Network operators are increasingly adopting service mesh architectures, which provide managed, observable, and secure communication between microservices, allowing them to be composed into robust enterprise applications. And as service mesh deployments scale, organizations are asking for fully managed solutions that cover a range of infrastructure and integrate with the rest of the network services, such as global load balancing, centralized health checking, managed rate limiting, traffic driven autoscaling.
Today, we are excited to announce Cloud Service Mesh, a fully managed service mesh across all Google Cloud platform types. Cloud Service Mesh takes the Traffic Director’s control plane and Google’s open-source Istio-based service mesh, Anthos Service Mesh, and combines them into a single offering that provides the best of both worlds.
With Cloud Service Mesh, customers get:
-
Traffic Director control plane with global scale
-
Anthos Service Mesh compatibility
-
Istio APIs (the most widely used open-source APIs for mesh in Kubernetes clusters)
-
Managed data plane for automatic upgrades of Envoy sidecars
-
GKE Fleet integration
-
Hosted certificate authorities for workload identity
-
Service Operations dashboard for service metrics
-
GCP APIs from Traffic Director for
-
Proxyless gRPC support
-
VMs
-
Cloud Run
Cloud Service Mesh will be generally available this quarter.
Cloud Service Mesh benefits
A service mesh manages all the common requirements of running a service: traffic management, observability, and security. This allows application developers and operators to focus on their business, creating and managing great applications for their users without having to invest in managing mesh infrastructure. Let’s take a look at the features that Cloud Service Mesh provides.
Traffic management
Cloud Service Mesh controls the flow of traffic among services in the mesh, into the mesh (ingress), and to outside services (egress), allowing you to configure and deploy resources at the application layer to manage this traffic. With Cloud Service Mesh, you can:
-
Use Google’s global load balancing software to offer automatic capacity and proximity aware global load balancing
-
Finely control routing for your services
-
Configure load balancing among services
-
Create canary and blue-green deployments
-
Set up retries and circuit breakers
Controlling how your services communicate, both in normal and failure scenarios, allows you to build much more reliable applications.
Observability insights
Cloud Service Mesh supports telemetry, logging and tracing. With this data you can track how your service is operating and find the issues when something goes wrong.
The graphical user interface in the Google Cloud console provides insights into your service mesh through this telemetry. These metrics are automatically generated for workloads configured through the Istio APIs.
-
Service metrics and logs for HTTP traffic within your mesh's GKE cluster are automatically ingested to Google Cloud.
-
Preconfigured service dashboards give you the information you need to understand your services.
-
In-depth telemetry — powered by Cloud Monitoring, Cloud Logging, and Cloud Trace — lets you dig deep into your service metrics and logs. You can filter and segment your data on a wide variety of attributes.
-
Service-to-service relationships are visible at a glance, helping you understand the communication and dependencies between services.
-
You can quickly see the communication security posture not only of your service, but its relationships to other services.
-
Service level objectives (SLOs) give you insight into the health of your services. You can easily define an SLO and alert on your own standards of service health.
Security benefits
Service security is the third major component of a service mesh. Each service has its own identity, which is used by mutual TLS (mTLS) to provide strong service-to-service authentication and encryption. Cloud Service Mesh performs the following:
-
Mitigates risk of replay or impersonation attacks that use stolen credentials. Cloud Service Mesh relies on mTLS certificates to authenticate peers.
-
Ensures encryption in transit. Using mTLS for authentication also ensures that all TCP communications are encrypted in transit.
-
Ensures that only authorized clients can access a service with sensitive data, irrespective of the network location of the client and the application-level credentials.
-
Mitigates the risk of user data breach within your production network. You can ensure that insiders can only access sensitive data through authorized clients.
-
Identifies which clients accessed a service with sensitive data. Cloud Service Mesh access logging captures the mTLS identity of the client in addition to the IP address.
Supporting existing service mesh customers
In the short term, we will rebrand Anthos Service Mesh and Traffic Director documentation and SKUs to Cloud Service Mesh, but beyond that, current Anthos Service Mesh and Traffic Director users will see no immediate change to their environment. Your current APIs will continue to work as is, and your mesh will continue to function. Over the coming year, we will work with Anthos Service Mesh and Traffic Director customers to ensure they can leverage all the new capabilities while converging on a common control plane with a choice of APIs.
Get started by using the existing Managed ASM with Istio APis on GKE, or Traffic Director with GCP APIs today. These will automatically be moved to CSM at launch later this quarter.