Service mesh companies facing a multitude of competitors are introducing SaaS products to make the complex technology more attractive to new users.
Service mesh existed before Kubernetes and container orchestration became popular, but in the midst of that trend it has attracted attention as a way to address container networking issues. Container-based microservices applications can be difficult to monitor without the deep visibility service mesh frameworks have into the traffic between their individual components.
In addition, a service mesh distributes security policies to a network of software modules known as sidecar proxies, which enforce those policies among distributed microservices more effectively than traditional network security tools can.
The downside is that running a service mesh can be daunting in its complexity, even for seasoned IT professionals. There is also no agreed industry standard for service mesh that matches Kubernetes’ dominance in container orchestration, in part because mainstream service meshes are still very early in their development. Gartner estimates that only 5% of companies have a service mesh in production.
“The rise of service mesh technology follows the rapid adoption of containers and Kubernetes in manufacturing,” said Arun Chandrasekaran, Gartner analyst. “However, the service mesh technology ecosystem is quite fragmented, with multiple competing projects and products, each with different degrees of maturity.”
In addition, service mesh is not the only way to add observability and security to container networks, and it is not mutually exclusive with other methods, which range from Container Network Interface (CNI) plugins to AIOps tools to specialized container monitoring and runtime security software. Users who do not need all of the advanced features of a service mesh may prefer one of these alternatives instead.
“When you have seven different options [for container security architectures], there is no critical mass,” said IDC analyst Frank Dickson. “No [user] wants to invest all that money in something like that [service mesh security] when there is not a large enough market.”
Service Mesh SaaS makes it easy for companies to get started
In the midst of these turbulent conditions, SaaS options for service mesh have emerged over the past two months. Others are in the pipeline to handle sensitive administrative details on behalf of users. For some, this will make service mesh less intimidating to production. Others can use such services to try their hand at the service network without taking over the entire network infrastructure.
In February, HashiCorp made its Consul service mesh generally available on its HashiCorp Cloud Platform (HCP), in addition to the Consul services already available for Microsoft Azure and AWS. Tigera also launched its Calico Cloud, a security-oriented service mesh SaaS, in February, and in March Solo.io announced that its Istio-based Gloo Cloud would soon enter public beta.
Buoyant, the commercial backer of Istio rival Linkerd, will offer Buoyant Cloud later this year, and Istio management provider Tetrate is also planning a SaaS launch in the coming months. Cloud service providers and network providers such as Kong, Google Kubernetes Engine and AWS were already offering managed service meshes at the beginning of 2021.
The growth of service mesh SaaS also reflects organizations’ overall confidence in cloud services and their shared responsibility security model, Dickson said. After years of familiarization with IaaS services, they are ready to hand over higher-level IT functions to service providers as well.
“We have accepted in this shared responsibility model that our vendors can do things better than we do,” said Dickson. In particular, with complex architectures such as service mesh, “we also make our mistakes with the configuration, and [providers] can now provide advanced analytics, review configurations and settings, and ensure they are correct.”
HCP Consul takes on the operational overhead
HCP Consul is one of the service mesh SaaS products offered by a provider that does not run its own public cloud platform. Hence, it is touted as a way to simplify multi-cloud networking, and service mesh management in general.
A beta user at HCP Consul said the service performed well in proof-of-concept testing earlier this year, demonstrating the value of handing over management of an infrastructure component that is both critical and complicated.
“Deploying HCP Consul is easy because you create an account, provision the HashiCorp virtual network, and review my AWS VPNs,” said Anderson Carvalho, senior site reliability engineer at Veerum, a SaaS provider for asset management in Canada. “We don’t have to write Terraform [infrastructure as code] separately for the cloud service, either.”
At the time of the interview with Carvalho in February, the company had not yet decided whether to switch from self-managed Consul to HCP Consul. As the company expands, a cloud-independent service mesh operated by one provider is attractive for multi-cloud management, Carvalho said.
“We use TLS certificates from Amazon, but we could use mTLS in HCP Consul to encrypt without relying on a cloud provider,” he said. “We want to make sure that our app supports every client environment.”
Carvalho said his company is still weighing HCP Consul’s pricing, which was released on March 16. When the service was announced last year, other Consul users said that pricing would be a key evaluation point.
Tigera SaaS handles Layer 7 security
Tigera’s Calico project began five years ago as a Kubernetes CNI plugin, and the company’s engineers helped maintain the Istio service mesh project. Istio’s complexity, especially before it moved its control plane from a microservice to a monolithic architecture with version 1.5, delayed its adoption and sent Tigera down a separate path to build its own cloud-native network security project.
The result is Calico Cloud, a SaaS-based service mesh that became generally available on February 16. It supports encryption of data in motion, security auditing, and service-level policy controls for applications running in both containers orchestrated with Kubernetes and VMs.
Calico Cloud covers layers 3 to 7 in the Open Systems Interconnection model. However, the main incentive for an early adopter is to support Layer 7 security policies.
“The main thing we get with Calico Cloud is control over all of the endpoints we manage,” said Jeffrey Puccinelli, chief DevOps engineer at Mulligan Funding, a fintech company in San Diego. “Before we had no way with Linkerd to control which pods communicate with which services and which can be accessed externally, apart from the firewall rules.”
Linkerd will soon add support for Layer 7 policies, which Puccinelli says he is open to, but Calico Cloud came first.
The company had been running the open source version of the Calico service mesh for about eight months before adopting the commercial Calico Cloud SaaS. However, the open source version did not support the use of DNS names to enforce network security policies.
“We had to rely on IP addresses, which is pretty fragile, so we didn’t want to incorporate that into our production environment,” said Puccinelli. “We spoke to them about Calico Enterprise and Calico Cloud.”
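The difference Puccinelli describes, an egress rule pinned to an IP address versus one expressed as a DNS name, is illustrated below with an added example that is not from the article or from Tigera. It assumes the Calico Enterprise/Calico Cloud policy schema, where an egress rule's `destination` may carry `domains`; the policy names, the `app == 'checkout'` selector, the `203.0.113.10` address and `api.example.com` are constructed placeholders.

```yaml
# Fragile form (open source Calico): the allowed destination is a literal
# address. If the upstream service moves behind a new IP, the rule silently
# stops matching and the workload is cut off, or, if the address is reused,
# the rule allows traffic to something it was never meant to.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: checkout-egress-by-ip   # constructed name
spec:
  selector: app == 'checkout'    # constructed label selector
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        nets:
          - 203.0.113.10/32      # placeholder address for the payment API
        ports:
          - 443
---
# DNS-based form (Calico Enterprise/Cloud schema, assumed): the policy names
# the destination, and the data plane keeps the allowed address set current
# from the DNS answers the workload itself receives, so IP changes upstream
# do not require a policy edit. Logging the allowed flows keeps the policy
# auditable once it is staged and then enforced.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: checkout-egress-by-dns  # constructed name
spec:
  selector: app == 'checkout'
  types:
    - Egress
  egress:
    - action: Log
      protocol: TCP
      destination:
        domains:
          - api.example.com        # placeholder domain for the payment API
        ports:
          - 443
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - api.example.com
        ports:
          - 443
    # Everything else from these pods is dropped, which is what makes the
    # domain allow-list meaningful.
    - action: Deny
```

The two policies are separated so either can be applied on its own with `kubectl apply -f`; a team moving from the open source version would replace the first with the second rather than run both. The trailing `Deny` is deliberate: an egress allow-list without a default deny only adds log lines, it does not restrict anything.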
The benefits of Calico Cloud also include a traffic flow visualizer that Puccinelli and his team can use to view traffic between specific endpoints and services for troubleshooting.
“You can limit yourself to a specific flow of traffic … to find out why traffic is allowed or blocked,” he said. “The fix is a huge step forward from using the open source version.”
The Calico Cloud user interface also supports staging policies to test their impact on the network before deploying them to production. This is another feature Puccinelli liked, as well as being easy to set up during beta testing.
“We worked with Tigera engineers when we first set up the beta. It was a one-line Kubectl command to get the manifest, configure everything, and set up licensing,” said Puccinelli.
Puccinelli said he looks forward to direct support for Calico Cloud upgrades on Azure Kubernetes Service; the first version supported only AWS. Tigera officials said the feature will ship in late April.
Solo.io takes on Istio multi-cluster management
At the end of March, cloud-native network provider Solo.io announced plans to launch a public beta version of Gloo Cloud, an Istio service mesh SaaS product, in the second quarter of 2021. Solo.io already has a self-managed service mesh product based on Istio called Gloo Mesh, but Gloo Cloud will appeal to the broader section of the industry that is now ready to test service mesh but needs help getting started, according to founder and CEO Idit Levine.
“I think the market is ready … and Istio has made a very important step with the cleaner architecture [in version 1.5], so the product is ready,” she said. “The product is getting better and the market is definitely demanding it.”
Like Tigera, Solo.io started out with a focus on network components other than service mesh. In Solo.io’s case, the first product was an API gateway now known as Gloo Edge 2.0, which is based on the same Envoy sidecar proxy that underpins Istio. Gloo Mesh, announced in 2018, adds features on top of open source Istio, such as support for namespace-based multi-tenancy and built-in rate limiting. It also has built-in cross-cluster management functions, such as virtual targets that direct failover traffic to the clusters closest to the original workload. Gloo Cloud inherits these functions and takes over administration of the control planes on customers’ behalf.
“It will open the market for smaller businesses, including customers who are already running in the cloud but who manage the service mesh themselves,” said Levine.
Beth Pariseau, senior news writer at TechTarget, is an award-winning IT journalism veteran. She can be reached at [email protected] or on Twitter @PariseauTT.