A New Way of Thinking
NATS 2.0 and Connectivity
Derek Collison / @derekcollison
Founder and CEO at Synadia
๏ Creator of NATS
๏ Founder and Former CEO at Apcera
๏ CTO, Chief Architect at VMware
๏ Architected CloudFoundry
๏ Technical Director at Google
๏ SVP and Chief Architect at TIBCO
A New Way of Thinking | NATS 2.0 & Connectivity
Connected Economy
Connectivity - What we Need
Developing and deploying applications that communicate in distributed
systems can be complex, difficult and costly. A communication
infrastructure should provide features to make this easier including:
● Multiple messaging patterns bundled into one technology
○ Streams and Services
● Location transparency
● Transparent scalability and disaster recovery
● Decoupled producers and consumers
● Synchronous & Asynchronous communications
● Extensible and Open by default
Why is messaging important?
NATS is a simple and secure, production-proven messaging
technology for modern distributed systems.
● Scalable Services and Streams
● Easy to use for developers and operators
● Highly Resilient
● Highly Secure
● Extremely lightweight and performant
● Client support for 32+ programming languages
● A CNCF project with Kubernetes and Prometheus integrations
● Originally built to power CloudFoundry. Mature ~10yrs old.
● Applicable in the Cloud, On-Premise, Edge and IoT.
What is NATS?
● Subject-Based routing, not IP
● Message based, not packet or byte streams
● Scalable Services and Streams, same technology
● Natively does N:M with queue delivery. Not just 1:1
● Secure and Isolated, decentralized by design
● Secure Sharing: Exports and Imports of Services and Streams
● Self Healing and Observable
● Capable of being a federated global utility - a Dial Tone
What is NATS?
NATS is an always available
dial tone to connect everything
CNCF Landscape
Joined CNCF as
an incubation
project in 2018
https://landscape.cncf.io
Growing Community: NATS End Users
NATS 2.0
● NATS 2.0 is the largest feature release since the original code.
○ Backward Client compatibility
● Created to allow a new way of thinking about NATS as a secure
shared utility, globally through NGS, within an enterprise, or both.
● NATS now solves problems at scale through distributed security,
multi-tenancy, larger networks, and secure sharing of data.
NATS 2.0 allows new ways of architecting distributed systems,
service meshes and event/data streams.
NATS 2.0 Release
https://nats-io.github.io/docs/whats_new/whats_new_20.html
NATS v2
Released on Monday (June 10th, 2019)
Biggest release of the project since it started.
Secure Multi-Tenancy
(Accounts)
● Accounts are securely isolated communication contexts that allow multi-tenancy.
● Separate the technology from business-driven use cases
○ Data silos are created by design, not by software limitations
● Securely share data between accounts
○ Secure Streams and Services
○ Mutual agreement permits data flow across account boundaries
● Easy, Secure and Cost Effective
○ One NATS deployment for operators to manage
○ Decentralized - Organizations can self-manage
Accounts - Containers for Messaging
A service definition is a secure RPC endpoint
● Export a service to allow other accounts to import it
● Import a service to allow requests to be sent securely and seamlessly to
another account
● Use cases include most business applications, a certificate generation service,
a secure vault, location-aware services
Stream definitions allow data flow between accounts
● Export a stream to allow egress
● Import a stream to allow ingress
● Use cases include observability, metrics, data analytics, etc.
...All with zero client configuration or API changes
Services and Streams
The system account publishes system messages under established
subject patterns.
Server initiated events:
● $SYS.ACCOUNT.<id>.CONNECT (client connects)
● $SYS.ACCOUNT.<id>.DISCONNECT (client disconnects)
● $SYS.SERVER.ACCOUNT.<id>.CONNS (account connections status)
● $SYS.SERVER.<id>.CLIENT.AUTH.ERR (authentication error)
● $SYS.ACCOUNT.<id>.LEAFNODE.CONNECT (leaf node connects)
● $SYS.ACCOUNT.<id>.LEAFNODE.DISCONNECT (leaf node disconnects)
● $SYS.SERVER.<id>.STATSZ (stats summary)
System Account
In addition, tools with system account privileges can initiate requests:
● $SYS.REQ.SERVER.<id>.STATSZ (request server stat summary)
● $SYS.REQ.SERVER.PING (discover all servers and metrics)
Account servers publish a message when a claim is updated:
● $SYS.ACCOUNT.<id>.CLAIMS.UPDATE
With these few messages you can build useful monitoring and anomaly
detection tools.
System Account - Continued
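A worked example of the "monitoring and anomaly detection tools" the slide has in mind, added here and not code from the deck or from the NATS project: a small Go program that applies NATS subject wildcard rules (`*` matches one token, a trailing `>` matches one or more) to a constructed stream of system-account events and flags servers whose $SYS.SERVER.<id>.CLIENT.AUTH.ERR rate bursts, a cheap indicator of credential stuffing or a misconfigured client in a loop. The server IDs (NA1, NB2), the account ID (AACC1), the timestamps and the thresholds are constructed; real system events also carry a JSON payload with client details, which this example ignores. The same wildcard rules are what the server applies when evaluating subject permissions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// matchSubject applies NATS subject matching: tokens are separated by '.',
// '*' matches exactly one token and a trailing '>' matches one or more tokens.
func matchSubject(pattern, subject string) bool {
	p, s := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return len(s) > i
		}
		if i >= len(s) || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(p) == len(s)
}

// sysEvent is a constructed stand-in for a message on the system account:
// only the subject is used here; real events carry a JSON payload as well.
type sysEvent struct {
	At      int64 // unix seconds
	Subject string
}

// countMatching counts events whose subject matches pattern, keyed by the
// token at position idx (e.g. the <id> in $SYS.ACCOUNT.<id>.CONNECT).
func countMatching(events []sysEvent, pattern string, idx int) map[string]int {
	out := map[string]int{}
	for _, e := range events {
		if matchSubject(pattern, e.Subject) {
			out[strings.Split(e.Subject, ".")[idx]]++
		}
	}
	return out
}

// authErrorBursts flags servers that reported more than limit
// $SYS.SERVER.<id>.CLIENT.AUTH.ERR events inside any span of `window` seconds
// (sliding window over the sorted timestamps of each server).
func authErrorBursts(events []sysEvent, window int64, limit int) []string {
	times := map[string][]int64{}
	for _, e := range events {
		if matchSubject("$SYS.SERVER.*.CLIENT.AUTH.ERR", e.Subject) {
			id := strings.Split(e.Subject, ".")[2]
			times[id] = append(times[id], e.At)
		}
	}
	var flagged []string
	for id, ts := range times {
		sort.Slice(ts, func(i, j int) bool { return ts[i] < ts[j] })
		for lo, hi := 0, 0; hi < len(ts); hi++ {
			for ts[hi]-ts[lo] > window {
				lo++
			}
			if hi-lo+1 > limit {
				flagged = append(flagged, id)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// sampleEvents is constructed data: server NB2 sees a burst of auth failures,
// NA1 sees two stray ones, and account AACC1 has ordinary connect churn.
func sampleEvents() []sysEvent {
	ev := []sysEvent{
		{At: 1000, Subject: "$SYS.ACCOUNT.AACC1.CONNECT"},
		{At: 1005, Subject: "$SYS.ACCOUNT.AACC1.CONNECT"},
		{At: 1090, Subject: "$SYS.ACCOUNT.AACC1.DISCONNECT"},
		{At: 1010, Subject: "$SYS.SERVER.NA1.CLIENT.AUTH.ERR"},
		{At: 1900, Subject: "$SYS.SERVER.NA1.CLIENT.AUTH.ERR"},
		{At: 1200, Subject: "$SYS.SERVER.NB2.STATSZ"},
	}
	for i := int64(0); i < 6; i++ {
		ev = append(ev, sysEvent{At: 1300 + i*2, Subject: "$SYS.SERVER.NB2.CLIENT.AUTH.ERR"})
	}
	return ev
}

func main() {
	ev := sampleEvents()
	fmt.Println("connects per account:", countMatching(ev, "$SYS.ACCOUNT.*.CONNECT", 2))
	fmt.Println("auth errors per server:", countMatching(ev, "$SYS.SERVER.*.CLIENT.AUTH.ERR", 2))
	fmt.Println("servers under auth-failure burst:", authErrorBursts(ev, 60, 5))
}
```

In a real deployment the event feed comes from a subscription to `$SYS.>` made with system-account credentials; keep those credentials on the monitoring tool only, since anything holding them can also issue the `$SYS.REQ.*` requests listed above.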
Global Deployments
● Client and server connections reconnect automatically
● Auto-Discovery automatically exchanges server topology
■ Server ⇆ Server
■ Server → Client
○ Zero configuration changes, zero downtime
○ Dynamic and entirely transparent to applications
● Clients can failover to new servers that weren’t originally configured
● NATS server clusters dynamically adjust to new or removed servers
○ Used for rolling upgrades and scaling (up or down).
● NATS is deployment, cloud and geo agnostic.
Low Touch Operations - NATS Self-Healing
Superclusters
Create clusters of clusters to create a truly global NATS network
● Novel spline based technology
● Optimistic sends with interest graph pruning
● Transparent, intelligent support for geo-distributed queue subscribers
Clusters of Clusters
Diagram: three clusters (US-East, US-West, EU-West), each of three NATS servers, joined into one supercluster.
Leaf Nodes
● Leaf nodes allow hub and spoke topologies to extend superclusters.
● Leaf nodes allow you to bridge separate security domains. e.g. IoT,
mobile, POS, Web.
● Ideal for edge computing, IoT hubs, or data centers that need to be
connected to a global, regional, or national NATS deployment.
● Transparently bridge on-premise and cloud or edge deployments.
● Have your cake and eat it too!
Leaf Nodes
Leaf Nodes
Diagram: a NATS supercluster with leaf nodes attached; each leaf node fronts either devices directly or local NATS servers with their clients.
Disaster Recovery with Geo-Aware, Scalable and Observable Services
Geo-Aware Services
Diagram: US-East and EU-West clusters; sensors connect through a leaf node; a primary alert service queue subscriber in one region and a backup alert service queue subscriber in the other.
Geo-Aware Services - Flow
Diagram: same topology, showing sensor traffic flowing to the primary alert service queue subscriber.
Geo-Aware Services - Failure
Diagram: same topology with the primary alert service failed; only backup alert service queue subscribers remain.
Geo-Aware Services - Remote Routing
Diagram: same topology, showing sensor traffic routed to the backup alert service queue subscriber in the remote region.
Decentralized Security
● Full TLS Support: CA certificates, bidirectional support, default to most
secure ciphers.
○ Support for DN or SAN in certificates for NATS user identity
● Support for standard user/password auth
● Permissions restrict who can send and receive on what subjects
● Change these through configuration reload at runtime with zero downtime.
● Operator Mode - NATS >= 2.0
NATS Security Today
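As an added illustration of the settings listed above (constructed for this page, not a configuration shipped with NATS): a nats-server configuration fragment that turns on TLS with client certificate verification, maps the certificate DN to a NATS user and scopes that user's publish and subscribe rights to specific subjects. The file paths, the DN and the subjects are assumptions. In operator mode (NATS 2.0) the `authorization` users list is replaced by `operator` and `resolver` settings and the permissions live in the user JWT instead.

```conf
# TLS-only listener. The weak form this replaces is a plaintext listener with a
# single shared user/password and no subject restrictions.
port: 4222

tls {
  cert_file: "./certs/server.pem"       # paths are assumptions
  key_file:  "./certs/server-key.pem"
  ca_file:   "./certs/ca.pem"
  verify_and_map: true                  # require a client certificate and use its
                                        # DN or SAN as the NATS user identity
}

authorization {
  users = [
    {
      # Subject DN of the client certificate (constructed); the string must match
      # the DN the server derives from the certificate exactly.
      user: "CN=provisioning,OU=Microservices-1,O=Example"
      permissions: {
        publish:   { allow: ["svc.control.>"] }   # may only call the control service
        subscribe: { allow: ["_INBOX.>"] }        # and receive request replies
      }
    }
  ]
}
```

Because the slide notes that these settings are applied through configuration reload, a permission change takes effect without restarting the server; check the server log after the reload to confirm the new permissions were accepted rather than rejected for a syntax error.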
NATS 2.0 Security consists of defining Operators, Accounts, and Users within a
NATS deployment.
● Operator: Root of trust for the system, e.g. An Enterprise operator.
○ Create Accounts for account administrators. An account represents an
organization with a secure context within the NATS deployment, for example
a VAS system, an IT system monitoring group, a set of microservices, etc.
Account creation would likely be managed by a central group.
● Accounts define limits and may securely export and import services and
streams
○ Account managers create and manage Users with permissions
● Users have specific credentials and permissions.
Operator Mode - Decentralized
PKI (NKeys - encoded Ed25519) and signed JWTs create a hierarchy of Operators,
Accounts, and Users, giving a scalable and flexible distributed security mechanism.
● An Operator is represented by a self-signed JWT, and that JWT is the only thing that
is required to be configured in the server.
○ Operators sign Account JWTs with various signing keys.
○ Accounts sign User JWTs, again with various signing keys.
● Clients or leaf nodes present User credentials and a signed nonce when
connecting.
○ The server uses resolvers to obtain JWTs and verify the client trust chain.
This allows permissions, authentication, limits, etc. to be changed rapidly in a secure
multi-tenant NATS system.
Decentralized Security Management
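To make the trust chain concrete, here is an added Go example (written for this page, not code from the deck or from the nats-io nkeys and jwt libraries). It encodes Ed25519 public keys in the public NKey format (prefix byte, raw key, CRC-16/XMODEM, base32 without padding, which is why the IDs on the following slides start with O, A and U and are 56 characters long), signs a minimal JWS-style token, and performs the server-side check described above: a configured operator key, an account JWT obtained through a resolver, a user JWT presented by the client, and a signature over the server's nonce. The claim set is deliberately reduced (no limits, permissions, exports or imports), the resolver is a map, signing keys are folded into the identity keys, and the account and user names and the nonce are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// NKey prefix bytes. The top five bits become the first base32 letter, which is
// why operator IDs start with O, account IDs with A and user IDs with U.
const (
	prefixOperator byte = 14 << 3
	prefixAccount  byte = 0
	prefixUser     byte = 20 << 3
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)
var b64 = base64.RawURLEncoding

// crc16 is CRC-16/XMODEM (poly 0x1021, init 0), the checksum nkeys appends.
func crc16(data []byte) (crc uint16) {
	for _, b := range data {
		crc ^= uint16(b) << 8
		for i := 0; i < 8; i++ {
			crc = crc<<1 ^ 0x1021&-(crc>>15) // xor in the polynomial when the top bit was set
		}
	}
	return
}

// encodeNKey renders base32(prefix || raw public key || CRC16 little endian), no padding.
func encodeNKey(prefix byte, pub ed25519.PublicKey) string {
	raw := append([]byte{prefix}, pub...)
	crc := crc16(raw)
	return b32.EncodeToString(append(raw, byte(crc), byte(crc>>8)))
}

// decodeNKey checks length, expected prefix and checksum before returning the raw key.
func decodeNKey(prefix byte, s string) (ed25519.PublicKey, error) {
	raw, err := b32.DecodeString(s)
	if err != nil || len(raw) != 1+ed25519.PublicKeySize+2 || raw[0] != prefix {
		return nil, errors.New("malformed nkey or unexpected prefix")
	}
	body, tail := raw[:len(raw)-2], raw[len(raw)-2:]
	if crc16(body) != uint16(tail[0])|uint16(tail[1])<<8 {
		return nil, errors.New("nkey checksum mismatch")
	}
	return ed25519.PublicKey(body[1:]), nil
}

// claims is a deliberately minimal claim set constructed for this example; real
// NATS JWTs also carry a "nats" section with limits, permissions, imports and exports.
type claims struct {
	Iss  string `json:"iss"` // public NKey of the signer
	Sub  string `json:"sub"` // public NKey of the entity described
	Name string `json:"name"`
}

// signJWT produces header.claims.signature with an Ed25519 signature over "header.claims".
func signJWT(c claims, key ed25519.PrivateKey) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"typ":"jwt","alg":"ed25519"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(key, []byte(input)))
}

// verifyJWT checks the signature with the key named in "iss", which must carry the
// expected prefix. The header's alg is ignored on purpose: only Ed25519 is ever
// accepted, so there is no algorithm-confusion path.
func verifyJWT(tok string, issuerPrefix byte) (claims, error) {
	var c claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed jwt")
	}
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("malformed jwt claims")
	}
	pub, err := decodeNKey(issuerPrefix, c.Iss)
	if err != nil {
		return c, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad jwt signature")
	}
	return c, nil
}

// authorize is the server side: only the operator's public key is configured, the
// account JWT comes from a resolver (a map here) and the client presents its user
// JWT plus a signature over the nonce the server handed out at connect time.
func authorize(trustedOperator string, resolver map[string]string, userJWT string, nonce, nonceSig []byte) (claims, error) {
	user, err := verifyJWT(userJWT, prefixAccount) // users are issued by accounts
	if err != nil {
		return user, err
	}
	acc, err := verifyJWT(resolver[user.Iss], prefixOperator) // accounts by operators
	if err != nil || acc.Sub != user.Iss || acc.Iss != trustedOperator {
		return user, errors.New("account not issued by the trusted operator")
	}
	userPub, err := decodeNKey(prefixUser, user.Sub)
	if err != nil || !ed25519.Verify(userPub, nonce, nonceSig) {
		return user, errors.New("nonce signature invalid")
	}
	return user, nil
}

// newIdentity generates a key pair and returns its public NKey and private key.
func newIdentity(prefix byte) (string, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return encodeNKey(prefix, pub), priv
}

func main() {
	opID, opKey := newIdentity(prefixOperator)
	acID, acKey := newIdentity(prefixAccount)
	usID, usKey := newIdentity(prefixUser)
	resolver := map[string]string{acID: signJWT(claims{Iss: opID, Sub: acID, Name: "Microservices-1"}, opKey)}
	userJWT := signJWT(claims{Iss: acID, Sub: usID, Name: "ProvisioningService"}, acKey)
	nonce := []byte("constructed-server-nonce")
	u, err := authorize(opID, resolver, userJWT, nonce, ed25519.Sign(usKey, nonce))
	fmt.Println(u.Name, err)
}
```

The two checks worth noticing are the ones that make the scheme decentralized: the server never sees an account or user private key, and an account JWT whose issuer is not the configured operator is rejected no matter how well-formed its users are, so a tenant can mint users freely without being able to mint tenants.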
╭────────────────────────────────────────────────────────────────────────╮
│ Operator Details │
├─────────────┬──────────────────────────────────────────────────────────┤
│ Name │ Synadia │
│ Operator ID │ OCDFJINL65FTXNLUB3GODXY3MTCOUFJWC23HONKXNGLZ4SCQRBSFWECQ │
│ Issuer ID │ OCDFJINL65FTXNLUB3GODXY3MTCOUFJWC23HONKXNGLZ4SCQRBSFWECQ │
│ Issued │ 2019-05-13 16:17:29 UTC │
│ Expires │ │
╰─────────────┴──────────────────────────────────────────────────────────╯
Operator JWT
╭──────────────────────────────────────────────────────────────────────────────────────╮
│ Account Details │
├───────────────────────────┬──────────────────────────────────────────────────────────┤
│ Name │ Microservices-1 │
│ Account ID │ AAHC5D6GVMRI753MOVEIEV2LVR3C7GUCYLAOHQH5DL5V7M6CXSYGWZRK │
│ Issuer ID │ OCDFJINL65FTXNLUB3GODXY3MTCOUFJWC23HONKXNGLZ4SCQRBSFWECQ │
│ Issued │ 2019-05-14 01:21:19 UTC │
│ Expires │ │
├───────────────────────────┼──────────────────────────────────────────────────────────┤
│ Max Connections │ Unlimited │
│ Max Leaf Node Connections │ Unlimited │
│ Max Data │ Unlimited │
│ Max Exports │ Unlimited │
│ Max Imports │ Unlimited │
│ Max Msg Payload │ Unlimited │
│ Max Subscriptions │ Unlimited │
│ Exports Allows Wildcards │ True │
├───────────────────────────┼──────────────────────────────────────────────────────────┤
│ Exports │ None │
╰───────────────────────────┴──────────────────────────────────────────────────────────╯
╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Imports │
├───────────────┬─────────┬─────────────────┬─────────────────┬─────────┬──────────────────────────────────────────────────────────┬────────┤
│ Name │ Type │ Remote │ Local │ Expires │ From Account │ Public │
├───────────────┼─────────┼─────────────────┼─────────────────┼─────────┼──────────────────────────────────────────────────────────┼────────┤
│ SvcControl │ Service │ svc.control │ svc.control.1 │ │ ACOAYG5E4EWOE3VJ26RTQFD3QNOL2JA5EMEWHVM5RDKHYQAOEAIO35PS │ Yes │
╰───────────────┴─────────┴─────────────────┴─────────────────┴─────────┴──────────────────────────────────────────────────────────┴────────╯
Account JWT
╭────────────────────────────────────────────────────────────────────────────╮
│ User │
├─────────────────┬──────────────────────────────────────────────────────────┤
│ Name │ ProvisioningService │
│ User ID │ UCLEREN55TYVHT3UC25YEC6XJR3TYZB35FJOGTFOACA5NRDRX3LTULUR │
│ Issuer ID │ AAHC5D6GVMRI753MOVEIEV2LVR3C7GUCYLAOHQH5DL5V7M6CXSYGWZRK │
│ Issued │ 2019-05-13 16:21:33 UTC │
│ Expires │ │
├─────────────────┼──────────────────────────────────────────────────────────┤
│ Max Messages │ Unlimited │
│ Max Msg Payload │ Unlimited │
│ Network Src │ Any │
│ Time │ Any │
╰─────────────────┴──────────────────────────────────────────────────────────╯
User JWT
Documentation
● https://nats-io.github.io/docs/
All New Documentation
Ecosystem
NATS on Docker ~85M Combined Downloads!
Roadmap 2019-2020
Our roadmap represents coming features lined up for the future of NATS. We are excited to bring these advances to the NATS
community and look forward to your valuable input. Please contact us at info@nats.io or join our Slack channel with any
questions, comments, or requests.
Thanks!
github.com/nats-io / @nats_io
https://nats.io
