Enable OCI Service Mesh in Kubernetes applications to make cloud computing smarter and more efficient

Mondo Technology Updated on 2024-02-01

Oracle Cloud Infrastructure (OCI) customers are increasingly turning to a microservices architecture, which brings many benefits but also introduces new challenges. In a microservices architecture, a monolithic application is split into many smaller services that communicate with each other over the network through APIs. This leads to a surge in network traffic and increases both the complexity of the architecture and its overall attack surface. Adding a service mesh to a microservices application alleviates many of these challenges. A service mesh:

Lets you control where traffic flows between your microservices.

Provides visibility into your applications.

Enables microservices to connect securely without changing the application.

With OCI Service Mesh, you can deploy a managed service mesh to your Kubernetes Container Engine (OKE) cluster. This reference architecture gives a detailed example of an OCI Service Mesh deployed in an OKE cluster. OCI Service Mesh uses access policies to define access rules. Access policies govern communication between microservices and allow only authenticated requests, whether those requests originate inside or outside the application. Access policies also define which external services the microservices are allowed to communicate with.
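To make the access-policy semantics described above concrete, the following is an added example (not OCI or OKE code): a small default-deny evaluator that allow-lists source/destination pairs, including the ingress gateway and an external egress host, and denies everything else, including any request that arrives without a mesh identity. The service names, the rule shape, and the "explicit DENY wins over ALLOW" ordering are this example's own assumptions, not the OCI resource schema.

```python
"""Default-deny access-policy evaluation (added example, not OCI code).

Reproduces the semantics of a mesh access policy: allow-listed
source/destination pairs, everything else denied.  Rule and request shapes
are a simplification chosen for this example, not the OCI resource schema.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Principal:
    """A party in the mesh: a virtual service, the ingress gateway, or an
    external host reached through the mesh."""
    kind: str          # "virtual_service" | "ingress_gateway" | "external"
    name: str          # service name, gateway name, or external hostname


@dataclass(frozen=True)
class Rule:
    action: str        # "ALLOW" or "DENY"
    source: Principal
    destination: Principal


@dataclass(frozen=True)
class Request:
    source: Principal
    destination: Principal
    authenticated: bool   # did the caller present a valid mesh identity (mTLS)?


def _matches(pattern: Principal, actual: Principal) -> bool:
    # A rule principal matches when the kind agrees and the name agrees or is "*".
    return pattern.kind == actual.kind and pattern.name in ("*", actual.name)


def evaluate(rules: Iterable[Rule], request: Request) -> str:
    """Return "ALLOW" or "DENY" for one request.

    Order (this example's choice, modelled on the zero-trust description):
    1. an unauthenticated request is denied before any rule is consulted;
    2. an explicit DENY wins over any ALLOW;
    3. otherwise a matching ALLOW grants access;
    4. with no matching rule the default is DENY.
    """
    if not request.authenticated:
        return "DENY"
    allowed = False
    for rule in rules:
        if _matches(rule.source, request.source) and _matches(rule.destination, request.destination):
            if rule.action == "DENY":
                return "DENY"
            allowed = True
    return "ALLOW" if allowed else "DENY"


def vs(name: str) -> Principal:
    return Principal("virtual_service", name)


# Constructed policy for a three-service application (names are assumptions).
POLICY: List[Rule] = [
    Rule("ALLOW", Principal("ingress_gateway", "app-ingress"), vs("frontend")),
    Rule("ALLOW", vs("frontend"), vs("orders")),
    Rule("ALLOW", vs("orders"), vs("inventory")),
    # Egress: only the orders service may call this external API.
    Rule("ALLOW", vs("orders"), Principal("external", "payments.example.com")),
]


def decisions(rules: Iterable[Rule], requests: Iterable[Request]) -> List[str]:
    return [evaluate(rules, r) for r in requests]


def demo() -> List[str]:
    """Six constructed requests; the comments give the expected decision."""
    requests = [
        Request(Principal("ingress_gateway", "app-ingress"), vs("frontend"), True),   # ALLOW
        Request(vs("frontend"), vs("orders"), True),                                   # ALLOW
        Request(vs("frontend"), vs("inventory"), True),                                # DENY: pair not allow-listed
        Request(vs("frontend"), vs("orders"), False),                                  # DENY: no mTLS identity
        Request(vs("orders"), Principal("external", "payments.example.com"), True),    # ALLOW: explicit egress rule
        Request(vs("inventory"), Principal("external", "payments.example.com"), True), # DENY: egress not allowed
    ]
    return decisions(POLICY, requests)


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The useful property to notice is the fourth case: the frontend is allowed to call orders, but the request is still denied because it carries no mesh identity. Authorization in the mesh only ever runs on top of authentication.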

Zero trust

OCI Service Mesh automates the implementation of a zero-trust security architecture across all microservices. Data in transit between microservices is encrypted, and authentication is required at the start of every communication: the two parties exchange credentials that carry identity information, which lets each service identify the other and decide whether the interaction is permitted. This is implemented with mutual TLS; certificate and key rotation is automated through the OCI Certificate Service and the OCI Key Management Service, which manage the certificates and keys.

Traffic management

Traffic shifting.

OCI Service Mesh lets you do canary deployments. When you release a new version of a service to production, you allow only a portion of the traffic to reach it. This lets you deploy quickly with minimal disruption to your applications. You define routing rules that control communication between all microservices within a mesh; for example, you might route a subset of your traffic to a specific version of a service.
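The following added example (not OCI Service Mesh or Envoy code) shows the arithmetic behind a weighted route table of the kind described above: 90% of requests go to the current version and 10% to the canary, and a consistent hash of a per-client key keeps each client on one version. The service names, weights and request keys are constructed for the example.

```python
"""Weighted traffic shifting for a canary release (added example, not OCI code)."""
import hashlib
from collections import Counter
from typing import Dict, List, Tuple


def choose_version(route_table: List[Tuple[str, int]], key: str) -> str:
    """Pick a destination version for one request.

    route_table: list of (version, weight) with non-negative weights summing to 100.
    key: value hashed onto the 0..99 line.  Using a stable per-client key
    (for example a session id) makes the split sticky per client, so one
    user does not bounce between versions from request to request.
    """
    weights = [w for _, w in route_table]
    if sum(weights) != 100 or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative and sum to 100")
    # SHA-256 of the key reduced to a bucket 0..99; the wide digest makes the
    # reduction effectively uniform, so buckets follow the weights.
    bucket = int.from_bytes(hashlib.sha256(key.encode()).digest(), "big") % 100
    upper = 0
    for version, weight in route_table:
        upper += weight           # a version with weight 0 is never selected
        if bucket < upper:
            return version
    raise AssertionError("unreachable: weights sum to 100")


def simulate(route_table: List[Tuple[str, int]], n: int) -> Dict[str, int]:
    """Route n synthetic requests (keys "req-0".."req-{n-1}") and count how
    many landed on each version."""
    counts = Counter(choose_version(route_table, f"req-{i}") for i in range(n))
    return dict(counts)


# Constructed canary table: 90% to v1, 10% to the new v2.
CANARY: List[Tuple[str, int]] = [("orders-v1", 90), ("orders-v2", 10)]


def sticky(key: str, repeats: int = 5) -> bool:
    """True when the same key always lands on the same version."""
    versions = {choose_version(CANARY, key) for _ in range(repeats)}
    return len(versions) == 1


if __name__ == "__main__":
    print(simulate(CANARY, 10_000))   # per-version counts; v2 gets close to 10%
    print(sticky("session-abc123"))   # True
```

Shifting the canary's share is a matter of changing the weights in the table; nothing in the application changes, which is the point the page makes about routing rules living in the mesh rather than in the code.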

Observability

Monitoring and logging.

OCI Service Mesh is uniquely positioned to provide telemetry because all communication between microservices passes through it. This lets the mesh capture telemetry such as source, destination, protocol, URL, duration, status code, latency, logs, and other detailed statistics. You can export log information to the OCI Log Service. OCI Service Mesh provides two types of logs, error logs and traffic logs, which you can use to debug 404 or 505 issues or to generate log-based statistics. Metrics and telemetry data can be exported to Prometheus and visualized with Grafana; both can be deployed directly in the OKE cluster.
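As an added example of the kind of log-based statistics mentioned above, the following script (not OCI tooling) parses a batch of traffic-log records and reports, per destination service, the request count, 404 and 5xx counts, error rate and p95 latency. The record format is constructed for the example and is not the exact OCI Service Mesh traffic-log schema; it keeps only the fields the page says the mesh records, so the aggregation can be pointed at a real export once the field names are adjusted.

```python
"""Summarising mesh traffic logs for debugging (added example, not OCI code)."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample: one JSON object per line, as a log export would deliver.
# The malformed last line is deliberate, to show that the parser skips it.
SAMPLE_LOG = """\
{"source": "frontend", "destination": "orders", "protocol": "HTTP/1.1", "url": "/orders", "status": 200, "duration_ms": 12}
{"source": "frontend", "destination": "orders", "protocol": "HTTP/1.1", "url": "/orders/42", "status": 404, "duration_ms": 3}
{"source": "orders", "destination": "inventory", "protocol": "HTTP/1.1", "url": "/stock/42", "status": 200, "duration_ms": 8}
{"source": "orders", "destination": "inventory", "protocol": "HTTP/1.1", "url": "/stock/43", "status": 505, "duration_ms": 1}
{"source": "frontend", "destination": "orders", "protocol": "HTTP/1.1", "url": "/orders", "status": 200, "duration_ms": 250}
{"source": "ingress", "destination": "frontend", "protocol": "HTTP/1.1", "url": "/", "status": 200, "duration_ms": 30}
{"source": "ingress", "destination": "frontend", "protocol": "HTTP/1.1", "url": "/admin", "status": 404, "duration_ms": 2}
this line is not json and is skipped
"""

REQUIRED = {"destination", "status", "duration_ms"}


def parse(lines: Iterable[str]) -> List[dict]:
    """Parse JSON records, dropping blank, malformed or incomplete lines
    instead of aborting the whole batch."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and REQUIRED.issubset(rec):
            records.append(rec)
    return records


def percentile(values: List[int], pct: float) -> int:
    """Nearest-rank percentile (pct in 0..100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, int(round(pct / 100 * len(ordered))))
    return ordered[rank - 1]


def summarise(records: List[dict]) -> Dict[str, dict]:
    """Per destination: request count, 404 count, 5xx count, error rate, p95 latency."""
    by_dest: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        by_dest[rec["destination"]].append(rec)
    out = {}
    for dest, recs in by_dest.items():
        not_found = sum(1 for r in recs if r["status"] == 404)
        server_err = sum(1 for r in recs if 500 <= r["status"] <= 599)
        out[dest] = {
            "requests": len(recs),
            "404": not_found,
            "5xx": server_err,
            "error_rate": round((not_found + server_err) / len(recs), 3),
            "p95_ms": percentile([r["duration_ms"] for r in recs], 95),
        }
    return out


def analyse(text: str = SAMPLE_LOG) -> Dict[str, dict]:
    return summarise(parse(text.splitlines()))


if __name__ == "__main__":
    for dest, stats in analyse().items():
        print(dest, stats)
```

Grouping by destination rather than by source is deliberate: a 5xx count attributed to the destination points at the service that failed, while the 404 count on the frontend immediately surfaces probes for paths that do not exist.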

OCI Service Mesh uses a sidecar model. This architecture moves the network functions out of the application and into a sidecar proxy, and relies on traffic to and from the service being redirected through that sidecar. It is called a sidecar because it is attached to each application instance, just as a sidecar is attached to a motorcycle. In OKE, the application container and the sidecar container run in the same pod; because they share the pod's network namespace and IP address, the two containers communicate over "localhost".

OCI Service Mesh has two main components. The control plane manages and configures the whole collection of proxies to route traffic; it handles health checks and the aggregation of health data, load balancing, authentication, authorization, and telemetry. The control plane interacts with the OCI Certificate Service and the OCI Key Management Service to provision a certificate for each proxy.

The data plane is the collection of sidecar proxies deployed in the environment; it is responsible for the security, networking, and observability of the application, and it also collects and reports telemetry for all mesh traffic. Envoy is used as the data plane of OCI Service Mesh. The following diagram illustrates this reference architecture.

This reference architecture shows an application with three services deployed in an OKE cluster. The namespace in which the application is deployed has been "meshed". A meshed namespace means that services deployed in that namespace become part of the service mesh, and every newly deployed pod is injected with an Envoy proxy container. As each pod is deployed, the OCI Service Mesh control plane sends configuration and certificates to its proxy container; the control plane obtains the certificate for each proxy from the OCI Certificate Service and the OCI Key Management Service.

An ingress gateway is deployed to provide external access to the application. The ingress gateway is part of the OCI Service Mesh data plane and is also an Envoy proxy that receives its configuration and certificates from the control plane.

The proxy container is responsible for service discovery, traffic encryption, and authentication to the destination service. Proxies also apply network policies, such as traffic distribution between different service versions, and enforce access policies. The ingress gateway performs the same functions for traffic coming from outside the service mesh.

Prometheus and Grafana are deployed in a separate namespace in the OKE cluster that is not part of the mesh. The data plane sends key operational statistics, such as latency, failures, requests, and telemetry, to the Prometheus deployment, and Grafana pulls data from Prometheus to build dashboards for visualization. OCI Service Mesh is integrated with the OCI Log Service, and logging can be enabled when the mesh is created. OCI Service Mesh provides two types of logs, error logs and traffic logs, which can be used to debug 404 or 505 issues or to generate log-based statistics.

This architecture includes the following OCI services:

Kubernetes Container Engine (OKE): delivers highly available, scalable, production-ready Kubernetes clusters for deploying your containerized applications in the cloud.

Load balancer: provides access to the ingress gateway in the OKE cluster; the ingress gateway then directs traffic to the requested service in the cluster.

Certificate Service: manages the TLS certificates used by OCI Service Mesh.

Key Management Service: manages the keys used by the certificate authority service.

This architecture consists of the following components:

Region. An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of each other, and large distances can separate them (across countries or even continents).

VCN and subnets. A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like a traditional data center network, a VCN gives you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks, which you can change after the VCN is created. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that do not overlap with the other subnets in the VCN. You can change the size of a subnet after it has been created. Subnets can be public or private.

Security rules. For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

When you configure OCI Service Mesh in an OKE cluster, you define several Kubernetes resources that map to the key components of your application.

The following diagram depicts how the configured OCI Service Mesh resources (access policies, ingress gateways, virtual services, and virtual deployments) map to your application's Kubernetes resources (Services, Service load balancers, Deployments, and Pods).

Use the following suggestions as a starting point; your requirements may differ from the architecture described here. When you create a VCN, determine the number of CIDR blocks you need and the size of each block based on the number of resources you plan to attach to the VCN's subnets. Use CIDR blocks within the standard private IP address space.

Select a CIDR block that does not overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) that you intend to set up a private connection to.

Once the VCN is created, you can change, add, and remove its CIDR blocks.

When designing your subnets, consider your traffic flows and security requirements. Attach all resources within a specific tier or role to the same subnet, so that the subnet can act as a security boundary.
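The three VCN rules above (stay in private address space, overlap nothing you will connect to privately, carve non-overlapping subnets sized for the resources they will hold) are mechanical enough to check before anything is created. The following added example (not OCI tooling) does that with Python's standard ipaddress module; every address range in it is constructed for the example.

```python
"""VCN and subnet CIDR planning checks (added example, not OCI tooling)."""
import ipaddress
from typing import Dict, List, Tuple

# RFC 1918 private address space, the "standard private IP address space"
# the recommendation refers to.
PRIVATE_SPACE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vcn_cidr(candidate: str, peers: List[str]) -> List[str]:
    """Return the problems with a candidate VCN block (empty list = acceptable).

    peers: CIDRs of every network you intend to connect privately
    (other VCNs, on-premises ranges, other cloud providers).
    """
    net = ipaddress.ip_network(candidate, strict=True)   # rejects host bits set
    problems = []
    if not any(net.subnet_of(space) for space in PRIVATE_SPACE):
        problems.append(f"{net} is not inside RFC 1918 private space")
    for peer in peers:
        other = ipaddress.ip_network(peer)
        if net.overlaps(other):
            problems.append(f"{net} overlaps {other}")
    return problems


def check_subnets(vcn: str, subnets: Dict[str, str]) -> List[str]:
    """Every subnet must sit inside the VCN and must not overlap any other subnet."""
    vcn_net = ipaddress.ip_network(vcn)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    for name, n in nets.items():
        if not n.subnet_of(vcn_net):
            problems.append(f"{name} {n} is outside VCN {vcn_net}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def usable_hosts(cidr: str) -> int:
    """Addresses available after the network and broadcast addresses.
    (OCI reserves a few further addresses per subnet; this counts only the two,
    so treat it as an upper bound when sizing.)"""
    return ipaddress.ip_network(cidr).num_addresses - 2


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    # Constructed plan: a VCN for the OKE cluster, privately connected to two
    # on-premises ranges.
    on_prem = ["10.0.0.0/16", "192.168.100.0/24"]
    good = check_vcn_cidr("10.1.0.0/16", on_prem)      # no problems
    bad = check_vcn_cidr("10.0.5.0/24", on_prem)       # overlaps on-prem 10.0.0.0/16
    public = check_vcn_cidr("203.0.113.0/24", [])      # not private space
    subnets = {
        "lb-public": "10.1.0.0/24",       # load balancer / ingress gateway tier
        "oke-workers": "10.1.1.0/24",     # worker node pool
        "oke-api": "10.1.2.0/28",         # Kubernetes API endpoint
        "overlap-test": "10.1.1.128/25",  # deliberately overlaps oke-workers
        "outside": "10.2.0.0/24",         # deliberately outside the VCN
    }
    return good, bad, public, check_subnets("10.1.0.0/16", subnets)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Keeping each tier in its own subnet, as the text recommends, is what makes the subnet-level security rules meaningful; the overlap check is what keeps a later private connection from silently black-holing traffic to an on-premises range.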

When you create a load balancer, you can choose a predefined shape that provides fixed bandwidth, or a custom (flexible) shape where you set the bandwidth range and have the service automatically scale the bandwidth based on traffic patterns. Either way, you can change the shape of the load balancer at any time after you create it.

When deploying this reference architecture, consider the following. On an OKE cluster there is no charge for the OCI Service Mesh control plane. Customers are charged for the resources used by the containers that serve the mesh data plane. In practice, however, customers have already paid for the node pool resources in the OKE cluster, so adding OCI Service Mesh to a microservices architecture incurs no additional cost unless the utilization of those containers pushes node pool utilization above 100%.

The control plane of an OCI service mesh is always deployed as highly available.

As an Oracle Premier Partner, Agilewing is redefining the way enterprises experience Oracle Cloud Services. With its streamlined account opening process and best-in-class technical support, Agilewing transforms the complex process of account opening and operation into an easy, intuitive experience. With our one-stop shop, you can quickly get up and running with the full range of Oracle Cloud services and integrate seamlessly into the cloud. Agilewing's AgileCDN service, combined with OCI's cloud-based services, provides a best-in-class global content acceleration solution. A strong network of more than 2,800 global POP nodes and 7,000 direct connection points ensures efficient and stable operation wherever in the world your business expands. Leveraging the advanced technology of Oracle Cloud, Agilewing is committed to simplifying cloud service building, cloud migration, and taking a business global. "Our partnership model provides customers with cost-effective solutions that allow them to focus more on their core business while enjoying the high performance and security of Oracle Cloud." Oracle Cloud Service, as a promising field, opens the door to new opportunities for enterprises with its high performance, security, and globally consistent service standards. Through Agilewing's professional services, both individual users and enterprises can easily enter this new era of technological innovation and high performance. Start exploring Oracle Cloud Services with Agilewing and open the door to a whole new world today.
