A few of the large announcements included Anthos and Cloud Run. It is easy to get overwhelmed by the sheer number of presentations and announcements.

This year there were two presentations that I felt may have flown under the radar, but that would be a shame to miss.

Istio service mesh for VMs

Service meshes and overlay networking have been around for a while. Tools like Istio enable engineers to create overlay networks between containers. These networks allow for software-based networking between services and higher-level features such as circuit breaking, latency-aware load balancing, and service discovery.

One of the drawbacks of these tools was that most of them relied on sidecar containers. As a result, setting this up for non-container workloads like VMs was pretty difficult. In this talk Chris Crall and Jianfei Hu show an easy way of integrating Istio with VMs. This means that we can now integrate almost anything into our service mesh, including databases, legacy workloads or anything else that runs on a VM.

Even though it might seem like a minor feature, this is a game changer. Imagine migrating a large application landscape of critical legacy workloads into containers: Istio can do weight-based routing. This means that we can set up many endpoints for the same service, each receiving only part of the traffic. By doing this for an application we are trying to migrate, we can compare the performance of the old version to the new containerised one.

Zero-trust networking and PII

Another video that would be easy to miss, but is definitely worth a watch, is the one by Roy Bryant from Scotiabank. They have recently started shifting from a financial institution to ‘a tech company that also does banking’, as shown by them starting to push open-source code to GitHub.

Being a bank, they deal with a lot of PII (personally identifiable information). As a result, security is one of their main concerns. In the video they mention that, besides using ML to tokenise things like credit card numbers, they leverage intent-based zero-trust networking. This might sound complex, but in reality it is quite elegant.

Traditionally, access between services or computers is enforced through firewalls and network configuration. With the emergence of software-defined networks and layer-7 routing, we can start thinking about other ways.

In the video, they mention that instead of configuring firewalls, they started expressing intent: “I want service A to be able to read 10 records per second from service B for the next 5 minutes.”

By versioning these intents and abstracting the logic behind it away into libraries, we are no longer maintaining complex sets of firewall rules. Access is now governed in a transparent maintainable manner, allowing for an intuitive way of approaching security.
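As an added illustration (not code from the talk or from Scotiabank), this is how the identity half of such an intent, “service A may read from service B”, can be expressed in an Istio service mesh as an AuthorizationPolicy tied to workload identity rather than to IP addresses. The namespaces, service names and paths are assumptions; the rate and time-window parts of the intent are not expressible in this resource and are noted in the comments.

```yaml
# Added example, not from the original post. Names are assumed.
# Default-deny for every workload in the namespace of service B:
# an empty spec matches nothing, so any request not allowed by a
# more specific policy is rejected at the sidecar.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments          # namespace of service B (assumed)
spec:
  {}
---
# The intent "service A may read from service B", expressed as an
# ALLOW rule. The caller is identified by the SPIFFE principal in its
# mTLS client certificate, so the rule keeps working when service A
# is rescheduled, scaled, or moved from a VM to a container.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-b-readers
  namespace: payments
spec:
  selector:
    matchLabels:
      app: service-b           # enforced at service B's sidecar
  action: ALLOW
  rules:
  - from:
    - source:
        # <trust-domain>/ns/<namespace>/sa/<service-account> of service A
        principals: ["cluster.local/ns/orders/sa/service-a"]
    to:
    - operation:
        methods: ["GET"]       # "read" only; writes stay denied
        paths: ["/records/*"]  # assumed path of the records API
# Not covered here: "10 records per second" needs a separate rate
# limiting mechanism, and "for the next 5 minutes" would be handled by
# the tooling that versions the intent and removes this policy on expiry.
```

Both resources are applied with `kubectl apply -f`; the second one is the versioned, reviewable artefact that replaces a firewall rule.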

Conclusion

A blog post like this can only cover so much ground, and these are complex subjects. I recommend watching the videos mentioned here and checking out the links in the references below. I would like to end this post with some food for thought:

Currently in modern clouds, a large part of the security model relies on network security through firewalls and NACLs in addition to IAM.

With the increasing usage of layer-7 overlay-networking I expect to see these two amalgamate into new multi-disciplinary security mechanisms.

References