Confidential ©2019 VMware, Inc. VMware NSX Service Mesh KubeCon NA November 2019


Page 1

Confidential │ ©2019 VMware, Inc.

VMware NSX Service Mesh

KubeCon NA

November 2019

Page 2

Application Transformation Challenges: how to consistently connect, secure, and monitor cloud-native apps?

Inconsistent operational visibility and remediation policies

Many services to connect and make resilient

App silos running in multiple platforms and clouds

Disjointed security, auditing, and compliance

Platform shown: Enterprise PKS

Page 3

The Ideal Solution: Enterprise-Class Service Mesh, with consistent connectivity, security, and control

CONNECT, PROTECT, OPERATE

Multi-Cluster & Multi-Cloud: VMs, Public Clouds, Kubernetes

Page 4

CONNECT: NSX Service Mesh

Diagram: an NSX Service Mesh management plane (multi-cluster, multi-cloud) above the customer clusters (Enterprise PKS, Google KE). Each cluster runs an NSX Service Mesh Local Controller and an NSX Service Mesh Data Plane. PROTECT and OPERATE are shown alongside third-party components.

Page 5

Backup Slides

Page 6

Multi-Cloud Application: you can have any number of global namespaces

Diagram: Inventory View (Cluster 1, Cluster 2, Cluster 3) beside Logical View. GNS 1 (staging.app1.acme.com) and GNS 2 (prod.app1.acme.com) each contain an API Gateway, a Mobile App and a Web App, with an Ingress GW and an Egress GW per cluster. A GNS provides Identity, Policies, Traffic Routing, and Discovery / DNS. Platform shown: Enterprise PKS.

Page 7

Use Cases: NSX Service Mesh for APPLICATIONS across multiple clusters and clouds

CONNECT, PROTECT, OPERATE

App Mobility & Migration

Multi-Cloud Application Patterns

High Availability & Failover

E2E Encryption for Compliance

Authn/Authz for Services and VMs

Auditing & Alerting

Visibility for DevOps & SREs

App Deployments & Upgrades

App SLA / SLO Policies

Bridge to VM Workloads

Gateway Security

Page 8

VMware's Enterprise-Class Service Mesh Vision

Diagram: Users, Services, and Data connected through Discovery, Visibility, Control, and Security, spanning VMs, Public Clouds, Kubernetes, Serverless, and SaaS.

Page 9

Multi-Cloud Application Pattern: how to handle networking and security?

Diagram: Mobile App, Web App, API Gateway, SVC A, SVC B, SVC C, SVC D. Platform shown: Enterprise PKS.

Page 10

Why Do We Need Extensible Boundaries

Useful abstraction for multiple heterogeneous clusters and clouds

Ideal for highly distributed microservices

Useful for application transformation initiatives

Ideal for enterprise architectures and requirements

Diagram: Global Namespace 1 spanning a Kubernetes Cluster in Cloud 1 and a Kubernetes Cluster in Cloud 2.

Page 11

Global Namespaces: overcome multi-cloud challenges

Diagram: Global Namespace 1 containing Users, Mobile App, Web App, API Gateway, SVC A, SVC B, SVC C, SVC D, Services, and Data.

Page 12

NSX Service Mesh Global Namespaces: capabilities of a GNS

Diagram: Global Namespace Blue (also labelled Global Namespace 1) containing Users, Mobile App, Web App, API Gateway, SVC A, SVC B, SVC C, SVC D, Services, and Data. Capabilities of the GNS: Identity, Policies, Traffic Routing, Discovery / DNS.

Page 13

High Availability with Cross-Cluster Communication: Active-Active w/ Failover

Diagram: Inventory View beside Logical View. Cluster 1 / US-WEST and Cluster 2 / US-EAST sit behind a GLB, with DB Synch between the clusters. GNS 1 (staging.app1.acme.com) spans both clusters with an API Gateway, Mobile App and Web App, and an Ingress GW and Egress GW per cluster. GNS capabilities: Identity, Policies, Traffic Routing, Discovery / DNS. Platform shown: Enterprise PKS.

Page 14

Expansion to VM-based Workloads: supports app transformation and migration use cases

Diagram: GNS 1 (staging.app1.acme.com) spanning Cluster 1 and Cluster 2 with a Mobile App, Web App and API Gateway; GNS capabilities: Identity, Policies, Traffic Routing, Discovery / DNS. The NSX Service Mesh Management / Controller and the NSX ALB Controller sit above the clusters. Platform shown: Enterprise PKS.

NSX Service Mesh Integration with NSX Advanced Load Balancer (Avi Networks)

Page 15

Secure Cross-Cloud Internet Traffic

Diagram: NSX Service Mesh spanning Cluster A (trust domain foo.com) and Cluster B (trust domain bar.com), with GNS Blue and GNS Green. Every service (SVC A, SVC B, SVC C, SVC D) runs behind a Sidecar, and the sidecars speak Mutual TLS to each other. Workload identities: spiffe://foo.com/svca, spiffe://foo.com/svcd, spiffe://bar.com/svcb, spiffe://bar.com/svcc. Intermediate CAs (four shown) chain up to Root CAs (two shown). Platform shown: Enterprise PKS.

Page 16

Micro Segmentation for Global Namespaces: Authorization Policies

Diagram: GNS Blue and GNS Green across trust domain foo.com and trust domain bar.com, connected with mTLS. NSX Service Mesh Policy provides AuthN / AuthZ.
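Slides 15 and 16 show workload identities as SPIFFE IDs in two trust domains, mutual TLS between sidecars, and authorization policies scoped to a global namespace. The Python model below is added here as an illustration; it is not part of the VMware deck and not NSX Service Mesh code. It walks a connection through the checks a defender wants on every hop: the SPIFFE ID parses, the peer's chain anchors in the federated trust bundle for its own trust domain, source and destination share a global namespace, and an explicit allow rule names the source. The trust bundles, GNS membership, policy table and PeerCert records are constructed for the example, and chain validation is modelled as a root-CA name match rather than real X.509 verification.

```python
"""Constructed model of SPIFFE identity checks across federated trust domains.

Two clusters (trust domains foo.com and bar.com), two global namespaces
(blue, green) and a deny-by-default allow-list. Certificate chains are
modelled as (spiffe_id, issuing_root) pairs; a real proxy validates the
X.509 chain against the SPIFFE bundle for the peer's trust domain.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str


def parse_spiffe_id(uri: str) -> SpiffeId:
    """Validate the basic SPIFFE ID shape: spiffe://<trust-domain>/<path>."""
    parts = urlsplit(uri)
    if parts.scheme != "spiffe":
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    td = parts.netloc
    if not td or td != td.lower() or "@" in td or ":" in td:
        raise ValueError("trust domain must be non-empty, lowercase, no userinfo/port")
    if parts.query or parts.fragment:
        raise ValueError("SPIFFE IDs carry no query or fragment")
    # Reject empty, '.' and '..' path segments (covers '/' and '//' too).
    if parts.path and any(seg in ("", ".", "..") for seg in parts.path[1:].split("/")):
        raise ValueError(f"bad path in SPIFFE ID: {uri!r}")
    return SpiffeId(td, parts.path)


# Constructed federated bundle: trust domain -> root CA names that may anchor
# a chain for that domain (stands in for the X.509 roots in a SPIFFE bundle).
TRUST_BUNDLES = {
    "foo.com": {"root-ca-foo"},
    "bar.com": {"root-ca-bar"},
}

# Constructed global-namespace membership (GNS Blue / GNS Green on the slide).
GNS_MEMBERS = {
    "spiffe://foo.com/svca": "blue",
    "spiffe://bar.com/svcb": "blue",
    "spiffe://foo.com/svcd": "green",
    "spiffe://bar.com/svcc": "green",
}

# Constructed authorization policy: destination -> allowed sources.
# Anything not listed is denied.
AUTHZ = {
    "spiffe://bar.com/svcb": {"spiffe://foo.com/svca"},
    "spiffe://bar.com/svcc": {"spiffe://foo.com/svcd"},
}


@dataclass(frozen=True)
class PeerCert:
    spiffe_id: str      # URI SAN presented in the mTLS handshake
    issuing_root: str   # root CA that anchors the presented chain (constructed)


def authenticate(peer: PeerCert) -> SpiffeId:
    """Accept the peer only if its chain anchors in the bundle of its own trust domain."""
    sid = parse_spiffe_id(peer.spiffe_id)
    roots = TRUST_BUNDLES.get(sid.trust_domain)
    if roots is None:
        raise PermissionError(f"unknown trust domain {sid.trust_domain}")
    if peer.issuing_root not in roots:
        raise PermissionError("chain not anchored in the trust domain's bundle")
    return sid


def authorize(src: PeerCert, dst: PeerCert) -> tuple[bool, str]:
    """Full decision for one mTLS hop: authn both ends, then GNS scope, then allow-list."""
    try:
        authenticate(src)
        authenticate(dst)
    except (ValueError, PermissionError) as exc:
        return False, f"authn: {exc}"
    if GNS_MEMBERS.get(src.spiffe_id) != GNS_MEMBERS.get(dst.spiffe_id):
        return False, "authz: source and destination are in different global namespaces"
    if src.spiffe_id not in AUTHZ.get(dst.spiffe_id, set()):
        return False, "authz: no allow rule"
    return True, "allow"


if __name__ == "__main__":
    svca = PeerCert("spiffe://foo.com/svca", "root-ca-foo")
    svcb = PeerCert("spiffe://bar.com/svcb", "root-ca-bar")
    svcc = PeerCert("spiffe://bar.com/svcc", "root-ca-bar")
    forged = PeerCert("spiffe://foo.com/svca", "root-ca-unknown")
    for s, d in [(svca, svcb), (svca, svcc), (svcb, svca), (forged, svcb)]:
        print(s.spiffe_id, "->", d.spiffe_id, authorize(s, d))
```

The order of the checks matters: identity is established before any policy lookup, so a chain anchored in the wrong root never reaches the allow-list, and the GNS boundary is enforced before the per-service rule, which keeps a mistaken allow entry from crossing namespaces. Reason strings are returned rather than logged so the caller can emit one audit record per decision.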

Page 17

Service Mesh Federation: community effort for interoperability

Interoperability via Federation APIs

Identity, Service Discovery, mTLS

Control and data plane neutral

Diagram: a third-party Service Mesh federated with NSX Service Mesh.

Open Source Community Collaborations and Contributions

Page 18

Service Mesh Federation Initiative

Identity Federation Across Multiple Identity Providers: spec released (SPIFFE Trust Domain & Bundle). Lead: Scytale, Google. Contributors: VMware, others.

Service Discovery and mTLS Communication: spec will soon be released. Lead: VMware. Contributors: Pivotal, Google, HashiCorp.

Open Source Community Collaborations & Contributions

Page 19

NSX Service Mesh: Enterprise-Grade Service Mesh Across any Environment

Connect, Protect, and Operate across any Platform or any Cloud

App Developers & Service Owners

DevOps, SREs, PREs, and Platform Owners

Security, SecOps, and Compliance Owners

Development Velocity, Consistent Operations, Secure by Default

Page 20

Cloud-Native Applications

Diagram comparing two approaches. Client Libraries & App Frameworks: a K8s Pod whose App Container itself implements Observability, Connectivity, Control, Discovery, and Security. Service Meshes & Sidecars: a K8s Pod whose App Container keeps only thin Client Libraries while a Sidecar Proxy provides Observability, Connectivity, Control, Discovery, and Security.

Page 21

Istio Architecture: service connectivity, security, control, and observability

Diagram (source: https://istio.io): a K8s Cluster with Pods for Service A and Service B, each paired with an L7 Proxy (Envoy) that forms the Data Plane (Envoy). Traffic flow between proxies is HTTP, gRPC, or TCP, with / without mTLS. The Control Plane (Istio) consists of Config (Pilot), TLS Certs (Citadel), and Policy & Telemetry (Mixer), and controls traffic flow during request processing.

Page 22

Enterprise Application Transformation

Diagram: Monolithic Application to Microservices Application.