Service mesh companies facing a crowd of competitors are rolling out SaaS products to make the complex technology more appealing to new users.
Service mesh existed before Kubernetes and container orchestration became popular, but it has gained attention amid that trend as a way to solve container networking issues. Container-based microservices applications can be difficult to monitor without the deep view service mesh frameworks have into traffic between their individual components.
In addition, service mesh distributes security policies among a web of software modules called sidecar proxies, which helps enforce those policies more effectively among distributed microservices than is possible with traditional network security tools.
The downside is that running a service mesh can be daunting in its complexity, even for experienced IT ops pros. There is also no agreed-upon industry standard for service mesh that matches the dominance of Kubernetes in container orchestration. This is in part because it's still very early for mainstream service mesh adoption -- Gartner estimates just 5% of enterprises have a service mesh in production.
"The rise of service mesh technology is following the rapid adoption of containers and Kubernetes in production," said Gartner analyst Arun Chandrasekaran. "However, the service mesh technology ecosystem is quite fragmented, with several competing projects and products, each with varying degrees of maturity."
Moreover, service mesh is not the only way to add observability and security to container networks. Service mesh isn't mutually exclusive with other methods ranging from Container Network Interfaces (CNI) to AIOps tools to specialized container monitoring and runtime security software, but users who don't need all the advanced features service mesh provides may prefer to use one of those alternatives instead.
"When you have seven different ways to do [container security architectures], there's no critical mass," said IDC analyst Frank Dickson. "No [user] wants to invest all the money into doing something like [service mesh security] if there's not a big enough market."
Service mesh SaaS smooths entry for enterprises
Amid these tumultuous conditions, SaaS options have emerged for service mesh in the last two months, with more on the way, to handle thorny management details on behalf of users. For some, this will make service mesh less intimidating to run in production; others can use such services to dabble in service mesh without taking on the full network infrastructure.
In February, HashiCorp made its Consul service mesh generally available on its HashiCorp Cloud Platform (HCP), in addition to Consul services already available for Microsoft Azure and AWS. Also in February, Tigera launched its Calico Cloud, a security-focused service mesh SaaS, and in March, Solo.io announced its Istio-based Gloo Cloud would soon enter public beta.
Buoyant, the commercial backer for Istio rival Linkerd, will offer Buoyant Cloud later this year, and Istio management vendor Tetrate also plans a SaaS launch in the coming months. Cloud service providers and networking vendors such as Kong, Google Kubernetes Engine and AWS already offered managed service meshes as 2021 began.
The growth in service mesh SaaS also reflects general trust among enterprises in cloud services and their shared responsibility security model, Dickson said. After spending years growing comfortable with IaaS services, they are ready to hand over higher-level IT functions to service providers as well.
"We've accepted in that shared responsibility model that our providers can do things better than we can do it," Dickson said. Moreover, especially with complex architectures such as service mesh, "we're making our mistakes in configuration, and [providers] can now provide advanced analytics, checking configurations and settings and making sure they're right."
HCP Consul subtracts ops overhead
HCP Consul is among the service mesh SaaS products offered by a vendor that doesn't run its own public cloud platform, and it is therefore touted as a way to ease multi-cloud networking, along with simplifying service mesh management in general.
One HCP Consul beta user said the service performed well in proof-of-concept testing earlier this year and demonstrated the value of handing over management for an infrastructure component that is both crucial and complicated.
"Deploying HCP Consul is as easy as creating an account, deploying HashiCorp Virtual Network, and peering my AWS VPNs," said Anderson Carvalho, lead site reliability engineer at Veerum, an asset management SaaS provider in Canada. "We also don't have to write Terraform [infrastructure as code] separately for the cloud service."
At the time of Carvalho's interview in February, the company hadn't decided yet whether to switch from self-managed Consul to HCP Consul. But as the company expands, having a cloud-agnostic service mesh operated by a vendor is appealing for multi-cloud management, Carvalho said.
"We use TLS certificates from Amazon, but we could use mTLS in HCP Consul to encrypt without relying on one cloud provider," he said. "We want to make sure our app supports any client environment."
Carvalho said his company is still weighing HCP Consul pricing, which was made public March 16. Other Consul users said when the service was announced last year that pricing would be a crucial point of evaluation.
Tigera SaaS handles Layer 7 security
Tigera's Project Calico began five years ago as a Kubernetes CNI plugin, and the company's engineers helped maintain the Istio service mesh project. However, the complexity of Istio, especially before it shifted from a microservices to a monolithic architecture for its control plane with version 1.5, stalled adoption and sent Tigera back on a separate path to build its own cloud-native network security project.
The result is Calico Cloud, a SaaS-based service mesh that became generally available Feb. 16. It supports encryption for data in motion, security monitoring and service-level policy controls for applications running both in containers orchestrated with Kubernetes and in VMs.
Calico Cloud covers Layers 3 through 7 in the Open Systems Interconnection Model, but its main appeal for one early adopter is its support for Layer 7 security policies.
"The main thing we get with Calico Cloud is control over all the endpoints that we manage," said Jeffrey Puccinelli, senior DevOps engineer at Mulligan Funding, a fintech company in San Diego. "Before that, with Linkerd, we didn't have ways of controlling what pods could talk to which services, and what could be accessed externally, besides firewall rules."
Linkerd will soon add support for Layer 7 policies, which Puccinelli said he's open to considering. But Calico Cloud got there first.
The company had been running an open source version of Calico service mesh for about eight months before signing on to the commercial Calico Cloud SaaS, but the open source version didn't support using DNS names to enforce security policies on the network.
"We had to depend on IP addresses, which is pretty fragile, so we didn't want to put that in our production environment," Puccinelli said. "We started talking to them about Calico Enterprise and Calico Cloud."
Calico Cloud benefits also include a traffic flow visualizer Puccinelli and his team can use to view traffic between specific endpoints and services for troubleshooting.
"You can narrow down to a particular traffic flow … to figure out why traffic is allowed or being blocked," he said. "Troubleshooting is a huge step forward from using the open source version."
The Calico Cloud GUI also supports staging policies to test their effect on the network before they're deployed to production, another feature that appealed to Puccinelli, along with easy setup during beta testing.
"We worked with Tigera engineers when we first set up the beta, and it was a one-line kubectl command to pull down the manifest, configure everything and set up the licensing," Puccinelli said.
Puccinelli said he looks forward to support for in-place Calico Cloud upgrades on Azure Kubernetes Service; in the initial release, in-place upgrades were supported only on AWS. Tigera officials said that feature will ship at the end of April.
Solo.io takes on Istio multi-cluster management
In late March, cloud-native networking vendor Solo.io announced plans to ship a public beta version of Gloo Cloud, an Istio service mesh SaaS product, in the second quarter of 2021. Solo.io already has a self-managed service mesh product based on Istio called Gloo Mesh, but Gloo Cloud will appeal to the broader swath of the industry that's now ready to try service mesh yet needs help to get started, according to founder and CEO Idit Levine.
"I think the market is ready … and Istio made a very important move with the cleaner architecture [in version 1.5], so the product is ready," she said. "The product is becoming better and the market is definitely demanding it."
Like Tigera, Solo.io began with a focus on network components other than service mesh -- in Solo.io's case, its first product was an API gateway, now known as Gloo Edge 2.0, which is based on the same Envoy sidecar proxy that underpins Istio. Gloo Mesh, announced in 2018, adds features atop open source Istio such as support for namespace-based multi-tenancy and built-in rate limiting. It also builds in cross-cluster management features such as virtual destinations, which route failover traffic to the clusters closest to the original workload. Gloo Cloud will absorb these features and handle control plane management for customers.
"It will open the market for smaller companies, including customers that already run in the cloud but manage service mesh themselves," Levine said.