
HashiCorp 2019: "Secure Routing and Traffic Management with Ambassador and Consul"

Ambassador is a Kubernetes-native API gateway that serves as a common point of ingress to applications and services running both inside and outside of Kubernetes, and provides common cross-cutting functionality such as user authentication, API management, and TLS termination. Consul service mesh provides the source of truth for the entire datacenter: it tracks available services, keeps runtime configuration, and enforces secure end-to-end communication via mTLS encryption. In this architecture, Ambassador uses Consul’s service discovery to route requests to services, and obtains the appropriate TLS certificate from Consul to originate an encrypted TLS connection to the target service.

Published in: Technology


  1. Secure Routing and Traffic Management with Ambassador and Consul. Daniel Bryant, Product Architect, Datawire; Nic Jackson, Developer Advocate, HashiCorp. Copyright © 2019 HashiCorp
  2. tl;dr
     ▪ We’re seeing an increase in application modernisation/hybrid platforms
     ▪ Decoupling apps and infrastructure is key: incrementally and securely
     ▪ Ambassador handles north-south “ingress” traffic
     ▪ Consul handles east-west “service-to-service” traffic
     ▪ Ambassador + Consul bridge legacy apps to the new world
       – Dynamic routing, TLS, and other cross-cutting concerns
  3. Who are we? Nic Jackson, Developer Advocate, HashiCorp (@sheriffjackson); Daniel Bryant, Product Architect, Datawire (@danielbryantuk)
  4. So, we don’t want to scare you, but...
  5. So, we don’t want to scare you, but... 214 records containing personal data are exploited every second
  6. So, we don’t want to scare you, but... 2.2% of compromised records are protected by encryption
  7. So, we don’t want to scare you, but... 65% of cases are linked to identity theft
  8. So, we don’t want to scare you, but... $3,860,000 is the average cost of a data breach
  9. So, we don’t want to scare you, but... $350,000,000 is the cost of a breach containing over 50 million records
  10. So, we don’t want to scare you, but... 72% increase in attacks between 2017 and 2018. Sources: Gemalto Breach Level Index, https://breachlevelindex.com/; IBM Cost of a Data Breach Study, https://www.ibm.com/security/data-breach
  11. We’re assuming that you have secured your data at rest… and hardened compute
  12. But what about data in motion? Are your comms vulnerable?
  13. And what about during application modernisation? Network heterogeneity typically increases: private DC, cloud, k8s...
  14. https://www.rgoarchitects.com/Files/fallacies.pdf
  15. Ambassador + Consul
  16. API Gateway: edge proxy, ingress, ADC...
     ▪ Exposes internal services to end-users (via multiple domains)
     ▪ Encapsulates backends (k8s, VMs, bare metal etc)
     ▪ TLS termination (enforcing minimum TLS version)
     ▪ End-user authentication/authorization
     ▪ Rate limiting (DDoS protection, etc)
  17. Service Mesh: proxy mesh, fabric model...
     ▪ Exposes internal services to internal consumers
     ▪ Encapsulates service infra (across k8s, VMs, bare metal etc)
     ▪ mTLS: service identity and traffic encryption
     ▪ ACLs and intentions: who can do what, and to whom
     ▪ Implements cross-functional concerns (out-of-process)
  18. Exploring end-to-end communication
  19. Bypass the perimeter by attacking services
  20. We need internal network isolation
  21. Network segmentation
  22. Service segmentation
  23. Problem: dynamic environments...
  24. Network / service segmentation with intention-based security
  25. Ambassador + Consul: end-to-end solution
  26. Exploring end-to-end communication
  27. Control planes and data planes (data plane vs. control plane): https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc
  28. Control planes: differing use cases
     ▪ North-south
       – Unknown / untrusted clients
       – Limited exposure of services (Mapping)
       – Centralised ops ingress defaults + decentralised product team cfg
     ▪ East-west
       – Dynamic service information update required (multiple sources)
       – Identity required for all services (mTLS + ACLs)
       – “Sane” internal defaults + decentralised dev cfg
  29. Ambassador + Consul
  30. Demo
  31. Ambassador + Consul
  32. Conclusion
     ▪ Whether greenfield or part of app modernisation...
       – Decoupling apps and infrastructure is key
       – We need to do this incrementally and securely
     ▪ Handling north-south/east-west traffic requires different control planes
       – But an integrated solution is required (mind the gap!)
     ▪ Ambassador + Consul bridge legacy apps to the new world
       – Dynamic routing, mTLS, segmentation, cross-cutting concerns
  33. Questions?
  34. Thanks! @sheriffjackson | @danielbryantuk
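Slides 17 and 22 to 24 describe the east-west half of the picture: every service presents an mTLS identity, and "intentions" (who may call whom) decide whether a connection is accepted, with deny-by-default so that a new or dynamically scheduled service is isolated until it is explicitly allowed. The following is an added example, not code from the talk, from Datawire or from HashiCorp: a small Python model of that check as a mesh sidecar would make it. The service name is taken from the SPIFFE-style URI SAN that Consul Connect certificates carry (the `spiffe://<trust-domain>.consul/ns/<ns>/dc/<dc>/svc/<service>` layout is assumed from Consul's documentation), and the precedence order for exact versus wildcard intentions follows the order Consul documents (exact/exact beats exact/wildcard beats wildcard/exact beats wildcard/wildcard); both are assumptions about Consul, not its actual implementation. The intention set and the peer identities are constructed sample data.

```python
"""Intention-based service segmentation: a deny-by-default "who may call whom"
check keyed on the mTLS peer's service identity.

Added illustration (not Consul's or Ambassador's code). Assumptions:
  * peer identity is a SPIFFE URI SAN of the form
    spiffe://<trust-domain>.consul/ns/<ns>/dc/<dc>/svc/<service>
  * precedence: exact/exact (9) > exact/* (8) > */exact (6) > */* (5)
"""
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse


@dataclass(frozen=True)
class Intention:
    source: str        # calling service name, or "*" for any
    destination: str   # called service name, or "*" for any
    action: str        # "allow" or "deny"


def precedence(intention: Intention) -> int:
    """Higher value wins; an exact name is more specific than the '*' wildcard."""
    src_exact = intention.source != "*"
    dst_exact = intention.destination != "*"
    if src_exact and dst_exact:
        return 9
    if src_exact:
        return 8
    if dst_exact:
        return 6
    return 5


def service_from_spiffe_id(uri: str) -> str:
    """Return the service name encoded in a Connect-style SPIFFE ID.

    Raises ValueError for anything that is not a well-formed SPIFFE ID with a
    'svc/<name>' segment, so the caller can fail closed.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "spiffe" or not parsed.netloc:
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    parts = parsed.path.strip("/").split("/")
    if "svc" not in parts:
        raise ValueError(f"no service segment in {uri!r}")
    idx = parts.index("svc")
    if idx + 1 >= len(parts) or not parts[idx + 1]:
        raise ValueError(f"empty service name in {uri!r}")
    return parts[idx + 1]


def evaluate(intentions: Iterable[Intention], source: str, destination: str,
             default: str = "deny") -> str:
    """Pick the most specific matching intention; fall back to deny when none match."""
    matches: List[Intention] = [
        i for i in intentions
        if i.source in (source, "*") and i.destination in (destination, "*")
    ]
    if not matches:
        return default
    return max(matches, key=precedence).action


def authorize_connection(intentions: Iterable[Intention], peer_spiffe_id: str,
                         local_service: str) -> str:
    """Decision a sidecar would make for an inbound mTLS connection.

    Any identity that cannot be parsed is treated as unknown and denied, so a
    caller with a certificate from outside the mesh never matches an 'allow'.
    """
    try:
        source = service_from_spiffe_id(peer_spiffe_id)
    except ValueError:
        return "deny"
    return evaluate(intentions, source, local_service)


# Constructed sample policy: the gateway may reach "web", only "web" may reach
# "db", and everything else is denied by the catch-all.
SAMPLE_INTENTIONS = [
    Intention("*", "*", "deny"),
    Intention("ambassador", "web", "allow"),
    Intention("web", "db", "allow"),
    Intention("*", "db", "deny"),
]

TRUST_DOMAIN = "11111111-2222-3333-4444-555555555555.consul"  # constructed


def spiffe_id(service: str) -> str:
    """Build a sample Connect-style identity for a service (constructed layout)."""
    return f"spiffe://{TRUST_DOMAIN}/ns/default/dc/dc1/svc/{service}"


if __name__ == "__main__":
    for src, dst in [("ambassador", "web"), ("web", "db"), ("ambassador", "db"),
                     ("legacy-vm", "web")]:
        print(f"{src:>10} -> {dst:<4} {authorize_connection(SAMPLE_INTENTIONS, spiffe_id(src), dst)}")
    print(f"{'no-mesh-cert':>10} -> web  "
          f"{authorize_connection(SAMPLE_INTENTIONS, 'https://example.invalid/svc/web', 'web')}")
```

Two points worth noticing in the design: the catch-all `deny` at precedence 5 is what gives the slide-23 property (a newly scheduled service is unreachable until someone writes an intention for it), and the parse-failure branch in `authorize_connection` fails closed rather than falling through to the wildcard rules, which is the behaviour you want when a certificate was issued by something other than the mesh CA.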
