A Service Mesh simplifies the communication life cycle of microservices. Making service-to-service:
- networking
- secure communication
- service discovery
- failover and multi-region deployment
much easier to manage, improving your development experience.
Who is it for?
A Service Mesh is designed for:
- Developers and architects who are building or maintaining microservices-based applications.
- Teams that need to manage complex, distributed systems.
- Organizations that want to simplify the communication between their microservices.
A Service Mesh is particularly useful for:
- Microservices architectures: It provides a layer of abstraction that handles many of the complexities of communication between microservices.
- Distributed systems: It simplifies the management of service discovery, load balancing, and fault tolerance.
- Security-conscious organizations: It provides features for secure communication between microservices.
How to use it?
Prerequisites
- Join our support Slack channel: #devx-service-mesh-support
- Your AWS VPC is managed by TSF. Non-TSF-managed VPCs are considered legacy and cannot be onboarded with the Service Mesh. The easiest way to determine whether your VPC is TSF-managed is to look up the Platform attribute on the TSF tenant via a TSF Management Page
- Your service is located in the Public or Protected Rail of a TSF-Internal or TSF-DMZ Cloud/Network.
- Your application is onboarded to DevHub
- Ability to add two sidecars for Containerized Deployments or two processes for Virtual Machines.
Note
- The Service Mesh is operational in the following AWS regions:
- USA: us-east-1, us-east-2, and us-west-2.
- EU: eu-central-1 and eu-west-1.
- We plan to add Comcast National Data centers to the architecture upon request (If necessary, however it does run in DX Architecture, and as such, latency is incredibly low).
Self-Service Onboarding
Register Application to DevX Service Mesh via DevHub
Fill out the onboarding form
Step 1. Application Details
Applications Available– pick the application name from the list. In order to see the list of applications, you must have anApplication Owner,Owner AssistantoriTRC Approverrole for your application.Application Component Name– think microservice name in the context of the application, for instance if your application is Velox, the application Component name can be RNS.Documentation Link– provide a link to any documentation, which may describe how your application behaves in terms of monitoring, traffic/scaling strategies etc.
Step 2. Application Ownership Details
Organization Name– abbreviated name of your organization, i.e. CL – Connected Living, GTO – Global Technology Organization, etc.Team Name– abbrefiated name for the team, which owns the application, i.e. Velox, Person, Coverage, Breeze, etc.Team Distribution Email Address– group email address for your team.Groups Available– Active Directory Security Group name to grant Team an access to Consul UI. Start typing to show the list of the AD groups matching your input.
Step 3. Runtime Details
In this step you can provide runtime details for your application. By default you would need to provide PROD Environment runtime details. If you have addiotinal application runtime environments, like DEV or STAGE, you can provide those in Additional Runtimes section.
Runtime Type– runtime information for your application, i.e.AWS ECS Fargate,AWS EC2, etc.
Depending on your selection you will be asked to provide additional information:AWS Account– AWS account number, where your application runs, i.e.395284687305in the specific EnvironmentAWS Service User ARN– Service User ARN, which is used by your application CI/CD. Used to authenticate to Service Mesh for Management Operations in CI/CD. Example: arn:aws:iam::1234567890:user/service-userAWS Execution Role ARNs– AWS Execution Role ARNS, associated with your application, i.e.arn:aws:iam::1234567890:role/CustomerManagedBasic/ecs-task-execution-roleLambda Ingress– will be displayed forAWS LambdaRuntime Type. You can provide multiple Lambda Ingress details for different AWS regions, if your application is deployed there. It will ask for:Region– AWS Region where the your application is deployedIngress FQDN– Fully Qualified Domain Name of the ingress in the specific AWS Region, i.e. my-awesome-service.us-east-1.dh.comcast.com.
If you are using the same latency-based global DNS record for all AWS Regions, specify it here, i.e. my-awesome-service.dh.comcast.com.Health Check Endpoint– A path to the endpoint, which provides a health for your application, i.e. /healz
Step 4. Create
By pressing the Create button you will be submitting a PR into DevX Service Mesh Tenant Management Github repository. The PR informnation and link will be displayed on the confirmation page.
Expectations
- PR reviewed and approved (or a request for additional info)
- Upon a PR approval
- Consul Management token created and stored in AWS Secrets Manager (One management token per Team – see Step 2.)
- Consul Application token created and stored in AWS Secrets Manager (Unique per application – see Step 1.)
- Cross Account Policy attached to your Application Execution Role (see Step 3.), which allows your application to access Consul tokens, Consul CA root certificate, Consul gossip key, AWS KMS encryption key and any additional information, required for your application to be bootstrapped with DevX Service Mesh
Apply “DevX Service Mesh” Ruleset
Navigate to TSF Management Console, select the TSF Tenant, which owns your application and click Apply Ruleset button. Then select DevX Service Mesh ruleset, provide business justification and any additional information, click Apply ruleset
Bootstrap Application for DevX Service Mesh
Depending on your Application Runtime, the bootstrapping procedure may look different. Navigate to Deployment Patterns and choose one of
- AWS ECS Fargate
- AWS Lambda
- AWS EC2 (coming soon)
Support & Feedback
Get in touch and learn more about Service Mesh.
in Philadelphia
