Author: Gucci
Introduction
Problems with Microservice Development
We encounter four common problems when developing under a microservice architecture:
- Multi-language problem: services are written in several languages (Node.js, Java, Go, ...), so a middleware SDK has to be maintained for every language.
- Difficulty in promoting upgrades: an SDK upgrade requires each business application to modify its code and release again, which disturbs the business and is costly when the business is under pressure.
- Slow iteration speed: because of the multi-language and multi-version situation, a lot of energy goes into maintaining historical versions, which slows down iteration and upgrades (R&D efficiency is also a consideration when selecting the data plane).
- Multi-version problem: the SDK of each language goes through its own version upgrades, a large number of different versions call each other, and the compatibility and testing maintenance costs are huge.
To solve these problems, the sidecar + application mode of a service mesh is a good solution.
Service Mesh
A service mesh is an infrastructure layer dedicated to handling service-to-service communication. Its responsibility is to deliver requests reliably through the complex topology of services that make up a cloud-native application. In practice, it is a set of lightweight network proxies deployed alongside the application services and transparent to them. The concept of the service mesh has existed for many years, and there are many different kinds of implementations, such as Istio, Linkerd and Open Service Mesh, as well as other approaches such as eBPF + Envoy and proxyless mesh. Each implementation is really a way of thinking about how to solve the problems in current production and development. The one we are most familiar with is Istio. Its architecture is as follows:
By separating the sidecar from the business application, the control plane Istiod manages and controls all traffic. Building on the capabilities of Istio + Envoy, it provides the connectivity, security, control and observability of microservices. The service mesh is the application solution for the microservice architecture: it decouples platform-level service governance capabilities from the application, provides unified governance for multiple protocols and multiple languages, keeps infrastructure and applications decoupled, reduces the cost of upgrades and operations, achieves secure and reliable communication between microservices, and makes the communication of different kinds of microservices observable.
Alibaba Cloud Proprietary Cloud Service Mesh Capabilities
The advantages of the service mesh are widely recognized, and today many users run a service mesh in their production business systems. For many ordinary users, however, using and operating such a system is still too complicated. In day-to-day use we may only need to do a grayscale release, and that already involves configuring several different rules, which is very error-prone; most users first have to learn how to define rules such as the VirtualService and DestinationRule of the application, and the learning cost is very high. To reduce the cost of use and the difficulty of operation and maintenance, Alibaba Cloud's proprietary cloud service mesh exposes the mesh's capabilities through a high degree of productization: the user only needs to operate the console in the usual way, and capabilities such as grayscale release, label routing, authentication and full-link routing can be accomplished easily.
The following is an overview of the capabilities of Alibaba Cloud's proprietary cloud service mesh, covering protocols, environments, service governance, observability and safe production:
Next, let's introduce our product capabilities:
Service Governance
- Traffic management
There are many traffic management capabilities, including load balancing, circuit breaking, rate limiting, timeouts, retries, traffic mirroring, connection pool management, fault injection, same-AZ routing and service mocking.
Rate limiting can be applied per instance, per header and per path.
In addition to the service-level fault injection of the open-source community, fault injection can also target a single pod of a service, so that a single pod can be tested.
Service mocking lets a developer specify the response of an interface. When the interface has not been developed yet, this improves the efficiency of development and testing. A service mock is configured with the request path, port, method, status code, headers and the JSON data to return.
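The open-source Istio resources behind several of the capabilities listed above, as an added example that is not part of this article or of the Alibaba Cloud product: a DestinationRule with connection pool limits and a circuit breaker (outlier detection), and a VirtualService with a service mock, fault injection and a timeout/retry policy. The "orders" service, the "demo" namespace, the paths and the chaos header are assumptions; the `directResponse` mock requires Istio 1.15 or later.

```yaml
# Added example (not from the page or the Alibaba Cloud product): open-source Istio
# resources for a hypothetical "orders" service in namespace "demo".
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
  namespace: demo
spec:
  host: orders.demo.svc.cluster.local
  trafficPolicy:
    # Connection pool: cap connections and in-flight requests per client sidecar
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        http2MaxRequests: 200
        maxRequestsPerConnection: 10
    # Circuit breaker: eject a pod after 5 consecutive 5xx responses for 30s,
    # but never eject more than half of the endpoints at once
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders
  namespace: demo
spec:
  hosts:
  - orders.demo.svc.cluster.local
  http:
  # Service mock: canned JSON for an interface that is not implemented yet
  - match:
    - uri:
        prefix: /api/v2/orders
      method:
        exact: GET
    directResponse:
      status: 200
      body:
        string: '{"orders": [], "mock": true}'
  # Fault injection, only for requests carrying the (assumed) test header, so
  # ordinary traffic is unaffected: delay 10% of them by 3s, abort 1% with 503
  - match:
    - headers:
        x-chaos-test:
          exact: "true"
    fault:
      delay:
        percentage:
          value: 10.0
        fixedDelay: 3s
      abort:
        percentage:
          value: 1.0
        httpStatus: 503
    route:
    - destination:
        host: orders.demo.svc.cluster.local
  # Default route: bounded timeout and a small number of retries
  - route:
    - destination:
        host: orders.demo.svc.cluster.local
    timeout: 5s
    retries:
      attempts: 2
      perTryTimeout: 2s
      retryOn: connect-failure,refused-stream,reset
```

Rules are evaluated top to bottom, so the mock and fault routes must precede the default route. The retry conditions are deliberately limited to connection-level failures; retrying on `5xx` would re-send non-idempotent requests that the backend may already have processed.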
- Label routing
With label routing you select the baseline version, then select the corresponding routed version and configure routing policies, such as weight-based and content-based policies; the routing rules are set up with a few simple settings.
- Service registration
Service registration, as the name implies, registers microservices in a registry. This capability mainly helps non-Java services communicate with existing Java services. For example, Spring Cloud services need to call non-Java services, and to keep the code simple they should call them the same way they call other Spring Cloud services. The non-Java services therefore need to be registered in the corresponding registry. Here we support registering non-Java services in the Nacos and Eureka registries.
- Runtime monitoring
Displays monitoring data of the running service, such as the average number of requests handled and the request success rate.
- Grayscale release
You can release a grayscale version of an image by publishing a version: fill in the corresponding version number and image, configure weights and content-based routing rules, and use the rollback and grayscale-success capabilities.
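What the label routing and grayscale release capabilities above map to in open-source Istio, as an added example that is not from this article or from the product console: a DestinationRule that names the baseline and grayscale subsets by pod label, and a VirtualService with one content-based rule and one weight-based rule. The "orders" service, the "demo" namespace, the `version` labels, the `x-user-group` header and the 90/10 split are assumptions.

```yaml
# Added example (not from the page or the product): grayscale release as Istio resources
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
  namespace: demo
spec:
  host: orders.demo.svc.cluster.local
  subsets:
  - name: baseline         # pods labelled version=v1 (baseline version)
    labels:
      version: v1
  - name: gray             # pods labelled version=v2 (grayscale version)
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders
  namespace: demo
spec:
  hosts:
  - orders.demo.svc.cluster.local
  http:
  # Content-based policy: internal testers carrying this header always hit gray
  - match:
    - headers:
        x-user-group:
          exact: qa
    route:
    - destination:
        host: orders.demo.svc.cluster.local
        subset: gray
  # Weight-based policy: 10% of everyone else goes to gray, 90% stays on baseline.
  # Rollback = gray 0 / baseline 100; grayscale success = gray 100 / baseline 0.
  - route:
    - destination:
        host: orders.demo.svc.cluster.local
        subset: baseline
      weight: 90
    - destination:
        host: orders.demo.svc.cluster.local
        subset: gray
      weight: 10
```

Both the rollback and the promotion are edits to the two weights only, which is exactly the pair of operations the console wraps; keeping the DestinationRule unchanged means a rollback never has to wait for pods.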
- Zero Trust Security
Two-way (mutual) authentication, JWT authentication of requests and the corresponding authorization policies can be configured.
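The three Istio resources that implement the zero-trust capabilities just listed, as an added example that is not part of this article or of the product: a PeerAuthentication enforcing mutual TLS, a RequestAuthentication validating JWTs, and an AuthorizationPolicy that ties the two identities together. The "orders" workload, the "demo" namespace, the issuer URL, the JWKS URL, the caller's service account, the paths and the scope claim are all assumptions.

```yaml
# Added example (not from the page or the product): zero-trust policies in Istio
# 1. Two-way (mutual) TLS: workloads in "demo" accept only mTLS connections
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo
spec:
  mtls:
    mode: STRICT
---
# 2. Request JWT authentication on the orders workload. A request with an INVALID
#    token is rejected here, but a request with NO token is passed through, which
#    is why the AuthorizationPolicy below is still required.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://issuer.example.com"                       # assumed issuer
    jwksUri: "https://issuer.example.com/.well-known/jwks.json" # assumed JWKS URL
    forwardOriginalToken: true
---
# 3. Authorization: allow only the "frontend" service account (identity proven by
#    mTLS) presenting a valid JWT with scope "orders:read" to GET the orders API.
#    Once an ALLOW policy matches the workload, every other request is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: demo
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/frontend"]
        requestPrincipals: ["https://issuer.example.com/*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/orders", "/api/orders/*"]
    when:
    - key: request.auth.claims[scope]
      values: ["orders:read"]
```

The `requestPrincipals` entry is what turns "JWT validated" into "JWT required": without it, an unauthenticated request would still reach the workload and be judged on the source principal alone. Checking both `principals` (who the calling workload is) and `requestPrincipals` (on whose behalf it calls) is the point of combining mTLS with request authentication.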
Full-Link Routing
Full-link routing routes requests along the entire call chain according to specified rules. For example, to test whether a service meets expectations when that service depends on other services, the full-link capability can be used to carve out a development environment, a swimlane: traffic carrying the specified tag is sent to the service under test, while other requests stay in the baseline environment. If other services also need to be tested, they can be added to the same swimlane. The advantage of full-link routing is that traffic can be routed to any intermediate service of the call chain, so R&D and test engineers can easily deploy an independent environment alongside the baseline environment, which improves R&D and testing efficiency and reduces operation and maintenance costs.
- Create swimlanes
Create a swimlane belonging to the corresponding service mesh; it is a separate environment (decide on the baseline version environment before creating the swimlane).
- Publish service / import service
After creating the swimlane, you can publish a service into it or import an already deployed service.
Select the entry application and configure the rules that decide which requests, by their traffic characteristics, enter the swimlane.
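A swimlane expressed as open-source Istio resources, as an added example that is not from this article or from the product console, for a two-hop chain frontend -> orders -> payments where only "orders" has a lane deployment. The lane name "dev-a", the `x-swimlane` header, the "demo" namespace and the pod labels are assumptions.

```yaml
# Added example (not from the page or the product): a swimlane for the "orders" hop.
# The applications must propagate the x-swimlane header on their outgoing calls
# (the same way they propagate trace headers); the sidecar does not do it for them.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
  namespace: demo
spec:
  host: orders.demo.svc.cluster.local
  subsets:
  - name: baseline
    labels:
      version: v1
  - name: dev-a            # only the service under test carries this label
    labels:
      swimlane: dev-a
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders
  namespace: demo
spec:
  hosts:
  - orders.demo.svc.cluster.local
  http:
  # Tagged traffic enters the lane
  - match:
    - headers:
        x-swimlane:
          exact: dev-a
    route:
    - destination:
        host: orders.demo.svc.cluster.local
        subset: dev-a
  # Everything else stays on the baseline
  - route:
    - destination:
        host: orders.demo.svc.cluster.local
        subset: baseline
---
# "payments" has no lane deployment: its rule routes tagged and untagged traffic
# alike to the baseline, so the lane falls back to baseline at that hop.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: payments
  namespace: demo
spec:
  hosts:
  - payments.demo.svc.cluster.local
  http:
  - route:
    - destination:
        host: payments.demo.svc.cluster.local
        subset: baseline
```

Adding a second service to the lane means deploying a pod of it with the `swimlane: dev-a` label and giving its VirtualService the same header rule; the fallback at every other hop is what lets one team test a single service without cloning the whole chain.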
Ingress Gateway
Through the Istio ingress gateway of the service mesh, services inside the mesh can be exposed. We support the HTTP, HTTPS and gRPC protocols. In addition to exposing services, we also support configuring routing rules, so that the traffic of an ingress service can be managed.
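Exposing a mesh service through the Istio ingress gateway, as an added example that is not from this article or from the product console. The hostname `orders.example.com`, the TLS secret name `orders-tls` (which must exist in the `istio-system` namespace), the "demo" namespace and the backend port are assumptions.

```yaml
# Added example (not from the page or the product): HTTPS exposure of "orders"
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: orders-gateway
  namespace: demo
spec:
  selector:
    istio: ingressgateway          # label of the default ingress gateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - orders.example.com
    tls:
      httpsRedirect: true          # never serve the API in clear text
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - orders.example.com
    tls:
      mode: SIMPLE                 # terminate TLS at the gateway
      credentialName: orders-tls   # assumed secret holding cert + key
      minProtocolVersion: TLSV1_2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders-ingress
  namespace: demo
spec:
  hosts:
  - orders.example.com
  gateways:
  - orders-gateway
  http:
  # Only the published API prefix is routed; any other path gets a 404 from the
  # gateway and never reaches the backend
  - match:
    - uri:
        prefix: /api/orders
    route:
    - destination:
        host: orders.demo.svc.cluster.local
        port:
          number: 8080
```

The mTLS between the gateway and the backend sidecar is still handled by the mesh, so terminating the client's TLS at the gateway does not leave the internal hop in clear text.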
External Services
Services outside the mesh can be managed through external service management: the protocol, address and endpoints of the service can be configured, and labels can be set on the different endpoints of the service.
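The open-source Istio equivalent of registering an external service with labelled endpoints, as an added example that is not from this article or from the product. The hostname `billing.legacy.internal`, the two IP addresses, the `site` labels and the "demo" namespace are constructed for illustration.

```yaml
# Added example (not from the page or the product): external service with labelled
# endpoints, plus a rule that pins mesh traffic to one of them
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: legacy-billing
  namespace: demo
spec:
  hosts:
  - billing.legacy.internal        # name that clients inside the mesh use
  location: MESH_EXTERNAL
  resolution: STATIC
  ports:
  - number: 8443
    name: https
    protocol: HTTPS
  endpoints:
  - address: 10.10.0.11            # constructed address
    labels:
      site: dc1
  - address: 10.10.0.12            # constructed address
    labels:
      site: dc2
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: legacy-billing
  namespace: demo
spec:
  host: billing.legacy.internal
  subsets:
  - name: dc1
    labels:
      site: dc1
  - name: dc2
    labels:
      site: dc2
---
# The service speaks TLS end to end, so routing matches on SNI rather than HTTP
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: legacy-billing
  namespace: demo
spec:
  hosts:
  - billing.legacy.internal
  tls:
  - match:
    - port: 8443
      sniHosts:
      - billing.legacy.internal
    route:
    - destination:
        host: billing.legacy.internal
        subset: dc1
```

Registering external services explicitly pays off when the mesh's outbound traffic policy is set to `REGISTRY_ONLY`: sidecars can then reach only hosts that have a ServiceEntry, which turns the registration list into an allow-list of the egress the applications are permitted.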
Service Topology
Combined with Prometheus + Kiali, the topology of the entire call chain can be displayed, including the called services, their versions and other information.
Mesh Management
- Cluster management
An existing K8s cluster can be added by simply connecting it. After it has been added, a service mesh can be deployed into that cluster through the create-mesh capability in mesh management. Here you can configure the gateway, high availability of the Istiod control plane, the sidecar resources of the services in the cluster (which can also be configured individually), whether to enable access logs, and so on.
- Mesh configuration management
After creating a service mesh, you need to manage and configure it. In the advanced options you can see common configuration items such as gateway high availability, control plane high availability, gateway resources, control plane resources, service access restrictions and observability.
In addition, the service mesh can be connected to a registry. Here we support connecting the common Nacos, Eureka, ZooKeeper and Consul registries to the service mesh.
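The same kinds of options the cluster management and mesh configuration sections describe (control plane and gateway high availability, resources, default sidecar resources, access logs, outbound restrictions), as an added example written as an open-source Istio `IstioOperator` resource that is not from this article or from the product console. The replica counts, resource sizes and the `istio-system` namespace are assumptions.

```yaml
# Added example (not from the page or the product): mesh-level settings in IstioOperator
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: mesh-ha
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    accessLogFile: /dev/stdout           # enable sidecar access logs
    accessLogEncoding: JSON
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY                # sidecars reach only registered services
  components:
    pilot:                               # istiod control plane high availability
      k8s:
        replicaCount: 2
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
    ingressGateways:
    - name: istio-ingressgateway         # gateway high availability and resources
      enabled: true
      k8s:
        replicaCount: 2
        hpaSpec:
          minReplicas: 2
          maxReplicas: 5
        resources:
          requests:
            cpu: 500m
            memory: 512Mi
  values:
    global:
      proxy:                             # default sidecar resources for every injected pod
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: "1"
            memory: 512Mi
```

A single service that needs more than the default can override the sidecar resources on its own pods with the `sidecar.istio.io/proxyCPU` and `sidecar.istio.io/proxyMemory` annotations, which is the open-source counterpart of configuring a service's sidecar separately in the console.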
- Multi-cluster management
A single cluster meets the needs of most users, but for disaster tolerance the management of, and interoperability between, multiple clusters are also very important. The multi-cluster capability of the service mesh is also supported in the community version, but the configuration is complicated. Our product provides one-click management of multiple clusters: through the multi-cluster configuration and manage-clusters capability, interoperability and governance of applications across multiple clusters are easily achieved.
Deployment and Delivery
We support delivery through Alibaba Cloud Hybrid Cloud Enterprise Edition and CNStack, and we also support standalone deployment and delivery. Only one K8s cluster is required to quickly and easily bring up the proprietary cloud service mesh and experience its productized capabilities.