1 - Cisco Service Mesh Manager

What is Service Mesh Manager?

Service Mesh Manager helps you to confidently scale your microservices over single- and multi-cluster environments and to make daily operational routines standardized and more efficient. The componentization and scaling of modern applications inevitably leads to a number of optimization and management issues:

  • How do you spot bottlenecks? Are all components functioning correctly?
  • How are connections between components secured?
  • How does one reliably upgrade service components?

Service Mesh Manager helps you accomplish these tasks and many others in a simple and scalable way, by leveraging the Istio service mesh and building many automations around it. Our tag-line for the product captures this succinctly:

Service Mesh Manager operationalizes the service mesh to bring deep observability, convenient management, and policy-based security to modern container-based applications.

What are the key features?

  • Service Mesh Manager not only handles the automated installation, operation and upgrade of service mesh infrastructure, but also provides a rich, high-level, multi-modal user experience that eliminates the complexity associated with service meshes.
  • High-level functionality, such as deep observability, Zero-Trust security, canary deployments, traffic routing, ingress / egress exposure, or fault injection can be conveniently managed and visualized through its user interface.
  • Service Mesh Manager’s automation engine reduces the risk inherent in the performance of complex tasks such as canary upgrades of microservice components, thereby cutting operational risk and cost.
  • The system provides a detailed real-time dashboard for debugging.

What does the Service Mesh Manager architecture look like?

Service Mesh Manager architecture

Why is Service Mesh Manager using Istio?

Istio is still by far the most feature-complete and mature service mesh solution. It has its shortcomings, especially around complexity, but it has a great community that continuously works towards making it better, and Service Mesh Manager aims to solve some of those problems as well. One of the main use cases of Service Mesh Manager is connecting multiple clusters, even across different networks, and Istio offers several flexible topologies for doing this.

What is the Cisco Istio operator?

We developed the open source Cisco Istio operator to solve the first tier of problems related to the installation, management and upgrade of the Istio infrastructure components. The operator continuously reconciles the state of the Istio components to keep them healthy, and facilitates multi-cluster federation. We offer community and paid support for the Istio operator.

Should I use Service Mesh Manager or the Istio operator?

The Cisco Istio operator is an open-source component of the commercial Service Mesh Manager product. In addition to the Cisco Istio operator, Service Mesh Manager:

  • includes a battle-hardened Istio distribution,
  • installs and manages the observability infrastructure, including Prometheus, Grafana, Jaeger
  • provides a UI (Web UI, CLI, API) for developers and ops to easily observe and configure all the service mesh components
  • picks up user roles from native Kubernetes RBAC
  • provides UI-based automation to carry out complex management tasks such as canary upgrades, traffic routing, and so on.

All Service Mesh Manager features work in multi-cluster configurations as well, and a unified cross-cluster application view is provided.

How do I integrate Service Mesh Manager with my application?

After you’ve installed Service Mesh Manager and want to put your application in the mesh, you need to inject a sidecar into the pods of your application. You can do that manually, or by enabling automatic injection for your namespaces and restarting your pods. While in theory it’s usually that simple, we know that in practice an application can have problems running with a sidecar and may not behave the same as before. We have deep domain knowledge of Istio and have seen a lot of these problems. When integrating your application, we can help you overcome these issues.

What’s the overhead of Service Mesh Manager?

Most of the overhead of Service Mesh Manager comes from Istio itself, and it shows up in two different layers.

  • The first layer is CPU and memory. Istio needs a control plane running in the cluster that discovers services, injects sidecars into pods, pushes configuration down to them, and manages the certificates used for service-to-service security. The sidecars themselves also consume some CPU and memory; if the mesh is configured properly, this overhead shouldn’t be significant.
  • The second layer is network requests. Because all traffic flows through Envoy proxies, every request takes two additional hops (the client-side and the server-side proxy), which adds a small amount of latency. Other than for a few very latency-critical applications, this shouldn’t be significant; see the next question for details.

Should I worry about latency overheads?

In general, no. Some latency is added to every request because of the sidecar proxies, but if the mesh is configured properly it shouldn’t be more than a few milliseconds. Per Istio’s own measurements, with 16 concurrent connections and 1000 RPS, Istio adds 3ms over the baseline (P50) when a request travels through both a client and a server proxy. At 64 concurrent connections, Istio adds 7ms over the baseline, with Mixer disabled. (Those figures were published for older Istio releases that still shipped Mixer, the telemetry and policy component that has since been removed from Istio; measure with your own workload rather than relying on them.) There could be some latency-critical applications where this matters, but for most apps it won’t make a difference.

How does Service Mesh Manager keep my mesh healthy?

Service Mesh Manager provides a few handy features to keep a mesh healthy. The most important of these is the mesh validation feature. Beyond basic validation of individual Istio resources, Service Mesh Manager analyzes the state of the whole mesh and looks for ambiguous or invalid configuration: for example, a label selector that points to a service that doesn’t exist, or routing configuration that is shadowed by an earlier rule or is ambiguous.
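As an added illustration of the kind of check mesh validation performs (example code written for this page, not Service Mesh Manager’s own implementation), the following Python script flags two of the problems named above in a handful of Istio resources: HTTP routes that can never be reached because an earlier rule has no match clause and therefore catches every request, and route destinations whose host or subset does not exist. The resource dicts, Service names and the demo namespace are constructed sample input in the shape that kubectl get -o json returns; the function names are this example’s own.

```python
# Added example (not Service Mesh Manager or Istio code): a standalone check for
# two mesh-validation problems: HTTP routes shadowed by an earlier catch-all
# rule, and route destinations pointing at a Service or subset that does not
# exist. Input dicts mirror `kubectl get virtualservices -o json` items.

SVC_SUFFIX = ".svc.cluster.local"


def short_host(host: str, namespace: str) -> str:
    """Normalise an Istio destination host to 'name.namespace'.

    Istio accepts a short name (resolved in the VirtualService's namespace),
    'name.namespace', or the fully qualified 'name.namespace.svc.cluster.local'.
    """
    if host.endswith(SVC_SUFFIX):
        host = host[: -len(SVC_SUFFIX)]
    parts = host.split(".")
    if len(parts) == 1:
        return f"{host}.{namespace}"
    return ".".join(parts[:2])


def find_shadowed_routes(vs: dict) -> list:
    """Return HTTP rules that an earlier rule hides.

    Istio evaluates `http` rules top to bottom and uses the first match. A rule
    with no `match` block matches everything, so every rule after it is dead.
    """
    findings = []
    catch_all = None
    for idx, rule in enumerate(vs["spec"].get("http", [])):
        label = rule.get("name", f"http[{idx}]")
        if catch_all is not None:
            findings.append(f"{label} is shadowed by catch-all rule {catch_all}")
        elif not rule.get("match"):
            catch_all = label
    return findings


def find_dangling_destinations(vs: dict, services: set, dest_rules: list) -> list:
    """Return route destinations whose host or subset does not exist."""
    ns = vs["metadata"]["namespace"]
    # Subsets declared by DestinationRules, keyed by 'name.namespace' host.
    subsets = {}
    for dr in dest_rules:
        h = short_host(dr["spec"]["host"], dr["metadata"]["namespace"])
        subsets.setdefault(h, set()).update(s["name"] for s in dr["spec"].get("subsets", []))
    findings = []
    for idx, rule in enumerate(vs["spec"].get("http", [])):
        label = rule.get("name", f"http[{idx}]")
        for route in rule.get("route", []):
            dest = route["destination"]
            h = short_host(dest["host"], ns)
            if h not in services:
                findings.append(f"{label}: host {dest['host']} matches no Service")
                continue
            subset = dest.get("subset")
            if subset and subset not in subsets.get(h, set()):
                findings.append(f"{label}: subset {subset} is not defined for {h}")
    return findings


def validate_mesh(virtual_services: list, destination_rules: list, services: set) -> list:
    """Run both checks over every VirtualService; returns human-readable findings."""
    findings = []
    for vs in virtual_services:
        name = f"{vs['metadata']['namespace']}/{vs['metadata']['name']}"
        for f in find_shadowed_routes(vs) + find_dangling_destinations(vs, services, destination_rules):
            findings.append(f"{name}: {f}")
    return findings


# Constructed sample data (a 'demo' namespace with two Services).
SERVICES = {"frontend.demo", "backend.demo"}

DESTINATION_RULES = [
    {"metadata": {"name": "backend", "namespace": "demo"},
     "spec": {"host": "backend", "subsets": [{"name": "v1", "labels": {"version": "v1"}}]}},
]

VIRTUAL_SERVICES = [
    {"metadata": {"name": "backend", "namespace": "demo"},
     "spec": {"hosts": ["backend"], "http": [
         {"name": "default", "route": [{"destination": {"host": "backend", "subset": "v1"}}]},
         # Unreachable: 'default' above has no match and wins every request,
         # and subset v2 is not declared by any DestinationRule.
         {"name": "canary", "match": [{"headers": {"x-canary": {"exact": "1"}}}],
          "route": [{"destination": {"host": "backend", "subset": "v2"}}]},
     ]}},
    {"metadata": {"name": "frontend", "namespace": "demo"},
     "spec": {"hosts": ["frontend"], "http": [
         {"match": [{"uri": {"prefix": "/api"}}],
          "route": [{"destination": {"host": "api.demo.svc.cluster.local"}}]},  # no such Service
         {"route": [{"destination": {"host": "frontend"}}]},
     ]}},
]

if __name__ == "__main__":
    for finding in validate_mesh(VIRTUAL_SERVICES, DESTINATION_RULES, SERVICES):
        print(finding)
```

Against the sample data the script reports three findings: the canary rule shadowed by the catch-all default rule, the undefined v2 subset, and the /api route pointing at a Service that does not exist. It only models the catch-all case of shadowing; a full validator would also compare match clauses pairwise and account for Sidecar resources that restrict which hosts a workload can see.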

Service Mesh Manager also provides debugging features like tapping an Envoy proxy and analyzing requests. You can also keep track of real-time metrics on the dashboard and check if your latency or error rate values are increasing.

Is this a new abstraction layer over Istio?

No. We’ve designed Service Mesh Manager so that it doesn’t add a new abstraction layer: Istio is complicated enough in itself, and introducing a few new CRDs on top wouldn’t do any good. Service Mesh Manager can help you configure your mesh through a CLI or the dashboard, but those commands are always translated into plain Istio custom resources. Doing it this way keeps Service Mesh Manager completely compatible with all Istio configuration changes. If you write Istio config directly, Service Mesh Manager will still detect it, display it, and validate it properly.

Does Service Mesh Manager support GitOps?

Yes. Since there is no additional abstraction layer involved, Service Mesh Manager is able to interpret your Istio configurations. If your virtual services, service entries, and other Istio resources are deployed through a CI/CD flow, Service Mesh Manager will instantly parse them and display your configuration on the dashboard.

2 - Service mesh FAQ

What is a service mesh?

A service mesh is a software layer that handles all communication between services. It is independent of each service’s code, so it works with multiple service management systems and across network boundaries, and it lets you connect and manage the connections between services without touching the services themselves.

What problem does a service mesh solve?

By decoupling applications from infrastructure, containers facilitated a shift in architecture from monoliths to microservices. This came with a multitude of challenges. Container orchestration tools solved the build and deployment problems of microservices, but many runtime challenges were left unaddressed. A service mesh addresses these runtime issues by bundling capabilities such as security, policy configuration, ingress and egress control, load balancing, distributed tracing, traffic shaping, and metrics collection.

Can I use my existing Istio deployment with Service Mesh Manager?

Yes, if you are already using the Cisco Istio operator. If not, we can help you migrate to Service Mesh Manager from existing Istio installations. It is a manual process, where the mesh configuration needs to be migrated to match the Istio operator’s custom resources.

Are you using upstream Istio?

Our Istio distribution is very close to upstream Istio, but contains a few stability fixes and enhancements, especially around multi-cluster topologies and telemetry. For a detailed list of changes compared to upstream Istio, see Istio distribution.

Do I have to change my applications to use Istio?

In most cases you don’t need to change anything. But we have experience putting a lot of different applications into Istio, and know that there are special cases where an application doesn’t handle having a sidecar well. It could be special HTTP headers, or application-level mTLS configuration that conflicts with the Envoy sidecar. In these cases some slight changes may be needed, and we can help you solve these kinds of issues.

Do Service Mesh Manager and Streaming Data Manager use the same mesh?

Currently Service Mesh Manager and Streaming Data Manager use separate service meshes with separate control planes. The Streaming Data Manager service mesh is used only for the Apache Kafka brokers and the control-plane services of Streaming Data Manager. They are tied together in the sense that they are managed by the same Istio operator and use the same version of Istio.

Note that currently you cannot manage the Streaming Data Manager service mesh from the Service Mesh Manager UI, only from the command line.

3 - Observability and debugging

What can I observe?

One of the main goals of Service Mesh Manager is to give you an overview of your service mesh. You’ll see the topology of the services running in the mesh with real-time monitoring information of

  • error rate,
  • RPS,
  • throughput, and
  • latency.

You also get one-click access to distributed tracing with Jaeger, and to Grafana dashboards if you want to explore the metrics provided by the service mesh further. Service Mesh Manager complements the service mesh metrics with a drill-down view of your services and workloads, from their mesh configuration down to pod- and node-level information and resource utilization metrics.

Service Mesh Manager observability

How do you help me debug my services?

Service Mesh Manager has a number of features that help you debug your services. Usually you start by checking real-time error rates and latency values on the topology view, then go on to mesh validations and the drill-down view of a service or workload. You also have one-click access to Jaeger and Grafana dashboards if you want to explore your traces and metrics further. If you need to inspect the requests flowing through an Envoy proxy, Service Mesh Manager provides a tapping feature that shows the access logs or a detailed view of the requests.

4 - Security and compliance

How are my services secured?

Service Mesh Manager uses the mutual TLS feature of Istio for service-to-service authentication and traffic encryption. In Service Mesh Manager, you can manage mTLS settings between services with the CLI or on the UI, mesh-wide, namespace-wide, and on the service-specific level.
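To show how the mesh-wide, namespace-wide and service-level settings mentioned above combine, here is an added Python example (written for this page; not Service Mesh Manager or Istio code) that resolves the effective mTLS mode of a workload from a set of Istio PeerAuthentication resources and lists the workloads that would still accept plaintext. The precedence (a policy with a workload selector, then the namespace-wide policy, then the mesh-wide policy in istio-system, then Istio’s PERMISSIVE default) and the rule that UNSET inherits from the next level are Istio’s; raising an error when two policies of the same scope match a workload is this example’s own choice, and the policies and workloads are constructed sample data.

```python
# Added example (not Service Mesh Manager or Istio code): resolve the mTLS mode
# that actually applies to a workload from Istio PeerAuthentication resources
# (as `kubectl get peerauthentications -A -o json` items), then audit for
# workloads that still accept plaintext.

ROOT_NAMESPACE = "istio-system"  # Istio's default root namespace for mesh-wide policy
DEFAULT_MODE = "PERMISSIVE"       # Istio's behaviour when no policy applies at all


class AmbiguousPolicy(Exception):
    """More than one policy of the same scope matches a workload (this example's choice)."""


def _mode(policy: dict) -> str:
    # A missing mtls block behaves like UNSET, i.e. inherit from the parent scope.
    return policy["spec"].get("mtls", {}).get("mode", "UNSET")


def _selector_matches(policy: dict, labels: dict) -> bool:
    selector = policy["spec"].get("selector", {}).get("matchLabels")
    if not selector:
        return False
    return all(labels.get(k) == v for k, v in selector.items())


def _pick_one(candidates: list, scope: str):
    if len(candidates) > 1:
        names = ", ".join(p["metadata"]["name"] for p in candidates)
        raise AmbiguousPolicy(f"{len(candidates)} {scope} policies match: {names}")
    return candidates[0] if candidates else None


def effective_mtls_mode(policies: list, namespace: str, labels: dict) -> tuple:
    """Return (mode, source) for a workload identified by namespace and pod labels."""
    workload = [p for p in policies
                if p["metadata"]["namespace"] == namespace and _selector_matches(p, labels)]
    ns_wide = [p for p in policies
               if p["metadata"]["namespace"] == namespace and not p["spec"].get("selector")]
    mesh_wide = [p for p in policies
                 if p["metadata"]["namespace"] == ROOT_NAMESPACE and not p["spec"].get("selector")]
    # Walk from most to least specific; UNSET means "inherit from the next level".
    for scope, candidates in (("workload", workload), ("namespace", ns_wide), ("mesh", mesh_wide)):
        chosen = _pick_one(candidates, scope)
        if chosen is not None and _mode(chosen) != "UNSET":
            meta = chosen["metadata"]
            return _mode(chosen), f"{scope}:{meta['namespace']}/{meta['name']}"
    return DEFAULT_MODE, "default"


def audit_plaintext(policies: list, workloads: list) -> list:
    """Return (workload, mode, source) for every workload not in STRICT mode."""
    weak = []
    for namespace, name, labels in workloads:
        mode, source = effective_mtls_mode(policies, namespace, labels)
        if mode != "STRICT":
            weak.append((f"{namespace}/{name}", mode, source))
    return weak


# Constructed sample policies: STRICT mesh-wide, a PERMISSIVE exception for the
# 'legacy' namespace, and one workload in that namespace forced back to STRICT.
POLICIES = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "default", "namespace": "legacy"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "payments-strict", "namespace": "legacy"},
     "spec": {"selector": {"matchLabels": {"app": "payments"}},
              "mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "inherit", "namespace": "demo"},
     "spec": {"selector": {"matchLabels": {"app": "web"}},
              "mtls": {"mode": "UNSET"}}},
]

# Constructed sample workloads: (namespace, name, pod labels).
WORKLOADS = [
    ("demo", "web", {"app": "web"}),
    ("legacy", "payments", {"app": "payments"}),
    ("legacy", "reports", {"app": "reports"}),
]

if __name__ == "__main__":
    for workload, mode, source in audit_plaintext(POLICIES, WORKLOADS):
        print(f"{workload}: {mode} (from {source})")
```

With the sample data only legacy/reports is reported, because the namespace-wide PERMISSIVE policy still applies to it while the payments workload is pulled back to STRICT by its selector policy and demo/web inherits the mesh-wide STRICT through its UNSET policy. Port-level overrides (portLevelMtls) are not modelled here; a real audit would need to consider them as well.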

Does Service Mesh Manager use its own authentication system?

No, Service Mesh Manager leverages Kubeconfig, the official client libraries, and the Kubernetes API to perform authentication and authorization for its users.

If you’re allowed to add, edit, or delete specific Istio custom resources, you’ll have the same permissions from Service Mesh Manager as well.

The Service Mesh Manager installer provides a way, mainly for demo/tryout purposes, to disable user authentication and use its own service account token for all communication with the Kubernetes API server. In that mode everyone who can reach the UI acts with the permissions of that service account, so do not use it outside a throwaway environment.

What’s the story on access and visibility control?

By default, authentication is needed to access the Service Mesh Manager UI. The observability features are available to every authenticated user; access to the control features is based on the authenticated user’s RBAC permissions.

5 - Multi-cluster support

What do you mean by multi-cluster support?

Service Mesh Manager helps you manage multi-cluster service meshes in three different layers.

  • First, multi-cluster meshes can easily be built using the Service Mesh Manager CLI, avoiding the need to manually manage complex Istio configurations on all of the clusters.
  • Second, our Istio distribution contains important changes from upstream Istio to collect cluster-aware metrics.
  • Third, multi-cluster support is natively built in the Service Mesh Manager dashboard and CLI. They are able to display and seamlessly manage services across clusters with a shared Istio control plane.

Can you add clusters dynamically?

Yes, attaching and detaching clusters from a service mesh can easily be done through the Service Mesh Manager CLI. These CLI commands are backed by the Istio operator that manages remote clusters through Kubernetes custom resources and secrets that hold the Kubeconfigs of those clusters.

What are some key multi-cluster use-cases?

Perhaps the most common use case for a multi-cluster service mesh is to connect on-premises and cloud environments easily. For example, using a multi-cluster mesh you can securely connect your cloud services to the legacy services running in on-prem clusters.

Public clouds are also often used to scale out from an on-premises datacenter during particular events when your services need to handle an increased load.

Some common load balancing and high availability patterns can also be implemented easily using a multi-cluster mesh. You can run multiple clusters in different regions with locality-based load balancing, and drive traffic to another region during a failure event in a specific region.

Why does the istio injection label disappear from a namespace on a remote cluster?

Service Mesh Manager synchronizes the Istio injection labels of all namespaces from the cluster where Service Mesh Manager is installed to every other remote cluster in the mesh. That way you add (or remove) the Istio injection label only on the cluster where Service Mesh Manager is installed, and Service Mesh Manager automatically adds (or removes) the namespace label on every cluster in the mesh.

If Istio injection labels disappear from namespaces on remote clusters, it is because, on the cluster where Service Mesh Manager is installed, either:

  • the namespace does not exist, or
  • the namespace does not carry the Istio injection label.

The solution is to create the namespace in that cluster and add the label there. For details, see Deploy custom application in a multi-cluster setup.

6 - Licensing

Is there a free version?

Yes, you can use Service Mesh Manager after a free registration on a limited number of nodes. For details, see Licensing options.

How can I check how many nodes I use?

The easiest way is to open the dashboard, select the user account in the top right, then select License.

Displaying the license usage

Can I buy commercial support?

Yes, you can buy pro and enterprise licenses that include commercial support. For details, see our pricing page, or contact your Cisco sales representative.

7 - Streaming Data Manager

What is Streaming Data Manager?

Cisco Streaming Data Manager (Streaming Data Manager) is the deployment tool for setting up and operating production-ready Apache Kafka clusters on Kubernetes, leveraging a Cloud Native technology stack. Streaming Data Manager includes Zookeeper, Koperator, Envoy, and many other components hosted in a managed service mesh. All components are automatically installed, configured, and managed in order to operate a production-ready Kafka cluster on Kubernetes.

Streaming Data Manager is an optional add-on of Service Mesh Manager.

What are the key features?

  • Designed for Cloud Natives, Streaming Data Manager provides declarative topic and user management through custom resources (CRs), and automates the setup and management of Apache Kafka on Kubernetes. It also allows you to fine-tune the configurations of your brokers individually for heterogeneous cluster layouts.
  • You can deploy managed Kafka in your own environment, including on-premises, cloud, multi-cloud, and hybrid-cloud scenarios. Streaming Data Manager can automatically scale and self-heal your cluster based on Prometheus alerts. To minimize downtime and keep your operations functional, Streaming Data Manager provides rolling upgrades and advanced Grafana dashboards to monitor all Streaming Data Manager components.
  • Our products focus on secure operations, so Streaming Data Manager automatically uses mTLS-based encrypted and authenticated communication between all components. It also provides Kubernetes-native RBAC access control, integration with Kafka ACLs, and supports multi-tenant operation.
  • To keep your services highly available, you can deploy and manage cross-cluster replication using MirrorMaker2, and use Kubernetes-native volume snapshots for disaster recovery. Automatic up- and down-scaling of your brokers and volumes lets you match resources to the incoming traffic without manual intervention.

Further information

For further details on Streaming Data Manager, see the Streaming Data Manager documentation and the Streaming Data Manager FAQ.