The war for the service mesh has been on ever since the pattern emerged as a way of routing traffic reliably between cloud-based microservices. While the term originated with tools like HAProxy, it has since expanded to a broader ecosystem that includes Envoy, the hotshot newcomer from Lyft, and NGINX, the Web server that can route and balance just about anything involving packets.
Armon Dadgar, chief technology officer of HashiCorp, offers a more harmonious solution: why not use them all? At HashiDays, the company’s developer conference in Amsterdam last week, Dadgar and the tech team at HashiCorp unveiled the latest updates to their Consul registry and service discovery product.
Consul can now make sense of the service mesh layer within a cloud environment while maintaining a secure network between the services it keeps track of. The new Consul Connect feature lets individual services be segmented so that access controls can be enforced on them: services can be locked down, accessible only to other specific, verified services.
“We’re turning Consul into a full-blown service mesh. Now we can go to Consul and say, ‘The web server can talk to the database, and that server can talk to the database, and Consul sets up a service graph and distributes it efficiently, and caches it on all nodes. Consul provides a workflow around generating certificates, signing them, managing them; the full generation of lifecycle,” said Dadgar.
Consul Connect adds a number of capabilities over previous versions of the platform, among them certificate-based service identity and encrypted communication between services.
Dadgar said the team at HashiCorp was trying to find a way to secure such service-to-service traffic over untrusted networks such as a public cloud or a multicloud environment. In the end, they took their cues from the world’s largest untrusted network, the public Internet, and adopted TLS as the encryption layer for Consul’s service mesh capabilities.
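The segmentation Dadgar describes (“the web server can talk to the database”) comes down to two pieces: a control plane that compiles such rules into a graph every node can cache, and a data plane that enforces the graph using the service identity carried in the peer’s TLS certificate. The sketch below is an added illustration, not Consul’s code; the `spiffe://mesh.example/svc/` identity format, the sample rules and the wildcard precedence are assumptions of the sketch.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed identity prefix for this sketch; the article does not describe
# the actual format of the identities Consul puts in its certificates.
TRUST_DOMAIN = "spiffe://mesh.example/svc/"


@dataclass(frozen=True)
class Intention:
    source: str       # service name, or "*" for any service
    destination: str  # service name, or "*" for any service
    allow: bool


# Constructed rules in the spirit of "the web server can talk to the database":
# web may reach db, every other caller is explicitly denied db, batch may reach
# anything not otherwise restricted, and unmentioned pairs fall through to deny.
RULES = [
    Intention("web", "db", allow=True),
    Intention("*", "db", allow=False),
    Intention("batch", "*", allow=True),
]


def compile_graph(rules: List[Intention]) -> Dict[Tuple[str, str], bool]:
    """Control plane: flatten the rules into a table that every node caches,
    so the data plane never calls back to the control plane per connection."""
    return {(r.source, r.destination): r.allow for r in rules}


def identity_from_cert_uri(uri: str) -> str:
    """Data plane: derive the caller's service name from the URI SAN of the
    client certificate presented in the TLS handshake (format assumed above)."""
    name = uri[len(TRUST_DOMAIN):]
    if not uri.startswith(TRUST_DOMAIN) or not name or "/" in name:
        raise ValueError("certificate identity outside the mesh: %r" % uri)
    return name


def authorize(graph: Dict[Tuple[str, str], bool], peer_uri: str, destination: str) -> bool:
    """True if the authenticated peer may open a connection to `destination`.
    Precedence (a choice of this sketch): exact/exact, then wildcard source,
    then wildcard destination, then catch-all. No matching rule means deny,
    which is what makes the segmented mesh default-closed."""
    source = identity_from_cert_uri(peer_uri)
    for key in ((source, destination), ("*", destination), (source, "*"), ("*", "*")):
        if key in graph:
            return graph[key]
    return False


GRAPH = compile_graph(RULES)
```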
The other challenge Consul now addresses is configuration. Proxies, load balancers, and security equipment such as Web Application Firewalls all perform important duties within a service mesh and a cloud-based environment, but keeping them all properly configured can be a challenge as networks move dynamically and shift from cloud to cloud.
To address this, Consul takes over configuration management for each such tool within the service mesh. Dadgar likens Consul to a control plane for the service mesh, while the other systems act as the data plane, controlling the flow and routing of the traffic itself.
“The final piece is a plausible data plane. Our goal is something to get you started. Then I can bring in Envoy, HAProxy, NGINX, or whatever that might be and plug that in. At the data plane layer, I have the freedom to pick what works for my system, but Consul is the control plane on top of that. Take any existing application, from mainframe to bare metal and we can make them fit into this modern service mesh model where we’re doing a fine-grained service-to-service model. As we build multicloud environments, we’re not having the problem of, ‘How do I bring my VLAN to all these environments?’” said Dadgar.
Dadgar noted that this control plane functionality is something that seems to be missing in the service mesh world right now. “Envoy is an awesome data plane. It’s super feature rich as a proxy, but it doesn’t ship with a control plane built in. We’ve seen many projects stitch together a control plane for it, but our view is we can’t solve segmentation with just the data plane. It becomes disjointed. You need to have these different pieces of information together so I can do service discovery around it. The control plane has to know where the database is, for example. For us, it’s a natural fit. It solves the discovery piece and the configuration piece,” said Dadgar.
He went on to describe the current multicloud model being explored by enterprises as similar to the old landscape of the data center, with new versions of old tools and endpoints redesigned for cloud. One of those changed tools is the firewall, said Dadgar, to which he likens the service mesh.
“The big thing as we’re looking forward is, how do we rethink the broader networking landscape? At HashiCorp, as a whole, transitions from ITIL delivery in VMware to multicloud provisioning, we think that this networking layer, the provisioning layer… They’re all going through the same transition. When we think of networking, it’s going through a rapid shift from the centralized hardware appliance driven approach to a decentralized software based. All the traditional networking appliances are going to go through this. Consul Connect is the firewall going through this. These other components will go through it as well,” said Dadgar.
Feature image via Pixabay.