« Previous 1 2 3 4
A versatile proxy for microservice architectures
Traffic Control
Envoy Control Plane
From an architectural point of view, Contour is not so different from Istio. Contour also acts as a control plane for Envoy and is controlled in Kubernetes by means of custom resource definitions (CRDs). Once users have set up their pods accordingly, Envoy runs as a proxy instance and is dynamically controlled by Contour.
Contour has a comprehensive feature set. If a component of an application is automatically scaled horizontally because of high load, for example, Contour Envoy adapts autonomously. If so desired, Contour can also automatically configure Envoy's TLS capabilities after simply specifying the appropriate certificates when rolling out the pod definitions. However, all these functions are just the daily grind from Envoy's point of view.
Freestyle also supports Envoy. As described, Envoy can monitor traffic directly from a virtual monitor port, various upstream servers can be configured dynamically in Contour, and admins can define error conditions according to the parameters of a setup.
Having an Envoy instance for several namespaces in Kubernetes is also possible. In this way, traffic from a shared URL can be distributed to different pods in Kubernetes, which are then operated by different teams.
Also Ran: Consul Connect
Another possible way to roll out Envoy as a sidecar is offered by the Consul cluster consensus algorithm. Dubbed Connect, Envoy becomes part of the Consul service mesh for Kubernetes. Envoy essentially takes care of connecting clients outside the setup to services within it. Moreover, Envoy is responsible for SSL termination if the admin wants to use these features.
Almost in passing, Connect also configures Envoy to act as a basic security barrier. Two services that are not authorized to communicate with each other according to Connect cannot do so through the proxy server either. The proxy would reject any connection attempts in collaboration with Connect.
Without a running Consul instance, the use of Connect makes only limited sense. If you use Consul anyway, you can set up Connect as a service and use it without too much additional overhead. If you do not use Consul, you are probably better off with Istio or Contour, depending on your area of responsibility (Figure 5).
Conclusions
Modern app architectures present admins and developers with some new challenges regarding the management of many parallel connections. Envoy proves to be a fantastic tool that mediates between clients and applications as well as between the parts of an application. Its performance is impressive. In addition to simple proxy connections, complex setups are no problem. SSL termination is one of the easier tasks for Envoy. At the moment, the program faces competition from one direction, with Linkerd being the only serious alternative to Envoy. Anyone developing apps for Kubernetes will want to take a good look at Envoy and carefully compare it with Linkerd.
Infos
- "A service mesh for microarchitecture components" by Martin Loschwitz, ADMIN , issue 54, pg. 28, https://www.admin-magazine.com/Archive/2019/54/A-service-mesh-for-microarchitecture-components/
- Envoy: https://www.envoyproxy.io/
- APIs: https://www.envoyproxy.io/docs/envoy/v1.15.0/api/api
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)