How to Re-Architect without Breaking Stuff (too much) Owen Garrett March 2018

Similar documents
NGINX: From North/South to East/West

Delivering Microservices Securely and at Scale with NGINX in Red Hat OpenShift. November, 2017

ENHANCE APPLICATION SCALABILITY AND AVAILABILITY WITH NGINX PLUS AND THE DIAMANTI BARE-METAL KUBERNETES PLATFORM

Kubernetes Ingress Virtual Service Configuration

Kuber-what?! Learn about Kubernetes

Continuous delivery while migrating to Kubernetes

Note: Currently (December 3, 2017), the new managed Kubernetes service on Azure (AKS) does not yet support Windows agents.

Zero to Microservices in 5 minutes using Docker Containers. Mathew Lodge Weaveworks

Efficiently exposing apps on Kubernetes at scale. Rasheed Amir, Stakater

Kubernetes Ingress Virtual Service Configuration

A Comparision of Service Mesh Options

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

BUILDING MICROSERVICES ON AZURE. ~ Vaibhav

Service Mesh and Microservices Networking

Dynamic App Services in Containerized Environments

Deployment Strategies on Kubernetes. By Etienne Tremel Software engineer at Container February 13th, 2017

Knative: Building serverless platforms on top of Kubernetes

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Managing your microservices with Kubernetes and Istio. Craig Box

10 Kube Commandments

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Kubernetes deep dive

Kubernetes. Introduction

Services and Networking

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Advanced Continuous Delivery Strategies for Containerized Applications Using DC/OS

Microsoft Exchange Server 2013 and 2016 Deployment

NSX Data Center Load Balancing and VPN Services

This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and

Application Centric Microservices Ken Owens, CTO Cisco Intercloud Services. Redhat Summit 2015

Container in Production : Openshift 구축사례로 이해하는 PaaS. Jongjin Lim Specialist Solution Architect, AppDev

MSB to Support for Carrier Grade ONAP Microservice Architecture. Huabing Zhao, PTL of MSB Project, ZTE

From development to production

NGINX in a serverless world. How to keep control while moving to the cloud - Oliver Gutperl

F5 BIG-IP Access Policy Manager: SAML IDP

TIBCO Cloud Integration Security Overview

Kubernetes on Openstack

Service Mesh with Istio on Kubernetes. Dmitry Burlea Software FlixCharter

Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

Think Small to Scale Big

The four forces of Cloud Native

To Kill a Monolith: Slaying the Demons of a Monolith with Node.js Microservices on CloudFoundry. Tony Erwin,

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Apica ZebraTester. Advanced Load Testing Tool and Cloud Platform

Deploying and Operating Cloud Native.NET apps

Qualys Cloud Platform

Microservice Powered Orchestration

Enabling Multi-Cloud with Istio Stretching an Istio service mesh between Public & Private Clouds. John Joyce Robert Li

A10 HARMONY CONTROLLER

gcp / gke / k8s microservices

CONTINUOUS DELIVERY WITH DC/OS AND JENKINS

Ingress Kubernetes Tutorial

Sunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS Mesosphere, Inc. All Rights Reserved.

OPENSHIFT 3.7 and beyond

Wolfram Richter Red Hat. OpenShift Container Netzwerk aus Sicht der Workload

Containers & Microservices For Realists. Karthik

Kuberiter White Paper. Kubernetes. Cloud Provider Comparison Chart. Lawrence Manickam Kuberiter Inc

Accenture Cloud Platform Serverless Journey

DevOps Tooling from AWS

The Long Road from Capistrano to Kubernetes

AWS Reference Design Document

Microservice Bus Tutorial. Huabing Zhao, PTL of MSB Project, ZTE

Nevin Dong 董乃文 Principle Technical Evangelist Microsoft Cooperation

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

Logging, Monitoring, and Alerting

Using AWS to Build a Large Scale Dockerized Microservices Architecture. Dr. Oliver Wahlen moovel Group GmbH Frankfurt, 30.

70-532: Developing Microsoft Azure Solutions

How to Leverage Containers to Bolster Security and Performance While Moving to Google Cloud

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

Creating a Hybrid Gateway for API Traffic. Ed Julson API Platform Product Marketing TIBCO Software

Deploying and Operating Cloud Native.NET apps

Learn. Connect. Explore.

Docker and Oracle Everything You Wanted To Know

DevOps Course Content

SERVERLESS APL. For now this is just research in Cloud technologies in SimCorp A/S.

Wrapp. Powered by AWS EC2 Container Service. Jude D Souza Solutions Wrapp Phone:

Orchestration: Accelerate Deployments and Reduce Operational Risk. Nathan Pearce, Product Development SA Programmability & Orchestration Team

Industry-leading Application PaaS Platform

FAST, FLEXIBLE, RELIABLE SEAMLESSLY ROUTING AND SECURING BILLIONS OF REQUESTS PER MONTH

AWS Integration Guide

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

Container-Native Applications

SCALE AND SECURE MOBILE / IOT MQTT TRAFFIC

Implementing Container Application Platforms with Cisco ACI

WHITEPAPER AMAZON ELB: Your Master Key to a Secure, Cost-Efficient and Scalable Cloud.

RECap: RunEscape Capsule for On-demand Managed Service Delivery in the Cloud

Cloud Native Security. OpenShift Commons Briefing

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

Which compute option is designed for the above scenario? A. OpenWhisk B. Containers C. Virtual Servers D. Cloud Foundry

OpenShift on Public & Private Clouds: AWS, Azure, Google, OpenStack

IBM Watson Content Hub. Architecture Overview

Istio. A modern service mesh. Louis Ryan Principal

São Paulo. August,

Enabling Cloud Adoption. Addressing the challenges of multi-cloud

RED HAT OPENSHIFT A FOUNDATION FOR SUCCESSFUL DIGITAL TRANSFORMATION

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Secure Kubernetes Container Workloads

Clover Overview: Gambia release. April 16, 2018

Transcription:

How to Re-Architect without Breaking Stuff (too much) Owen Garrett March 2018 owen@nginx.com

All problems in computer science can be solved by another layer of indirection --- David Wheeler, FRS

This giant piece of software that made our company successful... is now a problem.

The transition to a Modern Application Architecture From Monolith... A giant piece of software Silo ed teams (Dev, Test, Ops) Big-bang releases Persistent deployments Fixed, static Infrastructure Complex protocols (HTML, SOAP)... to Microservices Small, loosely connected Services DevOps Culture Continuous delivery VMs, Containers, Functions Infrastructure as code Lightweight, Programmable (REST, JSON)

Disruption is happening at the speed of software

NGINX as a Shock Absorber App (static cluster) Internet App B (static cluster) Other web and application services

NGINX as an Insulator App (static cluster) Internet App B (static cluster) Other web and application services

The busiest sites in the world use NGINX open source 60% 50% 40% 30% 20% 10% 0% 06/2012 12/2012 06/2013 12/2013 06/2014 12/2014 06/2015 12/2015 06/2016 12/2016 06/2017 12/2017

Four steps to non-disruptive rearchitecting

Be a hero make changes all while keeping the lights on!

Change the tyres while the car is moving

Roadmap to rearchitecting 1. Plan 2. Prepare 3. Package 4. Proceed

1. Your global architecture will be fluid Application Datacenter Load Balancer Per-Application Load Balancer Per-Service Load Balancer On-Prem Datacenter Distribute traffic using DNS and redirects Funnel traffic through concentrators Distribute these stateless concentrators Cloud Platform Load Balancer Per-Application Load Balancer Per-Service Load Balancer Cloud Datacenter

Plan your global architecture for change Plan how you route traffic to the correct datacenter: 1. Segment with DNS 2. Use External Redirects Clients connect directly to the location of the service they are using Use the proxy to push out redirects 3. Route traffic internally 4. Use X-Accel-Redirect All traffic is handled through the same NGINX cluster, and internally routed to cloud

Get started with X-Accel-Redirect A more sophisticated alternative to a simple proxy_pass GET /resource GET /resource X-Accel-Redirect Request goes to local server Local server internally redirects to remote server GET /resource Ideal for moving content to cloud storage or serverless, while retaining NGINX-based authentication and logging. Client can never access remote server directly.

2. Prepare to execute the change Remove or streamline dependencies outside the core devops pipeline Hardware replace External business or technical processes Don t underestimate the strength of we ve always done it this way

Example Hardware Replace

Example Hardware Replace Datacenter Load Balancer Application-specific Proxy

Example Hardware Replace with NGINX Cost savings Save more than 80% and run on commodity hardware Modernize Get the flexibility to move to the cloud, microservices, Devops, and more No limits No artificial bandwidth or throughput caps to slow you down

3. Package your Applications Package as VMs or Containers; full-stack CI & CD should be your goal

Agile Methodology AGILE DEVELOPMENT code deploy CONTINUOUS INTEGRATION build DEV plan release OPS operate CONTINUOUS DELIVERY test monitor CONTINUOUS TESTING

Automation Tools code deploy plan Bazel Buck build DEV release OPS operate test monitor Bamboo

4. Proceed to operate the deployment Internet

4. Proceed to operate the deployment Internet Blue-green Deployments Split Clients / A B testing Auto-Scaling Canary Releases Health Checks and Slow Start

Split Clients configuration http { upstream blue_servers { server 10.0.0.100:3001; server 10.0.0.101:3001; } upstream green_servers { server 10.0.0.104:6002; server 10.0.0.105:6002; } Split traffic to multiple servers based on, for example, source IP address Just one example of the many ways to route traffic in NGINX: By user cookie or authentication token By source geography } split_clients "${remote_addr}" $appversion { 5% green_servers; * blue_servers; } server { listen 80; location / { proxy_pass http://$appversion; } } Forms the basis of blue-green deployments Monitor NGINX access logs or extended status to measure health of new, green server

Service Discovery with Consul https://github.com/nginxinc/nginx- Demos/tree/master/consul-template-demo NGINX open source can be configured using an agent that is triggered by changes to the service database resolver consul:53 valid=10s; upstream service1 { zone service1 64k; server service1.service.consul service=http resolve; } NGINX Plus will look up consul in /etc/hosts/ file if using links or using Docker embedded DNS server. By default Consul uses this format for services: [tag.]<service>.service[.d atacenter].<domain>

Active Health Checks upstream my_upstream { zone my_upstream 64k; server server1.example.com slow_start=30s; } server { #... location /health { internal; health_check interval=5s uri=/test.php match=statusok mandatory; d proxy_set_header HOST www.example.com; proxy_pass http://my_upstream; } } match statusok { # Used for /test.php health check status 200; header Content-Type = text/html; body ~ "Server[0-9]+ is alive"; } NGINX open source passively detects application failures NGINX Plus provides Active Health Checks Polls /URI every 5 seconds If response is not 200, server marked as failed If response body does not contain ServerN is alive, server marked as failed Recovered/new servers will slowly ramp up traffic over 30 seconds

Move to Microservices As we moved to microservices we realized that we needed a much smarter way of routing pages to our applications. The big benefits of NGINX Plus were firstly the support, the DNS configuration which allowed us to use sophisticated services in AWS, and the metrics told us which servers were failing. - John Cleveley, Senior Engineering Manager

Two proven microservices delivery patterns

1. Managing north-south traffic with an Ingress Controller

Starting from your Monolith

1. Containerise your Monolith Load Balancer

2. Decompose your Monolith Photo Uploader Load Balancer Photo Resizer User Data Content Service Orders

3. Rearchitect your Monolith User Manager Photo Uploader Load Balancer Auth Proxy Pages Photo Resizer Content Service Album Manager

Deploy on, for example, Kubernetes K8s API Server Auth Proxy Content Service Photo Uploader User Manager

Kubernetes Ingress Resource 1. apiversion: extensions/v1beta1 2. kind: Ingress 3. metadata: 4. name: hello-ingress 5. spec: 6. tls: 7. - hosts: 8. - hello.example.com 9. secretname: hello-secret 10. rules: 11. - host: hello.example.com 12. http: 13. paths: 14. - path: / 15. backend: 16. servicename: hello-svc 17. serviceport: 80 Ingress: Built-in Kubernetes resource Automates configuration for an edge load balancer (or ADC) Ingress features: L7 routing based on the host header and URL TLS termination

Application Delivery on Kubernetes Subscribe to Ingress Resources K8s API Server Ingress Controller Auth Proxy Content Service Photo Uploader User Manager

Limitations of the Kubernetes Ingress Resource 1. kind: Ingress 2. metadata: 3. name: hello-ingress 4. spec: 5. tls: 6. - hosts: 7. - hello.example.com 8. secretname: hello-secret 9. rules: 10. - host: hello.example.com 11. http: 12. paths: 13. - path: / 14. backend: 15. servicename: hello-svc 16. serviceport: 80 Only does: Routing on the host header and URL TLS termination What about: Session persistence JWT validation Rewriting the URL of a request Enabling HTTP/2 Choosing a load balancing method Changing the SSL parameters

Extending the Kubernetes Ingress Resource Annotations Vendor-specific configuration settings 1. apiversion: extensions/v1beta1 2. kind: Ingress 3. metadata: 4. name: hello-ingress 5. annotations: 6. nginx.org/lb-method: "ip_hash" Configuration Snippets Embed NGINX configuration directives directly into config contexts 1. apiversion: extensions/v1beta1 2. kind: Ingress 3. metadata: 4. name: hello-ingress 5. annotations: 6. nginx.org/location-snippets: 7. proxy_set_header X-Custom-Header-1 foo; 8. proxy_set_header X-Custom-Header-2 bar; or Edit Ingress Controller template directly

Ingress Controller: where to find out more GitHub: https://github.com/nginxinc/kubernetes-ingress NGINX Documentation: https://www.nginx.com/blog/introducing-nginx-kubernetesingress-controller/ NGINX offers a fully-supported Ingress Controller implementation based on NGINX Plus and the Open Source IC Detailed metrics Faster, more reliable reloads Full support

2. Managing east-west traffic with an internal router

Limitations of the Ingress Controller alone User Manager Photo Uploader Auth Proxy Pages Photo Resizer Ingress Controller Content Service Album Manager

Introducing the Router Mesh model Pages User Manager Photo Uploader Ingress Controller Router Mesh Photo Resizer Auth Proxy Content Service Album Manager

Router Mesh relies on Service Discovery Required when: New Services are added Instances of existing services are added Proxies are configured using triggers: Ansible Roles Consul templates A B C... DNS?

Router Mesh relies on Service Discovery Required when: New Services are added Instances of existing services are added Proxies are configured using triggers Ansible Roles Consul templates resolver consul:53 valid=10s; NGINX Plus uses DNS Vanilla DNS server Consul, kube-dns, Mesos-dns upstream service1 { zone service1 64k; server service1.service.consul service=http resolve; }

Router Mesh provides internal Load Balancing Provides: Scalability High-Availability Circuit-breaker pattern A A B B C D D D D

Router Mesh provides internal Load Balancing Provides: Scalability High-Availability Circuit-breaker pattern NGINX Plus adds: Application-level health checks Slow-start on new server Extended Status telemetry

Roadmap to rearchitecting Plan Prepare Package Proceed for parallelism for the process of change positioning yourself for CI/CD agility using a proxy to orchestrate and insulate changes Solutions: NGINX Ingress Controller, internal Router Mesh

Non-disruptive Microservices Adoption Roadmap C C C C C C C C C C C C Router Router C C C C Ingress Controller C C C C Ingress Controller C C C C Ingress Controller C C C C Kubernetes Simple Ingress Controller Kubernetes Ingress Controller with Router Mesh Router C C C C Kubernetes Scaling to Multiple Apps

All problems in computer science can be solved by another layer of indirection --- David Wheeler, FRS

All problems in computer science can be solved by another layer of indirection...except too many levels of indirection --- David Wheeler, FRS

Very complex application-delivery pipelines Network Firewall Load Balancer SSL Reverse Proxy Web Application Firewall Web Cache Authentication Gateway Load Balancer Application

NGINX Plus minimizes the amount of indirection Network Firewall Load Balancer SSL Reverse Proxy Web Application Firewall Web Cache Authentication Gateway Load Balancer Application NGINX Plus with: ModSecurity Web Application Firewall OAuth2 and JWT validation Third-party Certified Authentication Modules

Where to next? You can get NGINX from nginx.org, your OS vendor or favourite PPA Find us on floor 3, near the keynote theatre Interested in getting more from NGINX: NGINX Plus developer subscription Thank you!

Thank you owen@nginx.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback