Building a Secure, Performant Network Fabric for Microservice Applications August 24, 2016
Christopher Stetson Chief Architect, Professional Services NGINX MORE INFORMATION AT NGINX.COM
Agenda
• A little NGINX History
• The Big Shift
• The Networking Problem
• Service Discovery
• Load Balancing
• Secure & Fast Intercommunication
• Architectures
• Issues

NGINX History and Products

• First team to crack C10K
• OSS NGINX released in 2004
• Company founded in 2011
• Launched product late 2013
• 3x bookings growth last year
Igor Sysoev, NGINX creator and founder
170+ million total sites running on NGINX
Source: http://news.netcraft.com/archives/category/web-server-survey/

50% of the Top 10,000 most visited websites
Source: W3Techs Web Technology Survey

750+ Commercial Customers on NGINX Plus

Web Server
High Performance Webserver

Flawless Application Delivery for the Modern Web
Load Balancer, Content Cache, Web Server, Security Controls, Monitoring & Management

Small
Binary is 1.2 MBs

Fast
100,000’s of connections/sec

Reliable
Stablest part of the stack.
The Big Shift

Architectural Changes: Monolith to Microservices
An Anecdote

The tight loop problem
• REST calls
• 1000’s of requests
• Looped data

Mitigation
• Group requests
• Cache data
• Optimize the network
NGINX Microservices

Microservices Reference Architecture
• Docker containers
• Polyglot services
• 12-Factor App(-esque) design
The Networking Problem

Service Discovery
• Services need to know where other services are
• Service registries work in many different ways
• Register and read service information

Load-balancing
• High Quality Load Balancing
• Developer Configurable

Secure & Fast Communication
• Encryption at the transmission layer is becoming standard
• SSL communication is slow
• Encryption is CPU intensive

Solution
• Service discovery
• Robust load balancing
• Fast encryption
Network Architectures

Proxy Model
• Inbound traffic is managed through a reverse proxy/load balancer
• Services are left to themselves to connect to each other
• Often through round-robin DNS

Proxy Model
• Focus on internet traffic
• A shock absorber for your app
• Dynamic connectivity

Router Mesh Model
• Inbound routing through reverse proxy
• Centralized load balancing through a separate load balancing service
• Deis Router works like this

Circuit Breakers
• Active health checks
• Retry
• Caching

Router Mesh
• Robust service discovery
• Advanced load balancing
• Circuit breaker pattern
Inter-Process Communication
• Routing is done at the container level
• Services connect to each other as needed
• NGINX Plus acts as the forward and reverse proxy for all requests

Normal Process
• DNS service discovery
• Relies on round robin DNS
• Each request creates a new SSL connection, which, fully implemented, is 9 requests

Detail
• NGINX Plus runs in each container
• Application code talks to NGINX locally
• NGINX talks to NGINX
• NGINX queries the service registry

Service Discovery
• DNS is a clear way to manage service discovery
• NGINX Plus Asynchronous Resolver
• SRV records allow you to effectively use your resources

Load-balancing
• Proper request distribution
• Flexibility based on the backing service
• Different load-balancing schemes

Persistent SSL Connections
• Applications generate thousands of connections
• 9 steps in SSL negotiation
• Persistent SSL upstream keepalive

Circuit Breaker Plus
• Active health checks
• Retry
• Caching
The solution
• Service discovery
• Container-based load-balancing
• Persistent SSL connections
• Circuit-breaker functionality
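A configuration sketch of the per-container setup described in the Detail through Circuit Breaker Plus slides, added here as an illustration and not taken from the talk or from NGINX's reference architecture. The resolver address, hostnames, port, file paths and zone names are all assumptions; `resolve`, `service=` and `health_check` are NGINX Plus features.

```nginx
# Added illustration; every address, hostname, path and zone name is an assumption.
# Lives in the http {} context of the NGINX Plus instance inside the calling container.

resolver 10.0.0.2 valid=5s;             # assumed DNS interface of the service registry
resolver_timeout 2s;

proxy_cache_path /var/cache/nginx/fabric keys_zone=fabric_cache:10m;

upstream user_service {
    zone user_service 64k;              # shared memory, needed for resolve and health checks
    # SRV lookup (_https._tcp.<name>): address and port both come from DNS
    server user-service.internal.example service=https resolve;
    keepalive 32;                       # idle upstream connections kept open per worker
}

server {
    listen 127.0.0.1:8081;              # application code talks to NGINX locally

    location / {
        proxy_pass https://user_service;   # NGINX talks to NGINX over TLS

        # Persistent SSL: reuse connections instead of a full handshake per request
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_ssl_session_reuse on;

        # Authenticate the peer, not just encrypt to it
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/fabric/ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name user-service.internal.example;

        # Circuit breaker: retry another instance, then fall back to cache.
        # Cache only responses that are safe to share between callers.
        proxy_next_upstream error timeout http_502 http_503;
        proxy_cache fabric_cache;
        proxy_cache_valid 200 10s;
        proxy_cache_use_stale error timeout updating http_502 http_503;

        health_check interval=3s fails=2 passes=2;   # active health check
    }
}
```

Without `proxy_ssl_verify on` and a trusted CA, the upstream connection is encrypted but the peer is not authenticated, so any host that can answer the DNS lookup could receive the traffic.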
Issues

Docker
Recommendation: 1 service per container
• Keeps docker images simple
• Process failure means container failure
• Only a recommendation

Complexity
• Adding another layer to the stack
• Lots of power to give to dev team
• Tooling to make the Fabric Model simple to create and deploy

Conclusion