73 comments

[ 3.7 ms ] story [ 130 ms ] thread
Envoy must have one of the fastest adoption stories in the history of FOSS. It is excellent software, although the space is full of contenders - Traefik and Istio are also exciting projects!
Istio uses Envoy.
And linkerd (2.0) too.
I'm pretty sure linkerd 2 has switched to their own rust/tokio based solution
They do and that is why they are a contender. Not a user of envoy.
Istio is service-mesh software with several components and the data plane is Envoy. Linkerd 2 is a competitor with its own data plane.

Traefik is not a service mesh, it's a webserver and reverse-proxy and similar to Nginx and HAProxy, although all of them have been trying to get into this space along with Kong and others.

In the other direction there's also Heptio Contour and Datawire Ambassador that use Envoy as a reverse-proxy.

Currently we wire all of our VPCs into a large network to access services, and that brings with it all of the associated security concerns.

I wonder if moving to something like this would allow us to eliminate the global network and let VPCs run in an isolated context save for services published via mesh.

Look into VPC Endpoint Services, it may address your use case.

"You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service (referred to as an endpoint service). Other AWS principals can create a connection from their VPC to your endpoint service using an interface VPC endpoint. You are the service provider, and the AWS principals that create connections to your service are service consumers."

https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-se...

Thank you, actually doing a POC of that now and to your point it's probably a more appropriate solution to the problem. Appreciate the suggestion!
I really wish Amazon would have contributed resources to istio instead of rolling their own mesh...
> App Mesh uses the open source Envoy proxy, making it compatible with a wide range of AWS partner and open source tools.

Yet another Amazon product based on open source software, while still contributing almost nothing to this space.

https://github.com/envoyproxy/envoy/blob/master/LICENSE

Permissions: Commercial use, Modification, Distribution, Patent use, Private use

Apologies, I'm not sure if you are disagreeing with me in any way or not. :)

Envoy is indeed open source and freely-available for corporations to use. That is not what I was implying.

Amazon, out of all the big companies (Google, Netflix, Microsoft etc.), is the one with the least contribution to the open source world, despite using many of open source tools to build their AWS products.

If you make something open source and free for anyone to use, don’t complain when anyone uses it. That’s kind of the point.
No it isn't. Just because users aren't legally required to contribute doesn't mean that they don't have a moral duty to support the project, if they can. Given Amazon's vast resources I think it is reasonable to feel that they should help out a bit.
Is this really true, though? Looks like Amazon has multiple github accounts with lots of projects, including some high profile ones like Firecracker, etc.

This has become a bit of an interesting topic to me because it keeps being brought up by people who sort of just state it as fact without providing any real argument. How much is enough? One full time developer? Ten? What if the project doesn't want to merge their contributions? Amazon just got killed on HN for open sourcing all of their ElasticSearch work in a separate repository.

I feel like they can't win on open source with some of you guys.

https://medium.freecodecamp.org/the-top-contributors-to-gith...

On these figures, Amazon is behind other giants and has fewer contributions that a number of midsize tech companies like Red Hat or Pivotal (my employer).

It looks like that's missing data - including some very big ones. https://github.com/firecracker-microvm/firecracker has quite a few stars and came out in 2018 - no mention. All three of them have contributed to the Linux kernel in significant fashions, and it's not listed for any of them, despite the 72k stars.

And are github repos and stars the only way to measure open source contribution? The Xen project only has 162 stars, yet I don't think anyone would say it isn't an important project, and it's one Amazon has contributed to - if you're using a PV guest on Xen that's protected against Meltdown, chances are high you're using the Vixen mitigation that Amazon released.

Could Amazon do more? Probably. I'm not trying to say they're perfect. But this idea that they don't contribute back to open source seems pretty flawed, even by the data in your link, which seems incomplete.

A lot of folks have complained about this data set, but the author has updated based on feedback. So it'll improve.

But unless Amazon are hiding several hundred contributors and thousands of commits in a repo that's been magically overlooked for years, the figures tend to make them look bad.

This is missing so many repos, from so many companies. What a terrible source.
I don't disagree, but it's the source we have and the author appears open to correction.
(comment deleted)
Amazon using it is a big endorsement, I would also imagine that they contribute bug reports.
It’s tricky to collect Amazon data on this. Amazon contributes back to projects under individual employee developers accounts quite a bit.

For some reason Amazon just doesn’t want to show they had any involvement with that commit and doesn’t care about how it’s seen. From the times I’ve seen it, seems like this might by by design

For core services like a proxy, http server etc, I’m kind of glad when larger companies adopt/support a solid service. I think it validates that choice for other companies, and brings attention/bug fixes etc among other things.
While I generally agree I've found Amazon to be particularly bad at supporting their "hosted open source" products vs what they've built. Dynamo and S3 are much more solid than anything they're just wrapping. I think that's part of why it feels like a cheap money grab.
What is a "cheap" money grab? What else should a business do? Is solving problems for their customers not acceptable?
While I understand where you are coming from, have you used envoy or Ambassador (based on envoy)? They are extremely well designed, especially to address the service routing issues of multi-cloud, Kubernetes, micro services etc. I was extremely happy to see AWS backing envoy. It somewhat confirmed a lot of the research we did in the space.
They don't have to. They're busy serving customers who pay lots of money to have their problems solved, not to pontificate about the morality of building with open-source software.

You're free to set your project's license to whatever you want but why complain when it's used the way you said it can be?

I expect more of companies and people than their minimum legal obligations.
It's reasonable to expect that of people, but why of companies? Isn't a company like Amazon's moral compass guided solely by legal obligations?
You are probably right in the sense of what-is, that Amazon's moral compass is guided only by legal obligations. That does not make it what-should-be. Companies are groups of people. Decency is not erased when a corporation enters the picture.

Corporations exist for the benefit of the society that grants them their charter and that charter can--and should--be revoked when the corporation acts against the best interests of that society. We do have that power, but we've forgotten about it.

Companies are just a group of people. Companies don't do anything, people do and then use companies to try and shield themselves from blame.
That's great but others don't. That's why we have legal definitions, so that we can define clear and objective requirements.
"I expect more of companies and people than their minimum legal obligations."

That's weird ... what do you expect from, say, hammers and blenders ?

I expect people to do nice things and be kind and think of my interests. Simple tools, on the other hand (like screwdrivers and shovels and LLCs and Corporations and family trusts) should just do exactly what they are designed to do - and nothing more.

It’s strange to me you excuse groups of people from having the same obligations as a lone person.
They're not obligations, they're just subjectives wishes. If you want to make it a requirement then that's what the license is for.
Fair point. Still, even corporate entities are made up of flesh-and-blood humans. So if those humans benefit substantially more than the original creators of a work then it's reasonable to expect those founders to change their license or stop contributing.

So it's possible that well-funded consumer/producers like Amazon may at times crush, overtake, or otherwise discourage some of the unpaid labor that they benefit from.

(Not trying to make a moral argument. Personally I'm a bit conflicted on consuming and producing FOSS.)

Expectation is the mother of all disappointments.
But we’re not paying them for the product. We’re paying them for the infrastructure.

I don’t see why it is different from asking a small one-man shop to take care of my infrastructure for me?

https://github.com/envoyproxy/envoy/pull/5580 and https://github.com/envoyproxy/envoy/pull/5887

It's a start. Looking forward to more contributions from the team.

Amazon should be pumping hundreds of thousands of dollars into all these open-source projects they're leveraging.
Not according to the licenses of those projects. They’re not a charity.
Also check out Ambassador, which uses Envoy too. Friendly team and easy to grok API.
Is there a planned date when Mesh will be added to the AWS HIPAA covered services list? Didn’t see it currently listed.
AWS generally doesn’t announce dates for BAA coverage ahead of time, but your account manager may be able to give you a heads-up a couple weeks beforehand if you ask.
Thx, probably a common question, but service routing is a hot topic, looking forward to the announce.
One more new cloud service intended to fix what’s wrong with existing cloud services. At what point do you just go back to traditional app architecture with normal servers?
My understanding is that it solves a specific customer problem by seamlessly connecting the workloads running on various forms (ec2, ecs, k8s etc.).
This is all running on normal servers. A service mesh is about communication.

If you're doing any kind of communication between components then that has to be facilitated somehow, and production requirements like security, retries, load-balancing, observability, etc have to live somewhere. A mesh just extracts it all into a single external system.

I thought AWS Xray was the non-transferrable skill that you were supposed to pour your time into and amalgamate into your project to solve this problem.

Always space for one more I guess!

X-Ray is for tracing your overall application across multiple services/components. It's more akin to New Relic and similar products.
Again, AWS proves to be shamelessly exploitative of others' work and success. This must be a culture there or something.
> shamelessly exploitative of others' work and success

i.e. using open source under the published license? Look, I'd prefer that everyone using open software supports it with public patches, but if it's not under A/GPL or something, then clearly the authors weren't so worried about it. If you don't like others using your work without publishing their changes, use A/GPL. If you don't like others using your work without paying you, go with shared source (and accept that you're writing proprietary software) or use a noncommercial license or something. But don't publish something and then complain that people used it under the exact terms that you published it!

I can't really disagree with Redis here.

Traditional licenses forced you to contribute back if you used community's code. SaaS changed everything: you can now "leech" software without giving back.

We need a new model. We need to force contribution, because software corporations won't give back otherwise. I've worked for big corps and the bureaucracy will not allow it, even if developers wish to. If we don't force legal departments to comply we will lose the whole culture of freedom we've built in the past 40 years.

What freedom has been lost? You're free to build what you want and others are free to use it by the license you set.

Forcing contribution would actually remove freedom.

>We need to force contribution

I’m interested in your proposed mechanism for that!

After GPL solves this exact problem. The new problem is that no one wants that solution because massive cloud deployments ate business projects not open source hobby nrojects
Perhaps they meant force contributing back improvements they're already making. I imagine AGPL may be what they had in mind.

EDIT: fixed typo

I think it would be reasonable to require that if you use the open source software for commercial reasons, you must also open source your modifications. The real problem is companies building their proprietary solutions on top of free labor. If they at least had to open source then that would hold back their competitive advantage they are trying to create by not contributing.
So... AGPL? This is not an unsolved problem, unless I'm missing something. And if your answer is that companies won't touch AGPL with a 10-foot pole... why would you expect to get better results with something else?
> We need to force contribution, because software corporations won't give back otherwise

This is untrue; plenty of permissively-licensed projects are supported by code contributions and dedicated paid support by software companies who use their code. You don't need copyleft, much less something new beyond copyleft, to get that.

What Redis and others want gratis-but-proprietary licensing for is to prevent cloud services companies from competing with their SaaS offerings, not to force anyone to “give back”.

How does App Mesh vs Istio shake out? I’ve been reticent to use Istio on GKE but it seems to offer some great features. Something with this basic feature is pretty useful with just a few more micro services, than I current manage.
I'm not super well versed frankly but my attempt:

They're both control planes for envoy proxy. App Mesh is a managed proprietary solution, Istio is open source and self-hosted but there are managed options available. Istio explicitly supports k8s and consul; app mesh doesn't care where the envoy proxies run (great for migrating).

I _think_ Istio is a full knowledge model where everyone knows about everyone else in the mesh, App Mesh is explicit. The configuration pushed to the proxies only have the targets that have been modeled as such in the app mesh model (great for larger organizations).

App Mesh roadmap: https://github.com/aws/aws-app-mesh-roadmap

Istio's: https://istio.io/about/feature-stages/

I actually don't understand what problem this and other API gateways solve?

Let's say I have a bunch of services calling each other. Which I already do... Why should I add this?

This is a service mesh like Istio not an API gateway, it's mainly used for automatic and transparent service discovery and load balancing where client and server service endpoints don't have to worry about that, also other features are automatic handling of failure when one server endpoint isn't responding, traffic management, securing communications between services, enforcing L7/L4 kind of a firewall between services, telemetry, etc..., you probably don't want to use a service mesh like this until your software architecture gets really complex