Building a Secure, Performant Network Fabric for Microservice Applications

August 24, 2016

MORE INFORMATION AT NGINX.COM

Christopher Stetson

Chief Architect,

Professional Services NGINX

MORE INFORMATION AT NGINX.COM

Agenda

•  A little NGINX History •  The Big Shift •  The Networking Problem

•  Service Discovery •  Load Balancing •  Secure & Fast Intercommunication

•  Architectures •  Issues

MORE INFORMATION AT NGINX.COM

NGINX History and Products

MORE INFORMATION AT NGINX.COM

•  First team to crack C10K •  OSS NGINX released in 2004 •  Company founded in 2011 •  Launched product late 2013 •  3x bookings growth last year

Igor Sysoev, NGINX creator and founder

NGINX, Inc. Confidential Information 6

170+ million total sites

running on NGINX

7 Source: http://news.netcraft.com/archives/category/web-server-survey/

50% of the Top 10,000

most visited websites

8 Source: W3Techs Web Technology Survey

750+ Commercial Customers

on NGINX Plus

9

MORE INFORMATION AT NGINX.COM

High Performance Webserver

10

Web Server

MORE INFORMATION AT NGINX.COM

Flawless Application Delivery for the Modern Web

11

Load Balancer Monitoring & Management

Web Server Content Cache Security Controls

Small Binary is 1.2 MBs

12

Fast 100,000’s of connections/sec

13

Reliable Stablest part of the stack.

14

MORE INFORMATION AT NGINX.COM

The Big Shift

MORE INFORMATION AT NGINX.COM

Architectural Changes: Monolith to Microservices

MORE INFORMATION AT NGINX.COM

Architectural Changes: Monolith to Microservices

MORE INFORMATION AT NGINX.COM

An Anecdote

MORE INFORMATION AT NGINX.COM

The tight loop problem •  Rest calls •  1000’s of requests •  Looped data

MORE INFORMATION AT NGINX.COM

Mitigation •  Group requests •  Cache data •  Optimize the network

MORE INFORMATION AT NGINX.COM

NGINX Microservices

MORE INFORMATION AT NGINX.COM

Microservices Reference Architecture •  Docker containers •  Polyglot services •  12-Factor App(-esque)

design

MORE INFORMATION AT NGINX.COM

The Networking Problem

MORE INFORMATION AT NGINX.COM

Service Discovery •  Services needs to know

where other services are •  Service registries work in

many different ways •  Register and read service

information

MORE INFORMATION AT NGINX.COM

Load-balancing

•  High Quality Load Balancing

•  Developer Configurable

MORE INFORMATION AT NGINX.COM

Secure & Fast Communication •  Encryption at the

transmission layer is becoming standard

•  SSL communication is slow

•  Encryption is CPU intensive

MORE INFORMATION AT NGINX.COM

Solution • Service discovery • Robust load balancing • Fast encryption

MORE INFORMATION AT NGINX.COM

Network Architectures

MORE INFORMATION AT NGINX.COM

Proxy Model •  In bound traffic is

managed through a reverse proxy/load balancer

•  Services are left to themselves to connect to each other.

•  Often through round-robin DNS

MORE INFORMATION AT NGINX.COM

Proxy Model • Focus on internet traffic • A shock absorber for your app • Dynamic connectivity

MORE INFORMATION AT NGINX.COM

Router Mesh Model •  In-bound routing through

reverse proxy •  Centralized load

balancing through a separate load balancing service

•  Deis Router work like this.

MORE INFORMATION AT NGINX.COM

Circuit Breakers •  Active health checks •  Retry •  Caching

MORE INFORMATION AT NGINX.COM

Router Mesh • Robust service discovery • Advanced load balancing • Circuit breaker pattern

MORE INFORMATION AT NGINX.COM

Inter-Process Communication •  Routing is done at the

container level •  Services connect to each

other as needed •  NGINX Plus acts as the

forward and reverse proxy for all requests

MORE INFORMATION AT NGINX.COM

Normal Process •  DNS service discovery •  Relies on round robin

DNS •  Each request creates a

new SSL connection which fully implemented is 9 requests

MORE INFORMATION AT NGINX.COM

Detail •  NGINX Plus runs in each

container •  Application code talks to

NGINX locally •  NGINX talks to NGINX •  NGINX queries the

service registry

MORE INFORMATION AT NGINX.COM

Service Discovery •  DNS is a clear way to

manage service discovery •  NGINX Plus

Asynchronous Resolver •  SRV records allow you to

effectively use your resources

MORE INFORMATION AT NGINX.COM

Load-balancing •  Proper request

distribution •  Flexibility based on the

backing service •  Different load-balancing

schemes

MORE INFORMATION AT NGINX.COM

Persistent SSL Connections •  Applications generate

thousands of connections •  9 steps in SSL

negotiation •  Persistent SSL upstream

keepalive

MORE INFORMATION AT NGINX.COM

Circuit Breaker Plus •  Active health checks •  Retry •  Caching

MORE INFORMATION AT NGINX.COM

The solution •  Service discovery •  Container-based load-

balancing •  Persistent SSL

connections •  Circuit-breaker

functionality

MORE INFORMATION AT NGINX.COM

Issues

MORE INFORMATION AT NGINX.COM

Docker Recommendation: 1 service per container •  Keeps docker images

simple •  Process failure means

container failure •  Only a recommendation

1 *

MORE INFORMATION AT NGINX.COM

Complexity •  Adding another layer to

the stack •  Lots of power to give to

dev team •  Tooling to make the

Fabric Model simple to create and deploy

MORE INFORMATION AT NGINX.COM

Conclusion