The document discusses the challenges of microservices and how a service mesh and API gateway can help address them. It introduces Envoy, a proxy that can be used to build a service mesh like Istio. A service mesh provides resilience, observability, and security within a cluster. An API gateway like Ambassador can extend these benefits to external clients by terminating TLS and providing routing, authentication, and other capabilities. Ambassador is self-service, works with Kubernetes, and integrates with Istio for a unified approach to managing microservices deployments.
4. Interesting Times: Microservices
The good
• Velocity, Velocity, Velocity
• Ownership
• Freedom
• Velocity
The bad
• Lots of cats to herd
• Independent releases and deployments
• Inherently a distributed system!
• Fragility, latency, non-observability, cascading failures…
5. Interesting Times: Microservices
The ugly: fixing “the bad” is really hard.
• Example: retry on network failure
• Sounds simple, but there are a lot of details!
• Not too quickly, not too many times, and often with exponential backoff…
• It’s just not feasible for every dev to independently get it right.
6. What Do We Do About This?
Reduce operational friction
• Automate or eliminate needless operational touchpoints
Move the Hard Stuff™ down into your infrastructure layer
• Get it right once
• Let everyone use it
• This is the concept of a service mesh
7. Service Mesh
A service mesh is about collecting services into an application
• Give dev & ops the experience they had with a single host
• Visibility, resiliency, control, security, policy
So how does a service mesh work?
8. We start with the Envoy proxy…
C++ L4/L7 reverse proxy
Built at Lyft, and brutally battle-tested
• hundreds of services, tens of thousands of VMs, millions of requests per second
• includes support for many mesh features
• increasingly active community
HTTP/2 & gRPC
Zone-aware load balancing with failover
Health checks, circuit breakers, timeouts, retry budgets
No hot reloads: API-driven config updates
9. 9
AndthenusesomethingtomanageafleetofEnvoys
…Istio
“Network for services instead of bytes”
Built by IBM and Google using Envoy
• ~2200 GitHub stars, 40+ engineers 😀
• rather than having libraries, just put an
Envoy sidecar next to each service
• load balancing
• retries
• rate limiting
• telemetry and monitoring
15. Ambassador
Self-service API gateway, built on Envoy
• Built for Kubernetes
• Provides routing, TLS termination, authentication
• Istio integration for observability, security, resilience
• HTTP/2 & gRPC support
16. Ambassador: Routing
Self-service routing, TLS, and authentication
• Understands HTTP(S) URLs
• Routes a resource to a service
• a “resource” is identified by its URL path prefix
• a “service” is… a Kubernetes service
• Routes all HTTP methods
17. Ambassador: Self-Service
Self-service routing, TLS, and authentication
• Developers can route resources to their service on their own
• Simple REST interface for routing control
• “Move fast and make things”
• Reduces friction, so there is no ops gate for a new release
• …but also no ops gate for a rollback!
18. Ambassador: TLS
Self-service routing, TLS, and authentication
• Ambassador can terminate TLS
• Tell Ambassador about your certificates
• Ambassador will then accept HTTPS connections
• TLS client-certificate authentication, too
19. Ambassador: Custom Authentication
Self-service routing, TLS, and authentication
• REST API to an outboard authentication service:
• the auth service gets the HTTP request headers
• and returns an HTTP status code
• Applies to all microservices
• if a microservice gets a connection, the auth service said OK
• of course, the auth service could allow public access to some microservices!
• A supplied auth service implements HTTP Basic Auth
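The outboard authentication contract on this slide, as an added example that is not Ambassador's own code: a decision function that receives the request path and headers, lets constructed public prefixes through without credentials, and otherwise validates an HTTP Basic Auth header against a constructed credential table in constant time, answering 200 (forward to the microservice) or 401 (reject). How the gateway forwards the headers and applies the status is assumed from the slide; the user table, salt and public prefixes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Mapping

# Constructed credential store: username -> salted SHA-256 of the password.
# A real deployment would load this from a secret store, never from source.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"s3cret").digest()}
# Digest compared against when the username is unknown, so a lookup miss
# costs the same time as a real comparison (no username enumeration by timing).
_DUMMY = hashlib.sha256(_SALT + b"dummy").digest()

# Constructed example of "public access to some microservices": no credentials needed.
PUBLIC_PREFIXES = ("/healthz", "/public/")


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client would send (used by tests/clients)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def _check_basic(header_value: str) -> bool:
    """Validate 'Basic <base64(user:password)>'; reject malformed input, compare in constant time."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    candidate = hashlib.sha256(_SALT + password.encode("utf-8")).digest()
    expected = _USERS.get(user, _DUMMY)
    return hmac.compare_digest(candidate, expected) and user in _USERS


def authorize(path: str, headers: Mapping[str, str]) -> int:
    """Decide for the gateway: 200 lets the request reach the upstream service, 401 rejects it.

    Header names are matched case-insensitively, as HTTP requires."""
    if path.startswith(PUBLIC_PREFIXES):
        return 200
    lowered = {name.lower(): value for name, value in headers.items()}
    if _check_basic(lowered.get("authorization", "")):
        return 200
    return 401
```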
20. Ambassador Roadmap
Ambassador is under active development
Better integration with Istio
• still support standalone operation
First-class custom filters
• embedded interpreter
Rate limiting, authorization, etc.
http://getambassador.io/ for more