On a recent earnings call VMware CEO Pat Gelsinger said the company’s top priorities for 2019 would be NSX, cloud, and containers – in that order. The announcement that VMware is bringing the open source Istio network service mesh to NSX, its network virtualization platform, combines all three.
On the one hand, NSX Service Mesh improves VMware’s Kubernetes and multi-cloud support. Istio is quickly becoming a fairly common part of the Kubernetes stack, and when the beta of NSX Service Mesh arrives in early 2019 it will work first with Cloud PKS (VMware’s Kubernetes-as-a-Service offering that runs on AWS and soon also Azure) and later with any Kubernetes environment. But VMware is also extending Istio with the more sophisticated monitoring options enterprises need around resources and geographical restrictions.
Containerized applications built with microservices are easier to develop, scale, and move from one infrastructure to another than traditional “monolithic” applications. But they also have far more interconnections and endpoints to secure and monitor, and managing networks in distributed systems is complicated, especially as the environments they run in aren’t static, with services scaling or failing and recovering frequently.
A network service mesh like Istio acts as an interface layer for communication between different microservices, abstracting those communications for developers. It also acts as a control plane. Because microservices talk to the service mesh rather than directly to each other, a service mesh can handle network tasks like routing, load balancing, failover, and rate limiting, providing resiliency and service discovery as well as adding security with quotas, access control or encryption, and observability with logging, monitoring, and alerting.
That’s different from the network virtualization features in NSX. “The existing VMware network stack is very low-level; Istio is at a slightly higher level, it’s layer 3 and 4 and 7,” Venil Noronha, an engineer at VMware’s open source technology center who contributes to the Kubernetes and Istio open source projects, told Data Center Knowledge in an interview.
“This is definitely going to help developers deploy workloads in a service mesh environment,” he said. “You have the same kind of [communications] logic in every single microservices app, and now we want to bring that core out so developers don’t have to worry about it. That makes it easier for developers to do what they want to do.”
It makes sense for existing customers to look to VMware for these features, James Governor, analyst and co-founder of Redmonk, a market research firm that serves software developers, told us. “For a lot of organizations service mesh is the next logical thing. You do Kubernetes, you start doing microservices, and then you think, I've created this management nightmare, what am I going to do next? For operations this is another thing you’re being told to manage, and you can get your elbows out and own some of this as opposed to being sidelined.”
NSX Service Mesh is also part of VMware’s hybrid cloud strategy along with Cloud PKS and the recent Heptio acquisition, Governor suggested. “VMware is in a nice place with on-premises options,” he said. “Amazon's Relational Database Service on premises runs on VMware, GKE (Google’s Kubernetes cloud service) on premises runs on VMware, Outposts from AWS runs on VMware. That means VMware can have a sensible conversation with their customers and say look, hybrid cloud is coming to you and some of the management is going to be done by the cloud provider, but you've got an important role to play with the management of these microservices.”
Maturing Service Mesh
Network service mesh technologies like Istio (and network proxies like Envoy) are still very much in development and they’re evolving rapidly. Istio only reached version 1.0 in July 2018 and in some areas it remains fragile; in particular, it’s difficult to debug when things go wrong.
While it’s not the most mature service mesh, it is the fastest growing. “The community behind Istio is very strong,” Noronha said.
Overall, network service meshes are so useful that enterprises are already implementing them in production systems, despite the technology’s relative immaturity.
A May 2018 survey by 451 Research found strong interest, with only a small minority saying they had no plans to adopt service mesh. A surprisingly high number of enterprises in manufacturing, financial services, packaged goods, oil and gas, healthcare, communications, technology, and other verticals reported broad implementation in production (up to 22 percent for oil and gas, for example). 451 predicts that up to 28 percent of enterprises will have service mesh in production broadly within a year. Even among conservative industries like financial services and retail, adoption will be as high as 5 percent to 10 percent.
VMware can add many enterprise features for operations to NSX Service Mesh that Istio doesn’t already have, from connecting to other NSX products to collecting metrics and applying unified policies for security, encryption, and access control. VMware has already created an adapter to export Istio metrics to its Wavefront monitoring and analytics tool.
The open source version of Istio supports single clusters and scaling software into multiple clusters, but having services communicate over data boundaries is currently more difficult. Extending NSX Service Mesh to support multiple clusters will make it possible to monitor data moving between different systems or to restrict data movement out of geographical areas for governance and compliance. Istio has no real notion of the users who access services, but VMware can connect NSX Service Mesh to identity and access management systems already in use within the organization.
VMware is also keen to extend Istio to support multiple backends, going beyond hybrid to joining Kubernetes clusters deployed across multiple clouds.
Having that as part of the same tools enterprises already use to manage on-premises infrastructure will definitely be appealing, Governor suggested. “If you're coming from the cloud with Istio you can’t do any of the things NSX can do in terms of touching on-premise infrastructure. NSX is much more mature.”