What you need to know about the cloud native architecture system

The concept of cloud native is mentioned more and more in China, but most people's understanding of it is limited to containers, microservices, DevOps and similar topics, and equating containers, microservices and DevOps with cloud native is clearly wrong. CNCF defines cloud native technology from its own perspective: cloud native technologies enable enterprises to build and run scalable applications in modern dynamic environments such as public, private and hybrid clouds, and include containers, service meshes, microservices, immutable infrastructure, declarative APIs and so on. These technologies make systems loosely coupled, resilient, manageable and observable, and combined with automation they allow frequent, predictable, high-impact changes with minimal effort.


Cloud computing provides agile, self-service, immutable infrastructure, and moving business applications to the cloud is gradually becoming a consensus. However, going directly to the cloud without reconstructing the application around a cloud-native architecture may be dangerous: a traditional business application architecture cannot scale elastically or respond with agility on the cloud, and cannot effectively use the characteristics of cloud computing to empower the enterprise. Therefore, a traditional business system may need to be split and reconstructed into distributed microservices, deployed and run on a container cloud platform, managed with DevOps ideas, and delivered with continuously improving efficiency through CI, CD and similar practices, so that the application has the characteristics of the cloud from the beginning and is born for the cloud. The goal is to make full use of the distributed, elastic-scaling characteristics of cloud computing so that the application meets or adapts to the requirements of deployment and operation on the cloud, or is created directly with cloud ideas, methods and tools and is inherently cloud-like. Cloud native can therefore be regarded as a methodology and technical system for building and running cloud applications on the cloud: cloud native technology and methodology are used to build, run and manage cloud applications.

Matt Stine published the book "Migrating to Cloud Native Architecture" in 2015 and defined the characteristics of cloud native architecture: 12-factor applications, microservices, self-service agile infrastructure, API-based collaboration, antifragility, etc. There is no clear definition of the content of the cloud native system, but it is generally believed that the cloud native technology system and methodology include microservices, containers, DevOps, continuous delivery, service mesh, immutable infrastructure, declarative APIs, chaos engineering, security, and a mobile-based customer experience.


Twelve-factor applications provide principled guidance for the design of cloud native applications; the microservice architecture provides solutions for cloud native application architecture design, distributed deployment, agile change, etc.; containers provide elastic scaling, environment consistency and other capabilities for cloud native applications and, combined with microservices, support on-demand application expansion; self-service agile infrastructure provides infrastructure resources and other guarantees for the continuous delivery of cloud native applications, and can work with the containerized PaaS platform to support automated elastic scaling, visual monitoring, automated and intelligent operation and maintenance, etc., so that users do not need to pay attention to infrastructure resources, do not need to operate and maintain them, and do not need to care where applications are deployed; the service mesh supports the management and governance of services; chaos engineering continuously strengthens the resilience and stability of the system; DevOps optimizes collaboration between organizations, reconciles each side's concerns, guides the implementation of CI/CD and continuous delivery, and realizes full life cycle management of applications; declarative APIs realize the standardized release of services and the coordination and collaboration between services; security involves every aspect of the cloud native architecture system, such as DevOps security (DevSecOps), container image security, network security, application security, API security, authentication and authorization, access control, etc.; together, all these technologies, methods and principles satisfy customer needs anytime and anywhere, simplify customer operations and improve the customer experience.

Based on the study and understanding of the cloud native architecture system, the author feels that a relatively complete cloud native architecture system includes the following content, summarized in the figure of the original post and described in the sections below:


With the development of mobile communication technology and the popularity of mobile devices, significant changes have taken place in the way people work, live, socialize, and invest. At present, people can basically meet their needs anytime and anywhere through mobile phones. Users may access industry application systems at different times (7x24), through different terminals, different operating systems, different versions, and from different places. This requires not only convenient operation and friendly interaction in the app client, but also that back-end services and systems respond quickly. The quality of the mobile app experience may directly determine whether a user keeps using it. In the era of the mobile Internet, users' mobile experience needs are a key driver of application design.

The 12 factors of cloud applications describe a cloud application prototype: a design principle and methodology for cloud applications (independently deployable units). They focus on speed, security, and scalability by emphasizing declarative configuration, horizontally scalable stateless/shared-nothing processes, and overall loose coupling to the deployment environment. In "Beyond the 12-factor App", Kevin Hoffman re-describes and expands the 12 factors of cloud native applications and adds three factors: API first, telemetry, and authentication and authorization. The newly added factors incorporate API collaboration, visual monitoring, security and related content, and give more complete guidance for the design of cloud native applications.
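The configuration factor ("store config in the environment") is the one most often violated in practice, usually by hard-coded defaults for secrets. The following loader is an added example, not code from the original post: it builds an immutable config object strictly from environment variables, fails fast on missing or malformed values, and keeps the secret out of log output and tracebacks. The variable names (DATABASE_URL, SERVICE_TOKEN, PORT, LOG_LEVEL, OTEL_EXPORTER_OTLP_ENDPOINT) are assumptions chosen for the example; the telemetry and token fields nod to Hoffman's added factors.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Backing-service and secret settings get no built-in default: absence is an error.
REQUIRED = ("DATABASE_URL", "SERVICE_TOKEN")


@dataclass(frozen=True)
class AppConfig:
    database_url: str
    service_token: str = field(repr=False)  # excluded from repr(), so never logged by accident
    port: int = 8080
    telemetry_endpoint: Optional[str] = None
    log_level: str = "INFO"

    def redacted(self) -> dict:
        """Safe view for a startup log line: credentials masked, nothing else hidden."""
        return {
            "database_url": _mask_url(self.database_url),
            "service_token": "***",
            "port": self.port,
            "telemetry_endpoint": self.telemetry_endpoint,
            "log_level": self.log_level,
        }


def _mask_url(url: str) -> str:
    """Hide credentials embedded in scheme://user:pass@host/path style URLs."""
    if "://" in url and "@" in url:
        scheme, rest = url.split("://", 1)
        _creds, hostpart = rest.rsplit("@", 1)
        return f"{scheme}://***@{hostpart}"
    return url


def load_config(env: Optional[Dict[str, str]] = None) -> AppConfig:
    """Build AppConfig from the environment (or a supplied mapping); fail fast on problems."""
    env = dict(os.environ) if env is None else env
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing required config: {', '.join(missing)}")
    try:
        port = int(env.get("PORT", "8080"))
    except ValueError as exc:
        raise RuntimeError(f"PORT must be an integer, got {env['PORT']!r}") from exc
    if not 1 <= port <= 65535:
        raise RuntimeError(f"PORT out of range: {port}")
    level = env.get("LOG_LEVEL", "INFO").upper()
    if level not in {"DEBUG", "INFO", "WARNING", "ERROR"}:
        raise RuntimeError(f"unsupported LOG_LEVEL: {level}")
    return AppConfig(
        database_url=env["DATABASE_URL"],
        service_token=env["SERVICE_TOKEN"],
        port=port,
        telemetry_endpoint=env.get("OTEL_EXPORTER_OTLP_ENDPOINT") or None,
        log_level=level,
    )


if __name__ == "__main__":
    # Constructed sample environment for a local run; a real deployment injects these values.
    sample = {
        "DATABASE_URL": "postgres://app:s3cret@db.internal:5432/orders",
        "SERVICE_TOKEN": "tok-example",
        "PORT": "9090",
    }
    print(load_config(sample).redacted())
```

The same process image then runs unchanged in every environment; only the injected variables differ, which is what makes the stateless process horizontally scalable and the deployment reproducible.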

Microservice architecture is a distributed application architecture method that splits a monolithic application into a number of independently deployable services, each with a single capability; these are the microservices. Usually a microservice represents one business capability, or the smallest "atomic" service unit that provides business value. It solves the problem that tightly coupled monolithic systems are difficult to change and update, and achieves lightweight, agile change.


The essence of the middle platform is also an architectural method, the core of which is reuse. The middle platform has always been regarded as an enterprise architecture, and the granularity of reuse has not been clearly discussed, so there are no clear methods and standards for its implementation. From the perspective of application architecture, there is no essential difference between the middle platform and the front-end, middle-end, and back-end layering of an application, and it is not a new architectural approach. The microservice decomposition architecture decomposes the system horizontally, and the middle-platform layered architecture layers the system vertically, thereby realizing the reuse and sharing of microservices at different levels. From a single application system to all enterprise systems, this can eventually be integrated into a hierarchically decomposed enterprise-level system. This is the "system integration" idea that the author has been mentioning.

Containers are a lightweight operating-system-level virtualization technology that provides isolation at the process level and a consistent operating environment for a single application; each application and its environment run in an isolated environment. The characteristics of containers fit well with the microservice architecture, so microservices are usually deployed in containers to achieve agile deployment, automated elastic scaling, environment consistency and similar capabilities. However, containers are still relatively low-level operating units, and managing and governing a large number of containers is a difficult problem.

Kubernetes (also known as K8s) is an open source container management and scheduling framework for automating the deployment, scaling, and management of containerized applications. It groups the containers that make up an application into logical units for easier management and discovery. The container cloud platform is an application management, deployment and operation platform built on containers and container management and scheduling technology to support the container application management and governance capabilities of different tenants. On top of the container cloud, logs, monitoring, authentication, permissions, configuration, middleware, tool platforms, and algorithms are deployed and maintained in a unified manner to provide enterprise-level platform service capabilities, build a lightweight PaaS platform, and, combined with automation and intelligence, realize self-service, agile-response infrastructure capabilities.


The core of cloud native is the cloud native application. The self-service, agile-response infrastructure supports the automated environment preparation, build, deployment, monitoring, feedback, health checking, fault self-healing, resource scheduling, elastic scaling, dynamic routing and load balancing of cloud native applications, and realizes an autonomous service platform. The deployment and operation of cloud native applications automates configuration management and makes infrastructure resources transparent, so nobody needs to care where an application is running; the eventual integration of IaaS and PaaS provides a smoother, more consistent experience; the enterprise can use infrastructure resource management (a multi-cloud management platform) to manage heterogeneous resources and provide unified resource services; and the result is continuous delivery with improved availability, scalability, and manageability.

DevOps is a concept and methodology that aims to coordinate and streamline the concerns of development and operations teams and improve collaboration efficiency. DevOps aims to integrate development and operations, and to achieve full life cycle management of applications and efficient collaboration between organizations through automation, intelligence and other tools. A platform built on the DevOps methodology and concepts is also called a DevOps platform; it usually uses automated pipelines to provide continuous integration (CI), continuous delivery (CD) and other capabilities. Google SRE is a specific practice of DevOps, which applies systems engineering ideas to software engineering problems and makes operations automated and intelligent. Operations personnel should spend no less than 50% of their time on the research and development of operations tools, allowing R&D personnel to focus on business applications. Google SRE uses error budgets to coordinate the concerns of R&D and operations: once the error budget is exhausted, operations rejects the release and deployment of business applications, so that R&D must focus on the stability and robustness of the business applications.
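The error-budget mechanism described above is easy to state but worth seeing as a concrete calculation. The block below is an added example, not the original post's code and not Google's tooling: it derives the budget from an availability SLO over a request window, records the failures consumed by incidents, computes a burn rate for alerting, and implements the release gate that refuses deployments once the budget is gone (or, optionally, once it drops below a freeze threshold). The SLO target, window size and incident figures are constructed sample numbers.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Slo:
    target: float          # e.g. 0.999 means 99.9% of requests must succeed
    window_requests: int   # total requests served in the rolling SLO window

    @property
    def budget_failures(self) -> float:
        """How many failed requests the SLO tolerates across the whole window."""
        return (1.0 - self.target) * self.window_requests


@dataclass
class ErrorBudget:
    slo: Slo
    failed_requests: int = 0   # failures consumed so far in the window

    def consume(self, failures: int) -> None:
        """Charge an incident's failed requests against the budget."""
        if failures < 0:
            raise ValueError("failures must be non-negative")
        self.failed_requests += failures

    @property
    def remaining(self) -> float:
        return self.slo.budget_failures - self.failed_requests

    @property
    def remaining_fraction(self) -> float:
        """Share of the budget still unspent, clamped at zero once exhausted."""
        return max(0.0, self.remaining / self.slo.budget_failures)


def burn_rate(failures_observed: int, slo: Slo, window_hours: float, observed_hours: float) -> float:
    """Ratio of actual failure rate to the rate that would exactly exhaust the budget.

    A burn rate of 1.0 spends the budget precisely at the end of the window;
    14.4 over one hour is a common page-worthy threshold for a 30-day window.
    """
    allowed_in_period = slo.budget_failures * (observed_hours / window_hours)
    return failures_observed / allowed_in_period


def release_gate(budget: ErrorBudget, freeze_below: float = 0.0) -> Tuple[bool, str]:
    """Decide whether a deployment may proceed; returns (allowed, reason).

    With the budget exhausted, operations rejects the release so engineering
    effort goes to stability. freeze_below adds an earlier, softer freeze.
    """
    if budget.remaining <= 0:
        return False, (f"error budget exhausted: {budget.failed_requests} failures "
                       f"vs {budget.slo.budget_failures:.0f} allowed")
    frac = budget.remaining_fraction
    if frac < freeze_below:
        return False, f"only {frac:.0%} of error budget left, below freeze threshold {freeze_below:.0%}"
    return True, f"{frac:.0%} of error budget remaining"


if __name__ == "__main__":
    # Constructed scenario: 99.9% availability SLO over a 30-day window of 2,000,000 requests.
    slo = Slo(target=0.999, window_requests=2_000_000)   # budget = 2000 failed requests
    budget = ErrorBudget(slo)
    budget.consume(800)    # incident A
    budget.consume(900)    # incident B
    print(release_gate(budget, freeze_below=0.2))
    print("1h burn rate with 40 failures:", round(burn_rate(40, slo, 720, 1), 1))
    budget.consume(400)    # incident C pushes the budget negative
    print(release_gate(budget))
```

The gate is deliberately a pure function of the budget state so it can sit in a CI/CD pipeline stage; the pipeline reads the current budget from the monitoring system and blocks the deploy job when `release_gate` returns `False`.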

Service mesh realizes the management and governance of the east-west traffic between microservices, as distinct from the API gateway's management and governance of north-south traffic. It is usually used in container environments, where a sidecar proxy provides traffic management, observability and security capabilities. The overall architecture of a service mesh consists of traffic proxy components and management components. The proxy component is called the data plane; it directly handles inbound and outbound packets: forwarding, routing, health checks, load balancing, authentication, authorization, generation of monitoring data, etc. The management component is called the control plane and is responsible for communicating with the proxies and distributing policies and configuration. The author has been tracking the development of service mesh but has not adopted it. The reason is that on the one hand I feel it is not mature enough, and on the other hand its approach of adding layers introduces latency, which runs contrary to the simple way of solving complex problems that the author recommends.

Antifragility was proposed by Nassim Taleb in the book "Antifragile". The purpose of randomly injecting faults into the production environment is to identify and eliminate defects in the architecture, find weaknesses in the application architecture, and force them to be repaired; the architecture becomes stronger over time, improving its stability, availability, durability, etc. In China this is also called chaos engineering. The China Academy of Information and Communications Technology began organizing research on chaos engineering technology in 2020, proposed applying chaos engineering methods to verify the resilience architecture of cloud native systems, and established a chaos engineering project team. In 2021 the "Chaos Engineering Test Platform Capability" standard outline was released, and the industry standard "Chaos Engineering Platform Capability Requirements" was released.

Interaction between cloud native applications is achieved through published and versioned APIs, usually in the HTTP REST style with JSON serialization. APIs provide a layer of reusable interfaces. At the same time, the API encapsulates the internal details of the business logic, and consumers cannot directly access the internal data of the API service, which also enhances data security to a certain extent.

Security is an integral part of any system, and risks are everywhere. The cloud native architecture system contains a great deal of content, and every component and every service may introduce risks and security issues (therefore components and services should be minimized through "layer reduction", strictly following the principle of "do not use unless necessary"). From the perspective of the cloud native application life cycle, cloud native security can be simply divided into two stages: "design-time security" and "run-time security". Design time focuses on static detection and analysis, such as code analysis and image vulnerability scanning; run time focuses on dynamic and interactive detection, protection and analysis, such as intrusion detection, anti-virus, network micro-segmentation, etc.

Cloud native security can make use of traditional security technologies and methods, such as authentication and authorization, access control, encryption and decryption, compliance checking, static security testing, dynamic security testing, network isolation, etc. The focus is on enhancing cloud native security capabilities through the security mechanisms available. Although we advocate shifting security left and eliminating security risks as far as possible at design time, run-time security is also indispensable: security vulnerabilities may appear at any time, and a cloud native architecture built on microservices and containers also brings more run-time risk points, making security prevention and control even more difficult. It is necessary to continuously improve system visibility, fault isolation and other capabilities in order to improve security management and control. Cloud native security differs from the security domain model of traditional network security; it requires dynamic, automated and intelligent management and control capabilities. In the future, cloud native may gradually realize dynamic network security control through software-defined perimeters, strengthened identity authentication, micro-segmentation and other technologies.
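The design-time stage above ("static detection and analysis") pairs naturally with the declarative API of the Kubernetes section: because a workload is described as a manifest before it runs, its security posture can be checked in the pipeline before anything is deployed. The block below is an added example, not code from the original post or from any Kubernetes project: a small static policy check over a Deployment or Pod manifest (given as a parsed dict) that flags the settings a defender would reject on the "do not use unless necessary" principle, namely node namespace sharing, unpinned images, privileged containers, privilege escalation, root execution, writable root filesystems, unrestricted capabilities and missing resource limits. The two manifests are constructed samples; the image names and registry are placeholders.

```python
from typing import Dict, List, Tuple


def _pod_spec_and_containers(manifest: dict) -> Tuple[dict, List[dict]]:
    """Return the pod spec and all containers for a Pod or a templated workload (Deployment etc.)."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    return pod_spec, pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def _image_tag(image: str) -> str:
    """Tag of an image reference, ignoring a registry port; '' if untagged."""
    last = image.split("/")[-1]
    return last.rsplit(":", 1)[1] if ":" in last else ""


def check_manifest(manifest: dict) -> List[str]:
    """Static (design-time) policy check; returns one finding per violated rule."""
    findings: List[str] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod_spec, containers = _pod_spec_and_containers(manifest)
    pod_sc = pod_spec.get("securityContext", {})

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(flag):
            findings.append(f"{name}: {flag}=true shares a node namespace with the pod")

    for c in containers:
        cname = c.get("name", "<unnamed>")
        image = c.get("image", "")
        sc = c.get("securityContext", {})

        if "@sha256:" not in image and _image_tag(image) in ("", "latest"):
            findings.append(f"{name}/{cname}: image {image!r} is not pinned to a tag or digest")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container disables most isolation")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation should be false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}/{cname}: runAsNonRoot is not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: readOnlyRootFilesystem is not set")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{cname}: drop ALL capabilities and add back only what is required")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}/{cname}: cpu and memory limits are missing")
    return findings


# Constructed sample: the weak manifest a developer might write first.
WEAK_DEPLOYMENT: Dict = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web-weak"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}

# Constructed sample: the same workload hardened to pass every rule above.
HARDENED_DEPLOYMENT: Dict = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web-hardened"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web", "image": "registry.example/web:1.4.2",   # placeholder image
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
}

if __name__ == "__main__":
    for m in (WEAK_DEPLOYMENT, HARDENED_DEPLOYMENT):
        problems = check_manifest(m)
        print(m["metadata"]["name"], "->", "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Run as a CI step (with a YAML parser such as PyYAML feeding `check_manifest`), a non-empty findings list fails the build, which is the concrete form of "shift left": the weakness is rejected while it is still a text file rather than found by run-time intrusion detection.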


Origin blog.csdn.net/2301_76571514/article/details/131948988