Introduction to Microservices, Containers, Kubernetes, Amazon Elastic Kubernetes Service (EKS) and AWS App Mesh
Uday Katakam (Solution Architect — Public Sector) and Josh Petla (Enterprise Cloud Leader — Public Sector)
Introduction
Enterprise systems, in both the public and private sectors, have been evolving and embracing several architectural patterns and best practices. Currently, microservices-based architecture is gaining popularity. In this architectural style, software is built as small, independently deployable services. In essence, enterprise applications are divided into a group of services that are:
- Easily maintainable
- Independently deployable
- Highly observable
- Resilient
- Scalable
What are containers?
Containers provide a fantastic way to provision and run microservices. Container images are standalone, lightweight, executable packages that have everything (runtime, system tools, system libraries, and settings) needed to run the application code. Application code that has a single responsibility is packaged into a container and deployed as a microservice.
Although containers are a great way to deploy and run microservices, the number of containers grows as the number of services grows, and for high availability we may have multiple load-balanced containers running to serve a single service. Maintenance and orchestration of containers become a challenge with this increased number of containers.
What is container orchestration?
Container orchestration is the full life cycle management of containers deployed in application environments. Container orchestration tools come to our rescue here. These tools help us in the following ways:
- Load balance the containers
- Monitor the health of the containers
- Deploy the containers
- Scale the containers up or down
- Route traffic between containers
There are many container orchestration tools such as Kubernetes, Docker Swarm, Apache Mesos, and Rancher.
What is Kubernetes or K8S?
Kubernetes, or K8S, is a container orchestration tool developed by Google. K8S is open-source and currently maintained by the Cloud Native Computing Foundation. K8S runs across all platforms (On-Premises, VMs, Containers, and Cloud). Kubernetes is a great platform to host applications in the cloud, as it works well with hybrid cloud environments too.
A Kubernetes cluster is divided into a Control Plane and a Data Plane.
Control Plane
The control plane is the brain of the Kubernetes cluster. The Control plane controls all the components of the Kubernetes cluster and also persists state and configuration information. There is two-way communication between the control and data planes. Below are the key components of the Control Plane:
Kube-Apiserver
The Kubernetes API is the interface into the Kubernetes control plane. Kube-Apiserver exposes this API and is what kubectl talks to when communicating with the cluster. Kubectl is the command-line tool for communicating with a Kubernetes cluster.
Kube-Scheduler
Kube-Scheduler handles the placement of pods in the cluster. It places each pod on a node that has the CPU and memory the pod requires.
Kube-Controller-Manager
A Kubernetes cluster is run by multiple controllers. The controller manager makes sure the controllers perform their functions and remediates any issues that arise.
Etcd
Etcd is a key-value store that keeps track of the state and configuration of the cluster. This is the single source of truth and contains the current status of the cluster.
Data Plane
Nodes
Compute instances (VMs, physical hardware, or AWS Fargate) where the actual container workloads run are called nodes. Usually, there is at least one node to run the workload. Pods enclose the containers, and the scheduler places pods on compute nodes.
Pods
A Kubernetes pod is the smallest deployable unit in the Kubernetes cluster, and it has at least one container running inside it. Pods run the containers that hold the application code for a microservice. Pods may have other containers running as sidecars to provide additional functionality such as load balancing, tracing, or metrics.
Container runtime engine
Containers need a container runtime such as Docker in order to run. Compute nodes need to have a container runtime installed. Kubernetes supports Docker and other container runtimes such as rkt and CRI-O.
Kubelet
Kubelet is the primary communication channel between a node and the Control Plane. Changes submitted via kubectl reach the Control Plane and are communicated to the compute nodes via Kubelet. Kubelet also makes sure that the containers are up and running inside the pods and reports the health of the containers back to the Control Plane.
Kube-Proxy
Kube-Proxy is a network proxy that facilitates K8S networking services. It handles the communication of the services both inside and outside the cluster.
External components
Persistent storage
Kubernetes, besides orchestrating containers, helps manage persistent data attached to the cluster. This persistent storage serves the storage needs of the cluster and is managed at the cluster level, not at the pod level.
Container registry
Kubernetes pulls container images from a container registry. We can configure K8S with Elastic Container Registry (ECR) or any other third-party container registry such as Docker Hub, JFrog, etc.
What is Elastic Kubernetes Service (EKS)?
Now that we have an understanding of containers, microservices, container orchestration tools, and Kubernetes, the question is: what is EKS? If you talk to any Kubernetes administrator who sets up and maintains Kubernetes on VMs or containers, they will tell you how complicated the entire process is. This is where AWS comes to our rescue.
EKS is a managed version of Kubernetes that makes setting up and running Kubernetes in the AWS cloud easy. EKS takes care of the installation, operation, and maintenance of the control plane in the cluster. We are only responsible for the data plane/worker nodes that run the application code as services inside the EKS cluster. AWS EKS is the best place to run Kubernetes workloads because:
- Amazon EKS is a managed version of Kubernetes, so maintenance, high availability, scalability, reliability, and performance are taken care of by AWS.
- Amazon EKS clusters run in an Amazon VPC, allowing us to use VPC security groups and network ACLs. Amazon EKS integrates with native Kubernetes RBAC and IAM, and it allows IAM permissions to be assigned to Kubernetes service accounts to provide access to other AWS services.
- Amazon EKS is compliant with SOC, PCI, ISO, FedRAMP-Moderate, IRAP, C5, K-ISMS, ENS High, OSPAR, HITRUST CSF, and is a HIPAA eligible service.
- Amazon EKS works with Application Load Balancers, Classic Load Balancers, and Network Load Balancers for exposing the services.
- Amazon EKS works with EC2, Containers, on-premises, and AWS Fargate.
- Amazon EKS integrates with AWS CloudTrail and CloudWatch for audit trail and logging.
There are a lot of benefits of using Amazon EKS instead of deploying and managing Kubernetes ourselves. Once we have the cluster up and running, how can we manage the networking, observability, traceability, zero trust, and many other features needed to operate the services? That is where Service Mesh comes into the picture.
What is a service mesh?
A service mesh is a pattern that improves inter-service connectivity. Service network requests must be secure, observable, and traceable. The service mesh pattern can be applied on any platform, such as VMs, On-Premises systems, or containers.
A service mesh provides capabilities such as service discovery, load balancing, encryption, observability, traceability, authentication, authorization, and support for the circuit breaker pattern. A service mesh is normally implemented by running a proxy instance, or sidecar, alongside each application service that handles inter-service communication, monitoring, and security.
Below are some of the popular service meshes:
- Istio
- Kuma/Kong Mesh
- Consul
- SuperGloo
- Linkerd
- AWS App Mesh
What is AWS App Mesh?
AWS App Mesh is a managed service mesh offering provided by AWS. AWS App Mesh uses Envoy, an open-source service proxy, as a sidecar alongside the microservices. Below are the advantages of using AWS App Mesh:
Managed Service
AWS App Mesh is a fully managed service offered by AWS. So, as with other managed services provided by AWS, upgrades and maintenance of App Mesh are performed by AWS.
Pricing
AWS App Mesh itself is free. We only pay for the resources created in the EKS cluster.
High Availability
App Mesh helps route traffic across services in the microservice environment. So, it helps us create custom routes during a new deployment or a service failure.
Easy Integration with other AWS Services
AWS App Mesh integrates really well with other AWS services such as ECS, EC2, and Elastic Beanstalk.
Observability
App Mesh integrates with Amazon CloudWatch and X-Ray. The logs, metrics, and traces obtained by X-Ray can help us identify and fix issues. App Mesh also integrates with partner and open-source monitoring and tracing tools.
Zero trust
App Mesh integrates with AWS Certificate Manager (ACM) or third-party certificates for encrypting traffic between the services. This supports zero trust and compliance with security requirements.
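As an added example (not from this post or from AWS's own material), the setting described above can be expressed through the App Mesh controller for Kubernetes as a VirtualNode that serves only TLS using an ACM certificate and refuses to call upstreams in plaintext. The service name, namespace, port, and ARNs are assumed placeholders.

```yaml
# Added example: App Mesh VirtualNode that encrypts traffic in both directions.
# Assumed placeholders: the "orders" service, the "shop" namespace, port 8080,
# and the ACM / ACM Private CA ARNs.
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualNode
metadata:
  name: orders
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  listeners:
    - portMapping:
        port: 8080
        protocol: http
      tls:
        # STRICT: the Envoy sidecar accepts only TLS on this listener.
        # PERMISSIVE is the weaker setting: it also accepts plaintext,
        # which is acceptable only while a fleet is being migrated.
        mode: STRICT
        certificate:
          acm:
            certificateARN: arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER
  backendDefaults:
    clientPolicy:
      tls:
        # enforce: true makes outbound calls from this node fail instead of
        # silently falling back to plaintext when a backend offers no TLS.
        enforce: true
        validation:
          trust:
            acm:
              # Only certificates issued by this private CA are trusted.
              certificateAuthorityARNs:
                - arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/PLACEHOLDER
  serviceDiscovery:
    dns:
      hostname: orders.shop.svc.cluster.local
```

Apply the same listener and client policy to every VirtualNode in the mesh; a single PERMISSIVE listener or a node with enforce set to false leaves a plaintext path that the rest of the configuration does not protect.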
Conclusion
In this blog post, we introduced Microservices, Containers, Kubernetes, Amazon Elastic Kubernetes Service (EKS), and AWS App Mesh. This is an attempt to give you a high-level understanding of where things fall into place in a microservice-based architecture using containers, EKS, and App Mesh. We have included links to the references that helped us immensely.
This blog post is for educational purposes only. Please leave your comments and suggestions.
References
https://aws.amazon.com/eks/features/
https://konghq.com/blog/the-difference-between-api-gateways-and-service-mesh/
https://www.redhat.com/en/topics/containers/what-is-kubernetes
https://www.docker.com/resources/what-container
https://www.appmeshworkshop.com/introduction/appmesh_benefits/