AMPLIFY Central Mesh Governance is available in beta. All new organizations that join the AMPLIFY platform are automatically enrolled in its public beta program when they subscribe to Application Integration. But what’s a service mesh?
This blog will answer that question and more.
Q: First, why AMPLIFY Central? What happened to API Central?
A: API Central “grew up” and became a unifying and common part of AMPLIFY, so it is now AMPLIFY Central.
- AMPLIFY Central is the common “cockpit” for several of our AMPLIFY platform solutions.
- AMPLIFY Central is your control tower to import and manage APIs, apply security and policy, and to monitor API transaction activity across your various connected and disconnected environments.
- AMPLIFY Central is the common control plane for managing a customer’s various data planes. The run-time API or microservice hosting provided by the data plane can be in the Axway public cloud, in the customer’s private cloud(s), or in the customer’s traditional on-premises environment.
Q: What is Mesh Governance?
A: AMPLIFY Central with Mesh Governance can now do more than API Central could in the past. Part of that is the ability both to manage APIs (as API Central always did) and to help customers manage their private cloud environments via a hybrid-deployed service mesh.
- These hybrid-connected private cloud environments need to be based on Kubernetes at this time, but the customer can select the type of on-premises Kubernetes orchestration stack they want to deploy: AWS EC2, EKS, MS Azure, GCE, OpenShift, etc.
- AMPLIFY Central is itself built as a set of multi-tenant microservices and is also deployed and managed on Kubernetes in our Axway public cloud.
- A visual overview of the AMPLIFY Central Mesh Governance feature is here: Mesh Governance Public Beta
Q: Why is the Mesh Governance option still in Beta, but the rest of AMPLIFY Central is GA?
A: AMPLIFY Central (and the rest of the AMPLIFY platform) is a SaaS solution, meaning we update and evolve it frequently. The Mesh Governance feature is not fully complete yet, but we want all customers to try it out and give us feedback.
- The main AMPLIFY Central public documentation topic is here: AMPLIFY Central. It is also available in open-docs format (for all to comment on or update) here: AMPLIFY Central open docs (https://axway-open-docs.netlify.com/docs/central/)
- The AMPLIFY Central Mesh Governance documentation topic (discussing hybrid environment support and the service mesh) is here: AMPLIFY Central Mesh Governance feature
- The more detailed examples for building and connecting an AWS/EC2 demo environment with AMPLIFY Central are here: Setup Amplify Mesh-Governance
Q: Can AMPLIFY Central still help me secure and manage my APIs too?
A: Yes, it still does that, but it can now also discover and manage microservices that live on the hybrid connected private clouds that can be attached to each AMPLIFY customer’s tenant view of their organization.
- Now AMPLIFY customers can see and manage their microservices (from their own connected private clouds) and the APIs that expose those microservices.
- AMPLIFY Central allows customers to manage both “external” (or legacy service) APIs and “internal” (discovered from connected service meshes on private clouds) APIs in a consistent manner.
Q: What kind of service mesh feature is this?
A: We are providing a “bring your own Kubernetes” cluster approach that allows us to add a service mesh layer on top of a Kubernetes cluster. While we are trying to be a light touch to the cluster, we are still adding a mesh (we use Istio/Envoy) to the private cloud as part of our deployment.
- You can look at our own service mesh primer here to come up to speed: Service Mesh basics. You can learn about Istio here: What is Istio?
- You can look at the challenging evolution many organizations find themselves in here: AMPLIFY Central and the gateway puzzle
Q: What value does our service mesh add?
A: Take a look at what our “mesh agents” do and see that we are exposing existing customer microservices back into their AMPLIFY Central view of their organizational APIs. Now, they can manage APIs and Services from the same “cockpit” in AMPLIFY. This is part of AMPLIFY Central becoming a common control plane for customers to use to manage internal and external services, and then to manage their sharing of those APIs and services to their own consumers via the AMPLIFY Central Unified Catalog.
- You can learn more about our Mesh Agents here: Axway Mesh Agents. You can learn more about the AMPLIFY Unified Catalog here:
Q: Lots of vendors resell or use Istio. What’s so special about what Axway is doing with it?
A: We are using Istio as a standard service mesh (along with our Axway mesh agents) to provide a combined view of all internal and external APIs to the customer, then allowing them to decide which ones to expose to their customers, developers and consumers.
- We are allowing the customer to decide what level of security each API has.
- We are allowing the customer to decide which APIs (from those managed microservices) are exposed to the AMPLIFY Central Proxy Registry and to the AMPLIFY Unified Catalog.
- We are allowing them to selectively add policies to govern the flow of API traffic between those managed APIs inside each service mesh.
- And, we are providing them a common analytics view of all traffic for all APIs in all of their managed (SaaS and Hybrid) environments.
Q: So, what if I have more than one private cloud that I want to connect up and manage?
A: You can do that. Each service mesh is connected to your AMPLIFY Central organizational view as a separate environment to manage. You can have both an individual environment view and a combined global view of the services, policies and externally exposed (we call them “proxied”) APIs for each environment.
Q: Does this new Mesh Governance feature replace Kubernetes or OpenShift?
A: No, we are adding service management on top of the container management they already provide for the customer in their on-premises or private cloud environments.
- AMPLIFY Central adds a simple policy view (currently native to the service mesh) of both their security authorization rules and their flow management rules that apply to each segment of the API transaction as it flows through their service mesh.
- We plan to extend this policy view in the future to support external gateways (i.e., not just the mesh gateways inside the service mesh).
Q: How is this service mesh attached to AMPLIFY? How is it attached to AMPLIFY Central?
A: Take a look at the Axway Mesh Agents overview to understand more about this: Axway Mesh Agents
- In simple terms, the Axway Mesh Agents are deployed to the private cloud Kubernetes clusters, where they add (or take over) the service mesh functions and provide secure connections back to AMPLIFY Central. Those connections are used to facilitate Service/API discovery, to control local security/policy updates, and to periodically publish API transaction telemetry back to the AMPLIFY platform analytics stack.
- The discovery reporting is configurable so that the Mesh Governance feature can manage as much or as little of the cluster as the customer wants. Existing microservices can be exposed or hidden as the customer desires.
- The Mesh Governance feature can automate the deployment of a compatible Istio/Envoy layer, or it can interoperate with an existing one that the Kubernetes layer may already have in place.
Q: Where does the mesh run? Where are my services located if they are not being hosted in AMPLIFY Central?
A: That’s the beauty of our AMPLIFY hybrid model. The private cloud can be wherever the customer wants it to be… as long as they have a ready-to-use Kubernetes cluster. We use the hybrid ability of AMPLIFY Central to connect our control plane to that customer private cloud to expose their services and manage policy assignments against them.
- The customer Kubernetes cluster can be on-premises, like OpenShift or other “bare metal” Kubernetes stacks, or in a vendor-hosted Kubernetes private cloud like Amazon AWS/EC2, Microsoft Azure or Google GCE. Our Axway Mesh Agents do the rest to connect this cluster to AMPLIFY Central.
Q: What if I already have a service mesh—can I connect that up to AMPLIFY?
A: Yes and no. If you have a public version of Istio, you should be able to follow our steps described here and skip the Istio deployment step but still add our mesh agents to your cluster to connect it back to your AMPLIFY Central account.
- Keep in mind you have to tell Istio/Envoy what to do so policies are correctly applied. So, while we can interoperate with an existing (and compliant) Istio layer, we (via the AMPLIFY control and configuration plane added by our Mesh Agents) need to be the only control plane telling the mesh environment what to do.
Q: How do I get a service mesh set up? What if I need more help building or accessing a hybrid environment to use?
A: Follow our instructions to build your own and connect it up; they are here: AMPLIFY Central Mesh Governance feature. And learn more about how Mesh Governance is a key part of AMPLIFY here: Learn about AMPLIFY and HIP.
Q: What about OpenShift or Microsoft Azure support? What about… ?
A: The reason we are in Public Beta is to gather some additional feedback from our customer base about what Kubernetes container layer(s) they would like us to support and to validate our approach to policy assignment and management.
- What we have built for the beta is very generic and can be deployed to many existing Kubernetes stacks, but we have not taken the time and effort to fully validate and performance-test them all.
- We can use your help and feedback, and a future poll will be coming to gauge the need to support other Kubernetes container stacks.