Confidential │ ©2019 VMware, Inc.
VMware NSX Service Mesh
KubeCon NA
November 2019
Application Transformation Challenges
How to consistently connect, secure, and monitor cloud native apps?
Inconsistent operational visibility and remediation policies
Many services to connect and make resilient
App silos: running in multiple platforms and clouds
Disjointed security, auditing, and compliance
(Diagram: Enterprise PKS)
The Ideal Solution: Enterprise-Class Service Mesh
Consistent connectivity, security, and control
CONNECT / PROTECT / OPERATE
Multi-Cluster & Multi-Cloud
(Diagram: VMs, Public Clouds, Kubernetes)
NSX Service Mesh: CONNECT / PROTECT / OPERATE
(Diagram: NSX Service Mesh Management above the customer clusters; each cluster, on Enterprise PKS or Google Kubernetes Engine, runs an NSX Service Mesh Local Controller and an NSX Service Mesh Data Plane; multi-cluster, multi-cloud; third-party components)
Backup Slides
Multi-Cloud Application
You can have any number of global namespaces
(Diagram: Inventory View and Logical View across Cluster 1, Cluster 2 and Cluster 3 on Enterprise PKS. GNS 1 is staging.app1.acme.com and GNS 2 is prod.app1.acme.com; Mobile App and Web App reach the API Gateway; each cluster has an Ingress GW and an Egress GW; each GNS provides Identity, Policies, Traffic Routing and Discovery / DNS)
Use Cases
NSX Service Mesh: APPLICATIONS across multiple clusters and clouds
CONNECT
App Mobility & Migration
Multi-Cloud Application Patterns
High Availability & Failover
Bridge to VM Workloads
PROTECT
E2E Encryption for Compliance
Authn/Authz for Services and VMs
Auditing & Alerting
Gateway Security
OPERATE
Visibility for DevOps & SREs
App Deployments & Upgrades
App SLA / SLO Policies
VMware's Enterprise-Class Service Mesh Vision
(Diagram: Users, Services and Data connected across VMs, Public Clouds, Kubernetes, Serverless and SaaS, with Discovery, Visibility, Control and Security)
Multi-Cloud Application Pattern
How to handle networking and security?
(Diagram: Mobile App and Web App reach an API Gateway in front of SVC A, SVC B, SVC C and SVC D on Enterprise PKS)
Why Do We Need Extensible Boundaries
Useful abstraction for multiple heterogeneous clusters and clouds
Ideal for highly distributed microservices
Useful for application transformation initiatives
Ideal for enterprise architectures and requirements
(Diagram: Global Namespace 1 spanning a Kubernetes Cluster in Cloud 1 and a Kubernetes Cluster in Cloud 2)
Global Namespaces
Overcome multi-cloud challenges
(Diagram: Global Namespace 1 containing Users, Mobile App, Web App, API Gateway, the Services SVC A, SVC B, SVC C, SVC D, and Data)
NSX Service Mesh Global Namespaces
Capabilities of a GNS: Identity, Policies, Traffic Routing, Discovery / DNS
(Diagram: Global Namespace Blue and Global Namespace 1, each containing Users, Mobile App, Web App, API Gateway, the Services SVC A, SVC B, SVC C, SVC D, and Data)
High Availability with Cross-Cluster Communication
Active-Active w/ Failover
(Diagram: Inventory View and Logical View of GNS 1, staging.app1.acme.com, spanning Cluster 1 / US-WEST and Cluster 2 / US-EAST on Enterprise PKS; a GLB fronts both clusters; Mobile App and Web App reach the API Gateway; each cluster has an Ingress GW and an Egress GW; DB Synch runs between the clusters; GNS capabilities: Identity, Policies, Traffic Routing, Discovery / DNS)
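The routing decision behind the active-active with failover slide, as an added worked example that is not NSX Service Mesh code: one service deployed in both US-WEST and US-EAST under the same GNS, a caller that prefers endpoints in its own cluster, and spill-over to the other cluster when the local pool degrades. The endpoint addresses, the health states and the 50% failover threshold are constructed for the example.

```python
"""Added worked example (not NSX Service Mesh code) of active-active with
failover: a caller prefers endpoints in its own cluster and spills over to the
other cluster only when the local pool falls below a health threshold.
Endpoints, addresses and health states are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    cluster: str
    address: str
    healthy: bool = True


class FailoverBalancer:
    """Locality-preferring round robin with health-based cross-cluster failover."""

    def __init__(self, endpoints, local_cluster, failover_threshold=0.5):
        self.endpoints = endpoints
        self.local_cluster = local_cluster
        # Fail over once fewer than this fraction of local endpoints are healthy
        # (assumed value; a real mesh exposes it as a per-service policy knob).
        self.failover_threshold = failover_threshold
        self._next = 0

    def candidates(self):
        """Endpoints eligible for the next request, local cluster first."""
        local = [e for e in self.endpoints if e.cluster == self.local_cluster]
        local_ok = [e for e in local if e.healthy]
        ratio = len(local_ok) / len(local) if local else 0.0
        if local_ok and ratio >= self.failover_threshold:
            return local_ok                      # healthy enough: stay in-cluster
        remote_ok = [e for e in self.endpoints
                     if e.cluster != self.local_cluster and e.healthy]
        return local_ok + remote_ok              # degraded: add the remote cluster

    def pick(self):
        """Round-robin over the eligible pool; raise when nothing is healthy."""
        pool = self.candidates()
        if not pool:
            raise RuntimeError("no healthy endpoint in any cluster")
        ep = pool[self._next % len(pool)]
        self._next += 1
        return ep


def drain(balancer, n):
    """Route n requests and return the addresses chosen, in order."""
    return [balancer.pick().address for _ in range(n)]


if __name__ == "__main__":
    eps = [Endpoint("US-WEST", "10.1.0.1"), Endpoint("US-WEST", "10.1.0.2"),
           Endpoint("US-EAST", "10.2.0.1"), Endpoint("US-EAST", "10.2.0.2")]
    lb = FailoverBalancer(eps, local_cluster="US-WEST")
    print(drain(lb, 4))                          # all served from US-WEST
    eps[0].healthy = eps[1].healthy = False
    print(drain(lb, 2))                          # both served from US-EAST
```

The same decision is what a sidecar or the GLB in the slide has to make; the point of the threshold is that a single unhealthy replica does not move traffic across the WAN, while a whole-cluster outage does.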
Expansion to VM-based Workloads
Supports app transformation and migration use cases
NSX Service Mesh Integration with NSX Advanced Load Balancer (Avi Networks)
(Diagram: GNS 1, staging.app1.acme.com, spanning Cluster 1 and Cluster 2 on Enterprise PKS, with Mobile App, Web App and API Gateway; NSX Service Mesh Management / Controller alongside the NSX ALB Controller; GNS capabilities: Identity, Policies, Traffic Routing, Discovery / DNS)
NSX Service Mesh: Secure Cross-Cloud Internet Traffic
Mutual TLS between GNS Blue and GNS Green
(Diagram: Cluster A has trust domain foo.com, Cluster B has trust domain bar.com; each cluster has its own Root CA and Intermediate CAs that issue the workload certificates. Workload identities: spiffe://foo.com/svca, spiffe://foo.com/svcd, spiffe://bar.com/svcb, spiffe://bar.com/svcc. Every service instance of SVC A, SVC B, SVC C and SVC D runs behind a Sidecar; Enterprise PKS)
Micro Segmentation for Global Namespaces
Authorization Policies
(Diagram: GNS Blue, trust domain foo.com, and GNS Green, trust domain bar.com, communicating over mTLS; NSX Service Mesh Policy enforces AuthN / AuthZ)
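What the two preceding slides amount to at the sidecar, as an added worked example that is not NSX Service Mesh or Istio code: a SPIFFE ID parser following the character rules of the SPIFFE-ID specification, peer verification that picks the trust bundle by the trust domain the SVID claims (the federation rule, so a bar.com-issued certificate cannot assert a foo.com identity even though bar.com's root is trusted for bar.com identities), and a default-deny authorization check between global namespaces. Certificates are stand-ins (a dict with the URI SANs and the name of the root the chain verified to), and the GNS membership table, the root names and the single cross-GNS allow rule are assumptions made for the example, not taken from the slides.

```python
"""Added worked example; not NSX Service Mesh or Istio code.

Models Cluster A (trust domain foo.com) and Cluster B (trust domain bar.com)
signing workload SVIDs from their own roots, federated trust bundles, and a
default-deny policy between GNS Blue and GNS Green. Certificates are stand-ins:
a dict carrying the URI SANs and the name of the root the chain verified to.
GNS membership, root names and the cross-GNS rule are assumptions for the demo.
"""
import re
from dataclasses import dataclass

# Character classes from the SPIFFE-ID specification.
_TRUST_DOMAIN = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" or "/segment[/segment...]"

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(uri: str) -> SpiffeId:
    """Validate a SPIFFE ID string; ValueError on anything malformed."""
    if not uri.startswith("spiffe://"):
        raise ValueError(f"wrong scheme: {uri!r}")
    td, slash, rest = uri[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN.match(td):
        raise ValueError(f"bad trust domain: {uri!r}")
    path = ""
    if slash:
        segs = rest.split("/")
        # Empty segments (trailing or doubled "/"), "." and ".." are rejected.
        if any(s in ("", ".", "..") or not _PATH_SEGMENT.match(s) for s in segs):
            raise ValueError(f"bad path: {uri!r}")
        path = "/" + rest
    return SpiffeId(td, path)


# Federated trust bundles (assumed root names): trust domain -> roots it may
# chain to. Each mesh imports the other's bundle; nothing else is trusted.
BUNDLES = {"foo.com": {"root-foo"}, "bar.com": {"root-bar"}}


def verify_svid(cert: dict, bundles: dict) -> SpiffeId:
    """mTLS peer check: exactly one URI SAN, and the chain must end in a root
    from the bundle of the trust domain the SVID itself claims."""
    sans = cert.get("uri_sans", [])
    if len(sans) != 1:
        raise PermissionError("SVID must carry exactly one URI SAN")
    sid = parse_spiffe_id(sans[0])
    bundle = bundles.get(sid.trust_domain)
    if bundle is None:
        raise PermissionError(f"no federated bundle for {sid.trust_domain}")
    if cert.get("chain_root") not in bundle:
        raise PermissionError(f"{sid} does not chain to a {sid.trust_domain} root")
    return sid


# Assumed GNS membership: Blue holds foo.com's services, Green holds bar.com's.
GNS_MEMBERS = {
    "Blue": {"spiffe://foo.com/svca", "spiffe://foo.com/svcd"},
    "Green": {"spiffe://bar.com/svcb", "spiffe://bar.com/svcc"},
}
# Assumed explicit cross-GNS exception (source, destination); default deny.
CROSS_GNS_ALLOW = {("spiffe://foo.com/svca", "spiffe://bar.com/svcc")}


def gns_of(sid: SpiffeId):
    return next((g for g, members in GNS_MEMBERS.items() if str(sid) in members), None)


def authorize(src: SpiffeId, dst: SpiffeId) -> bool:
    """Micro-segmentation: same GNS may talk; cross-GNS only by explicit rule."""
    s, d = gns_of(src), gns_of(dst)
    if s is None or d is None:
        return False
    return s == d or (str(src), str(dst)) in CROSS_GNS_ALLOW


def handle_request(peer_cert: dict, dst: str, bundles: dict = BUNDLES) -> str:
    """Sidecar-side decision for one inbound call: authn first, then authz."""
    try:
        src = verify_svid(peer_cert, bundles)
    except (ValueError, PermissionError) as exc:
        return f"deny (authn): {exc}"
    return "allow" if authorize(src, parse_spiffe_id(dst)) else "deny (authz)"


if __name__ == "__main__":
    # Constructed peer certificates for the demo.
    svcb = {"uri_sans": ["spiffe://bar.com/svcb"], "chain_root": "root-bar"}
    forged = {"uri_sans": ["spiffe://foo.com/svca"], "chain_root": "root-bar"}
    print(handle_request(svcb, "spiffe://bar.com/svcc"))    # allow
    print(handle_request(svcb, "spiffe://foo.com/svca"))    # deny (authz)
    print(handle_request(forged, "spiffe://foo.com/svcd"))  # deny (authn): ...
```

The check worth noticing is the bundle selection in verify_svid: trusting the union of all federated roots for any identity would let one trust domain mint identities for another, which is exactly the failure the separate Root CAs on the slide are meant to prevent.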
Open Source Community Collaborations and Contributions
Service Mesh Federation: community effort for interoperability
Interoperability via Federation APIs
Identity, Service Discovery, mTLS
Control and data plane neutral
(Diagram: a third-party Service Mesh federated with NSX Service Mesh)
Open Source Community Collaborations & Contributions
Service Mesh Federation Initiative
SPIFFE Trust Domain & Bundle (spec released)
Lead: Scytale, Google
Contributors: VMware, others
Identity federation across multiple identity providers
Service Discovery and mTLS Communication (spec will soon be released)
Lead: VMware
Contributors: Pivotal, Google, HashiCorp
NSX Service Mesh
Enterprise-Grade Service Mesh Across any Environment
Connect, Protect, and Operate across any Platform or any Cloud
App Developers & Service Owners: Development Velocity
DevOps, SREs, PREs, and Platform Owners: Consistent Operations
Security, SecOps, and Compliance Owners: Secure by Default
Cloud-Native Applications
(Diagram, left: Client Libraries & App Frameworks, where the App Container in each K8s Pod embeds Observability, Connectivity, Control, Discovery and Security)
(Diagram, right: Service Meshes & Sidecars, where a Sidecar Proxy in the K8s Pod provides Observability, Connectivity, Control, Discovery and Security, and the App Container keeps only its Client Libraries)
Istio Architecture
Service connectivity, security, control, and observability
(Diagram: a K8s Cluster with Pods for Service A and Service B, each with an L7 Proxy (Envoy). The Data Plane (Envoy) carries HTTP, gRPC and TCP traffic with / without mTLS and controls traffic flow during request processing. The Control Plane (Istio) consists of Config (Pilot), TLS Certs (Citadel) and Policy & Telemetry (Mixer). Source: https://istio.io)
Enterprise Application Transformation
(Diagram: Monolithic Application to Microservices Application)