Anthos Service Mesh

Udesh Udayakumar
Google Cloud - Community
4 min read · Oct 8, 2022


Hey everyone, I hope you all are doing well. In this article, I wanted to give you an overview of Anthos Service Mesh.


But before diving into Anthos Service Mesh, we need to know what a service mesh is.

A service mesh is a dedicated, configurable infrastructure layer that handles the communication between services in a microservice architecture without requiring changes to the application code. With a service mesh it is straightforward to enforce security, manage traffic, gain observability, and discover services.

To know more about Istio, read my earlier article on Istio.

Anthos Service Mesh

Anthos Service Mesh is a suite of tools that helps you monitor and manage a reliable service mesh on-premises or on Google Cloud.

Anthos Service Mesh is built on top of Istio, a highly configurable and powerful open-source service mesh platform, with tools and features that enable industry best practices. It is deployed as a uniform layer across your entire infrastructure. It also provides an Anthos-tested and supported distribution of Istio that lets you create and deploy a service mesh on GKE on Google Cloud and on other platforms.

[Figure: Anthos Service Mesh architecture. Source: Google Cloud]

Features

Anthos Service Mesh offers a set of features that help you observe and manage secure, reliable services in a unified way. The key features of Anthos Service Mesh are:

Traffic Management

Anthos Service Mesh controls the flow of traffic between services, both ingress (into the service mesh) and egress (to external services). You configure and deploy Istio-compatible custom resources to manage traffic at the application layer (L7).
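As an added example (not from this article or from Google's own documentation), here is the kind of Istio-compatible configuration the paragraph refers to, applied to an Anthos Service Mesh cluster. The namespace (shop), the service (checkout, with v1 and v2 deployments) and the external host (payments.example.com) are assumed names. The DestinationRule defines the versioned subsets and pins sidecar-to-sidecar mTLS, the VirtualService routes a header-selected canary and a 90/10 weighted split with a timeout and bounded retries, and the ServiceEntry registers the one external dependency the mesh is allowed to reach.

```yaml
# Added example, not the article's own configuration.
# Assumed names: namespace "shop", service "checkout" backed by Deployments
# labelled version=v1 and version=v2, external host "payments.example.com".
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: checkout
  namespace: shop
spec:
  host: checkout.shop.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL        # sidecar-to-sidecar mTLS using mesh-issued certificates
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: checkout
  namespace: shop
spec:
  hosts:
  - checkout.shop.svc.cluster.local
  http:
  # Requests carrying x-canary: true go straight to v2 (L7 header match).
  - match:
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: checkout.shop.svc.cluster.local
        subset: v2
  # Everything else: 90% to v1, 10% to v2, with a request budget so a slow
  # canary cannot stall callers indefinitely.
  - route:
    - destination:
        host: checkout.shop.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: checkout.shop.svc.cluster.local
        subset: v2
      weight: 10
    timeout: 3s
    retries:
      attempts: 2
      perTryTimeout: 1s
      retryOn: 5xx,reset
---
# Egress: declare the external dependency explicitly. When the mesh's
# outboundTrafficPolicy is REGISTRY_ONLY, sidecars only forward traffic to
# hosts that are registered like this, so unexpected egress is blocked.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: payments-api
  namespace: shop
spec:
  hosts:
  - payments.example.com        # assumed external host
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
```

Apply the three resources with kubectl apply -f against a cluster where the shop namespace has sidecar injection enabled; the VirtualService only affects traffic from sidecar-injected pods, which is why injection coverage is worth checking before relying on the weights.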

For more detail, check out my article on Istio Traffic Management.

Observability

Anthos Service Mesh provides many insights into your service mesh. Some of them are:

Service metrics and logs for HTTP traffic within the mesh's GKE cluster

Preconfigured service dashboards to understand the services

In-depth telemetry to dig deep into service metrics and logs

Service-to-service relationships

Service Level Objectives (SLOs) to give insight into the health of the services

Security

Anthos Service Mesh provides security features implemented on Istio and Google Cloud. Some of them are:

Mitigating the risk of impersonation by using mTLS certificates for authentication

Encryption in transit

Ensuring only authorized clients can access a service with sensitive data

Identifying which clients accessed a service with sensitive data

Read more about observability and security in my article on Istio.

Deploying Anthos Service Mesh

There are two different options for deploying Anthos Service Mesh. They are:

In-cluster control plane

With an in-cluster control plane, you use the asmcli tool to install the Anthos Service Mesh control plane components and the sidecar proxies into your own cluster. asmcli also handles installing or upgrading Anthos Service Mesh on GKE On-Prem and other on-premises platforms.

Managed Anthos Service Mesh

With managed Anthos Service Mesh, Google handles upgrading, scaling, and securing the control plane for your cluster, which minimizes the maintenance you have to do. It consists of a managed control plane. When the managed data plane is enabled, you annotate the namespaces you want covered; the annotation installs an in-cluster controller that manages the sidecar proxies in those namespaces.

You can optionally enable the managed data plane in Anthos Service Mesh 1.10.4 or later.
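As an added example (not from this article), this is what opting a namespace into managed Anthos Service Mesh looks like as a manifest. The namespace name (shop) is assumed; the istio.io/rev label selects the managed control plane revision for sidecar injection, and the mesh.cloud.google.com/proxy annotation is the one that enables the managed data plane described above. The revision value shown (asm-managed) corresponds to the regular release channel; the channel you run determines which value applies.

```yaml
# Added example, not the article's own configuration.
# Assumed namespace name "shop".
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    # Sidecar injection comes from the managed control plane revision
    # (asm-managed = regular channel; other channels use different values).
    istio.io/rev: asm-managed
  annotations:
    # Opt this namespace into the managed data plane: Google's in-cluster
    # controller then keeps the sidecar proxies upgraded for you.
    mesh.cloud.google.com/proxy: '{"managed":"true"}'
```

Pods already running in the namespace keep their existing sidecar until they are restarted, so rolling the deployments after applying the manifest is what actually brings the proxies under the managed controller.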

Observability in Anthos Service Mesh

Anthos Service Mesh provides visibility into the health and performance of services. To obtain telemetry data, it relies on sidecar proxies that are injected into the pods as a separate container. These proxies intercept all ingress and egress traffic and report back to Anthos Service Mesh. By default, when you install Anthos Service Mesh, Cloud Monitoring and Cloud Logging are enabled automatically.

Anthos Service Mesh also provides several preconfigured service dashboards in the Google Cloud console, which saves you from creating charts and dashboards by hand. This level of telemetry detail lets operators observe how a service behaves and helps them troubleshoot, maintain, and optimize their application workloads.

Security in Anthos Service Mesh

Anthos Service Mesh also helps mitigate security threats such as insider threats and reduces the risk of data breaches. It does this by enforcing encrypted communication, mutual authentication, and authorization between services. It also lets you adopt a defense-in-depth posture consistent with Zero Trust principles through declarative policies, all without modifying the application code.

It uses mTLS (mutual TLS) for peer authentication, which ensures that workloads can verify each other's identities and authenticate one another. Some of the security features that Anthos Service Mesh provides are:

Automatic certificate and key rotation

Anthos Service Mesh certificate authority (Mesh CA)

User authentication with Identity-Aware Proxy

User authentication with your existing Identity Provider

Access logging and monitoring
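As an added example (not from this article or from Google's documentation), here are the declarative policies that implement the mTLS, mutual authentication and authorization described in this section for a service holding sensitive data. All names are assumed: the root namespace is istio-system, the application namespace is shop, the sensitive service is orders-api running under the Kubernetes service account orders-api, and the only caller that should reach it is the checkout workload under the service account checkout. The trust domain in the principal must match the mesh's own; TRUST_DOMAIN is a placeholder for it.

```yaml
# Added example, not the article's own configuration.
# Assumed names: root namespace "istio-system", namespace "shop",
# sensitive service "orders-api" (label app=orders-api), caller service
# account "checkout". TRUST_DOMAIN is a placeholder for the mesh trust domain.
#
# 1. Peer authentication: require mTLS for every workload in the mesh.
#    A PeerAuthentication named "default" in the root namespace applies
#    mesh-wide; STRICT rejects plaintext connections instead of tolerating them.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Deny by default in the namespace. An AuthorizationPolicy with no selector
#    and no rules matches nothing, so with no other ALLOW policy every request
#    to every workload in "shop" is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# 3. Allow only the checkout workload's mTLS identity to read orders.
#    The principal is the SPIFFE identity carried in the client certificate,
#    so it cannot be spoofed by setting a header; the path and method
#    restriction limits even that caller to the read-only surface.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-api-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "TRUST_DOMAIN/ns/shop/sa/checkout"   # e.g. PROJECT_ID.svc.id.goog for Mesh CA
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders/*"]
```

Because the identity in the ALLOW rule comes from the certificate issued by the mesh CA and is verified during the mTLS handshake, the PeerAuthentication in step 1 is what makes step 3 meaningful: without STRICT mode a plaintext client would present no principal at all. The sidecar access logs the section lists then record which principal reached orders-api and which requests the deny-all policy rejected.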

Read my article on GKE On-Prem.


That’s a high-level overview of Anthos Service Mesh. I hope this helps you. Thank you for reading. See you soon!
