Anthos is a modern application management platform that provides a consistent development and operations experience for cloud and on-prem environments. This page provides an overview of each layer of the Anthos infrastructure and shows how you can leverage its features.
The following diagram shows the Anthos components and their interactions in a typical enterprise environment:
The primary computing environment for Anthos relies on Google Kubernetes Engine (GKE) and GKE On-Prem to manage Kubernetes installations in the environments where you intend to deploy your applications. These offerings bundle upstream Kubernetes releases and provide management capabilities for creating, scaling, and upgrading conformant Kubernetes clusters.
Kubernetes has two main parts: the control plane and the node components. With GKE, Google Cloud Platform hosts the control plane, and the Kubernetes API server is the only control-plane component accessible to customers. GKE manages the node components in the customer's project using instances in Compute Engine. With GKE On-Prem, all components are hosted in the customer's on-prem virtualization environment.
With Kubernetes installed and running, you have access to a common orchestration layer that manages application deployment, configuration, upgrade, and scaling.
To take advantage of the full functionality provided by Anthos, your GKE and GKE On-Prem clusters need IP connectivity among them. Additionally your GKE On-Prem environment must be able to reach Google's API endpoints, specifically Stackdriver for monitoring and alerting, and GKE Connect for registering clusters with Google Cloud Platform Console.
You can connect your on-prem and GCP environments in various ways. The easiest way to get started is by implementing a site-to-site VPN between the environments using Cloud VPN. If you have more stringent latency and throughput requirements, you can choose between Dedicated and Partner Cloud Interconnect. For more information on choosing an interconnect type, see Cloud VPN and other Interconnect Types.
Kubernetes allows users to provision Layer 4 and Layer 7 load balancers. GKE uses Network Load Balancing for Layer 4 and HTTP(S) Load Balancing for Layer 7. Both are managed services and do not require any additional configuration or provisioning on your part. In contrast, GKE On-Prem uses an on-prem load balancing appliance.
In Kubernetes, services are composed of many Pods, which execute containers. In a microservices architecture, a single application may consist of numerous services, and each service may have multiple versions deployed concurrently.
With a monolithic application, you have no network-related concerns, because communication happens through function calls that are isolated within the monolith. In a microservice architecture, service-to-service communication occurs over the network.
Networks can be unreliable and insecure, so services must be able to identify and deal with network idiosyncrasies. For instance, if Service A calls Service B, and there is a network outage, what should Service A do when it doesn't get a response? Should it retry the call? If so, how often? Or how does Service A know that it is Service B returning the call?
You can deal with these types of network concerns in a number of ways. For example:
You can use client libraries inside your application to mitigate some of the network's inconsistencies. Managing multiple library versions in a polyglot environment requires diligence, rigor, and—sometimes—duplicated effort.
You can use Istio, which is an open-source implementation of the service mesh model. Istio uses side-car proxies to enhance network security, reliability, and visibility. With a service mesh, like Istio, these functions are abstracted away from the application's primary container, and implemented in a common out-of-process proxy delivered as a separate container in the same Pod.
Istio's features include:
Fine-grained control of traffic with rich routing rules for HTTP, gRPC, WebSocket, and TCP traffic.
Request resiliency features such as retries, failovers, circuit breakers, and fault injection.
A pluggable policy layer and configuration API supporting access control and rate limiting.
Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress.
Secure service-to-service communication with authentication and authorization based on service accounts.
Facilitation of tasks like A/B testing, canary rollouts, fault injection, and rate-limiting.
Cloud Service Mesh (CSM) manages Istio in both GKE and GKE On-Prem, providing all the benefits of open-source Istio, without the complexity of configuration, installation, upgrade, and certificate authority setup.
CSM also provides the following integrations with GCP features:
View the connections between services.
Monitor and manage service level objectives (SLOs) for error rates and latency.
Provides service-to-service encryption.
Google manages the issuance and rotation of mTLS certificates and keys for Kubernetes Pods.
Integration with Cloud Identity-Aware Proxy (Cloud IAP)
Shows security information about applications running in the service mesh, and makes recommendations to help improve the security posture of applications.
Identifies services not secured by mTLS and alerts administrators.
Provides the necessary changes to the mesh policy and destination rule to remediate issues.
Centralized config management
Spanning multiple environments adds complexity in terms of resource management and consistency. Anthos provides a unified model for computing, networking, and even service management across clouds and datacenters.
Configuration as code is one common approach to managing this complexity. Anthos provides configuration as code via Anthos Config Management, which deploys the Anthos Config Management Operator to your GKE or GKE On-Prem clusters, allowing you to monitor and apply any configuration changes detected in a Git repo.
This approach leverages core Kubernetes concepts, such as Namespaces, labels, and annotations to determine how and where to apply the config changes to all of your Kubernetes clusters, no matter where they reside. The repo provides a versioned, secured, and controlled single source of truth for all of your Kubernetes configurations. Any YAML or JSON that can be applied with kubectl commands can be managed with the Anthos Config Management Operator and applied to any Kubernetes cluster using Anthos Config Management.
Anthos Config Management has the following benefits for your Kubernetes Engine clusters:
Single source of truth, control, and management
Enables the use of code reviews, validation, and rollback workflows.
Avoids shadows ops, where Kubernetes clusters drift out of sync due to manual changes.
Enables the use of CI/CD pipelines for automated testing and rollout.
One-step deployment across all clusters
Anthos Config Management turns a single Git commit into multiple kubectl commands across all clusters.
Rollback by simply reverting the change in Git. The reversion is then automatically deployed at scale.
Rich inheritance model for applying changes
Using Namespaces, you can create configuration for all clusters, some clusters, some Namespaces, or even custom resources.
Using Namespace inheritance, you can create a layered Namespace model that allows for configuration inheritance across the repo folder structure.
Unified user interface
As the number of Kubernetes clusters in an organization increases, it can be difficult to understand what is running across each environment. The GKE Dashboard provides a secure console to view the state of your Kubernetes clusters and Kubernetes workloads. With GKE Connect, you can register your GKE On-Prem clusters securely with GCP and view the same information that is available for your GKE clusters through the GKE Dashboard.
To connect a cluster, deploy the GKE Connect Agent, which sets up a secure tunnel that allows GCP Console to manage the resources in your cluster. All requests through GKE Connect are included in the audit logs for your cluster. You can restrict the capabilities of the agent by using the native RBAC functionality of your cluster.
Anthos is a platform of distinct services that work in concert to deliver value across the entire enterprise. This section describes how it can be used by the various roles in an organization, and the benefits each group will see.
Anthos for development
For the developer, Anthos provides a state-of-the-art container management platform based on Kubernetes. Developers can use this platform to quickly and easily build and deploy existing container-based applications and microservices-based architectures.
Key benefits include:
Git-compliant management and CI/CD workflows for configuration as well as code using Anthos Config Management.
Code-free instrumentation of code using Istio and Stackdriver to provide uniform observability.
Code-free protection of services using mTLS and throttling with CSM (Istio).
Support for Google Cloud Platform Marketplace to quickly and easily drop off-the-shelf products into clusters.
Anthos for operations
For Operations, Anthos provides centralized, efficient, and templatized deployment and management of clusters, allowing the operations team to quickly provide and manage infrastructure that is compliant with corporate standards.
Key benefits include:
Single command deployment of new clusters with GKE and GKE On-Prem (
Centralized configuration management and compliance with configuration-as-code and Anthos Config Management.
Simplified deployment and rollback with Git check-ins and Anthos Config Management.
Single pane of glass visibility across all clusters from infrastructure through to application performance and topology with Stackdriver and CSM (Istio).
Anthos for security
For Security, Anthos provides the ability to enforce security standards on clusters, deployed applications, and even the configuration management workflow using a configuration-as-code approach and centralized management.
Key benefits include:
Centralized, auditable, and securable workflow using Git compliant configuration repos with Anthos Config Management.
Compliance enforcement of cluster configurations using Namespaces and inherited config with Anthos Config Management.
Code-free securing of microservices using Istio, providing in-cluster mTLS and certificate management.
Built-in services protection using Istio throttling and routing.