
Managed Service Mesh: Application Architecture Evolution in the Cloud Native Era

2022-07-04 20:39:00 InfoQ

Author: Wang Xining

This article is based on the author's talk at the 2022 Cloud Native Industry Conference.

Background

Looking back at the evolution of application service architecture, and judging by how calls between service callers and service providers are handled, the evolution falls into three stages.

[Figure: the three stages of service architecture evolution]

The first stage is centralized load balancing: the service caller is routed to the corresponding service provider through an external load balancer. The advantages are obvious: no intrusion into the application itself, support for applications written in many languages and frameworks, unified and centralized management of load balancing, and simple deployment overall. The disadvantages are equally significant: because it is centralized, scalability is limited, and the service governance capability of a centralized load balancer is relatively weak.

The second stage is distributed microservice governance: governance capability is built into the service caller, integrated into the application as an SDK library. The advantage is that the whole system scales well and has strong service governance capability, but the disadvantages are equally apparent: it is intrusive to the application, its dependence on an SDK makes supporting multiple languages hard, and distributed governance is complex to deploy and manage.

The third stage is today's service mesh technology. By moving governance capabilities into a sidecar, service governance is decoupled from the application itself, so multiple programming languages are better supported and the sidecar capabilities do not depend on any particular technical framework. These sidecar proxies form a mesh data plane through which the traffic between all services can be processed and observed, and a control plane manages the sidecar proxies uniformly. The cost is a certain amount of added complexity.

The figure below shows the architecture of a service mesh. As mentioned, under service mesh technology every application service instance is accompanied by a sidecar proxy, and the business code is unaware that the sidecar exists. The sidecar proxy intercepts the application's traffic and provides three kinds of functionality: traffic management, security and observability.

[Figure: service mesh architecture, with the data plane and control plane layers]

In the cloud native application model an application may contain several services, and each service consists of several instances, so the sidecar proxies of these hundreds of applications form a data plane: the data plane layer in the figure.

How to manage these sidecar proxies is the problem the control plane of the service mesh solves. The control plane is the brain of the mesh: it pushes configuration to the sidecar proxies in the data plane, governs how the data plane components execute, and exposes a unified API so that the mesh's management capabilities can be operated easily.

Generally speaking, once a service mesh is enabled, developers, operations staff and the SRE team solve application service management problems in a unified, declarative way.

Cloud native application infrastructure supported by service mesh

A service mesh is a foundational, core technology for managing communication between application services. It brings secure, reliable, fast and application-transparent traffic routing, security and observability to the calls between application services.

The cloud native application infrastructure supported by a service mesh brings important advantages in six areas.

[Figure: six advantages of cloud native application infrastructure supported by service mesh]

Advantage one: unified management of heterogeneous services

• Multi-language, multi-framework interoperability and governance; a dual-mode architecture that integrates with traditional microservice systems

• Fine-grained multi-protocol traffic control; unified management of east-west and north-south traffic

• Automatic service discovery across a unified, heterogeneous compute infrastructure

Advantage two: end-to-end observability

• An integrated intelligent operations system combining logs, monitoring and tracing

• Intuitive, easy-to-use mesh topology visualization; color-coded health identification

• Built-in best practices; self-service mesh diagnostics

Advantage three: zero trust security

• End-to-end mTLS encryption; attribute-based access control (ABAC)

• OPA declarative policy engine; globally unique workload identity

• Complete audit history and insight analysis with dashboards

Advantage four: software and hardware co-optimization

• The first service mesh platform to accelerate TLS encryption and decryption with Intel Multi-Buffer technology

• NFD (Node Feature Discovery) automatically detects hardware features and adaptively enables capabilities such as the AVX instruction set and QAT acceleration

• Among the first to pass the Trusted Cloud advanced certification and performance evaluation for service mesh platforms

Advantage five: SLO-driven application resilience

• Service level objective (SLO) policies

• Automatic elastic scaling of application services driven by observability data

• Automatic switchover and fault tolerance under multi-cluster traffic bursts

Advantage six: out-of-the-box extensions and ecosystem compatibility

• Out-of-the-box EnvoyFilter plug-in marketplace; WebAssembly plug-in lifecycle management

• Unified integration with proxyless modes, supporting both SDK and kernel eBPF approaches

• Compatible with the Istio ecosystem; supports Serverless/Knative and AI Serving/KServe

The figure below shows the current architecture of the ASM product. As the industry's first fully managed, Istio-compatible service mesh product, ASM has from the beginning kept its architecture consistent with the community and with industry trends: the control plane components are hosted on the Alibaba Cloud side, independent of the user's clusters on the data plane side. ASM is a customized implementation based on community open-source Istio, and the managed control plane provides the components that support fine-grained traffic management and security management. The managed mode decouples the lifecycle management of the Istio components from that of the managed Kubernetes clusters, which makes the architecture more flexible and improves the scalability of the system.

[Figure: current architecture of the ASM product]

Across an infrastructure that manages many heterogeneous types of compute services, the managed service mesh ASM provides unified traffic management, unified service security, unified service observability, and unified proxy extensibility based on WebAssembly, forming enterprise-grade capabilities.

Where service mesh technology goes next

The integration of the Sidecar Proxy and Proxyless patterns can be summed up in one sentence: the same control plane, supporting different data plane forms. "The same control plane" means that the ASM managed-side components serve as the single, standard control entry point; this control plane runs on Alibaba Cloud in hosted mode.

[Figure: one control plane supporting multiple data plane forms]

On the data plane side, the Sidecar Proxy and Proxyless modes are integrated. Although the data plane components are not in hosted mode, they are in managed mode: their lifecycle, including delivery to the data plane, upgrade and removal, is also managed by ASM.

Specifically, in Sidecar Proxy mode, besides the current standard Envoy proxy, the architecture can easily support other sidecars, for example the Dapr sidecar; Microsoft's current OSM + Dapr combination is exactly this kind of dual-sidecar pattern.

In Proxyless mode, to raise QPS and reduce latency, an SDK approach can be used; for example gRPC already supports xDS protocol clients, and our Dubbo team is on the same road. I think we can make some breakthroughs here together this year.

Another proxyless pattern is kernel eBPF plus a node-level proxy. This pattern is a fundamental change to the sidecar pattern: there is only one proxy per node, and capabilities are offloaded to the node. We will also launch some products in this area this year.

Around service mesh technology the industry has built a series of application-centric ecosystems. Alibaba Cloud managed service mesh ASM supports the following:

Modern software development lifecycle management and DevOps innovation

The core principles of a service mesh (security, reliability and observability) underpin modern software development lifecycle management and DevOps innovation, giving flexibility, scalability and testability to how applications are architected, developed, automatically deployed and operated in a cloud computing environment. A service mesh therefore provides a solid foundation for modern software development, and any team building and deploying applications on Kubernetes should seriously consider adopting one.

One important component of DevOps is continuous integration and deployment (CI/CD), which delivers containerized application code to production systems faster and more reliably. Enabling canary or blue-green deployment in the CI/CD pipeline allows a new application version to be tested more thoroughly in production together with a safe rollback strategy, and the service mesh is what makes canary deployment in production practical. Alibaba Cloud Service Mesh ASM currently integrates with ArgoCD, Argo Rollouts, KubeVela, Alibaba Cloud DevOps (Yunxiao) and Flagger to implement blue-green or canary releases of applications, as follows:

ArgoCD [1]: its main responsibility is to watch for changes to the application manifests in a Git repository, compare them with the actual running state of the application in the cluster, and automatically or manually synchronize by pulling the changed manifests into the deployment cluster. The reference describes how to publish and update applications by integrating ArgoCD with Alibaba Cloud Service Mesh ASM, simplifying operations cost.

Argo Rollouts [2]: provides stronger blue-green and canary deployment capabilities. In practice the two can be combined to provide GitOps-based progressive delivery.

KubeVela [3]: an out-of-the-box, modern application delivery and management platform. Using ASM together with KubeVela enables progressive canary (gray-scale) releases, so that applications can be upgraded gently.

Alibaba Cloud DevOps (Yunxiao) Flow pipeline [4]: implements blue-green releases of Kubernetes applications together with Alibaba Cloud Service Mesh ASM.

Flagger [5]: another progressive delivery tool that automates the release process of applications running on Kubernetes. It gradually shifts traffic to the new version while measuring metrics and running conformance tests, reducing the risk of introducing a new software version into production. ASM already supports this progressive release capability through Flagger.
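The weighted canary split that all of these tools drive can be expressed directly in Istio's traffic APIs, which ASM is compatible with. The manifests below are an added example written for this page, not code from the article or from any of the projects above; the service name reviews, the namespace demo and the version labels v1/v2 are assumptions.

```yaml
# Added example (not from the original article or ASM documentation): an
# Istio-style canary split for a hypothetical service "reviews" in namespace
# "demo". Service, subset and version label names are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: demo
spec:
  host: reviews.demo.svc.cluster.local
  # Subsets select pods by label; the Service itself must select both versions.
  subsets:
  - name: stable
    labels:
      version: v1
  - name: canary
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: demo
spec:
  hosts:
  - reviews.demo.svc.cluster.local
  http:
  # Testers who send x-canary: "true" are pinned to the new version so it can
  # be verified in production before any real user traffic is shifted.
  - match:
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: reviews.demo.svc.cluster.local
        subset: canary
  # Everyone else: 90/10 split. Weights must sum to 100. A progressive-delivery
  # tool edits these two numbers step by step; rollback is stable=100, canary=0.
  - route:
    - destination:
        host: reviews.demo.svc.cluster.local
        subset: stable
      weight: 90
    - destination:
        host: reviews.demo.svc.cluster.local
        subset: canary
      weight: 10
```

Two checks before relying on this: the Kubernetes Service for reviews must select both versions (for example by app: reviews only, not by version), and the v2 Deployment must carry the version: v2 label; otherwise the canary subset has no endpoints and Envoy answers its share of requests with 503. Tools such as Flagger and Argo Rollouts adjust the two weight values over time, and because rollback is just restoring stable to 100 and canary to 0, it needs no redeployment.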

Microservice framework compatibility [6]

Supports seamless migration of Spring Boot/Cloud applications into the service mesh for unified management and governance, and provides solutions to typical problems met during integration, such as how services inside and outside the container cluster interoperate and how services written in different languages interconnect.

Serverless containers and traffic-pattern-based autoscaling [7]

Serverless and Service Mesh are two popular cloud native technologies, and customers are exploring how to create value from them. As we explore these solutions with customers, questions often arise at the intersection of the two technologies and about how they complement each other: can we use a service mesh to secure, observe and expose our Knative serverless applications? The managed service mesh ASM platform supports Knative-based serverless containers and traffic-pattern-based autoscaling, so the managed mesh takes over the complexity of maintaining the underlying infrastructure and users can easily build their own serverless platform.

AI Serving [8]

Kubeflow Serving (KFServing) is a Kubernetes-based community project supporting machine learning; its next generation has been renamed KServe. The project aims to support different machine learning frameworks in a cloud native way, and on top of the service mesh it can implement traffic control, updates and rollbacks for model versions.

Zero trust security and Policy as Code [9]

Beyond using Kubernetes NetworkPolicy for network-layer (L3/L4) security control, Service Mesh ASM provides peer and request authentication, Istio authorization policies, and finer-grained policy control based on OPA (Open Policy Agent).

Specifically, building a zero trust security capability system on a service mesh covers the following aspects:

  • The foundation of zero trust: workload identity. Cloud native workloads need a unified identity. ASM provides an easy-to-use identity definition for every workload in the mesh, plus a customization mechanism for extending the identity construction system for specific scenarios, and is compatible with the community SPIFFE standard.
  • The carrier of zero trust: security certificates. ASM provides mechanisms for issuing certificates and managing their lifecycle, including rotation. Identity is established through X.509 TLS certificates, which every proxy uses, with rotation of both certificates and private keys.
  • The zero trust engine: policy enforcement. A policy-based trust engine is the core of zero trust. In addition to Istio RBAC authorization policies, ASM provides finer-grained authorization policies through OPA.
  • Zero trust insight: visualization and analysis. ASM provides observability for the logs and metrics of policy enforcement, so that the effect of each policy can be judged.
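The four aspects above map onto concrete Istio security resources, which ASM accepts because it is Istio-compatible: PeerAuthentication for the certificate-backed peer identity, RequestAuthentication for the end-user identity, and AuthorizationPolicy for enforcement. The manifests below are an added example written for this page, not configuration from the article or from ASM documentation; the namespace demo, the payments and checkout workloads, the checkout service account and the JWT issuer URL are all assumptions.

```yaml
# Added example (not from the original article or ASM documentation): a minimal
# zero-trust baseline for a hypothetical namespace "demo", written against the
# Istio security APIs. Workload, service account and issuer names are assumptions.

# 1. Peer identity: require mTLS for every workload in the namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo
spec:
  mtls:
    # Istio's default is PERMISSIVE, which still accepts plaintext. A plaintext
    # caller carries no SPIFFE identity, so the principals rule below can never
    # match it. STRICT makes every peer present a mesh-issued X.509 certificate.
    mode: STRICT
---
# 2. Request identity: validate end-user JWTs from one issuer (assumed values).
#    This rejects invalid tokens but still admits requests with no token at all;
#    the requestPrincipals rule in step 4 is what makes a token mandatory.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: payments-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: payments
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# 3. Default deny: an ALLOW policy with no rules matches nothing, so every
#    request to every workload in the namespace is rejected unless another
#    policy explicitly allows it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: demo
spec: {}
---
# 4. Explicit allow: only the "checkout" service account (SPIFFE ID
#    spiffe://cluster.local/ns/demo/sa/checkout, written without the scheme in
#    the principals field) may POST to /v1/charge, and only with a valid JWT.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: demo
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/checkout"]
        requestPrincipals: ["https://issuer.example.com/*"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charge"]
```

Order matters when rolling this out: switch to STRICT only after every caller has a sidecar, or plaintext callers are cut off immediately. The principals value is the workload's SPIFFE ID with the scheme dropped, so an identity-based allow rule is where the "globally unique workload identity" described earlier is actually consumed; without the STRICT policy that identity is simply absent and the rule silently never matches.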

Cloud native transformation brings a lot of business value. One part of it is elastic scaling, which copes better with peak and trough traffic and reduces cost while improving efficiency. Service Mesh ASM generates telemetry data for the communication between application services non-intrusively: collecting the metrics requires no change to the application logic itself.

[Figure: metrics generated by ASM for managed services]

Based on the four golden signals of monitoring (latency, traffic, errors and saturation), Service Mesh ASM generates a set of metrics for managed services, supporting multiple protocols including HTTP, HTTP/2, gRPC and TCP.

In addition, the service mesh provides more than 20 monitoring labels, supports all Envoy proxy metric attribute definitions and the Common Expression Language (CEL), and supports customizing the metrics Istio generates.
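One way to see the customization described above is a Telemetry resource: the labels the mesh emits are declared per metric, and new ones are computed with CEL expressions over the proxy's request attributes. The resource below is an added example written for this page, not from the article or from ASM documentation, using the Istio Telemetry API that ASM is compatible with; the istio-system root namespace and the prometheus provider name are the Istio defaults and are assumptions about the target cluster.

```yaml
# Added example (not from the original article or ASM documentation): customize
# the Istio-generated request metrics mesh-wide. Assumes the Istio defaults of
# an "istio-system" root namespace and a metrics provider named "prometheus".
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system   # root namespace, so this applies to the whole mesh
spec:
  metrics:
  - providers:
    - name: prometheus
    overrides:
    # Add two labels to istio_requests_total on both client and server sidecars.
    # Each value is a CEL expression evaluated against the request attributes.
    - match:
        metric: REQUEST_COUNT
        mode: CLIENT_AND_SERVER
      tagOverrides:
        request_host:
          value: "request.host"
        request_method:
          value: "request.method"
    # Every extra label multiplies time series; drop one that is unused here
    # from all metrics to keep cardinality under control.
    - match:
        metric: ALL_METRICS
      tagOverrides:
        grpc_response_status:
          operation: REMOVE
# Golden signals from the resulting series (PromQL):
#   errors  : sum(rate(istio_requests_total{response_code=~"5.."}[5m]))
#             / sum(rate(istio_requests_total[5m]))
#   latency : histogram_quantile(0.99,
#             sum(rate(istio_request_duration_milliseconds_bucket[5m])) by (le))
```

Three of the four golden signals come straight from these metrics: traffic and errors from istio_requests_total (sliced by response_code), latency from the istio_request_duration_milliseconds histogram. Saturation is not a request metric and has to come from pod CPU and memory or Envoy's upstream connection gauges. Older Istio releases additionally require new tag names to be listed under meshConfig.defaultConfig.extraStatTags before they appear in Prometheus; check the telemetry documentation for the release in use.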

At the same time, we are exploring new scenarios to broaden what a service mesh can drive. Below is an AI Serving example [10].

[Figure: KServe running on the service mesh]

This requirement comes from an actual customer whose scenario is running KServe on service mesh technology to provide AI services. KServe runs smoothly on the service mesh, implementing blue/green and canary deployment of model services and traffic splitting between revisions. It supports autoscaling serverless inference workload deployment, high scalability, and intelligent concurrency-based load routing.

Summary

As the industry's first fully managed, Istio-compatible service mesh product, Alibaba Cloud Service Mesh ASM has from the beginning kept its architecture consistent with the community and with industry trends: the control plane components are hosted on the Alibaba Cloud side, independent of the user's clusters on the data plane side. ASM is a customized implementation based on community Istio, and the managed control plane provides the components that support fine-grained traffic management and security management. The managed mode decouples the lifecycle management of the Istio components from that of the managed Kubernetes clusters, which makes the architecture more flexible and improves the scalability of the system.

Since April 1, 2022, Alibaba Cloud Service Mesh ASM has officially offered a commercial edition, providing richer capabilities, larger-scale support and better technical support to meet customers' different needs.

Reference links:

[1] ArgoCD: https://developer.aliyun.com/article/971976

[2] Argo Rollouts: https://developer.aliyun.com/article/971975

[3] KubeVela: https://help.aliyun.com/document_detail/337899.html

[4] Alibaba Cloud DevOps (Yunxiao) Flow pipeline: https://help.aliyun.com/document_detail/160071.html

[5] Flagger: https://docs.flagger.app/install/flagger-install-on-alibaba-servicemesh

[6] Microservice framework compatibility: https://developer.aliyun.com/article/974941

[7] Serverless containers and traffic-pattern-based autoscaling: https://developer.aliyun.com/article/975639

[8] AI Serving: https://developer.aliyun.com/article/971974

[9] Zero trust security and Policy as Code: https://developer.aliyun.com/article/787187

[10] AI Serving example: https://developer.aliyun.com/article/971974
Copyright notice: this article was created by InfoQ; please include the original link when reposting.
Source: https://yzsam.com/2022/185/202207041858422834.html