consul/website/content/docs/intro/usecases/what-is-a-service-mesh.mdx

110 lines
9.2 KiB
Plaintext
Raw Normal View History

2022-01-06 20:57:22 +00:00
---
layout: docs
page_title: What is service mesh??
description: >-
2022-01-14 17:09:05 +00:00
Learn what a serive mesh is, it's benefits, and how it works.
2022-01-06 20:57:22 +00:00
---
# What is a Service Mesh?
2022-01-14 21:46:59 +00:00
A _service mesh_ is a dedicated network layer that provides secure service-to-service communication for on-prem, cloud, or multi-cloud infrastructure.
2022-01-14 17:09:05 +00:00
Service meshes are often used with a microservice architectural pattern, but can provide value in any scenario where complex networking is involved.
2022-01-14 21:46:59 +00:00
## Benefits of a Service Mesh
A _service mesh_ provides benefits for all organziations, ranging from security to improved application resiliency.
Some of the benefits of a _service mesh_ include;
- service discovery
- application health monitoring
- load balancing
- automatic failover
- traffic management
- encryption
- observability and tracability,
- authentication and authorization,
- network automation
A common usecase for leveraging a _service mesh_ is to achieve a [_zero trust_ model](/use-cases/zero-trust-networking).
In a _zero trust_ model, applications require identity-based access to ensure all communication within the service mesh is authenticated with TLS certificates and encrypted in transit.
## How does a Service Mesh work?
A _service meshe_ typically consist of a control plane, and a data plane. The control plane maintains a central registry that keeps track of all services and their respective IP addresses, this is called _service discovery_.
2022-01-14 17:09:05 +00:00
As long as the application is registered with the control plane, the control plane will be able to share with other members of the mesh how to communicate with the application and enforce rules for who can communicate with each other.
2022-01-18 22:12:26 +00:00
The control plane is responsible for securing the mesh, facilitating service discovery, health checking, policy enforcement, and other similar operational concerns.
The data plane handles communication between services.
2022-01-14 17:09:05 +00:00
Many _service mesh_ solutions employ a sidecar proxy to handle data plane communications, and thus limit the level of awareness the services need to have about the network environment.
2022-01-06 20:57:22 +00:00
2022-01-14 21:46:59 +00:00
![Overview of a service mesh](/img/what_is_service_mesh_1.png)
## API Gateway vs Service Mesh
2022-01-06 20:57:22 +00:00
2022-01-14 21:46:59 +00:00
An API gateway is a centralized access point for handling incoming client requests and delivering them to services.
The API Gateway acts as a control plane that allows operators and developers to manage incoming client requests and apply different handling logic depending on the request.
The API Gateway will route the incoming requests to the respective service. API Gateways primary function is to handle requests and return the reply from the service back to the client.
2022-01-06 20:57:22 +00:00
2022-01-14 21:46:59 +00:00
A _service mesh_ specializes in the network management of services and the communication between services.
The mesh is responsible for keeping track of services and their health status, IP address, traffic routing, and ensuring all the traffic between services are authenticated and encrypted.
Unlike API Gateways, a _service mesh_ will track all registered services' lifecycle and ensure requests are routed to healthy instances of the service.
API Gateways are frequently deployed alongside a loadbalancer to ensure traffic is directed to healthy and available instances of the service.
The mesh reduces the loadbalancer footprint as routing responsibilities are handled in a decentralized manner.
2022-01-06 20:57:22 +00:00
2022-01-14 21:46:59 +00:00
API Gateways can be used togehter with a _service mesh_ to bridge external networks (non-mesh) with a _service mesh_.
2022-01-06 20:57:22 +00:00
2022-01-14 21:48:54 +00:00
-> **Note**: API Gateways are frequently used to accept north-south based traffic. North-south traffic is networking traffic that either enters or exits a datacenter or a virutal private network (VPC).
A _service mesh_ is primarly used for handling east-west based traffic. East-west traffic traditionaly remains inside a datacenter or a VPC.
2022-01-14 21:46:59 +00:00
A _service mesh_ can be connected to another _service mesh_ in another datacenter or VPC to form a federated mesh.
2022-01-06 20:57:22 +00:00
2022-01-14 22:09:33 +00:00
## What Problems Does a Service Mesh Solve?
2022-01-06 20:57:22 +00:00
Modern infrastructure is transitioning from primarily being static-based to dynamic in nature (ephemeral).
This dynamic infrastructure has a short life cycle, meaning virtual machines (VM) and containers are frequently recycled.
It's difficult for an organization to manage and keep track of application services that live on short-lived resources. A _service mesh_ solves this problem by acting as a central registry of all registered services.
As service instances, either VMs or containers, come up and down, the mesh is aware of their state and availability. The ability to conduct _service discovery_ is the foundation to the other problems a _service mesh_ solves.
As a service mesh is aware of the state of a service and its instances, the mesh can implement more intelligent and dynamic network routing.
Many service meshes offer L7 traffic management capabilities. As a result, operators and developers can create powerful rules to direct network traffic as needed, such as load balancing, traffic splitting, dynamic failover, and custom resolvers.
A service mesh's dynamic network behavior allows application owners to improve application resiliency and availability with no application changes.
Implementing dynamic network behavior is critical as more and more applications are deployed across different cloud providers (multi-cloud) and private datacenters.
Organizations may need to route network traffic to other infrastructure environments. Ensuring this traffic is secure is on top of mind for all organizations.
Service meshes offer the ability to enforce network traffic encryption (mTLS) and authentication between all services. The _service mesh_ can automatically generate an SSL certificate for each service and its instances.
The certificate authenticates with other services inside the mesh and encrypts the TCP/UDP/gRPC connection with SSL.
Fine-grained policies that dictate what services are allowed to communicate with each other is another benefit of a _service mesh_.
Traditionally, services are permitted to communicate with other services through firewall rules.
The traditional firewall (IP-based) model is difficult to enforce with dynamic infrastructure resources with a short lifecycle and frequently recycling IP addresses.
As a result, network administrators have to open up network ranges to permit network traffic between services without differentiating the services generating the network traffic. However, a _service mesh_ allows operators and developers to shift away from an IP-based model and focus more on service to service permissions.
An operator defines a policy that only allows _service A_ to communicate with _service B_. Otherwise, the default action is to deny the traffic.
This shift from an IP address-based security model to a service-focused model reduces the overhead of securing network traffic and allows an organization to take advantage of multi-cloud environments without sacrificing security due to complexity.
2022-01-06 20:57:22 +00:00
2022-01-14 22:09:33 +00:00
## How Do You Implement a Service Mesh?
2022-01-06 20:57:22 +00:00
2022-01-18 22:12:26 +00:00
Service meshes are commonly installed in Kubernetes clusters. There are also platform-agnostic service meshes available for non-Kubernetes-based workloads.
For Kubernetes, most service mesh can be installed by operators through a [Helm chart](https://artifacthub.io/). Additionally, the service mesh may offer a CLI tool that supports the installation and maintenance of the service mesh.
Non-Kubernetes based service meshes can be installed through infrastructure as code (IaC) products such as [Terraform](https://www.terraform.io/), CloudFormation, ARM Templates, Puppet, Chef, etc.
2022-01-06 20:57:22 +00:00
## What is a Multi Platform Service Mesh?
2022-01-18 22:12:26 +00:00
A multi-platform service mesh is capable of supporting various infrastructure environments. This can range from having the service mesh support Kubernetes and non-Kubernetes workloads, to having a service mesh span across various cloud environments (multi-cloud).
## What is Consul?
Consul is a multi-networking tool that offers a fully-featured service mesh solution that solves the networking and security challenges of operating microservices and cloud infrastructure.
Consul offers a software-driven approach to routing and segmentation. It also brings additional benefits such as failure handling, retries, and network observability.
Each of these features can be used individually as needed or they can be used together to build a full service mesh and achieve [zero trust](https://www.hashicorp.com/solutions/zero-trust-security) security. In simple terms, Consul is the control plane of the service mesh.
You can use Consul with virtual machines (VMs), containers, or with container orchestration platforms, such as [Nomad](https://www.nomadproject.io/) and Kubernetes.
Consul is platform agnostic which makes it a great fit for all environments, including legacy platforms.
Consul is available as a [self-install](/downloads) project or as a fully managed service mesh solution called [HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs).
HCP Consul enables users to discover and securely connect services without the added operational burden of maintaining a _service mesh_ on their own.
2022-01-06 20:57:22 +00:00
## Next
2022-01-18 22:12:26 +00:00
Get started today with a _service mesh_ by leveraging [HCP Consul](https://portal.cloud.hashicorp.com/sign-in?utm_source=consul_docs).
Prepare your organization for the future of multi-cloud and embrace a [zero-trust](https://www.hashicorp.com/solutions/zero-trust-security) architecture.