IstioCon 2021

Aspen Mesh to Sponsor IstioCon 2021

Aspen Mesh is excited to join the Istio community as a Platinum sponsor of the very first conference dedicated to Istio: IstioCon 2021.

IstioCon is a new, community-led event showcasing the lessons learned from running Istio in production, hands-on experiences from the Istio community, and featuring maintainers from across the Istio ecosystem.  

The conference will offer a mix of keynotes, technical talks, lightning talks, workshops and roadmap sessions. 

We're excited for this new Istio community event and we hope you can join us. You'll find several Aspen Meshers scheduled to give presentations, so be sure to stop by:

  • "Using Istio to Build the Next Generation 5G Platform" with Neeraj Poddar (Aspen Mesh) and David Lenrow (Verizon)
  • "Simple Certificate Management (Pilot-Agent Environmental Variables)" with Jacob Delgado (Aspen Mesh)
  • "Istio Project Roadmap" with Neeraj Poddar (Aspen Mesh) and Louis Ryan (Google)
  • "Istio Product Security Working Group - What It Is and Why It's Important" with Jacob Delgado (Aspen Mesh) and Brian Avery (Red Hat)

Find more information about IstioCon here. 




How Service Mesh Helps Application Management

Manage Microservices More Efficiently

Microservice-based applications come with serious upside, but keeping track of every single service is a challenge, especially for platform teams that can't narrow their view to a single microservice. If you’re operating or developing in a microservices architecture, there’s a good chance part of your day is spent wondering what your services are up to. It's frustrating to move from service to service and have to relearn everything: how it's configured, what telemetry you'll have, how it manages certs and keys.

With the adoption of microservices, problems also emerge from the sheer number of services in a large system. In a monolith, concerns like security, load balancing, monitoring and rate limiting had to be solved once; with microservices, each of them has to be handled for every service.

The good news though? A service mesh helps address many of these challenges so engineering teams – and businesses – can deliver applications more quickly and securely.

 

Take Your Digital Transformation Further

There are many things to think about as companies embrace digital transformation by migrating from legacy or monolithic systems to microservices. Starting with, well, microservices. It’s easy to understand why microservice-based applications are becoming more and more common. Through microservice architectures, enterprises are seeing: 

  • Improved scalability
  • Increased development velocity
  • Easier debugging
  • Rapid alignment between development and user requirements 

As companies build or convert to more modern applications, they’re leveraging microservices to drive differentiation and market leadership. As a side effect, they realize that they are increasing complexity and decentralizing ownership and control. These new challenges require new solutions to effectively monitor, manage and control microservice-based applications at runtime.

Keep in mind that Kubernetes has become the de facto way for enterprises to orchestrate containers. Kubernetes is a superb tool for deploying, scheduling and running containerized applications, but its networking model is deliberately basic: it gives you connectivity between pods and services, not rich control over service-to-service communication.

That’s where service mesh comes in. A service mesh like Aspen Mesh adds observability, security and policy capabilities to Kubernetes. A service mesh helps to ensure resiliency and uptime – it provides solutions that enable engineering teams to more effectively monitor, control and secure the modern application at runtime. Companies are adopting service mesh as a way to enhance Kubernetes, as it provides a toolbox of features that address various microservices challenges that modern enterprises are facing.

 

Get the Most Out of Your Service Mesh

Fill out the form below to get the free eBook "Getting the Most Out of Your Service Mesh" to keep learning about what a service mesh can do to help, and how to get the most out of it.




3 Ways Service Mesh Helps DevOps

3 Ways Service Mesh Helps DevOps Teams

How exactly can a service mesh help DevOps teams? Our three co-founders were each recently interviewed on The New Stack Makers podcast, where each addressed how service mesh can help DevOps teams. Below are some key takeaways that we hope will be useful for your team.

1. Istio Boosts Engineering Efficiency 

In the first of this three-part podcast series, Neeraj Poddar, Aspen Mesh’s Chief Architect, and Dan Berg, Distinguished Engineer at IBM Cloud, discussed how the core capabilities of Istio can make engineering teams more efficient.

Microservices have provided new benefits for organizations, including better security and increased uptime, but on the flip side, there is also added infrastructure complexity. Service meshes like Istio have emerged as a way to provide better management of this complexity at scale. The core capabilities of the Istio service mesh—connection, security, control, and observability—help make engineering teams more efficient in many ways, and especially when it comes to running multicluster applications. “It’s a natural evolution to fit where we are today with cloud native applications based on containers,” Berg said. 

Providers like Aspen Mesh also play a role in helping DevOps teams take advantage of Istio’s traffic management, security, and general networking capabilities, said Berg. “Generally speaking, there are traffic management capabilities and things like that a developer would use, because you’re defining your routes and characteristics specific to your application, as well as the rollout of your deployment,” Berg said.

The future of Istio in terms of how it builds upon running multicluster applications on Kubernetes should include evolving to “talk to the language of applications,” Poddar said. “That’s where the real value will kick in and service mesh will still be a key player there, but it will be a part of an ecosystem where other pieces are also important and all of them are giving that information and we are correlating it,” Poddar said. “We’re still very early, as people are just getting used to understanding service meshes. So telling them that we need to coordinate all of this information in an automated way is scary — but we will get there.”

Listen to the podcast here.

 

2. The Importance of Knowing When You Need a Service Mesh 

In the second part of the series, Aspen Mesh’s CTO, Andrew Jenkins, and Tetrate’s Founding Engineer, Zack Butcher, talked about how service mesh is the gateway to cloud migration, and when you do—or don’t—need a service mesh.

A service mesh helps organizations migrate to cloud native environments by bridging the management gap between on-premises data center deployments and containerized cloud environments. Once implemented, a service mesh relieves much of the complexity of this process, and for many DevOps teams the switch to a cloud native environment and Kubernetes is hard to complete without one.

In a typical environment split between on-premises servers and multicloud deployments, a service mesh provides the “common substrate,” by enabling “communication of those components that need to communicate across these different environments,” Butcher said.

There are also some cases where a service mesh may not be needed for DevOps. “I don’t think it’s honest to say, ‘hey, everybody absolutely must use this new thing,’” Jenkins said. “There are actually problems where you don’t need Kubernetes and you may not need containers at all or if you look at serverless, for example.”

As organizations consider which technologies to adopt in order to meet their software development and deployment goals, there are many tools and solutions to choose from. Ultimately, organizations are turning to service meshes as an answer for “not just a deployment problem,” but as a way to “integrate all the pieces together” during a cloud native journey, explained Jenkins.

Listen to the podcast here.

 

3. Service Mesh Amplifies Business Value 

Shawn Wormke, Aspen Mesh VP and General Manager, and Tracy Miranda, CloudBees Director of Open Source Community, met with the TNS team to discuss how exactly a service mesh can amplify business value for organizations in the third and final installment of this three-part podcast series.

Service meshes are increasingly providing DevOps teams with new ways to gain observability into the events that cause application deployment and management problems. Ideally, a service mesh should also help DevOps teams determine who should take the appropriate actions.

“What we’ve seen with our customers is they want to move [the maintenance work] down underneath the application, and let the application owners really focus on business-value code,” said Wormke. “They also want to let the operations team that is the ‘Ops’ part of DevOps really work on providing them the tooling and the common infrastructure it takes to run those things in production in a large enterprise environment.”

Service meshes offer powerful capabilities that teams can take advantage of once they get past the learning curve. “We just need an easy way to get [service meshes] into folks’ hands and help them steer clear of the pitfalls so that they can get to all the real magic that you can start to do once you’ve got this orchestration and all these things connected,” said Miranda. “You can start to do pretty clever things.”

Listen to the podcast here.


What Are Companies Using Service Mesh For?

We recently worked with 451 Research to identify current trends in the service mesh space. Together, we identified some key service mesh trends and patterns around how companies are adopting service mesh, and emerging use cases that are driving that adoption. Factors driving adoption include how service mesh automates and bolsters security, and a recognition of service mesh observability capabilities to ease debugging and decrease Mean Time To Resolution (MTTR). Check out this video for more from 451 Research's Senior Analyst in Application and Infrastructure Performance, Nancy Gohring, on this topic:

Who’s Using Service Mesh 

According to data and insights gathered by 451 Research, service mesh already has significant momentum, even though it is a young technology. Results from the Voice of the Enterprise: DevOps, Workloads & Key Projects 2020 survey tell us that 16% of respondents had adopted service mesh across their entire IT organizations, and 20% had adopted service mesh at the team level. Outside of those numbers, 38% of respondents also reported that they are in trials or planning to use service mesh in the future. As Kubernetes dominates the microservices landscape, the need for a service mesh to manage layer 7 communication is becoming increasingly clear. 


In tandem with this growing adoption trend, the technology itself is expanding quickly. While the top driver of service mesh adoption continues to be supporting traffic management, service mesh provides many additional capabilities beyond controlling traffic. 451 found that the key new capabilities the technology provides include greatly enhanced security as well as increased observability into microservices.

Service Mesh and Security

Many organizations—particularly those in highly regulated industries such as healthcare and financial services—need to comply with very demanding security and regulatory requirements. A service mesh can be used to enforce or enhance important security and compliance policies more consistently, and across teams, at an organization-wide level. A service mesh can be used to:

  • Apply security policies to all traffic at ingress, and encrypt traffic between services with mutual TLS (mTLS)
  • Add zero-trust networking, where no caller is trusted merely because of the network it sits on
  • Govern certificate management so that every workload has a verifiable identity
  • Enforce the principle of least privilege with role-based access control (RBAC)
  • Manage policies consistently, regardless of protocols and runtimes
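As an added example (not from the page, and not Aspen Mesh's or Istio's own configuration), the Istio resources below express the last four bullets for one namespace: a PeerAuthentication that requires mTLS so every request carries a certificate-backed identity, a deny-by-default AuthorizationPolicy, and a least-privilege allow rule keyed on the caller's identity. The namespace `payments`, the workloads `checkout` and `ledger`, the service account `checkout` and the path `/v1/transfers` are assumed names for illustration.

```yaml
# Added example; assumed names: namespace "payments", workloads "checkout" and "ledger".
# 1. Require mTLS for every workload in the namespace so each request carries
#    a certificate-backed identity (the SPIFFE ID of the caller's service account,
#    issued and rotated by the mesh's certificate authority).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# 2. Deny by default. An ALLOW policy with no rules selects every workload in
#    the namespace and matches no request, so anything without an explicit
#    allow rule fails closed instead of open.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 3. Least privilege: only the checkout service account may reach ledger, and
#    only to POST /v1/transfers. Principals are taken from the client certificate,
#    which is why step 1 is a prerequisite for this rule to mean anything.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/transfers"]
```

Two points worth checking when you adopt this shape: if no AuthorizationPolicy selects a workload at all, Istio allows all traffic to it, so the empty deny-all policy is what turns the namespace into a fail-closed one; and a plaintext caller carries no principal, so under PERMISSIVE mode it would simply be denied by deny-all rather than silently granted access, which is the behaviour you want while migrating.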

These capabilities are particularly important for complex microservices deployments, and allow DevOps teams to ensure a strong security posture while running in production at global scale. 

Observability and Turning Your Data into Intelligence

In addition to helping enterprises improve their security posture, a service mesh also greatly improves observability through traces and metrics that allow operators to quickly find the root cause of failures and keep applications resilient. Enabling rapid resolution of performance problems lets DevOps teams reduce mean time to resolution (MTTR) and improve engineering efficiency.

The broader market trends around observability and advanced analytics with open source technologies are also key to the success of companies adopting service mesh. There are challenges around managing microservices environments, and teams need better ways of identifying the sources of performance issues in order to resolve problems faster and more efficiently. Complex microservices-based applications generate very large amounts of data. Many open source projects are addressing this by making it easier for users to collect data from these environments, and advancements in analytics tools are enabling users to extract the signal from the noise, quickly directing users to the source of performance problems. 

Overcoming this challenge is why we created Aspen Mesh Rapid Resolve. It lets users see every configuration or policy change made within their Kubernetes clusters, which is one of the most common causes of failures. The Rapid Resolve timeline view makes it simple for operators to look back in time and pinpoint the change that resulted in a performance degradation.


This enables Aspen Mesh users to identify root causes, report actions and apply corrective configuration all in one place. The Rapid Resolve suite offers new features including:

  • Restore: a smarter, machine-assisted way to effectively reduce the set of things an operator or developer has to look through to find the root cause of failure in their environment. Root causing in distributed architectures is hard. Aspen Mesh Restore immediately alerts engineers to any performance outside acceptable thresholds and makes it obvious where any configuration, application or infrastructure changes occurred that are likely to be breaking changes.
  • Replay: a one-stop shop for application troubleshooting and reducing time to recovery. Aspen Mesh Replay gives you the current and the past view of your cluster state, including microservices connectivity, traffic and service health, and relevant events like configuration changes and alerts along the way. This view is great for understanding and diagnosing cascading failures. You can easily roll back in time and detect where a failure started. It's also a good tool for sharing information in larger groups where you can track the health of your cluster visually over time.

The Future of Service Mesh

Companies strive for stability with agility, which allows them to meet the market and users where they are, and thrive even in an uncertain marketplace. According to 451 Research,

“Businesses are employing containers, Kubernetes and microservices as tools that allow them to more quickly respond to customer demands and competitive threats. However, these technologies introduce new and potentially significant management challenges. Advanced organizations have turned to service mesh to help solve some of these problems. Service mesh technology can remove infrastructure burdens from developers, enabling them to focus on creating valuable application features rather than managing the mechanics of microservices communications. But managing the communications layer isn’t the only benefit a service mesh brings to the table. Increasingly, users are recognizing the role service meshes can play in collecting and analyzing important observability data, as well as their ability to support security requirements.”

The adoption of containers, Kubernetes and service mesh is continuing to grow, and both security and observability will be key drivers that increase service mesh adoption in the coming years.

 



What’s a Service Mesh?

What is a service mesh? It’s an infrastructure layer that helps you manage the communication between your microservices.


Designed to handle a high volume of service-to-service communications using APIs, a service mesh ensures that communication among your containerized application services is fast, reliable and secure. 

A service mesh helps address many of the challenges that arise when your application is being consumed by your end users. The ability to monitor what services are communicating with each other, knowing if those communications are secure, and being able to control the service-to-service communication in your clusters is key to ensuring your applications are running securely and resiliently. You can think about service mesh as being the lexicon, API and implementation around the next tier of communication patterns for microservices.

Service Mesh Capabilities and Patterns

Some of the capabilities that a service mesh provides include service discovery, load balancing, encryption, observability, traceability, authentication and authorization, and the ability to control policy and configuration in your Kubernetes clusters. 

A service mesh sits at Layer 7, managing and securing traffic between your network and application, unlocking some patterns essential for healthy microservices. Some of these patterns include:

  • Zero-trust security that doesn’t assume a trusted perimeter
  • Tracing that shows you how and why every microservice communicated with another microservice
  • Fault injection and tolerance that lets you experimentally verify the resilience of your application
  • Advanced routing that lets you do things like A/B testing, rapid versioning and deployment and request shadowing
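The following Istio VirtualService, added here as an example and not taken from the page or from Aspen Mesh, shows three of these patterns in one route configuration: fault injection gated behind a test header so it never touches ordinary traffic, a weighted A/B split, and request shadowing (mirroring) to a third version. The service `catalog`, the namespace `shop`, the subsets `v1`/`v2`/`v3` and the header `x-chaos-test` are assumed names.

```yaml
# Added example; assumed names: service "catalog" in namespace "shop",
# subsets v1/v2/v3, test header "x-chaos-test".
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: catalog
  namespace: shop
spec:
  hosts:
  - catalog
  http:
  # Fault injection, limited to requests that carry the chaos header so that
  # resilience experiments never degrade production callers.
  - match:
    - headers:
        x-chaos-test:
          exact: "true"
    fault:
      delay:
        percentage:
          value: 50.0       # half of the tagged requests wait 2s before being forwarded
        fixedDelay: 2s
      abort:
        percentage:
          value: 10.0       # a tenth of them receive a synthetic 503 without reaching the service
        httpStatus: 503
    route:
    - destination:
        host: catalog
        subset: v1
  # Everything else: a 90/10 A/B split between v1 and v2, with every request
  # also shadowed to v3. The mirrored response is discarded, so v3 sees real
  # traffic without its behaviour affecting callers.
  - route:
    - destination:
        host: catalog
        subset: v1
      weight: 90
    - destination:
        host: catalog
        subset: v2
      weight: 10
    mirror:
      host: catalog
      subset: v3
    mirrorPercentage:
      value: 100.0
---
# Subsets referenced above, keyed on the pod "version" label.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: catalog
  namespace: shop
spec:
  host: catalog
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
```

Mirroring is fire-and-forget: the shadowed copy is sent with the Host header suffixed `-shadow` and its response is dropped, so the v3 workload must be safe to receive duplicate writes (or the mirror should be restricted to a read-only route). Fault injection is deliberately matched on a header rather than applied to a percentage of all traffic; percentage-based faults on an unmatched route are a common way to accidentally ship a chaos experiment to customers.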

Check out these FAQs for answers to more general questions.

 

What Does a Service Mesh Provide?

A service mesh keeps your company’s services running the way they should. Service meshes designed for the enterprise, like Aspen Mesh, give you all the observability, security and traffic management you need, plus access to configuration and policy patterns and expert support, so you can focus on adding the most value to your business.

A service mesh can provide many benefits: Security, reliability, observability, engineering efficiency/reduced burden, more holistic insights, operational control, and better tools for your DevOps team. The four main benefits that a service mesh provides include:

  1. Observability: A service mesh takes system monitoring a step further by providing observability. Monitoring reports overall system health, while observability focuses on highly granular insights into the behavior of systems along with rich context. 
  2. Security: A service mesh provides security features aimed at securing the services inside your network and quickly identifying suspicious traffic entering your cluster. 
  3. Operational control: A service mesh allows security and platform teams to set the right macro controls to enforce access controls, while allowing developers to make customizations they need to move quickly within these guardrails.
  4. A better user experience: A service mesh removes the burden of managing infrastructure from the developer, and provides developer-friendly features. But on top of that, the security and reliability that you get from a service mesh creates a smoother, better experience for your end users while they're using your systems or application. Building trust with your customers is invaluable.

Service mesh is new enough that codified standards have yet to emerge, but there is enough experience that some best practices are becoming clear. As early adopters develop their own approaches, it is often useful to compare notes and distill best practices. We’ve seen Kubernetes emerge as the standard way to run containers for production web applications. Standards are emergent rather than forced: It’s definitely a fine art to be neither too early nor too late to agree on common APIs, protocols and concepts.

 

When Do You Need a Service Mesh?

A service mesh provides a great way to help you manage microservices. But how do you know when it's the right time to adopt one? The answer is that it depends on your needs, but many companies we've worked with start needing a service mesh when they run into one or a combination of three things:

  1. You’re starting to run too many microservices to manage effectively with your team's size or skills
  2. You want to free application developers from managing infrastructure so they can spend more time adding business value to applications
  3. You’re scaling, or committed to scaling, applications on Kubernetes

So how do you make sure that you and your end users get the most out of your applications and services? You need the right kind of access, security and support. If any of the three points above applies to you, you’ve probably already realized that microservices come with their own unique challenges, such as: 

  • Increased surface area that can be attacked 
  • Polyglot challenges 
  • Controlling access for distributed teams developing on a single application 

These are all scenarios where a service mesh shines. Service meshes are great at solving operational challenges and issues when running containers and microservices because they provide a uniform and highly observable way to secure, connect and monitor microservices. 

On a broader tech landscape level, we’ve been thinking about how microservices change the requirements from network infrastructure for a few years now. The swell of support and uptake for Istio demonstrated to us that there’s a community ready to develop and coalesce on policy specs, with a well-architected implementation to go along with it.

Thanks for reading! Check out Service Mesh University to learn more about service mesh at your own pace through an on-demand, video series.


Service Mesh University


We're Excited to Launch Service Mesh University

There’s a lot of talk -- and even more questions -- about service mesh these days.


What is it? Do you really need it? Who should own it? How do you get it running? Will it play nicely with your tech stack? How do you know it's working? How is it evolving?

Service mesh can be complex, so that’s why we’ve created Service Mesh University (SMU). This series of seven short classes enables you to find the answers to these questions, on-demand, at your own pace.

Each class is hosted by a different Aspen Mesh 'meshpert' and is tailored to its topic. In addition, a transcript of the video, an outline and summary of each class, and links to related material are posted alongside each video for you to take with you.

Why SMU?

Since 2017, Aspen Mesh has been at the forefront of service mesh technology. Aspen Meshers come from a myriad of startups and some of the most recognizable companies in the world, but the one thing we all have in common is a history of solving complex engineering and infrastructure challenges. Our engineers are experts in Istio, Envoy and Kubernetes, and we can help you get the most out of containerized applications. And we don't want to keep all that expertise to ourselves!

As a team intent upon driving improved operations through smarter and more efficient infrastructure, that is also reliable and easy to operate, we hope this new video collection helps you to learn how a service mesh can help you.

What You'll Learn

Class 101: Intro to Service Mesh (with Zach Jory and Rose Sawvel)

  • Learn what a service mesh is
  • Discover the basics of how a service mesh works
  • Explore functionality a service mesh provides

Class 201: Foundations of Service Mesh (with Shawn Wormke)

  • Learn about the service mesh landscape
  • Discover how a service mesh can help your team and your end users
  • Explore prerequisites you’ll need before getting started with a service mesh

Class 301: Service Mesh Architectures (with Andrew Jenkins)

  • Find out more about service mesh as the next tier of communication patterns for microservices
  • Learn about the Istio architecture and how it improves Kubernetes
  • Discover the different service mesh components and how they operate
  • See how service mesh enables more efficient engineering processes

Class 401: Security, Reliability, and Observability (with Granville Schmidt)

  • Learn about security, reliability and observability
  • Discover the power that a service mesh provides by combining these three elements

Class 501: Setting Up Your Service Mesh (with Jacob Delgado)

  • Learn about what you need before you start setting up the Aspen Mesh service mesh
  • Walk through how to set it up
  • Discover what it helps you do

Class 601: Maintaining and Improving Your Service Mesh (with Michael Davis)

  • Learn about common issues to watch out for when operating a service mesh
  • Discover best practices for keeping your service mesh up to date
  • Find out about integrations with other tools that could have an impact on how you use your service mesh

Class 701: The Future of Service Mesh (with Neeraj Poddar)

  • Learn about where service mesh is headed
  • Discover what that means for you if you’re already using a service mesh
  • Find out how technologies like service mesh are helping companies deliver greater value to their end users

We hope you'll join us to learn more about service mesh!

Please fill out the form below to access the classes.





Digital Transformation: How Service Mesh Can Help

Your Company’s Digital Transformation

It’s happening everywhere, and it’s happening fast. In order to meet consumers head on in the best, most secure ways, enterprises are jumping on the digital transformation train (check out this Forrester report). 

Several years ago, digital transformations saw companies moving from monolithic architectures towards microservices and Kubernetes, but service mesh was in its infancy. No one knew they'd need something to help manage service-to-service communication. Now, with increasing complexity and demands coupled with thinly-stretched resources or teams without service mesh expertise, supported service mesh is becoming a good solution for many--especially for DevOps teams.

Service Mesh for DevOps

"DevOps" is a term used to describe the working relationship between development and IT operations; mostly it refers to improving communication and collaboration between the two teams. While Dev is responsible for creating new functionality to drive the business, Ops is often the unsung, but extremely important, hero behind the scenes. In IT Ops you’re on the hook for strategy development, system design and performance, quality control, and direction and coordination of your team, all while collaborating with the Dev team and other internal stakeholders to achieve your business’s goals and drive profitability. Ultimately, it’s the Dev and Ops teams together who are responsible for ensuring that teams communicate effectively, systems are monitored correctly, high customer satisfaction is achieved, and projects and issue resolution are completed on time. A service mesh can help with this by enabling DevOps.

Integrating a Service Mesh: Align with Business Objectives

As you think about adopting a service mesh, keep in mind that your success over time is largely dependent on aligning with your company’s business objectives. Sharing business objectives like these with your service mesh team will help to ensure you get--and keep--the features and capabilities that you really need, when you need them, and that they stay relevant.

What are some of your company’s business objectives? Here are three we’ve identified that a service mesh can help to streamline:

1. Automating More Processes (i.e. Removing Toil)
Automating processes frees your team from mundane tasks so they can focus on more important projects. Automation saves you time and money.

2. Increasing Infrastructure Performance
Building and maintaining a battle-tested environment is key to your end users’ experience, and therefore to churn or customer retention rates and your company’s bottom line.

In addition, much of your time is spent developing strategies to monitor your systems and working through issue resolution as quickly as possible, whether issues pop up during the workday or in the middle of the night. Fortunately, because a service mesh comes with observability, security and resilience features, it can help lighten these responsibilities, decreasing MTTD and MTTR.

3. Maintaining Delivery to Customers
Reducing friction in the user experience is the name of the game these days, so UX and reliability are key to keeping your end users happy. If you’re looking at a service mesh, you’re already using a microservices architecture, and you’re likely using Kubernetes clusters. But once those become too complex in production--or don’t have all the features you need-- it’s time to add a service mesh into the mix. Service mesh’s observability features like cluster health monitoring, service traffic monitoring, easy debugging and root cause identification with distributed tracing help with this. In addition, an intuitive UI is key to surfacing these features in a way that is easy to understand and manipulate, so make sure you’re looking at a service mesh that’s easy for your Dev team to use. This will help provide a more seamless (and secure) experience for your end users.

Evolution; Not Revolution

How do you actually go about approaching the process of integrating a service mesh? What will drive success is for you to have agility and stability. But that can be a tall order, so it can be helpful to approach integrating a service mesh as evolution, rather than revolution. Three key areas to consider while you’re evaluating a service mesh include:

  1. Mitigating risk
  2. Production readiness
  3. Policy frameworks

Mitigating Risk
Risk can be terrifying, so it’s imperative to take steps to ensure that risk is mitigated as much as possible. The only time your company should be making headlines is because of good news. Ensuring security, compliance, and data integrity is the way to go. With security and compliance at top of mind for many, it’s important to address security head on. 

With a well-designed enterprise service mesh, you can expect plenty of security, compliance and policy features so it’s easy for your company to get a zero-trust network. Features can include anything from ensuring the principle of least privilege and secure default settings to technical features such as fine-grained RBAC and incremental mTLS.
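Incremental mTLS in Istio terms, as an added example (not Aspen Mesh's or the page's own configuration): a mesh-wide PERMISSIVE PeerAuthentication lets sidecar and non-sidecar clients coexist while workloads are onboarded, individual namespaces are moved to STRICT once their telemetry shows no remaining plaintext callers, and a port-level exception keeps a legacy plaintext health-check port reachable. The namespace `orders`, the workload `orders-legacy` and port 8081 are assumed.

```yaml
# Added example; assumed names: namespace "orders", workload "orders-legacy", port 8081.
# Step 1: mesh-wide PERMISSIVE. A policy in the root namespace (istio-system by
# default) applies to the whole mesh; sidecars accept both mTLS and plaintext,
# so nothing breaks while sidecars are still being rolled out.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE
---
# Step 2: lock down one namespace at a time. The namespace-level policy
# overrides the mesh-wide one; from here on plaintext connections are refused.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: orders
spec:
  mtls:
    mode: STRICT
---
# Step 3: the narrowest exception that still works. Only this workload, and
# only its health-check port, keeps accepting plaintext for an out-of-mesh
# prober; every other port on it stays STRICT. portLevelMtls requires a selector.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: orders-legacy
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-legacy
  mtls:
    mode: STRICT
  portLevelMtls:
    8081:
      mode: PERMISSIVE
```

Before flipping a namespace to STRICT, look at the `connection_security_policy` label on the `istio_requests_total` metric for that namespace's destinations: any `none` values identify plaintext callers that still need a sidecar, and those are the requests that will start failing the moment the policy changes. The same telemetry is the evidence you keep for compliance that the rollout actually happened.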

Production Readiness
Your applications are ready to be used by your end users, and your technology stack needs to be ready too. What makes a real impact here is reliability. Service mesh features like dynamic request routing, fast retries, configuration vetters, circuit breaking and load balancing greatly increase the resiliency of microservice architectures. Support is also a feature that some enterprises will want to consider in light of whether service mesh expertise is a core in-house skill for the business. Having access to an expert support team can make a tremendous difference in your production readiness and your end users’ experiences.

Policy Frameworks
While configuration is useful for setting up how a system operates, policy is useful in dictating how a system responds when something happens. With a service mesh, policy and configuration combined provide capabilities that can drive outcome-based behavior from your applications. A policy catalog accelerates adoption of that behavior, while analytics surface policy violations and help you understand the best actions to take. This improves developer productivity through canary, authorization and service availability policies.

How to Measure Service Mesh Success

No plan is complete without a way to measure, iterate and improve your success over time. So how do you go about measuring the success of your service mesh? There are a lot of factors to take into consideration, so it’s a good idea to talk to your service mesh provider in order to leverage their expertise. But in the meantime, there are a few things you can consider to get an idea of how well your service mesh is working for you. Start by finding a good way to measure 1) how your security and compliance are impacted, 2) how much you’re able to reduce downtime and 3) the differences you see in your efficiency.

Looking for more specific questions to ask? Check out the eBook, Getting the Most Out of Your Service Mesh for ideas on the right questions to ask and what to measure for success.


Service Mesh Landscape - Aspen Mesh

The Service Mesh Landscape

Where A Service Mesh Fits in the Landscape

Service mesh is helping to take the cloud native and open source communities to the next level, and we’re starting to see increased adoption across many types of companies, from start-ups to the enterprise. 

A service mesh overlaps with, complements, and in some cases replaces many of the tools commonly used to manage microservices, so it helps to understand where it sits among the other technologies involved in the service mesh landscape. Below, we've explained some ways that a service mesh fits with other commonly used container tools.


Container Orchestration

Kubernetes provides scheduling, auto-scaling and automation functionality that solves most of the build and deploy challenges that come with containers. Where it leaves off, and where service mesh steps in, is solving some critical runtime challenges with containerized applications. A service mesh adds uniform metrics, distributed tracing, encryption between services and fine-grained observability of how your cluster is behaving at runtime. Read more about why container orchestration and service mesh are critical for cloud native deployments.

API Gateway

The main purpose of an API gateway is to accept traffic from outside your network and distribute it internally. The main purpose of a service mesh is to route and manage traffic within your network. A service mesh can work with an API gateway to efficiently accept external traffic then effectively route that traffic once it’s in your network. There is some nuance in the problems solved at the edge with an API Gateway compared to service-to-service communication problems a service mesh solves within a cluster. But with the evolution of cluster-deployment patterns, these nuances are becoming less important. If you want to do billing, you’ll want to keep your API Gateway. But if you’re focused on routing and authentication, you can likely replace an API gateway with service mesh. Read more on how API gateways and service meshes overlap.

Global ADC

Load balancers focus on distributing workloads throughout the network and ensuring the availability of applications and services. Load balancers have evolved into Application Delivery Controllers (ADCs), platforms for application delivery that keep an organization’s critical applications highly available and secure. While basic load balancing remains the foundation of application delivery, modern ADCs consolidate much more functionality at a single strategic point: SSL/TLS offload, caching, compression, rate-shaping, intrusion detection, application firewalls and remote access. A service mesh provides basic load balancing, but if you need advanced capabilities such as SSL/TLS offload and rate-shaping you should consider pairing an ADC with your service mesh.

mTLS

A service mesh provides defense in depth with mutual TLS encryption of the traffic between your services. The mesh can automatically encrypt and decrypt requests and responses, removing that burden from the application developer. It can also improve performance by prioritizing the reuse of existing, persistent connections, reducing the need for the computationally expensive creation of new ones. Aspen Mesh provides more than client-server authentication and authorization: it allows you to understand and enforce how your services are communicating and to prove it cryptographically. It automates the delivery of certificates and keys to the services, the sidecar proxies use them to encrypt the traffic (providing mutual TLS), and it rotates certificates periodically to reduce the exposure window if a key is compromised. Because each proxy presents its own certificate and verifies its peer’s, a workload can confirm that it is talking to another workload in the mesh rather than an impostor, which defeats man-in-the-middle attacks on service-to-service traffic.

CI/CD

Modern Enterprises manage their applications via an agile, iterative lifecycle model.  Continuous Integration and Continuous Deployment systems automate the build, test, deploy and upgrade stages.  Service Mesh adds power to your CI/CD systems, allowing operators to build fine-grained deployment models like canary, A/B, automated dev/stage/prod promotion, and rollback.  Doing this in the service mesh layer means the same models are available to every app in the enterprise without app modification. You can also up-level your CI testing using techniques like traffic mirroring and fault injection to expose every app to complicated, hard-to-simulate fault patterns before you encounter them with real users.
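To make the deployment models above concrete, here is an added example (not from this page and not Aspen Mesh’s own configuration) using stock Istio traffic-management resources for a hypothetical `reviews` service whose stable `v1` and canary `v2` Deployments are already running with sidecars in a namespace called `shop`; every name, weight and timeout is an assumption chosen for illustration.

```yaml
# Added example, not from the Aspen Mesh page: canary routing, retries,
# circuit breaking and fault injection for a hypothetical "reviews" service.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: shop
spec:
  host: reviews.shop.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 100      # queue limit per host
    outlierDetection:                     # circuit breaking: eject bad endpoints
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
  subsets:                                # subsets map to the pod "version" label
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: shop
spec:
  hosts:
  - reviews.shop.svc.cluster.local
  http:
  # Fault injection for the CI harness only: a request carrying the header
  # "x-chaos: latency" is delayed 5s on half of the calls, so callers' timeouts
  # and retries get exercised without touching the application code.
  - match:
    - headers:
        x-chaos:
          exact: latency
    fault:
      delay:
        percentage:
          value: 50
        fixedDelay: 5s
    route:
    - destination:
        host: reviews.shop.svc.cluster.local
        subset: v1
  # Canary: 90% of ordinary traffic stays on v1, 10% goes to v2. Promotion is a
  # weight change in this one resource; rollback is setting v2 back to 0.
  - route:
    - destination:
        host: reviews.shop.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: reviews.shop.svc.cluster.local
        subset: v2
      weight: 10
    timeout: 10s
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: 5xx,reset,connect-failure
```

The match route must come before the weighted default route, because Istio evaluates `http` routes in order and takes the first match. Traffic mirroring uses the same resource: adding `mirror:` (with a `host` and `subset`) and `mirrorPercentage:` to a route copies live requests to the shadow subset and discards its responses, which is how you expose a new build to real traffic shapes before it serves any user.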

Credential Management 

We live in an API economy, and machine-to-machine communication needs to be secure.  Microservices have credentials to authenticate themselves and other microservices via TLS, and often also have app-layer credentials to serve as clients of external APIs. It’s tempting to focus only on the cost of initially configuring these credentials, but don’t forget the lifecycle – rotation, auditing, revocation, responding to CVEs. Centralizing these credentials in the service mesh layer reduces scope and improves the security posture.

APM

Traditional Application Performance Monitoring tools provide a dashboard that surfaces data so users can monitor their applications in one place. A service mesh takes this one step further by providing observability. Monitoring is aimed at reporting the overall health of systems, so it is best limited to key business and system metrics derived from time-series instrumentation. Observability focuses on providing highly granular insight into the behavior of systems along with rich context, which is ideal for debugging. Aspen Mesh provides deep observability that allows you to understand the current state of your system and to explain its performance and behavior, even during what can be perceived as normal operation. Read more about the importance of observability in distributed systems.

Serverless

Serverless computing transforms source code into running workloads that execute only when called. A distinguishing feature of serverless is that a service can be scaled down to zero instances when the platform detects that it is not being used, saving you the cost of continually having at least one instance running. Serverless can help organizations reduce infrastructure costs while allowing developers to focus on writing features and delivering business value. If you’ve been paying attention to service mesh, these advantages will sound familiar. The goals of service mesh and serverless are largely the same: remove the burden of managing infrastructure from developers so they can spend more time adding business value. Read more about service mesh and serverless computing.

Learn More

If you'd like to learn more about how a service mesh can help you and your company, schedule a time to talk with one of our experts, or take a look at The Complete Guide to Service Mesh.


How Delphi Simplifies Kubernetes Security with Aspen Mesh

Customer Story: How Delphi Simplifies Kubernetes Security with Aspen Mesh

Delphi and Zero-Trust Security

Delphi delivers software solutions that help professional liability insurers streamline their operations and optimize their business processes. Operating in the highly regulated healthcare industry, privacy and compliance concerns such as HIPAA and APRA mandate a highly secure environment. As such, a Zero-Trust environment is of utmost importance for Delphi and their customers. 

The infrastructure team at Delphi has fully embraced a cloud-native stack to deliver the Delphi Digital Platform to its customers. The team leverages Kubernetes to effectively manage builds and deploys. Delphi planned to use Kubernetes from the start, but was looking for a simpler security solution for their infrastructure that could be managed without implementations in each service. 

While Delphi was getting tremendous value from Kubernetes, they needed to find an easier way to bake security into the infrastructure. Taking advantage of a service mesh was the obvious solution to address this challenge, as it provides cluster-wide mTLS encryption. 

The team chose Istio to confront this problem. Their initial solution terminated TLS with a certificate at the load balancer, which left plaintext HTTP between the load balancer and the service. That was not acceptable in a highly regulated healthcare industry with strict requirements to keep personal data secure. 

Achieving Security with a Service Mesh

To solve these challenges, Delphi engaged with Aspen Mesh to implement an end-to-end encrypted solution, from the client to the back-end SaaS applications. This was achieved by enabling mTLS mesh-wide from service to service and creating custom Istio policy manifests that integrate cert-manager and Let's Encrypt for encryption of the client-facing hop. As a result, Delphi is able to provide secure ingress integration for a multitenant B2C environment, allowing Delphi to deploy a fully scalable solution. 
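As an added illustration of that pattern (these are not Delphi’s or Aspen Mesh’s actual manifests), the following stock cert-manager and Istio resources obtain a Let’s Encrypt certificate and serve it at the Istio ingress gateway, so the hop from the client into the mesh is TLS. The host name, e-mail address, secret, issuer and service names are assumptions, as is the choice of the HTTP-01 challenge routed through the Istio ingress. Service-to-service mTLS inside the mesh is configured separately with PeerAuthentication and is not shown here.

```yaml
# Added example, not Delphi's or Aspen Mesh's manifests: Let's Encrypt at the
# Istio ingress gateway via cert-manager. All names are assumptions.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform-team@example.com            # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key        # ACME account key, created by cert-manager
    solvers:
    - http01:
        ingress:
          class: istio   # assumes Istio's Ingress support serves the challenge path on port 80
---
# cert-manager writes the signed cert and key into this Secret in istio-system,
# where the ingress gateway loads it through SDS, and renews it before expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: portal-tls
  namespace: istio-system
spec:
  secretName: portal-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - portal.example.com
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: portal-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                 # gateway terminates client TLS
      credentialName: portal-tls   # the Secret written by cert-manager
    hosts:
    - portal.example.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: portal
  namespace: istio-system
spec:
  hosts:
  - portal.example.com
  gateways:
  - portal-gateway
  http:
  - route:
    - destination:
        host: portal.web.svc.cluster.local   # assumed backend Service
        port:
          number: 8080
```

With the Secret living in `istio-system`, no application namespace ever holds the public-facing private key, and the backend pod only sees traffic that arrives from the gateway’s sidecar over mesh mTLS. If you want port 80 to redirect unconditionally to HTTPS, switch the issuer to a DNS-01 solver, since an HTTP-01 challenge needs the plaintext path for that host during issuance and renewal.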

[Read the Full Case Study Here]

This Aspen Mesh solution lets Delphi use Let’s Encrypt seamlessly with Istio, removing the need to build transport security into each application and placing it instead in an infrastructure layer that is highly scalable. Leveraging the power of Kubernetes, Istio and Aspen Mesh, the Delphi team is delivering a highly secure platform to their customers without implementing encryption in each service. 

“At this point, I look at Aspen Mesh as an extension of my team” 

- Bill Reeder, Delphi Technology Lead Architect


How to Approach Zero-Trust Security with a Service Mesh


Last year was challenging for data security. In the first nine months alone, there were 5,183 breaches reported with 7.9 billion records exposed. Compared to mid-year 2018, the total number of breaches was up 33.3 percent and the total number of records exposed more than doubled, up 112 percent.


What does this tell us? That, despite significant technology investments and advancements, security is still hard. A single phishing email, missed patch, or misconfiguration can let the bad guys in to wreak havoc or steal data. For companies moving to the cloud and the cloud-native architecture of microservices and containerized applications, it’s even harder. Now, in addition to the perimeter and the network itself, there’s a new network infrastructure to protect: the myriad connections between microservice containers.

With microservices, the surface area available for attack has grown substantially, putting data at greater risk. Moreover, network-related problems like access control, load balancing, and monitoring that had to be solved once for a monolithic application now must be handled separately for each service within a cluster.

Zero-Trust Security and Service Mesh

Security is the most critical part of your application to implement correctly. A service mesh allows you to handle security in a more efficient way by combining security and operations capabilities into a transparent infrastructure layer that sits between the containerized application and the network. Emerging today to address security in this environment is the convergence of the Zero-Trust approach to network security and service mesh technology.

Here are some examples of attacks that a service mesh can help mitigate:

  • Service impersonation
    • A bad actor gains access to the private network for your applications, pretends to be an authorized service, and starts making requests for sensitive data.
  • Unauthorized access
    • A legitimate service makes requests for sensitive data that it is not authorized to obtain.
  • Packet sniffing
    • A bad actor gains access to your applications private network and captures sensitive data from legitimate requests going over the network.
  • Data exfiltration
    • A bad actor sends sensitive data out of the protected network to a destination of their choosing.

So what are the tenets of Zero-Trust security, and how does a service mesh enable Zero Trust in a microservices environment? And how can Zero-Trust capabilities help organizations address and demonstrate compliance with stringent industry regulations?

Threats and Securing Microservices

Traditionally, network security has been based on having a strong perimeter to help thwart attackers, commonly known as the moat-and-castle approach. With a secure perimeter constructed of firewalls, you trust the internal network by default, and by extension anyone who’s already there. Unfortunately, this was never a reliably effective strategy. More importantly, this approach is becoming even less effective in a world where employees expect access to applications and data from anywhere in the world, on any device. Other types of threats, such as insider threats, have generally been considered by most security professionals to be among the highest threats to data protected by companies, leading to more development of new ways to address these challenges.

In 2010, Forrester Research coined the term “Zero Trust” and overturned the perimeter-based security model with a new principle: “never trust, always verify.” That means no individual or machine is trusted by default from inside or outside the network. Another Zero-Trust precept: “assume you’ve been compromised but may not yet be aware of it.” With the time to identify and contain a breach running at 279 days in 2019, that’s not an unsafe assumption.

Starting in 2013, Google began its transition to implementing Zero Trust into its networking infrastructure with much success and has made the results of their efforts open to the public in BeyondCorp. Fast forward to 2019 and the plans to adopt this new paradigm have spread across industries like wildfire, largely in response to massive data breaches and stricter regulatory requirements.

While there are myriad Zero-Trust networking solutions available for protecting the perimeter and the operation of corporate networks, there are many new miles of connections within the microservices environment that also need protection. A service mesh provides critical security capabilities such as observability to aid in optimizing MTTD and MTTR, as well as ways to implement and manage encryption, authentication, authorization, policy control and configuration in Kubernetes clusters.

Security Within the Kubernetes Cluster

Here are a few ways to approach enhancing your security with a service mesh:

  • Simplify microservices security with incremental mTLS
  • Manage identity, certificates and authorization
  • Access control and enforcing the principle of least privilege
  • Monitoring, alerting and observability

A service mesh also adds controls over traffic ingress and egress at the perimeter. Allowed behavior is addressed with role-based access control (RBAC). With these controls, the Zero-Trust philosophy of “trust no one, authenticate everyone” stays in force by providing enforceable least-privilege access to services in the mesh.
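The incremental mTLS and fine-grained RBAC mentioned in the evaluation criteria earlier and in the list above look like the following in stock Istio. This is an added example, not Aspen Mesh’s configuration or this page’s; the `payments` namespace, the `ledger` workload, the `checkout` service account and the API path are assumptions.

```yaml
# Added example, not from the Aspen Mesh page: incremental mTLS plus
# least-privilege authorization with stock Istio resources. Names are assumed.

# 1. Mesh-wide default in the root namespace: PERMISSIVE accepts both mTLS and
#    plaintext, so workloads not yet in the mesh keep working during migration.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # root namespace => applies mesh-wide
spec:
  mtls:
    mode: PERMISSIVE
---
# 2. Tighten one namespace at a time once every workload in it has a sidecar.
#    STRICT rejects any plaintext connection to these workloads, which is what
#    stops packet sniffing and service impersonation on the private network.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# 3. Default deny: an AuthorizationPolicy with an empty spec matches every
#    workload in the namespace and, having no rules, allows nothing.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 4. Least privilege: only the checkout service account may GET the balance
#    endpoint on the ledger workload. The principal is the SPIFFE identity in
#    the caller's mTLS certificate, so a plaintext caller, a spoofed source IP
#    or another service in the same namespace does not satisfy the rule.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/balance"]
```

Roll the namespace-level STRICT policy out one namespace at a time and time-box the PERMISSIVE window; a client that still reaches a STRICT workload in plaintext gets its connection reset, which shows up immediately in the sidecar metrics. `istioctl proxy-config secret <pod>` prints the workload certificate with its not-before and not-after times, which is the quickest way to confirm that identity is being issued and rotated as the mTLS section above describes.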

Aspen Mesh can help you to achieve a Zero-Trust security posture by applying these concepts and features. As an enterprise- and production-ready service mesh that extends the capabilities of Istio to address enterprise security and compliance needs, we also provide an intuitive hosted user interface and dashboard that make it easier to deploy, monitor, and configure these features.

Learn More About Zero-Trust Security and Service Mesh

Interested in learning more about how service mesh can help you achieve Zero-Trust security? Get the free white paper by completing the form below.