Post on 09-Jun-2018
Building a Secure, Performant Network Fabric for Microservice Applications
August 24, 2016
MORE INFORMATION AT NGINX.COM
Christopher Stetson
Chief Architect, Professional Services, NGINX
Agenda
• A little NGINX History
• The Big Shift
• The Networking Problem
• Service Discovery
• Load Balancing
• Secure & Fast Intercommunication
• Architectures
• Issues
NGINX History and Products
• First team to crack C10K
• OSS NGINX released in 2004
• Company founded in 2011
• Launched product late 2013
• 3x bookings growth last year
Igor Sysoev, NGINX creator and founder
170+ million total sites running on NGINX
Source: http://news.netcraft.com/archives/category/web-server-survey/
50% of the Top 10,000 most visited websites
Source: W3Techs Web Technology Survey
750+ Commercial Customers on NGINX Plus
High Performance Webserver
Web Server
Flawless Application Delivery for the Modern Web
• Load Balancer
• Monitoring & Management
• Web Server
• Content Cache
• Security Controls
Small: binary is 1.2 MB
Fast: 100,000s of connections/sec
Reliable: stablest part of the stack
The Big Shift
Architectural Changes: Monolith to Microservices
An Anecdote
The tight loop problem
• REST calls
• 1000s of requests
• Looped data
Mitigation
• Group requests
• Cache data
• Optimize the network
NGINX Microservices
Microservices Reference Architecture
• Docker containers
• Polyglot services
• 12-Factor App(-esque) design
The Networking Problem
Service Discovery
• Services need to know where other services are
• Service registries work in many different ways
• Register and read service information
Load-balancing
• High Quality Load Balancing
• Developer Configurable
Secure & Fast Communication
• Encryption at the transmission layer is becoming standard
• SSL communication is slow
• Encryption is CPU intensive
Solution
• Service discovery
• Robust load balancing
• Fast encryption
Network Architectures
Proxy Model
• Inbound traffic is managed through a reverse proxy/load balancer
• Services are left to themselves to connect to each other
• Often through round-robin DNS
Proxy Model
• Focus on internet traffic
• A shock absorber for your app
• Dynamic connectivity
Router Mesh Model
• Inbound routing through reverse proxy
• Centralized load balancing through a separate load balancing service
• Deis Router works like this
Circuit Breakers
• Active health checks
• Retry
• Caching
Router Mesh
• Robust service discovery
• Advanced load balancing
• Circuit breaker pattern
Inter-Process Communication
• Routing is done at the container level
• Services connect to each other as needed
• NGINX Plus acts as the forward and reverse proxy for all requests
Normal Process
• DNS service discovery
• Relies on round-robin DNS
• Each request creates a new SSL connection, which fully implemented is 9 requests
Detail
• NGINX Plus runs in each container
• Application code talks to NGINX locally
• NGINX talks to NGINX
• NGINX queries the service registry
Service Discovery
• DNS is a clear way to manage service discovery
• NGINX Plus Asynchronous Resolver
• SRV records allow you to effectively use your resources
Load-balancing
• Proper request distribution
• Flexibility based on the backing service
• Different load-balancing schemes
Persistent SSL Connections
• Applications generate thousands of connections
• 9 steps in SSL negotiation
• Persistent SSL upstream keepalive
Circuit Breaker Plus
• Active health checks
• Retry
• Caching
The solution
• Service discovery
• Container-based load-balancing
• Persistent SSL connections
• Circuit-breaker functionality
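The four pieces of the Fabric Model listed above (DNS SRV service discovery, per-container load balancing, persistent SSL upstream keepalive, circuit breaker) expressed as one NGINX Plus configuration for the NGINX instance running inside a service's container. This is an added example, not taken from the slides or from NGINX's reference architecture; the resolver address, host names, health-check URI, cache zone and file paths are assumptions.

```nginx
# Added example. Placed inside the http {} context of the in-container NGINX Plus.
# Every address, name and path below is an assumption for illustration.

resolver 10.0.0.2 valid=5s;            # assumed DNS front end of the service registry

proxy_cache_path /var/cache/nginx keys_zone=fabric_cache:10m;

upstream user_manager {
    zone user_manager 64k;             # shared memory, needed for 'resolve' and health checks
    least_time header;                 # NGINX Plus scheme; choose per backing service
    # 'service=' makes NGINX Plus query SRV records (_https._tcp.<name>),
    # so both addresses and ports come from the registry.
    server user-manager.internal.example service=https resolve;
    keepalive 32;                      # idle upstream connections kept open per worker
}

server {
    listen 127.0.0.1:8080;             # application code talks to NGINX locally

    location /user-manager/ {
        proxy_pass https://user_manager/;   # NGINX talks to NGINX over SSL

        # Persistent SSL upstream keepalive: HTTP/1.1 and no "Connection: close",
        # so the negotiation is paid once per connection, not once per request.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_ssl_session_reuse on;

        # Verify the peer's certificate so the channel is authenticated as well as encrypted.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/fabric/ca.pem;
        proxy_ssl_name user-manager.internal.example;

        # Circuit breaker: active health checks, retry, caching.
        health_check uri=/health interval=2s fails=1 passes=2;
        proxy_next_upstream error timeout http_502 http_503;
        proxy_cache fabric_cache;
        proxy_cache_use_stale error timeout http_502 http_503;
    }
}
```

`health_check`, `least_time` and the `resolve`/`service=` parameters are NGINX Plus features; open source NGINX rejects them at configuration load.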
Issues
Docker Recommendation: 1 service per container
• Keeps Docker images simple
• Process failure means container failure
• Only a recommendation
Complexity
• Adding another layer to the stack
• Lots of power to give to dev team
• Tooling to make the Fabric Model simple to create and deploy
Conclusion