
Saturday, 27 January 2024

Decoding the future: unravelling the intricacies of Hybrid Cloud Mesh versus service mesh


Hybrid Cloud Mesh, which is generally available now, is revolutionizing application connectivity across hybrid multicloud environments. Let’s draw a comparison between Hybrid Cloud Mesh and a typical service mesh to better understand the nuances of these essential components in the realm of modern enterprise connectivity. This comparison is worthwhile because both solutions are focused on application-centric connectivity, albeit in different ways.

Before we delve into the comparison, let’s briefly revisit the concept of Hybrid Cloud Mesh and a typical service mesh.


Hybrid Cloud Mesh


Hybrid Cloud Mesh is a modern application-centric connectivity solution that is simple, secure, scalable and seamless. It creates a secure network overlay for applications distributed across cloud, edge and on-prem and holistically tackles the challenges posed by distribution of services across hybrid multicloud. 


Service mesh


A service mesh is a configurable infrastructure layer that manages all connectivity requirements between microservices. It manages service-to-service communication, providing essential functionalities such as service discovery, load balancing, encryption and authentication. 

Language libraries for connectivity have partial and inconsistent implementation of traffic management features and are difficult to maintain and upgrade. A service mesh eliminates such libraries and allows services to focus on their business logic and communicate with other services without adding any connectivity logic in situ. 

Hybrid Cloud Mesh versus service mesh: a comparative analysis 


1. Scope of connectivity

  • Hybrid Cloud Mesh: Goes beyond microservices within a containerized application, extending connectivity to applications regardless of their form factor, deployed across on-premises, public cloud and private cloud infrastructure. Its scope encompasses a broader range of deployment scenarios.
  • Service mesh: Primarily focuses on managing communication between microservices within a containerized environment, although many service meshes have started looking outward, enabling multi-cluster any-to-any connectivity.

2. Multicloud connectivity

  • Hybrid Cloud Mesh: Seamlessly connects applications across hybrid multicloud environments, offering a unified solution for organizations with diverse cloud infrastructures. 
  • Service mesh: Typically designed for applications deployed within a specific cloud or on-premises environment. Many service meshes have expanded scope to multicloud connectivity, but they are not fully optimized for it.  

3. Traffic engineering capabilities

  • Hybrid Cloud Mesh: Utilizes waypoints to support path optimization for cost, latency, bandwidth and others, enhancing application performance and security.
  • Service mesh: No traffic engineering capabilities. Primarily focuses on internal traffic management within the microservices architecture. 

4. Connectivity intent expression

  • Hybrid Cloud Mesh: Allows users to express connectivity intent through the UI or CLI, providing an intuitive, user-friendly experience with minimal learning curve.  
  • Service mesh: Requires users to implement complex communication patterns in the sidecar proxy using configuration files. Service mesh operations entail complexity and demand a substantial learning curve. The expert team responsible for managing the service mesh must consistently invest time and effort to effectively utilize and maintain it. Due to the steep learning curve and the tooling required (such as integration with a CI/CD pipeline or day 0 to day 2 automation), service meshes can be adopted only after customers gain a certain scale to make the investment worthwhile.

5. Management and control plane

  • Hybrid Cloud Mesh: Employs a centralized SaaS-based management and control plane, enhancing ease of use and providing observability. Users interact with the mesh manager through a user-friendly UI or CLI. 
  • Service mesh: Often utilizes decentralized management, with control planes distributed across the microservices, requiring coordination for effective administration. 

6. Integration with gateways

  • Hybrid Cloud Mesh: Integrates with various gateways, promoting adaptability to diverse use cases and future-ready for upcoming gateway technologies. 
  • Service mesh: Primarily relies on sidecar proxies for communication between microservices within the same cluster. Typically, features on the proxy are extended to meet requirements.

7. Application discovery

  • Hybrid Cloud Mesh: Mesh manager continuously discovers and updates multicloud deployment infrastructure, automating the discovery of deployed applications and services. 
  • Service mesh: Typically relies on service registration and discovery mechanisms within the containerized environment. 

8. Dynamic network maintenance

  • Hybrid Cloud Mesh: Automatically adapts to dynamic changes in workload placement or environment, enabling resilient and reliable connectivity at scale without manual intervention. 
  • Service mesh: Usually, the day 2 burden to manage a service mesh connecting applications across multicloud is huge due to the complexity of operations required to manage dynamic infrastructure changes. It requires manual adjustments to accommodate changes in microservices deployed in a multicloud environment. Apart from infrastructure changes, there’s significant effort in keeping it running, such as upgrades, security fixes and others. This takes away a lot of time, and very little time is left for implementing new features.

9. Infrastructure overhead

  • Hybrid Cloud Mesh: Data plane is composed of a limited number of edge-gateways and waypoints.
  • Service mesh: Significant overhead due to the sidecar proxy architecture, which requires one sidecar proxy for every workload.

10. Multitenancy

  • Hybrid Cloud Mesh: Offers robust multitenancy; moreover, subtenants can be created to maintain separation between different departments or verticals within an organization. 
  • Service mesh: May lack the capability to accommodate multitenancy or a subtenant architecture. A few customers may create a separate service mesh per cluster to keep the tenants separate. Hence, they must deploy and manage their own gateways to connect various service meshes.

Take the next step with Hybrid Cloud Mesh


We are excited to showcase a tech preview of Hybrid Cloud Mesh supporting the use of Red Hat® Service Interconnect gateways, simplifying application connectivity and security across platforms, clusters and clouds. Red Hat Service Interconnect, announced 23 May 2023 at Red Hat Summit, creates connections between services, applications and workloads across the necessary hybrid environments.

We’re just getting started on our journey building comprehensive hybrid multicloud automation solutions for the enterprise. Hybrid Cloud Mesh is not just a network solution; it’s engineered to be a transformative force that empowers businesses to derive maximum value from modern application architecture, enabling hybrid cloud adoption and revolutionizing how multicloud environments are utilized. We hope you join us on the journey. 

Source: ibm.com

Thursday, 17 November 2022

Overcoming the architecture challenges of a hybrid cloud world


More than likely, your organization already employs some version of a hybrid cloud approach to its IT architecture. In fact, you are likely operating between six and eight clouds, like most organizations.

It’s also likely that your organization’s mix of cloud environments has some level of on-premises infrastructure integration that spans across it and includes edge computing and/or distributed cloud. When managed correctly, this hybrid cloud infrastructure can do more than optimize your business — it can transform it. The recent IBM Institute of Business Value report, Mastering Hybrid Cloud, points out five key challenges to achieving hybrid cloud mastery. The first of these challenges is architecture.

According to the report, 97% of organizations claim to use more than one cloud. Not to mention, the average organization is anticipated to have 10 clouds by 2023. That’s a serious amount of potential chaos to manage. So how do you bring order to the chaos of a crowded cloud estate and move one step closer to hybrid cloud mastery?

Step 1: Build a single, integrated hybrid cloud platform


A single, integrated hybrid cloud platform and application architecture is the foundation on which to mount and connect all the parts. Instead of disconnected components that accomplish little on their own, it’s important to establish a united system that can save cost and create ease.

A hybrid cloud platform streamlines service provisioning and consumption through a convenient and cost-effective “build applications once, deploy them anywhere” superpower. Developers build microservices once and can then reuse them in applications that run anywhere in the cloud estate. It defines landing zones that empower platform users with a reduced level of technical and administrative burden. These zones include where your data is stored and used — and even where and how it’s secured.

Step 2: Align your hybrid cloud platform with your customer-facing product


That integrated hybrid cloud platform begs for its complement: a business-aligned application architecture. This framework guides decisions about how applications work in a hybrid cloud environment. By removing the guesswork, you can achieve greater levels of agility and innovation.

Keep in mind that the hybrid cloud platform you’re building is a platform for service delivery. You’re delivering those cloud platform services to customers who define what “value” looks like. Defining customer-centric design thinking principles at the outset of platform development can pay big dividends when you begin to launch platform services.

Step 3: Find the ideal balance


The ideal balance is where your organization’s hybrid cloud platform IT roadmap drives cloud performance improvements. That may sound obvious, but achieving it is far from commonplace across organizations today, especially in regulated environments where compliance and regulatory reporting concerns often require an on-premises storage option for the highest security.

Aim to balance resources effectively and achieve your growth goals without sacrificing operational requirements or creating undue risk. Achieving balance isn’t easy, but with optimized architecture automation, streamlined DevSecOps and risk reduction across the hybrid multicloud spectrum, it can be achieved.

Why tackle the architectural challenge?

No matter what your business and IT transformation goals are, an integrated, open hybrid cloud platform can help you:

1. Foster greater innovation and reduce time to market.
2. Protect your data and manage regulatory changes.
3. Boost developer productivity and develop new product solutions more quickly.
4. Manage complexity in your infrastructure while streamlining your operations.
5. Adopt new technology while shifting your CapEx to OpEx.

Done right, a hybrid cloud platform is a unifying strategy that orchestrates your data and workloads, management and application portability across environments. It’s empowering for your business and can move you closer to getting the most business value out of your hybrid cloud investments. So, are you ready to tackle the challenge?

Source: ibm.com

Wednesday, 1 September 2021

How IBM Research is creating the future of hybrid cloud

Constellation Research report praises IBM Research for commitment to fundamental research that's delivering competitive cloud solutions.


“IBM is one of the few vendors offering a competitive cloud solution in the 2020s that also has been a traditional IT leader and supplier for more than 50 years.”

Strong words from Constellation Research Vice President and Principal Analyst Holger Mueller in his March 2021 report, “IBM Research Bolsters IBM Hybrid Cloud: A Strong Innovation Pipeline Can Make a Difference for IBM Hybrid Cloud—and for IBM.”

And like so many past innovations and industry firsts—from powering the Apollo mission, to putting the first quantum computer online for the world to use—IBM is building the hard tech behind the future of computing.

A hybrid approach to cloud computing transformation


Thanks to innovations like agile development practices and cloud-native tools, platforms, and consumption models, technological progress is faster than ever before. At the same time, AI and data analytics techniques are getting increasingly capable of extracting value from the vast amounts of data we produce, fueling an ever-increasing demand for more compute capacity. This demand can be met by the nearly limitless computing now available at all our fingertips, thanks to the maturation of public clouds.

But efforts to adopt new technologies are juxtaposed against a backdrop of years of prior infrastructure investments, where large IT footprints exist in traditional data centers running legacy systems. And for most companies, cloud technologies’ value also requires specialized skills, and the ability to use, manage, and protect the data on the cloud isn’t so simple.

Navigating this landscape and the associated opportunities and challenges is a massive undertaking for any business. It's particularly straining for the business functions responsible for security and compliance against relentless and increasingly sophisticated attacks, and an ever-changing compliance landscape.

We believe there is tremendous value to unlock if we solve the primary challenges in today’s world of hybrid cloud computing:

◉ Moving from legacy to cloud and AI models: Helping businesses transform their IT estates so they can reap the benefits of state-of-the-art hybrid cloud and AI technologies.

◉ Creating truly hybrid architectures: Helping customers simplify the productive use and management of complex and heterogeneous IT estates, spanning legacy systems, private cloud, several public cloud environments, and even edge.

◉ Streamlining security and compliance: Reduce the burden and overhead of navigating security and compliance concerns in the hybrid cloud, which currently slows down innovation and technology adoption.

◉ Preparing for the future: Identifying and anticipating the next frontiers of technology that will enable businesses to achieve things that remain unachievable today.

Our hybrid cloud research works to address these challenges in four ways:

1. Driving agility through AI and automation. We are developing AI capabilities to support our customers throughout their journeys to cloud. This includes helping them modernize applications, keep IT available more of the time, and navigate security and compliance concerns. AI assistance for these tasks will help customers overcome some of the roadblocks that prevent them from reaping the full benefits of hybrid cloud. This work is underpinned by a strong technological focus on the discipline of AI for Code: the idea that code is itself similar in many ways to human language, and we can therefore build AI systems that can “speak the language” of software.

2. Creating a seamless hybrid cloud platform. We are focused on simplifying the experience of using and managing a fragmented IT landscape of both infrastructure and data. To do this we are evolving the platform itself, particularly the management for both infrastructure and data across on-premise data centers, public clouds, and edge. Letting customers treat fragmented data and large fleets of distributed devices as if they are all part of a single computing environment would tremendously simplify the job of developers and IT administrators, and open the door to new business opportunities.

3. Establishing a holistic approach to security and compliance. Our approach involves both hardware- and software-defined technologies that enhance security by strengthening the separation between user workloads and providing evidence of the trustworthiness of the underlying IT platforms running the user workloads. Moreover, we are transforming compliance processes from manual exercises to modern, software-defined approaches to dramatically reduce the overhead on compliance officers and their teams. Our vision is to mitigate the security and compliance obstacles that slow teams down, and in doing so accelerate the pace of innovation across the enterprise.

4. Enabling flexible, composable computing. We are redefining performance-focused computing across all layers of the hybrid cloud stack, from core infrastructure innovations (like network and storage, as well as quantum computing and AI accelerators), to a performant hybrid cloud platform (optimized for large-scale and performance-sensitive workloads), to advances in serverless computing that simplify consumption of state-of-the-art capabilities underneath.

Our vision is to reimagine supercomputing, using the benefits of the hybrid cloud: simplicity, agility, scale on demand, automation, and access to best-in-class resources, wherever they are. Reimagining and democratizing access to supercomputing, making it available to anyone with a cloud account, has the potential to enable more people to achieve previously unachievable things.

The hybrid cloud research organization, along with our IBM Research counterparts in AI, quantum computing, and exploratory science, is delivering research innovations that help enterprises and other organizations meet what challenges and opportunities lie ahead. We are extremely excited about the hybrid world we are helping to shape.


Source: ibm.com

Sunday, 29 August 2021

Open source workload identity management could help secure hybrid clouds

IBM is open sourcing project “Tornjak” to encourage the development and adoption of enterprise-level identity management between clouds.


Organizations have made great strides migrating workloads to the cloud and deploying cloud native applications. At the same time, the resulting hybrid multi-cloud architectures can create challenges for identity and access control, as resources and workloads must operate across multiple public clouds and services.

IBM Research’s new open source “Tornjak” project seeks to tackle those challenges head-on. Our goal is to help enterprises embrace this new way of working by providing a consistent level of control, visibility and auditability of workload identities for workloads across various clouds.

Different cloud providers have their own sets of identity and access control systems. That allows strong authentication of workloads and access control management within a cloud provider’s own domain. Securing shared resources between clouds can be complex.



Today, when developers want to grant access between clouds, they use one of two common methods:

1. The first is to generate a long-term token or API key. Unfortunately, that approach comes with many downsides because it leaves administrators unable to audit and determine the total impact—or blast radius—of a potential security incident.

2. The second method relies on federation, which is more secure but not very efficient today. That’s because federation support across different clouds varies greatly. More importantly, each cloud provider has its own notion of identity, schema and trust relationships. That makes creating a holistic federated identity within an organization a complex exercise, whose result is often misconfiguration and mismanagement of access control.

Finding common ground


Tornjak is designed to create common ground for workload identity management. It does that by providing a management layer atop SPIFFE (Secure Production Identity Framework for Everyone), a universal identity control plane for distributed systems under the aegis of the CNCF, the Cloud Native Computing Foundation.

Tornjak also uses SPIRE, the SPIFFE Runtime Environment, which is an implementation of the SPIFFE specifications. Using SPIFFE and SPIRE as the foundation of a zero-trust security model, Tornjak can help manage the secure provisioning and authentication of identities.

One of our main goals is to provide CISOs, security operators and auditors the management interfaces and tools necessary to manage their organizations’ workload identities. The combination of SPIFFE, SPIRE and Tornjak should offer organizations stratified workload identity management, simplifying access control without sacrificing security.

“I am very excited about the innovation happening in zero-trust security. SPIFFE and SPIRE now combined with Tornjak are providing a highly scalable and community-driven solution to address service mesh security,” said Luke Hinds, security engineering lead, Red Hat Office of the CTO.

It's great to see IBM and others spearheading this work upstream in the community. This is technology that addresses a clear problem space of machine identity trust in cloud native networks.

Figure 1: IBM open sourcing project “Tornjak” logo.

Barriers to secure workload identity management


The main challenge of our research is to create a shift in the way cloud users manage and secure their organization’s workload identities.

This challenge manifests itself in two ways:

1. As use of cloud native technology matures and users start to move more workloads to cloud, they will discover the difficulty of managing workload identities across multiple public clouds. Because there’s very little education on how this should be handled, most users end up creating workarounds or employing techniques that may jeopardize security.

2. And from a security and audit perspective, requirements around security are still being formalized. For the most part, users and auditors alike are uncertain how cloud native technology plays into security and compliance. That lack of common understanding and tooling in cloud native environments keeps the technology from reaching the mainstream, relegating cloud native to a much smaller group of early adopters.

Open source can accelerate development


In an effort to keep Tornjak open and available to all, IBM is donating the project to be part of the CNCF, under the SPIFFE community umbrella. The project will join a well-founded community of developers, integrators and users—including Bloomberg, ByteDance (developer of TikTok) and GitHub—focused on solving workload identity challenges introduced by hybrid cloud environments. The community also includes Cisco, Google, HPE and others building new tools atop SPIFFE/SPIRE.

In open sourcing Tornjak, IBM’s goal is to accelerate the development of hybrid cloud workload identity solutions. We’re also hoping to highlight the workload identity problem for those unfamiliar with it, and to demonstrate IBM’s close partnership with Red Hat and the open-source community in addressing these challenges. The CNCF SPIFFE community offers us an excellent forum through which we can contribute our ideas and pursue the best identity management solutions.

Tornjak is still in its early development stages—the project has been implemented with the basic functionality for managing identities. Additional work needs to be done to get it ready for enterprise adoption. Our hope is that the open-source community's combined efforts will enable us to achieve a production-ready solution by the end of the year.

Source: ibm.com