Nginx Pairs with Istio to Simplify the Service Mesh
Nginx Inc., the company behind the open-source Nginx high-speed web server software, brought forth a line of new products at its nginx.conf conference in Portland, with the aim of expanding into the world of containers and management.
Owen Garrett, head of product at Nginx, said that the goal is to provide a configurable and manageable platform for using Nginx as a web server, load balancer, HTTP cache, and reverse proxy server in containerized environments.
To this end, the company is cozying up to the Istio project, and offering up Nginx as an ingress controller. Istio offers a cloud-based service mesh for Kubernetes instances, and Nginx’s load balancing and proxy features can now be used to handle all of the traffic coming into such an environment. Kubernetes is an open-source container orchestration tool developed by Google and now managed by the Cloud Native Computing Foundation.
“The Istio project is composed of innovative companies and developers who are collaborating on the next generation of services based architectures,” said Varun Talwar, product management lead for Istio at Google. “We are excited to have Nginx join the Istio community as it is a widely used, highly performant and trusted product, and many Nginx customers would like to make securing, monitoring, and managing microservices easier using Istio. We welcome them to the community and look forward to their contributions to the Istio project.”
“If you design microservices,” said Garrett, “there are two approaches you can take. One, you can deploy a services bus, where you process them one at a time, or you need a mesh topology. You need a controller to set up that mesh topology for you, to set up communications. It is a necessary component if you’re deploying in that environment. We had a microservices reference architecture which encouraged our users to take multiple servers and run proxies out there alongside them, but we have not built the control plane. Now, Istio has done that.”
“It’s about control,” said Garrett. “It’s about removing the complexity of setting up routing to applications. It’s one thing to have an application and have multiple services, it’s another to have containers all over the place, and the containers can talk to each other whenever they want. If one is compromised it can compromise everything else. In a services mesh, you can set up mutual TLS. You can manage the services that communicate to one another, and services don’t have to know if it’s one service or two behind that IP. We found that Nginx is a perfect fit for that.”
“Kubernetes has the concept of an ingress controller,” said Garrett. “The ingress controller implements load balancing rules in response to changes in topology. Our Ingress Controller Solution is a fully supported project from Nginx Inc.”
Garrett said that Nginx has also offered up its own replacement for Lyft’s Envoy, the proxy included with Istio. “We’ve replaced Envoy with Nginx running as the side proxy. We’re working closely with the Google team. Istio was built with Google and IBM joining forces, and Lyft to some extent.” Garrett said that Nginx will also be joining the Istio project in a formal manner.
The Istio news is only one piece of the larger puzzle for Nginx, however. The company announced Nginx Controller, Nginx Unit, and a new web application firewall.
Said Garrett, “Nginx Controller stems from the fact a lot of companies were building custom tooling to link to business needs, like auto-scaling and updates. This is a single pane of glass that can manage the configurations, and pull data and stats off the Nginx devices. Nginx Controller can manage a broad fleet of Nginx devices and apply policies, such as blue/green deployments and updates.”
Controller comes to Nginx through its late 2016 acquisition of Zokets. The end goal is to build a set of autonomous capabilities that administrators will be able to reuse as their deployments mature and require manipulation at scale.
Controller will start an extended beta test in October, with the production-ready version arriving in early 2018.
For microservices environments, Garrett said that Nginx Unit provides a lightweight application server for use in dynamically built containers and virtual machines.
Garrett said that modern application servers should not take their cues from the past. Rather than being monolithic, long-running processes, they should be smaller, configurable via API, and short-lived, like containers.
“What we’ve done is rethought what it means to be an app server. Nginx Unit can support a range of different application runtimes: PHP, Python, and Go. We’ll be adding Java and Node.js in the next few months,” said Garrett.
“Unit is a persistent app server configured through an API. All changes are performed dynamically by reprogramming the server internally. You change routes or permissions through an API. Unit will include a proxy module that will act as a load balancer, handling incoming and outgoing traffic, and allow app servers to build a mesh network with other app servers that provides networking and discovery,” said Garrett.
“We’ve got a lot of experience working with app servers,” said Garrett. “That experience is informing what we’re doing with Unit. It was started by our founder, Igor Sysoev. He’s been thinking on this for four years. Unit will be open source, first offering beta language support, then later additional language support and service mesh networking.”
Those additional languages, Java and Node.js, will arrive later this year, with service mesh coming sometime next year. Unit still requires regular old Nginx or commercially supported Nginx Plus to handle incoming traffic and increase security.
To better help administrators get their hands around security and stability concerns, Nginx began working on a new monitoring solution called Amplify. This SaaS monitoring solution can aggregate all of the logs generated by Nginx servers and present them in a sensible fashion. This includes graphs, charts and the ability to generate reports. The service is officially generally available as of today and is free for the first five servers monitored.