Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
solo.io / Application Networking Day - Detroit 2022 / 13 Dec 2022
solo.io / Application Networking Day - Detroit 2022 / 13 Dec 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Application Networking Day Session #5: What Does Ambient Mesh Mean for Your Wallet?

Description

Featuring Will McKinley and Marino Wijay. Istio’s new ambient feature, a sidecar-less operational mode, makes service mesh a first-class citizen of the cloud-native platform. What this means for your services is a friction-less entry into automatically providing zero-trust networking with minimal operational burden to the developer. In this talk, we take a look at resource usage and detail the differences between allocation and utilization and how best to optimize for costs when using ambient.

A

Foreign.

A

Cost of resources that you might save with ambient mesh so first off um I want to give a little shout out to my colleague who couldn't be here today, because he had his son was sick last night he was actually here at the rejects conference and had to fly home, uh but he'll be he'll, be here uh later today, and hopefully you can run into him if you, if you do he's a great guy, um definitely talk to him. Well, myself.

A

I'm will McKinley I'm a director here at Solo in the field engineering team um and also a thank you to Christian and Greg, who are on Lynn's hoot recently talking about this subject. They did all the research here so I'm just here to talk about it, but definitely go in and take a listen to that YouTube video, um it's quite good. You'll get you'll get info straight from the people that worked on this.

A

So first of all, I'll talk about something that you've probably never heard of right, just a level set. What is what is ambient mesh?

A

um And you know ambient mesh really is just a separation of L4 traffic and L7 traffic. You know a couple of different proxies right, so we're going to look at the Z tunnel right, which is your L4 traffic and then something called a waypoint proxy.

A

um Now the Z tunnel will use identity.

A

So if you're, if you're looking at just deploying a bunch of microservices- and you want those micro services to be secured identity wise within istio- the traditional way that you would see with spiffy IDs, then Z tunnel will work for you and you can see you know through this talk how beneficial that will be for you now if you are doing more kind of advanced traffic management with L7 between your services, we'll talk about that as well, but um you'll you get all the richness of that with a lot more flexibility with ambient.

A

So just looking at at how ambient works right with the with the Z tunnel, you can see that the Z tunnel is deployed as a node-based proxy right so uh going from a service on your cluster one to Cluster two. They need to call through each other, there's going to be service identity, that's transferred through mtls between each sea tunnel.

A

um This also works on the same node as well. It will still go through the Z tunnel to establish that identity, so you can still use your authorization policies that you would have normally used with with service smash.

A

Now the Waypoint proxy obviously is going to give you the kind of advanced functionality above what you're, seeing with that Z tunnel and we'll talk about how you deploy those um you know it gives you a lot of configurability in in terms of deployment, architectures and and we'll just show you how you know we did this within our testing.

A

So there are some resource implications of taking a sidecar based approach, and it's not that it it, you know, isn't very useful um because it is a very uniform approach right. But if you think about you know like the traditional book info application uh that comes with comes with istio and it's a polyglot application, it's a microservices-based application, and you know if, if you wanted to scale this up to handle a bunch of traffic, well you would need to do is determine what number of replicas you needed to run for each of these back-end services.

A

So maybe you know, like reviews is, is a little bit. You know non-performant, and you wanted to scale that up each time. You do that, though you're going to carry along another replica of the sidecar along with that, so you can.

A

You can quickly see that if you're scaling up, you know 3x, and this in this situation, where I've got you know four applications, um one of them has three different versions and so, on the left hand, side I've got you know six proxies when you scale that up you're going to have 18 right if you're, assuming you're scaling that up in a uniform way.

A

So, on the other hand, um looking at this same application in ambient mode, what you see is with the Z tunnel being a node-based proxy and then the Waypoint proxy. Let's assume that you're only doing L7 to one of the services right, maybe maybe between reviews and ratings you're gonna do some kind of traffic, um maybe circuit breakers retry, something like that right, and so you need L7 there. In that case, you can separate the deployment strategies between scaling up the application which may not be as performant and that L7 proxy, so the Waypoint proxy.

A

You may only need one. um You know seeing that it's based on service identity right, so um so that gives you a lot better. I I, think functionality and configurability.

A

So, let's just talk about how we ran these tests first um and and how we got the graphs that you're going to see towards the end of this talk.

A

So, first of all, we wanted to have an application that um we did. We didn't we weren't trying to you, know kind of fight against it when we're running a load against it right so book info, unfortunately, is not a great example of something that you can run load against, because it's not terribly responsive. So what we did instead was to use HTTP bin application. So it's a very lightweight python, based server that just responds back with whatever request, headers and body that that you sent it.

A

um We deployed three different versions of this, and then we used the the istio test 20o to um to test load against all of these okay, and each of these versions had 10 replicas uh within the cluster. The cluster is a three node cluster. uh It has eight CPU and 24 gigs of memory per node.

A

um So you can. You could sort of take that, as you know, our standard that we ran against uh and extrapolate. You know for your conditions right um and then we ran it in three modes, so we ran it in the sidecar model.

A

Then we ran it with just using the l4z tunnel and then we ran these same tests with both the Z tunnel and L7 Waypoint proxies okay, so that you could compare each of these.

A

So the first thing you'll see is that if you look at the charts for total CPU, um you can see already there's a pretty dramatic difference between you know running as a sidecar and running as just Z tunnel or even Z tunnel with the Waypoint proxy right um and the green line. There is actually the total CPU of all workloads where the the yellow line actually is pretty hard to distinguish those colors, but I'll say the the Top Line is, is all workloads and then the bottom line.

A

Is your data path proxies right, so you can see what kind of load is coming from the application versus? What's coming from, you know, just your proxies and you know again, you know dramatic dramatic difference here. I think it was I think it was like roughly 75 difference here.

A

uh One thing I'll note: you probably have a question about is: what's this little Spike at the beginning, right um so I'll I'll mention that when we get to um after these, these slides is kind of the the future of of ambient, but you will notice that it's consistent between sidecar model, as well as ambient model, looking at total memory again you're going to see this- probably roughly, you know 50 60 Improvement here.

A

um Obviously, if you're using Z tunnel, dramatic, Improvement and and the L7 comes in pretty pretty well as well.

A

I think this is um also if, when we're talking about deployment strategies, looking at the Stacked view is very helpful, because now you can see just how many sidecars you know you're running in and even though they take up a small amount of CPU, all that aggregated uh it turns out to be quite a bit right, and so, when you're thinking about now, I'm going to need to go and um do do some cost research for what kind of cluster do I need to actually purchase right.

A

This should help you with making that determination and there's also the the memory stacked View there. So if you, if you start testing with your applications- and you see that you know one- it I may not need L7 everywhere.

A

Right, I also know that, from a standpoint of the data path, all the way through L7, maybe you know that proxy may be a lot more performant than um than my application, and so I may have to scale up my application, whereas my actual Waypoint proxy I could still leave it as a single replica or maybe just you know, h a you know have a couple of them available.

A

I will mention also that those Waypoint proxies are based on the service account. So if you have, you know multiple services and they all have their own service account that you would need multiple Waypoint proxies to handle that L7 traffic on the on the server side.

A

um So that's that's something to consider as well.

A

Looking at this just in a table format um you can see here, like the contain the number of containers required in our setup. You know 31 with sidecars, um whereas even with the L4 and L7 you're at six containers.

A

Okay um in terms of CPU again, you know you're, looking at three bcpu for running this entire example versus you know just a fraction of a CPU like roughly a half a CPU in The, L4 plus L7 case and then total memory. Again, you know we're talking fractions here right.

A

So just kind of key takeaways here is that one you know ambient is is pretty new right. We also already can see dramatic improvements in terms of reduced cost.

A

um Obviously it's going to give you that increased flexibility, because when you're thinking about you know your deployment strategies, you're going to be able to separate concerns pretty easily, along with the reduced complexity that you get, which you probably already heard about. Where you know you can roll out your new applications, you can upgrade.

A

um You know istio without having to interrupt your applications, and so those are all key benefits.

A

um And now, let's talk a little bit about the future of ambient mesh, so I mentioned before you know this is this is relatively new right, um so there's still optimizations that we're looking at so, for instance, when you look at the Z tunnel today, that's being implemented with an Envoy proxy right that was done in terms of expedience getting into the market, because we already had all those filters built in right.

A

We could already establish mtls with with Envoy proxy, most likely that is going to be Rewritten um and and to be more performant and specialized just to handle that L4 traffic right and so you'll expect to see even more performance gains uh in the future.

A

All right and there's there's just additional information. I think these slides are going to be available after so you'll actually get these links. So so don't worry. If you know you can't see links here, that's okay, we'll make sure you get those and I think that's the end of my talk. So it's nice and short.