Istio Security Assessment
discovery. • Istio Ingress/Egress: Networking controls allowing inbound and outbound access of Istio services. • Istio Envoy Usage: The configuration and implementation of Envoy within Istio (NOTE: Envoy assessment). • Istio Control Plane: Istio operator, sidecar injector, and other Istio control plane services • Istio Documentation: The documentation and security guides hosted on istio.io. NCC Group started either by the controlPlaneSecurity configuration directive or other means. This left all default services exposed within the cluster. • The default istio profile that is labeled for production lacks
0 码力 | 51 pages | 849.66 KB | 1 year ago
宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Land a Service Mesh in the Enterprise
same application. ● Tier-2 Gateways sit at the cluster edge and route traffic to the mesh-managed services inside the cluster. Two-tier Gateway Traffic Flow Cloud Vendor Gateway Consolidation TSB Egress Mesh include VMs Before using service mesh: 100+ Kubernetes clusters ● VM integration ● On-prem, AWS, Azure, GCP, OpenShift ● 10000+ core business apps ● Plan to move to public cloud in 18 months ●
0 码力 | 30 pages | 4.79 MB | 6 months ago
Kubernetes Container Applications: Canary Release Practice Based on Istio
proxy svc proxy svc Logging Backend Quota Backend Auth Backend Metric Backend Prometheus AWS New Relic Huawei-APM apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestduration ... can then use Istio's service governance features. Istio on Huawei Cloud: canary release workflow Y N Y N Istio on Huawei Cloud: canary release Istio & Kubernetes at Google Cloud Services Platform: bringing the best of the cloud to you Copyright©2018 Huawei Technologies Co., Ltd. All
0 码力 | 38 pages | 14.93 MB | 1 year ago
Kubernetes Container Applications: Canary Release Practice Based on Istio
proxy svc proxy svc Logging Backend Quota Backend Auth Backend Metric Backend Prometheus AWS New Relic Huawei-APM apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestduration ... can then use Istio's service governance features. Istio on Huawei Cloud: canary release workflow Y N Y N Istio on Huawei Cloud: canary release Istio & Kubernetes at Google Cloud Services Platform: bringing the best of the cloud to you Copyright©2018 Huawei Technologies Co., Ltd
0 码力 | 34 pages | 2.64 MB | 6 months ago
Developing & Debugging WebAssembly Filters
Deploy Debug Debug in Production Cluster 1 Account User Cluster 2 Istiod Orders User AWS EKS Istiod Orders User Account Ingress Ingress Ingress Gloo Mesh Management Plane SRE
0 码力 | 22 pages | 2.22 MB | 1 year ago
Istio is a long wild river: how to navigate it safely
First release in production Feb 2021 ~25% production services ~50% development services migrated to Istio End of 2021 100% services migrated to Istio Features currently used: ● HTTP/2 Stabilizing Istio The reality: ● The control plane is burning down when pushing your thousand services updates to the hundreds of proxies running ● Proxies are OOM Killed every X minutes since they Istiod average CPU usage The Sidecar CRD to save the mesh Stabilizing Istio Main drawback Services must know their dependencies, document and update them. If this wasn't the case before, Istio
0 码力 | 69 pages | 1.58 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
Jianfei Hu, Google Cloud Next '19 #IstioCon Why Add VMs to the Mesh? ● = Why Service Mesh? ○ More services = more complexity ○ Need consistent policy enforcement ○ Need consistent metrics aggregation ● Traffic management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability #IstioCon Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift and shift ● Packaged software ○ Non-Linux
0 码力 | 50 pages | 2.19 MB | 1 year ago
Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
#rollbacks, MTTR, #bugs-in-production, Reduced eng effort for testing, velocity) – Early testing of service components auto-generated from end-to-end tests – Significantly reduced time and cost for API testing Testing E2E API Tests Engineering effort grows superlinearly as #APIs grow Customer services Order services Catalog Customer history … Order details Payments Audit Search Suggest … Order service in isolation. All producer services are mocked. Terminology Component testing Test a set of services as a single sub-system while isolating them from other services, for example payment processing
0 码力 | 21 pages | 1.09 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
#IstioCon eBay Applications eBay is powered by ● More than 5,000 Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & an AZ ○ Each K8s cluster ~ 200 - 5,000 nodes ○ Up to 100,000 Pods in a cluster ○ 10,000+ K8s services - including prod, pre-prod, staging, etc. ● Applications deployment for HA ○ In all regions Hosts global services - Global IPAM, Access-control Policy store, etc. ● AZ Control Plane ○ Syncs specs to workload K8s clusters in the AZ ○ Shared-Nothing Architecture ■ Hosts services catering to
0 码力 | 22 pages | 505.96 KB | 1 year ago
Secure your microservices with istio step by step
in mesh traffic ● Summary #IstioCon Istio Architecture Connect, secure, control, and observe services. #IstioCon Security Architecture #IstioCon Bookinfo architecture without service mesh ● Reviews-v1 calls ratings, black stars ● Reviews-v3 ○ calls ratings, red stars Initializing services 1) Deploy bookinfo services with istio sidecar without reviews-v2 2) Deploy bookinfo gateway 3) Deploy reviews-v2 kubectl label namespace default istio-injection=disabled/enabled
0 码力 | 34 pages | 67.93 MB | 1 year ago
25 results in total