be updated. So that's a really basic look at traffic management. The final area here is security. So we already have mTLS set up, right? So these services are all talking to each other over mutual TLS. What we want to do is be able to say only the services we expect may call us.

The first thing we're going to do is show an authorization policy that just locks it down completely. So that's a good first step. And all we have to do is create an authorization policy that has a selector that matches the product catalog service, but it has no rules, so it doesn't allow any traffic in at all. So let's go ahead and do that. Once we deny everything, if we go look at the boutique, we can see access denied there, which is what we'd expect. Okay, so what about actually allowing the traffic that we do want? So here we have a different rule. This is again very simple: we have a rule that just says the principal that is calling is the default service account in the shop namespace. And now, if we go look at the shop, it works. So that is basically what security looks like. And so between that and the traffic management that you get from the service mesh and the great observability features, as you can see, this can be really useful for using virtual machines with the mesh. But I have a couple of questions I received from customers. The first one is, what about a single VM? How do I handle that? Well, the great thing about MIGs, aside from all the great features they offer, is that they're actually free. So you can just take your VM and you can extract an image from it, and you can run that as a single VM in a single instance group, and it's very easy to do. And then you can get all the great features of MIGs, including the ability to run the mesh.

Okay. And this is all great on GCE, but I have Anthos on-prem and I want to integrate my on-prem VMs. How do I do that? So we are actively working on making that both supported and very, very easy. It won't be quite as easy as we've managed to make it on GCE, because we don't have the equivalent of MIGs. But we do have plans in place to release a version of Anthos Service Mesh with VM support for on-prem, where you take a couple more steps than what we outlined here. You would be responsible for generating the configuration that goes on the VM and installing the ASM proxy there. But then once you have that, everything else will be the same: it connects to the control plane the same way, and you get all the great features of the service mesh.

And one last question: what if I have just VMs? My department or division isn't using Kubernetes right now; I just have VMs. How do I set up the mesh? That is an excellent question. So during the architecture overview that I was giving earlier, I was talking about the different services that we need to connect to. And so three of those services were still running in the cluster. There was the kube-dns DNS resolver, there was the API server used for the configuration store, and the great news is we're working on managed versions of all the control plane. The managed version is Traffic Director, which is already available through GCP's APIs, and we're working on making it available for DNS. We're actively working with the Cloud DNS team to actually integrate the Kubernetes DNS serving and GCE serving into a single system. So actually that will all be built in; you won't need to do anything extra. And again, Mesh CA, and then finally we're working on making a managed version of the API server. So again, you don't need to run anything; you can just use the managed API server and you'll be set with all those components. Great. Okay. Well, thank you very much. Yeah, great questions, and this was a lot of fun. Thanks very much.
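The mesh objects the demo walks through (a workload entry for the VM, a service entry that selects it, and the deny-all then allow-one-caller authorization policies), written out as an added example; this is not code from the talk or from the Online Boutique project. The namespace `shop`, the service account names, the VM address, the port 3550 and the `cluster.local` trust domain are assumptions made for illustration.

```yaml
# Added example (not from the talk). Namespace "shop", service account
# names, the VM address, port 3550 and the trust domain are assumptions.
---
# Step 3: the VM's endpoint, the mesh equivalent of a pod.
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadEntry
metadata:
  name: productcatalog-v1
  namespace: shop
spec:
  address: 10.128.0.11            # internal IP of the VM in the MIG (assumed)
  labels:
    app: productcatalogservice
    version: v1                    # a v2 entry differs only in this label
  serviceAccount: productcatalog   # mesh identity the VM's certificate carries
---
# Step 4: the named service that selects every matching workload entry.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: productcatalogservice
  namespace: shop
spec:
  hosts:
  - productcatalogservice.shop.svc.cluster.local   # same host the pods used
  location: MESH_INTERNAL
  resolution: STATIC
  ports:
  - number: 3550
    name: grpc
    protocol: GRPC
  workloadSelector:
    labels:
      app: productcatalogservice   # label shared by the v1 and v2 entries
---
# Security, first pass: a selector with no rules denies all requests
# to the selected workload, so the boutique sees "access denied".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productcatalog-deny-all
  namespace: shop
spec:
  selector:
    matchLabels:
      app: productcatalogservice
---
# Security, second pass: allow only the caller we expect, identified by
# the mTLS principal <trust-domain>/ns/<namespace>/sa/<service-account>.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productcatalog-allow-shop
  namespace: shop
spec:
  selector:
    matchLabels:
      app: productcatalogservice
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/default"]
```

Applying the two authorization policies together yields the end state of the demo, since a request is admitted when any ALLOW policy rule matches it; apply them one after the other to reproduce the deny-then-allow sequence shown on stage.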
