SlideShare a Scribd company logo

The new (is it really ) api stack

Download as PPTX, PDF
Red Hat
Red Hat

The document presents an overview of gRPC and HTTP/2, highlighting the limitations of REST and the advantages of using gRPC for microservices, including lower latency and better performance. It discusses the architecture, protocol buffers (protobuf), and the benefits of transitioning to these technologies for efficient communication in distributed systems. A demo is included to illustrate the implementation of gRPC services using Golang.

Software
1 of 48
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
Built by Luca Ferrari Version 1.0 The new (is it really?) API stack by Luca Ferrari EMEASolutionArchitect Red Hat 1
Built by Luca Ferrari Version 1.0 What we are going to see today: ➔ Intro to grpc (and HTTP/2) ➔ Intro to protobuf ➔ Layering on Golang ➔ Comparison with REST 2 ➔ Demo building a microservice ➔ Protection with API Management ➔ Resources
Overview Why we are speaking today about gRPC? 3
Trend Microservices gRPC 4
Also... ● One of the protocols supported by Istio Service Mesh ● Reaching some of the limits of REST ● Reaching some of the limits of HTTP/1.1 ● What about yourself? 5
What is HTTP/2 and why it’s important to know about it 6
History 1991 HTTP 0.9 1996 HTTP 1.0 1997 HTTP 1.1 2009 SPDY 1.0 2015 HTTP 2.0 7
Principles new version of HTTP: 1. Simplicity 2. High performance 3. Robustness Aim: ● reduce latency in processing browser requests ● while maintaining compatibility 8
HTTP/1.1 issues 1 HTTP/1.1 was limited to processing only one outstanding request per TCP connection, forcing browsers to use multiple TCP connections to process multiple requests simultaneously. 2 However, using too many TCP connections in parallel leads to TCP congestion that causes unfair monopolization of network resources 3 Issuing multiple requests from the browser also causes data duplication on data transmission wires, which in turn requires additional protocols to extract the desired information free of errors at the end-nodes. 4 Security loopholes (like Cookie Hack)* 9* [ http://http2.github.io/http2-spec/#TLSUsage ]
HTTP/2 solutions 1 Multiplexed streams: Earlier iterations of the HTTP protocol were capable of transmitting only one stream at a time along with some time delay between each stream transmission. Receiving tons of media content via individual streams sent one by one is both inefficient and resource consuming. This new layer allows client and server to disintegrate the HTTP payload into small, independent and manageable interleaved sequence of frames. Benefits: ● The parallel multiplexed requests and response do not block each other. ● A single TCP connection is used despite transmitting multiple data streams. ● Reduced latency, faster web performance, better search engine rankings. 10
HTTP/2 solutions 2 Server Push: This capability allows the server to send additional cacheable information to the client that isn’t requested but is anticipated in future requests. For example, if the client requests for the resource X and it is understood that the resource Y is referenced with the requested file, the server can choose to push Y along with X instead of waiting for an appropriate client request. This mechanism saves a request-respond round trip and reduces network latency. Benefits: ● The client can reuse these cached resources across different pages. ● The server can multiplex pushed resources along with originally requested information within the same TCP connection. ● The client can decline pushed resources to maintain an effective repository of cached resources or disable Server Push entirely. 11
HTTP/2 solutions 3 Binary protocols: HTTP1.x used to process text commands to complete request-response cycles. HTTP/2 will use binary commands (in 1s and 0s) to execute the same tasks. Although it will probably take more efforts to read binary as compared text commands, it is easier for the network to generate and parse frames available in binary. The actual semantics remain unchanged. Benefits: ● Low overhead in parsing data ● Less prone to errors ● Lighter network footprint ● Eliminating security concerns associated with the textual nature of HTTP1.x such as response splitting attacks* 12* [ https://resources.infosecinstitute.com/http-response-splitting-attack/#gref ]
HTTP/2 solutions 4 Stream prioritization: Stream prioritization works with Dependencies and Weight assigned to each stream. Although all streams are inherently dependent on each other except, the dependent streams are also assigned weight between 1 and 256. The details for stream prioritization mechanisms are still debated. Holding off data stream processing requests on a random basis undermines the efficiencies and end- user experience promised by HTTP/2 changes. Benefits: ● Effective network resource utilization. ● Reduced time to deliver primary content requests. ● Improved page load speed and end-user experience. 13
HTTP/2 solutions 5 Header Compression: The HTTP application protocol is stateless, which means each client request must include as much information as the server needs to perform the desired operation. This mechanism causes the data streams to carry multiple repetitive frames of information such that the server itself does not have to store information from previous client requests. HTTP/2 adds the ability to compress large number of redundant header frames. It uses the HPACK specification. Both client and server maintain a list of headers used in previous client-server requests. Benefits: ● Reduced resource overhead ● Encodes large headers as well as commonly used headers which eliminates the need to send the entire header frame itself. ● Not vulnerable to security attacks such as CRIME 14
HTTP/2 solutions 6 Security: HTTP/2 defines a profile of TLS that is required; this includes the version, a ciphersuite blacklist, and extensions used (with TLS1.2 set as minimum ciphersuite) There is also discussion of additional mechanisms, such as using TLS for HTTP:// URLs (so-called “opportunistic encryption”). 15
Quick demo Two elements: ● Is a website HTTP/2 ready: https://tools.keycdn.com/http2-test [facebook.com] ● Do a speed comparison between HTTP/1.1 and HTTP/2: https://http2.akamai.com/demo 16
What is gRPC and why it’s important to know about it 17
REST issues 1 Not built for microservices chattiness architecture 2 JSON format not optimized for efficiency or performance 3 Streaming APIs not native to REST 4 API Spec loosely coupled to REST Client generation issues 18
Definition gRPC, short for “gRPC Remote Procedure Call,” is Google’s lightweight, open source RPC framework gRPC is a high performance, open-source remote procedure call (RPC) framework that can run anywhere. It enables client and server applications to communicate transparently, and makes it easier to build connected systems. gRPC follows HTTP semantics over HTTP/2. It allows you to build services with both synchronous and asynchronous communication model. It supports traditional Request/Response model and bidirectional streams. Its capability for building full-duplex streaming lets you use it for advanced scenarios where both client and server applications can send stream of data asynchronously 19
Principles Google has been using a single general-purpose RPC infrastructure called Stubby to connect the large number of microservicesrunning within and acrossourdata centersfor over a decade … https://grpc.io/blog/principles/ gRPC is a Cloud Native Computing Foundation (CNCF) project. 20
Use cases ● Low latency, highly scalable, distributed systems. ● Developing mobile clients which are communicating to a cloud server. ● Designing a new protocol that needs to be accurate, efficient and language independent. ● Layered design to enable extension eg. authentication, load balancing, logging and monitoring etc. 21
Data Format By default, gRPC uses Protocol Buffers as the Interface Definition Language (IDL) and as its underlying message interchange format. But it comes with external support for other content types such as FlatBuffers and Thrift, at varying levels of maturity. 22
What is protobuf and why it’s important to know about it 23
Definition Protocol Buffers (Protobuf) is a method of serializing structured data. The method involves an interface descriptionlanguage that describes the structure of some data and a program that generates source code from that description for generating or parsing a stream of bytes that represents the structured data. It is a simple language-neutral and platform-neutral Interface Definition Language (IDL) for defining data structure schemas and programming interfaces. It supports both binary and text wire formats, and works with many different wire protocols on different platforms. The design goals for Protocol Buffers emphasized simplicity and performance. In particular, it was designed to be smaller and faster than XML. 24
How does it work Unlike JSON and XML, Protocol Buffers are not just message interchange format, it’s also used for describing the service interfaces (service endpoints). Thus Protocol Buffers are used for both the service interface and the structure of the payload messages. Like a typical communication between a client application and a RPC system, a gRPC client application can directly call methods on a remote server as if it was a local object in your client application. 25
To Go or not to Go 26
Language Natural choice for gRPC and protobuf is Golang given the plugins and tools available There are also plugins in the following languages: ● C++ ● Java ● Python ● Ruby ● Node.js ● C# 27
2 minutes setup go get -u github.com/golang/protobuf/proto go get -u github.com/golang/protobuf/protoc-gen-go go get google.golang.org/grpc 28
How RESTful is this? 29
gRPC advantage The main advantage of developing services and clients with gRPC is that your service code or client side code doesn’t need to worry about parsing JSON or similar text-based message formats (within the code or implicitly inside the underlying libraries such as Jackson, which is hidden from service code). What comes in the wire is a binary format, which is unmarshalled into an object. Therefore, as a general practice, we can use gRPC for all synchronous communications between internal microservices. Other synchronous messaging technologies such as RESTful services and GraphQL are more suitable for external-facing services. 30
REST comparison 31 Feature gRPC HTTP APIs with JSON Contract Required (.proto) Optional (OpenAPI) Protocol HTTP/2 HTTP Payload Protobuf (small, binary) JSON (large, human readable) Prescriptiveness Strict specification Loose. Any HTTP is valid. Streaming Client, server, bi- directional Client, server Browser support No (requires grpc-web) Yes Security Transport (TLS) Transport (TLS) Client code- generation Yes OpenAPI + third-party tooling
Sweet spot 32
Did you say SOAP? You can think about gRPC Web Services as a throwback to the original Web Service technologies, SOAP and WSDL. Unlike REST, gRPC isn't an architectural style that comes with a lot of design principles or guidelines on how you should structure your services. Instead, like WSDL/SOAP services, gRPC is a technical specification that lets you call methods over the Internet without worrying about what platform the service or the client is running on 33
Demo time! 34
Building the demo 35 Define service interface in protobuf01 ● Customer service with 2 methods ● Defined in .proto file ● Request / response or stream
Building the demo 36 Generate code for client and server02 ● Use protocol buffer compiler ● Outputs go files Define service interface in protobuf01 ● Customer service with 2 methods ● Defined in .proto file ● Request / response or stream
Building the demo 37 Implement the gRPC server 03 ● Implement the 2 service methods Generate code for client and server02 ● Use protocol buffer compiler ● Outputs go files Define service interface in protobuf01 ● Customer service with 2 methods ● Defined in .proto file ● Request / response or stream
Building the demo 38 Implement the gRPC server 03 ● Implement the 2 service methods Generate code for client and server02 ● Use protocol buffer compiler ● Outputs go files Define service interface in protobuf01 ● Customer service with 2 methods ● Defined in .proto file ● Request / response or stream Use the gRPC client 04 ● Or use a curl tool to test the service (remember to set the HTTP2 option)
Setup Local setup on my machine 3 folders: 1. Client 2. Server 3. Service definition Using self-signed certificate and server reflection 39 go run main.go grpcui -plaintext localhost:50051 grpcui -cacert "cert/ca.cert" localhost:50051
40
API Management you said? 41
API Gateway Most recent API Management solutions can understand: ● HTTP/2 ● gRPC https://github.com/3scale/APIcast/pull/1128 42
Closing 43
Performance comparison Test performed on the same service implemented using either grpc/protobuf or REST/JSON Both services are using Golang Latency CPUandmemory Bandwidth 44 Unexpectedly very similar results in terms of both CPU and memory usage
Conclusion Whento use gRPC: ● Well suited for IoT and Mobile cases, given bandwidth efficiency ● Well suited for intra microservice communication ● Standard way to document interface and messages ● Standard way to produce client and server code from service definition (language agnostic) ● Don’t want to deal with serialization / deserialization 45
Conclusion Whennot to use gRPC: ● You don’t want your client and server to be tightly coupled ● You are using REST not in a RESTful way and hope gRPC will solve all your problems ● You love the buzzword 46
Resources https://kinsta.com/learn/what-is-http2/# https://medium.com/@shijuvar/building-high-performance- apis-in-go-using-grpc-and-protocol-buffers-2eda5b80771b https://medium.com/google-cloud/exploring-grpc-on- google-cloud-platform-82531b4b82b7 47
Thank you! 48

More Related Content

What's hot (18)

PPT
The constrained application protocol (coap) part 3
Hamdamboy (함담보이)
 
PPT
The constrained application protocol (coap) part 2
Hamdamboy (함담보이)
 
PDF
Reactive micro services using RSocket
tothepointIT
 
PPT
The constrained application protocol (CoAP)
Hamdamboy (함담보이)
 
PPT
The constrained application protocol (co ap) part 3
Hamdamboy (함담보이)
 
PDF
21 HTTP Protocol #burningkeyboards
Denis Ristic
 
PPT
The constrained application protocol (coap) part 3
Hamdamboy
 
PDF
Websocket
艾鍗科技
 
PPT
IoT Coap
Rajanikanth U
 
PPT
The constrained application protocol (co ap) part 2
Hamdamboy (함담보이)
 
DOC
Computer networking mcis 6163 project
Anakinzs
 
PPTX
CoAP protocol -Internet of Things(iot)
Sabahat Nowreen Shaik
 
PDF
Distributed Web-Cache using OpenFlow
Aasheesh Tandon
 
PPTX
Http-protocol
Toushik Paul
 
PPTX
application layer protocols
bhavanatmithun
 
PPTX
web connectivity in IoT
FabMinds
 
PPT
Implementation and Performance Analysis of a UDP Binding for SOAP
Dr. Fahad Aijaz
 
PDF
HTTP
Daniel Kummer
 
The constrained application protocol (coap) part 3
Hamdamboy (함담보이)
 
The constrained application protocol (coap) part 2
Hamdamboy (함담보이)
 
Reactive micro services using RSocket
tothepointIT
 
The constrained application protocol (CoAP)
Hamdamboy (함담보이)
 
The constrained application protocol (co ap) part 3
Hamdamboy (함담보이)
 
21 HTTP Protocol #burningkeyboards
Denis Ristic
 
The constrained application protocol (coap) part 3
Hamdamboy
 
Websocket
艾鍗科技
 
IoT Coap
Rajanikanth U
 
The constrained application protocol (co ap) part 2
Hamdamboy (함담보이)
 
Computer networking mcis 6163 project
Anakinzs
 
CoAP protocol -Internet of Things(iot)
Sabahat Nowreen Shaik
 
Distributed Web-Cache using OpenFlow
Aasheesh Tandon
 
Http-protocol
Toushik Paul
 
application layer protocols
bhavanatmithun
 
web connectivity in IoT
FabMinds
 
Implementation and Performance Analysis of a UDP Binding for SOAP
Dr. Fahad Aijaz
 
HTTP
Daniel Kummer
 

Similar to The new (is it really ) api stack (20)

PPTX
Introduction to gRPC (Application) Presentation
Knoldus Inc.
 
PPTX
Introduction to gRPC Presentation (Java)
Knoldus Inc.
 
PDF
Robert Kubis - gRPC - boilerplate to high-performance scalable APIs - code.t...
AboutYouGmbH
 
PPTX
Introduction to gRPC. Advantages and Disadvantages
abdulrehmanlatif65
 
PPT
gRPC
Majid Alaeinia
 
PDF
gRPC Design and Implementation
Varun Talwar
 
PDF
gRPC - RPC rebirth?
Luís Barbosa
 
PDF
APIdays Helsinki 2019 - gRPC: Lightning Fast, Self-Documenting APIs with Moha...
apidays
 
PPTX
gRPC on .NET Core - NDC Sydney 2019
James Newton-King
 
PDF
Building Language Agnostic APIs with gRPC - JavaDay Istanbul 2017
Mustafa AKIN
 
PDF
apidays LIVE Helsinki - Implementing OpenAPI and GraphQL Services with gRPC b...
apidays
 
PPTX
CocoaConf: The Language of Mobile Software is APIs
Tim Burks
 
PDF
gRPC or Rest, why not both?
Mohammad Murad
 
PPTX
Building API Using GRPC And Scala
Knoldus Inc.
 
PDF
gRPC with java
Knoldus Inc.
 
PPTX
ASP.NET Core 3.0 Deep Dive
Jon Galloway
 
PDF
Fast and Reliable Swift APIs with gRPC
Tim Burks
 
PDF
From '00s to '20s: from RESTful to gRPC
Gianfranco Reppucci
 
PDF
Creating Great REST and gRPC API Experiences (in Swift)
Tim Burks
 
PPTX
What I learned about APIs in my first year at Google
Tim Burks
 
Introduction to gRPC (Application) Presentation
Knoldus Inc.
 
Introduction to gRPC Presentation (Java)
Knoldus Inc.
 
Robert Kubis - gRPC - boilerplate to high-performance scalable APIs - code.t...
AboutYouGmbH
 
Introduction to gRPC. Advantages and Disadvantages
abdulrehmanlatif65
 
gRPC
Majid Alaeinia
 
gRPC Design and Implementation
Varun Talwar
 
gRPC - RPC rebirth?
Luís Barbosa
 
APIdays Helsinki 2019 - gRPC: Lightning Fast, Self-Documenting APIs with Moha...
apidays
 
gRPC on .NET Core - NDC Sydney 2019
James Newton-King
 
Building Language Agnostic APIs with gRPC - JavaDay Istanbul 2017
Mustafa AKIN
 
apidays LIVE Helsinki - Implementing OpenAPI and GraphQL Services with gRPC b...
apidays
 
CocoaConf: The Language of Mobile Software is APIs
Tim Burks
 
gRPC or Rest, why not both?
Mohammad Murad
 
Building API Using GRPC And Scala
Knoldus Inc.
 
gRPC with java
Knoldus Inc.
 
ASP.NET Core 3.0 Deep Dive
Jon Galloway
 
Fast and Reliable Swift APIs with gRPC
Tim Burks
 
From '00s to '20s: from RESTful to gRPC
Gianfranco Reppucci
 
Creating Great REST and gRPC API Experiences (in Swift)
Tim Burks
 
What I learned about APIs in my first year at Google
Tim Burks
 
Ad

More from Red Hat (20)

PDF
Meetup 2023 - Gateway API.pdf
Red Hat
 
PDF
Meetup 2022 - APIs with Quarkus.pdf
Red Hat
 
PDF
Meetup 2022 - API Gateway landscape.pdf
Red Hat
 
PPTX
APIs at the Edge
Red Hat
 
PDF
Opa in the api management world
Red Hat
 
PDF
How easy (or hard) it is to monitor your graph ql service performance
Red Hat
 
PDF
Covid impact on digital identity
Red Hat
 
PPTX
How do async ap is survive in a rest world
Red Hat
 
PDF
The case for a unified way of speaking to things
Red Hat
 
PDF
What is the best approach to tdd
Red Hat
 
PDF
Leverage event streaming framework to build intelligent applications
Red Hat
 
PDF
Using Streaming APIs in Production
Red Hat
 
PDF
The independence facts
Red Hat
 
PDF
Api observability
Red Hat
 
PPTX
Api service mesh and microservice tooling
Red Hat
 
PDF
Api design best practice
Red Hat
 
PDF
Certificate complexity
Red Hat
 
PDF
Lucamaf1 2949-db--winter2013-accomplishment
Red Hat
 
PDF
certificate game theory
Red Hat
 
PDF
statement of accomplishment - heterogeneous parallel programming
Red Hat
 
Meetup 2023 - Gateway API.pdf
Red Hat
 
Meetup 2022 - APIs with Quarkus.pdf
Red Hat
 
Meetup 2022 - API Gateway landscape.pdf
Red Hat
 
APIs at the Edge
Red Hat
 
Opa in the api management world
Red Hat
 
How easy (or hard) it is to monitor your graph ql service performance
Red Hat
 
Covid impact on digital identity
Red Hat
 
How do async ap is survive in a rest world
Red Hat
 
The case for a unified way of speaking to things
Red Hat
 
What is the best approach to tdd
Red Hat
 
Leverage event streaming framework to build intelligent applications
Red Hat
 
Using Streaming APIs in Production
Red Hat
 
The independence facts
Red Hat
 
Api observability
Red Hat
 
Api service mesh and microservice tooling
Red Hat
 
Api design best practice
Red Hat
 
Certificate complexity
Red Hat
 
Lucamaf1 2949-db--winter2013-accomplishment
Red Hat
 
certificate game theory
Red Hat
 
statement of accomplishment - heterogeneous parallel programming
Red Hat
 
Ad

Recently uploaded (20)

PDF
Empower Your Tech Vision- Why Businesses Prefer to Hire Remote Developers fro...
logixshapers59
 
PDF
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdf
Varsha Nayak
 
PDF
Linux Certificate of Completion - LabEx Certificate
VICTOR MAESTRE RAMIREZ
 
PDF
SciPy 2025 - Packaging a Scientific Python Project
Henry Schreiner
 
PDF
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 
PPTX
Transforming Mining & Engineering Operations with Odoo ERP | Streamline Proje...
SatishKumar2651
 
PPTX
Hardware(Central Processing Unit ) CU and ALU
RizwanaKalsoom2
 
PPTX
AEM User Group: India Chapter Kickoff Meeting
jennaf3
 
PDF
유니티에서 Burst Compiler+ThreadedJobs+SIMD 적용사례
Seongdae Kim
 
PDF
SAP Firmaya İade ABAB Kodları - ABAB ile yazılmıl hazır kod örneği
Salih Küçük
 
PDF
TheFutureIsDynamic-BoxLang witch Luis Majano.pdf
Ortus Solutions, Corp
 
PPTX
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pptx
Varsha Nayak
 
PPTX
Milwaukee Marketo User Group - Summer Road Trip: Mapping and Personalizing Yo...
bbedford2
 
PPTX
Home Care Tools: Benefits, features and more
Third Rock Techkno
 
PDF
Driver Easy Pro 6.1.1 Crack Licensce key 2025 FREE
utfefguu
 
PPTX
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
PDF
Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...
VictoriaMetrics
 
PPTX
Homogeneity of Variance Test Options IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PDF
AI + DevOps = Smart Automation with devseccops.ai.pdf
Devseccops.ai
 
PDF
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 
Empower Your Tech Vision- Why Businesses Prefer to Hire Remote Developers fro...
logixshapers59
 
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdf
Varsha Nayak
 
Linux Certificate of Completion - LabEx Certificate
VICTOR MAESTRE RAMIREZ
 
SciPy 2025 - Packaging a Scientific Python Project
Henry Schreiner
 
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 
Transforming Mining & Engineering Operations with Odoo ERP | Streamline Proje...
SatishKumar2651
 
Hardware(Central Processing Unit ) CU and ALU
RizwanaKalsoom2
 
AEM User Group: India Chapter Kickoff Meeting
jennaf3
 
유니티에서 Burst Compiler+ThreadedJobs+SIMD 적용사례
Seongdae Kim
 
SAP Firmaya İade ABAB Kodları - ABAB ile yazılmıl hazır kod örneği
Salih Küçük
 
TheFutureIsDynamic-BoxLang witch Luis Majano.pdf
Ortus Solutions, Corp
 
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pptx
Varsha Nayak
 
Milwaukee Marketo User Group - Summer Road Trip: Mapping and Personalizing Yo...
bbedford2
 
Home Care Tools: Benefits, features and more
Third Rock Techkno
 
Driver Easy Pro 6.1.1 Crack Licensce key 2025 FREE
utfefguu
 
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...
VictoriaMetrics
 
Homogeneity of Variance Test Options IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
AI + DevOps = Smart Automation with devseccops.ai.pdf
Devseccops.ai
 
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 

The new (is it really ) api stack

  • 1. Built by Luca Ferrari Version 1.0 The new (is it really?) API stack by Luca Ferrari EMEASolutionArchitect Red Hat 1
  • 2. Built by Luca Ferrari Version 1.0 What we are going to see today: ➔ Intro to grpc (and HTTP/2) ➔ Intro to protobuf ➔ Layering on Golang ➔ Comparison with REST 2 ➔ Demo building a microservice ➔ Protection with API Management ➔ Resources
  • 3. Overview Why we are speaking today about gRPC? 3
  • 5. Also... ● One of the protocols supported by Istio Service Mesh ● Reaching some of the limits of REST ● Reaching some of the limits of HTTP/1.1 ● What about yourself? 5
  • 6. What is HTTP/2 and why it’s important to know about it 6
  • 7. History 1991 HTTP 0.9 1996 HTTP 1.0 1997 HTTP 1.1 2009 SPDY 1.0 2015 HTTP 2.0 7
  • 8. Principles new version of HTTP: 1. Simplicity 2. High performance 3. Robustness Aim: ● reduce latency in processing browser requests ● while maintaining compatibility 8
  • 9. HTTP/1.1 issues 1 HTTP/1.1 was limited to processing only one outstanding request per TCP connection, forcing browsers to use multiple TCP connections to process multiple requests simultaneously. 2 However, using too many TCP connections in parallel leads to TCP congestion that causes unfair monopolization of network resources 3 Issuing multiple requests from the browser also causes data duplication on data transmission wires, which in turn requires additional protocols to extract the desired information free of errors at the end-nodes. 4 Security loopholes (like Cookie Hack)* 9* [ http://http2.github.io/http2-spec/#TLSUsage ]
  • 10. HTTP/2 solutions 1 Multiplexed streams: Earlier iterations of the HTTP protocol were capable of transmitting only one stream at a time along with some time delay between each stream transmission. Receiving tons of media content via individual streams sent one by one is both inefficient and resource consuming. This new layer allows client and server to disintegrate the HTTP payload into small, independent and manageable interleaved sequence of frames. Benefits: ● The parallel multiplexed requests and response do not block each other. ● A single TCP connection is used despite transmitting multiple data streams. ● Reduced latency, faster web performance, better search engine rankings. 10
  • 11. HTTP/2 solutions 2 Server Push: This capability allows the server to send additional cacheable information to the client that isn’t requested but is anticipated in future requests. For example, if the client requests for the resource X and it is understood that the resource Y is referenced with the requested file, the server can choose to push Y along with X instead of waiting for an appropriate client request. This mechanism saves a request-respond round trip and reduces network latency. Benefits: ● The client can reuse these cached resources across different pages. ● The server can multiplex pushed resources along with originally requested information within the same TCP connection. ● The client can decline pushed resources to maintain an effective repository of cached resources or disable Server Push entirely. 11
  • 12. HTTP/2 solutions 3 Binary protocols: HTTP1.x used to process text commands to complete request-response cycles. HTTP/2 will use binary commands (in 1s and 0s) to execute the same tasks. Although it will probably take more efforts to read binary as compared text commands, it is easier for the network to generate and parse frames available in binary. The actual semantics remain unchanged. Benefits: ● Low overhead in parsing data ● Less prone to errors ● Lighter network footprint ● Eliminating security concerns associated with the textual nature of HTTP1.x such as response splitting attacks* 12* [ https://resources.infosecinstitute.com/http-response-splitting-attack/#gref ]
  • 13. HTTP/2 solutions 4 Stream prioritization: Stream prioritization works with Dependencies and Weight assigned to each stream. Although all streams are inherently dependent on each other except, the dependent streams are also assigned weight between 1 and 256. The details for stream prioritization mechanisms are still debated. Holding off data stream processing requests on a random basis undermines the efficiencies and end- user experience promised by HTTP/2 changes. Benefits: ● Effective network resource utilization. ● Reduced time to deliver primary content requests. ● Improved page load speed and end-user experience. 13
  • 14. HTTP/2 solutions 5 Header Compression: The HTTP application protocol is stateless, which means each client request must include as much information as the server needs to perform the desired operation. This mechanism causes the data streams to carry multiple repetitive frames of information such that the server itself does not have to store information from previous client requests. HTTP/2 adds the ability to compress large number of redundant header frames. It uses the HPACK specification. Both client and server maintain a list of headers used in previous client-server requests. Benefits: ● Reduced resource overhead ● Encodes large headers as well as commonly used headers which eliminates the need to send the entire header frame itself. ● Not vulnerable to security attacks such as CRIME 14
  • 15. HTTP/2 solutions 6 Security: HTTP/2 defines a profile of TLS that is required; this includes the version, a ciphersuite blacklist, and extensions used (with TLS1.2 set as minimum ciphersuite) There is also discussion of additional mechanisms, such as using TLS for HTTP:// URLs (so-called “opportunistic encryption”). 15
  • 16. Quick demo Two elements: ● Is a website HTTP/2 ready: https://tools.keycdn.com/http2-test [facebook.com] ● Do a speed comparison between HTTP/1.1 and HTTP/2: https://http2.akamai.com/demo 16
  • 17. What is gRPC and why it’s important to know about it 17
  • 18. REST issues 1 Not built for microservices chattiness architecture 2 JSON format not optimized for efficiency or performance 3 Streaming APIs not native to REST 4 API Spec loosely coupled to REST Client generation issues 18
  • 19. Definition gRPC, short for “gRPC Remote Procedure Call,” is Google’s lightweight, open source RPC framework gRPC is a high performance, open-source remote procedure call (RPC) framework that can run anywhere. It enables client and server applications to communicate transparently, and makes it easier to build connected systems. gRPC follows HTTP semantics over HTTP/2. It allows you to build services with both synchronous and asynchronous communication model. It supports traditional Request/Response model and bidirectional streams. Its capability for building full-duplex streaming lets you use it for advanced scenarios where both client and server applications can send stream of data asynchronously 19
  • 20. Principles Google has been using a single general-purpose RPC infrastructure called Stubby to connect the large number of microservicesrunning within and acrossourdata centersfor over a decade … https://grpc.io/blog/principles/ gRPC is a Cloud Native Computing Foundation (CNCF) project. 20
  • 21. Use cases ● Low latency, highly scalable, distributed systems. ● Developing mobile clients which are communicating to a cloud server. ● Designing a new protocol that needs to be accurate, efficient and language independent. ● Layered design to enable extension eg. authentication, load balancing, logging and monitoring etc. 21
  • 22. Data Format By default, gRPC uses Protocol Buffers as the Interface Definition Language (IDL) and as its underlying message interchange format. But it comes with external support for other content types such as FlatBuffers and Thrift, at varying levels of maturity. 22
  • 23. What is protobuf and why it’s important to know about it 23
  • 24. Definition Protocol Buffers (Protobuf) is a method of serializing structured data. The method involves an interface descriptionlanguage that describes the structure of some data and a program that generates source code from that description for generating or parsing a stream of bytes that represents the structured data. It is a simple language-neutral and platform-neutral Interface Definition Language (IDL) for defining data structure schemas and programming interfaces. It supports both binary and text wire formats, and works with many different wire protocols on different platforms. The design goals for Protocol Buffers emphasized simplicity and performance. In particular, it was designed to be smaller and faster than XML. 24
  • 25. How does it work Unlike JSON and XML, Protocol Buffers are not just message interchange format, it’s also used for describing the service interfaces (service endpoints). Thus Protocol Buffers are used for both the service interface and the structure of the payload messages. Like a typical communication between a client application and a RPC system, a gRPC client application can directly call methods on a remote server as if it was a local object in your client application. 25
  • 26. To Go or not to Go 26
  • 27. Language Natural choice for gRPC and protobuf is Golang given the plugins and tools available There are also plugins in the following languages: ● C++ ● Java ● Python ● Ruby ● Node.js ● C# 27
  • 28. 2 minutes setup go get -u github.com/golang/protobuf/proto go get -u github.com/golang/protobuf/protoc-gen-go go get google.golang.org/grpc 28
  • 30. gRPC advantage The main advantage of developing services and clients with gRPC is that your service code or client side code doesn’t need to worry about parsing JSON or similar text-based message formats (within the code or implicitly inside the underlying libraries such as Jackson, which is hidden from service code). What comes in the wire is a binary format, which is unmarshalled into an object. Therefore, as a general practice, we can use gRPC for all synchronous communications between internal microservices. Other synchronous messaging technologies such as RESTful services and GraphQL are more suitable for external-facing services. 30
  • 31. REST comparison 31 Feature gRPC HTTP APIs with JSON Contract Required (.proto) Optional (OpenAPI) Protocol HTTP/2 HTTP Payload Protobuf (small, binary) JSON (large, human readable) Prescriptiveness Strict specification Loose. Any HTTP is valid. Streaming Client, server, bi- directional Client, server Browser support No (requires grpc-web) Yes Security Transport (TLS) Transport (TLS) Client code- generation Yes OpenAPI + third-party tooling
  • 33. Did you say SOAP? You can think about gRPC Web Services as a throwback to the original Web Service technologies, SOAP and WSDL. Unlike REST, gRPC isn't an architectural style that comes with a lot of design principles or guidelines on how you should structure your services. Instead, like WSDL/SOAP services, gRPC is a technical specification that lets you call methods over the Internet without worrying about what platform the service or the client is running on 33
  • 35. Building the demo 35 Define service interface in protobuf01 ● Customer service with 2 methods ● Defined in .proto file ● Request / response or stream
  • 36. Building the demo 36 Generate code for client and server02 ● Use protocol buffer compiler ● Outputs go files Define service interface in protobuf01 ● Customer service with 2 methods ● Defined in .proto file ● Request / response or stream
  • 37. Building the demo 37 Implement the gRPC server 03 ● Implement the 2 service methods Generate code for client and server02 ● Use protocol buffer compiler ● Outputs go files Define service interface in protobuf01 ● Customer service with 2 methods ● Defined in .proto file ● Request / response or stream
  • 38. Building the demo 38 Implement the gRPC server 03 ● Implement the 2 service methods Generate code for client and server02 ● Use protocol buffer compiler ● Outputs go files Define service interface in protobuf01 ● Customer service with 2 methods ● Defined in .proto file ● Request / response or stream Use the gRPC client 04 ● Or use a curl tool to test the service (remember to set the HTTP2 option)
  • 39. Setup Local setup on my machine 3 folders: 1. Client 2. Server 3. Service definition Using self-signed certificate and server reflection 39 go run main.go grpcui -plaintext localhost:50051 grpcui -cacert "cert/ca.cert" localhost:50051
  • 40. 40
  • 42. API Gateway Most recent API Management solutions can understand: ● HTTP/2 ● gRPC https://github.com/3scale/APIcast/pull/1128 42
  • 44. Performance comparison Test performed on the same service implemented using either grpc/protobuf or REST/JSON Both services are using Golang Latency CPUandmemory Bandwidth 44 Unexpectedly very similar results in terms of both CPU and memory usage
  • 45. Conclusion Whento use gRPC: ● Well suited for IoT and Mobile cases, given bandwidth efficiency ● Well suited for intra microservice communication ● Standard way to document interface and messages ● Standard way to produce client and server code from service definition (language agnostic) ● Don’t want to deal with serialization / deserialization 45
  • 46. Conclusion Whennot to use gRPC: ● You don’t want your client and server to be tightly coupled ● You are using REST not in a RESTful way and hope gRPC will solve all your problems ● You love the buzzword 46

Editor's Notes

  • #8: https://kinsta.com/learn/what-is-http2/#
  • #9: centers around three qualities rarely associated with a single network protocol without necessitating additional networking technologies with techniques such as multiplexing, compression, request prioritization and server push.
  • #11: https://kinsta.com/learn/what-is-http2/#multiplexed-streams
  • #12: https://kinsta.com/learn/what-is-http2/#multiplexed-streams
  • #13: https://kinsta.com/learn/what-is-http2/#multiplexed-streams
  • #14: https://kinsta.com/learn/what-is-http2/#multiplexed-streams
  • #15: https://kinsta.com/learn/what-is-http2/#multiplexed-streams
  • #16: https://kinsta.com/learn/what-is-http2/#multiplexed-streams
  • #17: centers around three qualities rarely associated with a single network protocol without necessitating additional networking technologies with techniques such as multiplexing, compression, request prioritization and server push.
  • #20: https://medium.com/@shijuvar/building-high-performance-apis-in-go-using-grpc-and-protocol-buffers-2eda5b80771b
  • #22: https://grpc.io/faq/
  • #32: https://docs.microsoft.com/en-us/aspnet/core/grpc/comparison?view=aspnetcore-3.0
  • #33: https://levelup.gitconnected.com/grpc-in-microservices-5887caef195
  • #45: https://medium.com/google-cloud/exploring-grpc-on-google-cloud-platform-82531b4b82b7