VoltMesh’s Service Mesh is a centrally managed globally distributed load balancer and proxy with service discovery, health checking, application micro-segmentation, and application policy providing the most advanced implementation of edge load-balancer with ingress/egress capability for any service mesh. Service discovery integrates with multiple registries like Kubernetes, Consul, or DNS along with health checking support for http/https, tcp, custom, etc. End-point health is distributed to all the sites where the virtual service is exposed using extensions to the BGP protocol and this provides us with valuable insight on how to globally distribute the load balancing function. Support for both TLS and mutual-TLS for authentication with policy-based authorization on the proxy provides the capability to enforce end-to-end security of application traffic. In addition, the proxy gives the ability to terminate user traffic in the Volterra global network and use a persistent connection to serving end-points to accelerate and load balance to the most optimal end-point. It is “out-of-the-box” ready and accessible when Volterra Node or Cluster is deployed.
If you are interested in further details of how the features described in this guide work, read more below in Concepts.
Intro to VoltMesh Service Mesh
With all Volterra Node or Cluster deployments, you have the ability to leverage additional VoltMesh and VoltStack services as a simple add-on. This section discusses specifically the VoltMesh Service Mesh features.
VoltMesh Service Mesh Features
Multi-cluster Secure & Auto Tunnels
VoltMesh’s consolidated network and application software is a Cloud-native software stack that can be used to secure and connect Kubernetes clusters, Virtual Machines and BareMetal across multiple environments and networks. Using VoltMesh Secure Networking tunnels are automatically created between clusters either directly using full-mesh or indirectly via hub-spoke. VoltMesh Secure Backbone offerings further augment the security and connectivity of these clusters.
Identity Authority for AuthN/AuthZ
For applications using secrets (i.e. TLS/mTLS certs, passwords, tokens, etc.), Volterra provides a tenant-specific CA and PKI infrastructure for managing secrets, while providing a mechanism (Blindfold) to store secrets in a centralized control plane without worrying about system compromise. Using the policy framework AuthZ/AuthN can be applied at network or API levels.
Service Discovery & Health-checks
Service endpoints are discovered and globally available and reachable to all Virtual Hosts on VoltMesh locations. Service discovery integrations supported today include DNS, Kubernetes, and Hashicorp Consul. All discovered or configured endpoints and VIPs are automatically probed for explicit (configured) or implicit (i..e latency, error rate, response times, etc.) health checks. The global visibility of endpoints and availability allow for optimized load balancing of clients to services.
Globally Distributed Load Balancing
In addition to VoltMesh Global Load Balancing, since the proxy is distributed and the health of all the endpoints is available across multiple sites, the routing and traffic control decision can be made based on the actual health of the individual endpoints across all the sites and not just the proxies front-ending the endpoints. This is especially useful for high traffic web-services.
Traffic Management & Testing
In additional to GSLB traffic management functionality, rich HTTP/HTTPS routing functionality is available. Matching on parameters such as URLs, headers, query parameters, HTTP methods, etc. are available. Customization to matching is also available using Volterra’s Programmable v8 engine. Routing options based on matched criteria include send a direct response, change of protocol, add/remove headers, timeouts/retries, send to WAF (Web Application Firewall), endpoint selection/grouping, etc. These are building blocks to Application-specific testing A/B testing, canary, staging rollouts, etc.
Service Policy & Advanced Security
Application microsegmentation per virtualhost and services in a namespace using an intent based service policy (L7), enabling enhanced Application Security matching with regex-based label selectors, client IP or ASN lists, actions of allowing, deny (with future options to rate-limit or custom using Java v8 chrome engine).