在一个集中点对外部访问进行控制） • Service discovery • Load balancing • Time out • Retries • Circuit breaker • Routing • Auth • Telemetry collecting 外部流量出口 外部流量入口 Pilot 2 Istio 流量管理 – 控制面 两类数据： q 服务数据（Mesh 中有哪些服务？缺省路由） } ] } ], } Envoy Filter AwesomeRPC Filter • Decoding/encoding • Parsing header • Routing • Load balancing • Circuit breaker • Fault injection • Telemetry collecting Reviews v1 Reviews v2 代码中维护众多七层协议的代价较大 12 Istio 协议扩展：常见七层协议的路由 Protocol Destination service Parameters could be used for routing HTTP 1.1 host host, path，method headers HTTP 2 pseudo header: authority pseudo header: authority

microservices ● Majority of services written in Go #IstioCon Architecture Overview - Discovery and Routing ● Service Discovery and Configuration using Consul ● HTTP/TCP traffic via HAProxy ● gRPC blast radius ● Discover Pods for controlled and predictable routing/load balancing ● Improve performance and resilience ● Stricter zonal routing ● Capability for service authentication and authorisation Export metrics to central prometheus ● Outlier detection for better reliability ● Enable Zonal routing, zonal deployment and HPA ● Endpoint accessed by service via config #IstioCon Latency improvement

with updated ip routing rules Networking lifecycle (Istio CNI) Kubelet Start a pausing pod Kubelet invoke CNI plugins CNI plugins setup ip for pod Istio CNI install isidecar network routing rule to workload started in here and bypassing istio sidecar proxy(race condition) Istio CNI install sidecar network routing rule to workload iptable Issue in Istio CNI Kubelet Start a pausing pod Kubelet invoke CNI plugins started in here and bypassing istio sidecar proxy(race condition) Istio CNI install sidecar network routing rule to workload iptable Issue in Istio CNI Could happen in suddenly increased nodes and premptable

but this could not be reproduced. Description Istio VirtualServices define the sets of traffic routing rules to apply when a host is addressed. They support matching on various criteria including URI control plane client, per finding NCC-GOIST2005-022 on page 36 — would be able to obtain sensitive routing metadata for Gateways and possibly other resources declared in other namespaces. However, due to information about the Cluster such as pods, services, IPs as well as specific Istio configurations such as routing policies, networking rules, and the configuration of the Istio sidecar injected into each workload

Application-Tier LBs ● Web-Tier LB to control - ○ Percentage of traffic sent to an AZ, region, etc. ○ L7 routing ○ Hardware Firewalls (not shown) in front of Application-Tier LBs ● Client connects to closest ● Service Mesh ○ An architectural pattern to implement common Security, Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Security Current Status #IstioCon Step 1: Access Point Spec ● Capture Traffic Management & Routing intent as “Access Point” Specs ○ Leverage Istio object model: Gateway, VirtualService, DestinationRules

Observability) #IstioCon What Do We Expect From a Service Mesh? 为了将基础设施的运维管理从应用代码中剥离，我们需要七层的流量管 理能力： ● Routing based on layer-7 header ○ Load balancing at requet level ○ HTTP host/header/url/method, ○ Thrift mentioned on the previous slide Traffic Management for non-HTTP/gRPC - only layer-3 to layer-6 ● Routing based on headers under layer-7 ○ IP address ○ TCP Port ○ SNI ● Observability - only TCP metrics VirtualService API ● Generate LDS/RDS for Envoy Filter AwesomeRPC Filter ● Decoding/Encoding ● Routing ● Load balancing ● Circuit breaker ● Fault injection ● Stats ● ... Pros: ● It’s relatively easy

Gateway? What is a Service Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Traffic Splitting ● Canary Deployment ● Traffic Mirroring

management at scale What Do You Get From Istio? Traffic Management Powerful Layer 7 (HTTP/2) routing 8 ©2021 Aspen Mesh. All rights reserved. Architecture Options 9 ©2021 Aspen Mesh. All rights