Istio As An API Gateway Discussion Flow ● What is an API Gateway? ● What is a Service Mesh? ● Common Features ● API Gateway + Service Mesh together! ● Istio as the API Gateway ● Advantages ● ● Challenges ● Where It Isn’t a Good Fit? What is an API Gateway? What is a Service Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication Logging, Monitoring, Tracing API Gateway + Service Mesh together! Limitations of This Approach ● Maintaining Two Tools ● Maintaining Two Expert Pools Istio as the API Gateway Advantages Advantages

Creating API Tests Low Effort API Testing for Microservices | CONFIDENTIAL • What has changed? – Migration to microservices triggering need for extensive API tests • Problem: – Creating API tests • What is our solution? – Leverage Istio sidecar to listen to API traffic data and create tests from the data – 10x speed in creating API tests • Can also be sped up by just navigating the application Significantly reduced time and cost for API testing for microservices architectures with Istio – Fewer failures higher up the test pyramid as a result of improved API tests • Istio benefits – Venky / Prasad

服务等各种环境和不同的K8S版本 5 集群 服务网格实践进展5/25 Istio Community 服务网格实践进展6/25 Knative FAAS实践进展7/25 Faas(函数即服务)基础设施 FAAS实践进展8/25 Istio 的价值和问题 /02 酷家乐在使用 Istio 作为服务网格解决方案时的相关实践和经验9/25 隔离中间件 Istio 的价值和问题10/25 兼容新旧调用链体系 Istio 的价值和问题13/25 灰度发布 Istio 的价值和问题14/25 性能损耗 Istio 的价值和问题 每 pod 多占用内存 20 MB -8 毫秒 测试 API 平均响应时 间变化量 吞吐量提升 5 %15/25 Pilot、Mixer 性能瓶颈 Istio 的价值和问题16/25 总结 Istio 的价值和问题 • 已经可以稳定用在生产环境

用集群管理器的postThreadLocalClusterUpdate方法 • 5. 此方法将延迟调用所有线程内ThreadLocalClusterManagerImpl slot的回调函数 • 6. 此函数内将保存新clusterEntry对象的引用。 • 7. 下一轮请求解析时将从头TLS中获取到更新后的集群可用状态。 Copyright © Huawei Technologies Co ttp_connection_manager网络过滤器。 • http_connection_manager使用http codec解码http协议header/body/tailer等并触发回调函数。 • http header/body处理回调中将调用L7层HTTP过滤器处理（可修改http原始请求等）最后调用Router过滤器。 • Router过滤器负责根据配置中路由部分及请求内url等进行匹配并找到目标cluster。

Istio control plane along with a set of TCP services that it exposes. One of which is the “/debug” API hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication remote: multi-cluster remote control plane setup • default: default settings of the IstioOperator API • demo: enables a variety of extra features • empty: provides a template • minimal: minimal config names- pace. If, in the future, a privilege escalation vector is identified for any of the Kubernetes API Groups, escape from a specific namespace is possible. Description Istio documentation in the above

1 Istiod Cluster 2 API server API server Ingress Ingress Service A Service B Service B Mirror Simplified Istio Multicluster Model #IstioCon Istiod Cluster API server Gateway Service #IstioCon Istio Standardize APIs Adopt Kubernetes service API Protocol declaration in Kubernetes service descriptor Transform informal API to formal API External authz #IstioCon analyze describe bug-report

(Service) POD Workload (Service) POD Workload (Service) VM Workload (Service) VM Workload (Service) VM API Gateway Ingress & Egress Mesh can include VMs ● Multi tenancy ● Traffic shaping and canary controls reporting ● Service discovery across multiple clusters ● Fine-grained ingress & egress controls ● API GW is part of the mesh ● Workflows for collaborative agility More About Multi Cluster ● Multi tenancy zero dependency WebAssembly runtime written in Go. ● Contribute to Go/TinyGo/Rust ● Using WasmPlugin API to extend Istio ● GitHub: tetratelabs/wazero Istio Security Scanner ● Make Istio Security Best Practices

svcB svcA Rules API Pilot 80% Istio 灰度发布：基于请求内容 Version2 Envoy SVC Envoy SVC Pod1 Pod2 Pod3 Envoy SVC Pod1 Pod2 Version1(canary) group=dev svcB svcA Rules API Pilot apiVersion: 在Google：microservices become API Apigee API Management complements Istio with the robust features of Google Cloud's Apigee API management platform, Apigee Edge, by extending API management natively into

: Istio Mixer authz adapt Implement role-based authorization – whether this user can access this api based on its role => Version 2: Envoyfilter ext_authz #IstioCon Wise Platform #IstioCon Wise Excellent Observability - Access logs Log Files Parse Istio-proxy Log • Each API Access Count • Each API Fail Rate • Each API Latency Easy to debug Easy to report Easy to alert Elastalert #IstioCon Istio-proxy log showed in kibana after parse #IstioCon Excellent Observability - Access logs API Error In last 30 days #IstioCon Thank you! WeChat: johnzhengaz Github: johnzheng1975

#IstioCon eBay Applications eBay is powered by ● More than 5,000 Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems in AZ K8s Cluster K8s Cluster #IstioCon Step 2: Replace Hardware LBs with Software K8s API Server NLB Controllers Istiod Network Load Balancer (NLB) Network Load Balancer (NLB) Ingress within an AZ AZ AZ Cluster Ingress Gateways API Server Istiod East-West Gateway watch API Server Pods, Services Workload Cluster API Server Pods, Services Workload Cluster watch