1) Problem Clarification
EN
Modern microservices require:
- centralized routing
- authentication
- rate limiting
- service discovery
- resiliency (retry, timeout, circuit breaker)
- mTLS between services
API Gateway and Service Mesh solve these problems, but at different layers.
VI
Modern microservice systems need:
- centralized routing
- authentication
- rate limiting
- service discovery
- resiliency (retry, timeout, circuit breaker)
- mTLS between services
API Gateway and Service Mesh solve these problems, but at different levels.
2) API Gateway vs Service Mesh – Core Difference
EN
| Feature | API Gateway | Service Mesh |
|---|---|---|
| Layer | North–South traffic | East–West traffic |
| Purpose | Entry point for external clients | Manage internal service-to-service traffic |
| Examples | NGINX, Kong, Apigee, AWS API GW | Istio, Linkerd, Consul Mesh |
| Focus | routing, auth, rate limit | observability, mTLS, retries, traffic shaping |
| Handles | HTTP, REST, GraphQL | TCP + HTTP microservice traffic |
VI
| Feature | API Gateway | Service Mesh |
|---|---|---|
| Traffic flow | North–South (from outside → into the system) | East–West (service → service) |
| Goal | single entry point | control of the entire internal network |
| Examples | NGINX, Kong, Apigee | Istio, Linkerd |
| Focus | routing, auth, rate limiting | mTLS, telemetry, retry, circuit breaker |
| Handles | HTTP/REST/GraphQL | TCP/HTTP between microservices |
PART A — API GATEWAY
3) API Gateway Architecture
Client → API Gateway → Microservices
↘ Auth
↘ Rate Limit
↘ Routing
↘ Transformation
EN
Gateway provides:
- centralized entry
- auth (JWT, OAuth2)
- API keys
- request/response transform
- caching
- rate limiting
VI
The gateway provides:
- a single entry point
- auth (JWT/OAuth2)
- API keys
- request/response transformation
- caching
- rate limiting
4) Gateway Features
EN
✔ Authentication & Authorization
✔ Rate Limiting
✔ API Key Management
✔ Routing & Canary Deployment
✔ Request Validation
✔ Response Caching
✔ Logging / Metrics
VI
✔ Authentication & authorization
✔ Rate limiting
✔ API key management
✔ Routing & canary
✔ Request validation
✔ Response caching
✔ Logging / metrics
5) Popular API Gateway Solutions
NGINX / OpenResty
- High performance
- Lua scripting
Kong
- Plugin ecosystem
- Extensible
Apigee
- Enterprise API management
AWS API Gateway
- Serverless
- Per-client rate limiting
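As an added example (not from the original notes), a Kong declarative configuration that wires the gateway features from sections 3–5 onto one upstream: JWT authentication, per-consumer rate limiting and header transformation. The service name, upstream URL, route path and the consumer are constructed placeholders.

```yaml
# Kong declarative config (DB-less / deck format). Service, route, consumer
# and secret are constructed placeholders for this example.
_format_version: "3.0"

services:
- name: orders-api
  url: http://orders.internal.svc:8080   # the microservice behind the gateway
  routes:
  - name: orders-route
    paths:
    - /api/orders                        # external clients only see this path
    strip_path: true
  plugins:
  # 1) Authentication: reject requests without a valid JWT before routing.
  - name: jwt
    config:
      claims_to_verify:
      - exp                              # expired tokens are refused
      key_claim_name: iss                # claim that selects the consumer's key
  # 2) Rate limiting: counted per authenticated consumer, not per source IP.
  - name: rate-limiting
    config:
      minute: 60
      policy: local
      limit_by: consumer
      fault_tolerant: true
  # 3) Transformation: drop a client-controlled internal header, add a marker.
  - name: request-transformer
    config:
      remove:
        headers:
        - X-Internal-Caller
      add:
        headers:
        - X-Gateway:kong

consumers:
- username: mobile-app
  jwt_secrets:
  - key: mobile-app-issuer               # must match the token's iss claim
    algorithm: HS256
    secret: "REPLACE_WITH_A_LONG_RANDOM_SECRET"
```

Because the jwt plugin runs before rate-limiting, unauthenticated requests are rejected with 401 and never count against any consumer's quota; an IP-based limit would additionally be needed to throttle anonymous traffic.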
PART B — SERVICE MESH
6) Service Mesh Architecture
EN
Key idea:
Inject sidecar proxy (Envoy) next to each service.
Service A ↔ Envoy sidecar ↔ Envoy sidecar ↔ Service B
VI
Key idea:
Inject an Envoy sidecar next to each service.
Service A ↔ Envoy ↔ Envoy ↔ Service B
The sidecar manages traffic instead of the service doing it itself.
7) Control Plane vs Data Plane
EN
Data Plane (Envoy):
- captures all traffic
- enforces policies
Control Plane (Istio Pilot/Citadel/Galley):
- pushes config rules to Envoy
- issues certificates for mTLS
- manages routing
VI
Data Plane (Envoy): receives and handles traffic.
Control Plane (Istio): pushes config and issues TLS certificates.
8) Key Features of Service Mesh
EN
✔ mTLS (Mutual TLS) end-to-end
✔ Traffic management (retry, timeout, circuit breaker)
✔ Observability (metrics, tracing, logs)
✔ Canary / Blue-Green deployment
✔ A/B testing
✔ Fault injection (chaos testing)
VI
✔ mTLS across the whole system
✔ Traffic control (retry, timeout, …)
✔ Observability (metrics, logs, tracing)
✔ Canary / Blue-Green
✔ A/B testing
✔ Fault injection
9) Istio In-Depth
Components (classic names; since Istio 1.5 Pilot, Citadel and Galley are merged into the single istiod binary):
- Pilot: config distribution
- Citadel: mTLS certificate authority
- Envoy Proxy: data plane
- Mixer (old): policy/telemetry
Features:
- VirtualService: routing rules
- DestinationRule: subsets, traffic policies
- Gateway: ingress/egress
- Sidecar: workload-specific config
10) Linkerd Overview
EN
Focus: simplicity + security.
Key features:
- ultra-light data plane
- Rust-based proxy
- automatic mTLS
- stable latency
VI
Focus on simplicity and security.
Proxy written in Rust, automatic mTLS.
11) Traffic Management
EN
Service mesh supports:
- retry policies
- timeout
- circuit breaking
- weighted routing
- mirror traffic (shadowing)
- canary release
VI
Service mesh supports:
- retry
- timeout
- circuit breaker
- weighted routing
- traffic mirroring
- canary rollout
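An added example (not from the original notes) that puts the Istio objects from section 9 and the traffic-management features from section 11 together for a hypothetical "reviews" service with a stable v1 and a canary v2: subsets and a circuit breaker in the DestinationRule, weighted routing, mirroring, timeout and retries in the VirtualService. Service name, labels and all numbers are constructed.

```yaml
# Istio traffic management for a constructed "reviews" service with two
# versions (v1 stable, v2 canary). Names, labels and thresholds are examples.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels: { version: v1 }
  - name: v2
    labels: { version: v2 }
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL              # sidecar-to-sidecar mTLS
    connectionPool:
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
    outlierDetection:                 # circuit breaker: eject failing endpoints
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:                            # weighted routing: 90/10 canary split
    - destination: { host: reviews, subset: v1 }
      weight: 90
    - destination: { host: reviews, subset: v2 }
      weight: 10
    mirror: { host: reviews, subset: v2 }   # shadow a copy of traffic to v2
    mirrorPercentage: { value: 20.0 }       # ... for 20% of requests
    timeout: 10s                      # overall per-request deadline
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: 5xx,reset,connect-failure
```

Mirrored requests are fire-and-forget (the shadow response is discarded), and retrying on 5xx is only safe for idempotent operations, so scope such a VirtualService to routes where a replayed request cannot duplicate a side effect.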
12) Observability in Mesh
EN
Telemetry automatically collected:
- metrics (Prometheus)
- tracing (Jaeger)
- logs
VI
The mesh collects automatically:
- Prometheus metrics
- Jaeger tracing
- logs
13) Zero-Trust Networking (mTLS Everywhere)
EN
Every request:
- authenticated
- encrypted
- authorized
The Envoy sidecar handles certificate rotation, using certificates issued by the control plane CA (Citadel).
VI
Every request must be:
- authenticated
- encrypted
- authorized
Envoy takes care of certificate issuance and renewal.
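An added example (not from the original notes) of the three properties above as Istio policy: a mesh-wide PeerAuthentication that makes mTLS mandatory (authenticated + encrypted), a default-deny AuthorizationPolicy, and one explicit allow rule keyed on the caller's mTLS identity (authorized). The "shop" namespace, service accounts and labels are constructed.

```yaml
# Mesh-wide zero trust for a constructed cluster: mTLS is mandatory
# everywhere, nothing is allowed by default, then one caller is allowed.
# Namespaces, service accounts and labels are constructed for this example.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system            # root namespace => applies to the whole mesh
spec:
  mtls:
    mode: STRICT                     # plaintext from non-mesh clients is rejected
---
# Default-deny: an ALLOW policy with no rules matches nothing, so every
# request to a workload in "shop" is denied unless another policy allows it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: shop
spec: {}
---
# Authorization: only the productpage service account may call reviews,
# and only with GET. The principal is the SPIFFE ID from the client cert,
# so it cannot be spoofed with a header.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-productpage
  namespace: shop
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/productpage"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/reviews/*"]
```

During migration, set the PeerAuthentication mode to PERMISSIVE first so workloads that do not yet have a sidecar keep working, then switch to STRICT once every workload is in the mesh.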
14) Failure Scenarios
EN
- bad config pushed → traffic breaks
- sidecar crash → service unreachable
- large mesh → control plane overload
- observability noise → high overhead
VI
- wrong config → outage
- sidecar dies → service unreachable
- large mesh → slow control plane
- too many metrics/logs → wasted resources
15) When to Use API Gateway vs Service Mesh?
EN
Use API Gateway for:
- external traffic
- authentication & rate limits
- request transformation
- API monetization
Use Service Mesh for:
- internal east–west traffic
- mTLS
- retries/timeouts
- traffic splitting & canary
- observability
VI
API Gateway:
- traffic coming in from outside
- auth, rate limiting
- request transformation
Service Mesh:
- traffic between services
- mTLS
- resiliency
- canary
- observability