Istio adoption at Sberbank: Viewpoints from the international project team
Learn how Sberbank used Istio to modernize their application infrastructure.
In 2018, Sberbank initiated a project, codenamed SberSynapse (referred to as Synapse hereafter), to develop a robust integration architecture for their banking application. Their goal was to build a cloud-native solution, so the Synapse team chose a service mesh — and, specifically, Istio — to manage communication between various banking applications and services.
In this blog post, Brad Topol, IBM Distinguished Engineer, asked the Sberbank project team to comment on their work modernizing the current integration layer, key challenges, decisions made, and lessons learned.
Brad Topol: What is Synapse and what benefits can it bring to the users?
Igor Gustomyasov, Synapse Managing Director, Sberbank: The idea behind Synapse was to provide connectivity between multiple applications to form one entity – an idea that is similar to the idea of synapses in neuroscience. Synapses pass signals from one neuron to another, and our project does the same with data between applications.
The Synapse project is part of Platform V (a technology platform made by Sberbank) and provides an integration platform as a service that gives users the ability to perform different integration scenarios, including service mesh, synchronous and asynchronous interactions, event-driven architecture, and file integration.
With Synapse, we are helping our users to improve time-to-market by allowing them to focus on creating business functionality and removing limits on scalability. We are concerned about service level agreements, but Synapse improves our whole system’s performance and decreases latency (approx. from 50 ms to 8 ms). In addition to the core functionality, Synapse users benefit from cloud-native advantages like flexibility and gain required modern functionality like timeouts, circuit breakers, bulkheads, and retries.
Brad Topol: Why was Sberbank interested in looking at service mesh technology?
Igor Gustomyasov: Simply put, we needed a service mesh technology to help us scale dramatically. Sberbank is expanding its ecosystem to create additional value for customers beyond banking, including industries such as retail, telco, e-health, and others.
Offering this increased level of support will generate additional workloads on the current financial transactions. We predict that we will need to move from several hundred systems and 1,000+ APIs to over 10,000 connected services and 10,000+ APIs.
After much research, we decided that a microservices architecture would help us achieve these increased workloads. The enterprise service bus worked well for years, but due to the dramatic workload increase, we decided to redesign our current integration layer, moving from broker-type to brokerless by implementing service mesh and other cloud-native technologies.
Brad Topol: How did you merge these new cloud-native technologies with the current technology stack?
Sergey Gorkov, Solution architect, Sberbank: We evaluated each application to determine how — or if — it would use Synapse and a service mesh inside the application. For each application, we assigned it one of three paths:
- No change. In this approach, the application is not changed at all. The service bus functionality is migrated to the service mesh, and the application uses specific adapters.
- Hybrid approach. This approach modernizes the application and part of the services are migrated to the cloud.
- New application. The application is developed as cloud-native and cloud-ready from the beginning.
Initially, we decided to only update applications that followed cloud development principles. We chose cloud-ready applications from the teams who were actively using the service bus.
Brad Topol: What were the key architectural decisions you made?
Denis Grafenkov, Enterprise Architect, Sberbank: Choosing to adopt the Istio service mesh influenced the following architectural decisions in three major ways:
- Creation of internal cloud-native architecture. To support application migration to a microservices architecture, we developed an internal architectural standard for developing cloud-native applications. All internal systems and applications now follow this standard and pass an automated process control.
- Use of decentralized organizational model. We decided to move away from a centralized organizational model for integration solutions. For each application region, we deployed a separate service mesh with several applications in it. Each application runs in its unique namespace that is controlled by its own ingress and egress gateways. This configuration gives each application a high level of isolation, from security and policy control perspectives within the boundary of its namespace.
- Key and certificate management for security. Security tools, along with Istio’s built-in key and certificate management, significantly helped administrators maintain security functions. In future builds, we plan to integrate with the bank’s Certificate Authority to ensure a complete lifecycle of key and certificate management for both internal and external applications in the service mesh.
Brad Topol: Do you use the full breadth of Istio’s security functionality? What are the main goals of Istio’s implementation in terms of application security?
Danila Trushin, Synapse security services lead, Sberbank: In a banking scenario, cross-application interactions are a heavy security load due to the large number of hosts, technologies, network zones, and more. We have to secure data from unauthorized access, provide strong authentication and authorization to our cloud-native application services, and provide information to audit and monitoring systems, such as access logs.
Using Istio in cooperation with other technologies significantly simplified some of these security challenges. With Istio, we were able to:
- Secure traffic between application pods with an out-of-the-box mutual TLS
- Provide a unique identity for each service
- Realize flexible authentication and authorization for internal (inside one mesh) and external (for non-cloud solutions) client systems
Istio’s embedded certification authority (CA) allows us to split security zones between different clusters and between cloud-native and non-cloud applications that use another stand-alone CA. Istio’s authorization system is extensible and allows us to integrate with the bank’s security services such as authorization service and centralized audit system (a part of SIEM).
Initial security tests performed inside the bank showed a high level of security in the Synapse platform.
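As an added illustration (not configuration taken from the Sberbank or Synapse deployment), the per-namespace isolation, out-of-the-box mutual TLS and service-identity-based authorization described in the two answers above can be expressed with standard Istio resources like the following. The namespace `payments`, the workload label `app: accounts` and the service account `ledger` are hypothetical names chosen for the example:

```yaml
# Added example, not Synapse's own configuration. Names are hypothetical.
# 1. Require mutual TLS for every workload in the namespace: the sidecar rejects
#    plaintext, so only peers holding a mesh-CA-issued identity can connect.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# 2. Deny by default. An AuthorizationPolicy with an empty spec selects every
#    workload in the namespace and matches no request, so everything is refused
#    until an explicit ALLOW policy says otherwise.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 3. Allow exactly one caller. The principal is the SPIFFE identity Istio's CA
#    issues to the "ledger" service account (spiffe://cluster.local/ns/payments/sa/ledger),
#    written in the short form the AuthorizationPolicy API expects.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: accounts-allow-ledger
  namespace: payments
spec:
  selector:
    matchLabels:
      app: accounts
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/ledger"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/v1/accounts/*"]
```

With these three resources applied, a request to the `accounts` workload from any other service account, or from a pod outside the mesh without a client certificate, is answered by the sidecar with HTTP 403 (`RBAC: access denied`) or a TLS failure respectively, and the decision is recorded in the Envoy access log, which is the kind of audit evidence the answer above mentions forwarding to a SIEM. The mesh CA that signs these identities can be replaced with an enterprise CA by supplying Istio a `cacerts` secret in `istio-system` containing the intermediate certificate, its key and the root chain, which is the integration path the earlier answer describes as planned.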
Brad Topol: How did you choose the first applications to start experimenting with Istio? Was it hard to convince product teams to try it?
Zoya Badu, Customer Relationship Manager: Synapse is a product made by developers for developers. Developers from other product teams within Sberbank were interested in gaining skills and experience with a new, innovative technology stack that included a service mesh (Istio), microservices, and DevOps. As a result, we had zero issues engaging the first product teams to try Synapse and we even had some competition to be the first application.
Brad Topol: What was IBM’s role in this project?
Vladimir Alekseev, Client Technical Architect, IBM: IBM and Sberbank have been partners for a long time, with both companies valuing open source development. IBM was a co-creator of Istio and is still one of its lead contributors, so our team was able to help Sberbank make architectural decisions and map non-functional requirements to Istio deployment in terms of performance, availability, and security.
Istio contributors from the IBM Research team in Haifa worked with experts from IBM’s Moscow office to help the Synapse team fully understand the specifics of designing and running Istio in production and take advantage of the flexibility offered by a hybrid cloud environment.
Brad Topol: It’s unique that you were brought in to advise on a purely open source implementation. What are the options for enterprises to work with the open source community?
Maksim Chudnovsky, Open Source Architect, IBM: While the decision to use Istio in Synapse was clear from a technical perspective, we did have to consider how our work with Sberbank and Synapse would affect the greater Istio community, which values both technology expertise and community work. The collaboration between the IBM and Sberbank teams worked very well in this context due to the way we worked together to solve issues, find workarounds, and contribute those fixes jointly to the Istio project.
To solve issues, we used two main approaches. For small issues that don’t need to be widely discussed in the community, we upstreamed fixes. For example, the Sberbank team faced an issue with init container restart (#16768) and an rpm proxy error (#16787) that the IBM team fixed. For more serious issues without a clear solution, the bank made their own workarounds as hotfixes to save time.
In the Synapse case, IBM was a bridge between Sberbank and the Istio community, guiding the bank on their path to adopt open source.
Brad Topol: What were the key insights and takeaways for the Istio project at Sberbank?
Vita Bortnikov, Distinguished Engineer, IBM Research, Haifa: Working with Sberbank to integrate Istio as a key part of the Synapse platform gave us invaluable insight into our clients’ needs and helped us understand key, real-world requirements that we needed to implement for Istio to become the default framework for connecting microservices in enterprise systems.
My two big takeaways from this engagement are related to enterprise security integration and multi-cluster deployments. While Istio brings its own tools, such as Citadel, for certificate management, when Istio is part of a bigger enterprise system, there are many restrictions and policies set by CISO on how security (and in particular certificates) are managed by the enterprise. This forced us to modify Istio to be flexible in its integration with enterprise Certificate Authorities. In the Sberbank use case, Istio clusters are part of bigger systems, which requires defining policies and rules on outgoing communication from Istio to other services in the organization. The use case strengthened, focused, and extended our work on Istio egress mechanisms.
Sberbank is a large, real-world system that required multi-cluster deployment. We had to figure out how to deploy the Synapse system into a number of Kubernetes and Openshift clusters. It was clear that we needed many clusters for Synapse and that we needed Istio to provide the capability to connect services running in different clusters, exposing only a subset of services based on defined policies. We used what we learned from this engagement to shape Istio’s multi-cluster design.
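The egress policy concern raised in the answer above, namely that a mesh embedded in a larger enterprise has to state explicitly which outside services its workloads may reach, maps onto three Istio mechanisms. The following is an added example, not Synapse's configuration; the namespace `payments` and the host `corebank.internal.example` are hypothetical:

```yaml
# Added example, not Synapse's own configuration. Names and hosts are hypothetical.
# 1. Mesh-wide default: sidecars may only send traffic to hosts known to the
#    service registry. Anything unregistered is dropped instead of passed through.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
---
# 2. Per-namespace scope: workloads in "payments" only learn routes for services
#    (and ServiceEntries) in their own namespace plus the control plane namespace,
#    so a compromised pod cannot even address other applications' services.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: payments
spec:
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
---
# 3. Explicit allow-list entry for one non-mesh datacenter service. Because it is
#    declared in "payments", the Sidecar's "./*" rule exposes it only to that namespace.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: core-banking-api
  namespace: payments
spec:
  hosts:
  - corebank.internal.example
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
```

The practical check after applying this is to exec into a pod in `payments` and attempt a connection to a host that has no ServiceEntry: with `REGISTRY_ONLY` the sidecar refuses it (for HTTP, a 502 from the `BlackHoleCluster`), while `corebank.internal.example` still resolves and connects. Routing the allowed external traffic through an egress gateway in `istio-system` is the further step that gives a single audit point for outbound connections, which is the direction the answer describes the Istio egress work taking.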
Brad Topol: Are there any future enhancements Istio could provide for enterprise use cases?
Etai Lev Ran, Istio Technical Lead, IBM Research Lab Haifa: Using Istio with an existing application infrastructure highlighted several potential ways Istio could change to help other enterprise companies. From our work with Sberbank, we realized that Istio’s support for Kafka needs to be extended to include security and access controls. Additionally, seeing how Istio interacted with existing enterprise applications, datacenter services and VMs showed us areas where the community needs to focus on enhancing Istio for future application modernization projects.
The topic of API management and Istio integration is also fundamental for supporting enterprise applications. Because Sberbank Synapse is an integration platform, it manages services for internal consumption (Istio) and external consumption (API users). This real-world use case highlighted the need for compatible interfaces for the services that are used both internally and externally.
With help from IBM and the Istio community, Sberbank had a positive experience adopting Istio in the Synapse project. Synapse is now working in production with a current load of about 5,000 requests per second. Sberbank is expanding Istio adoption by providing Synapse as a platform to a large number of their product teams to develop services using cookbooks, guidelines and recommendations.
“Synapse — enabled by Istio — has become an enabler for internal Sberbank IT transformation and is helping accelerate the transition to cloud-native technology stack,” says Igor Gustomyasov.