add initial ambient mc perf doc #16846
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,30 @@ | ||||||
| --- | ||||||
| title: Ambient Multicluster Performance | ||||||
| description: Ambient Multicluster performance and scalability summary. | ||||||
| weight: 30 | ||||||
| keywords: | ||||||
| - performance | ||||||
| - scalability | ||||||
| - scale | ||||||
| - multicluster | ||||||
| owner: istio/wg-environments-maintainers | ||||||
| test: n/a | ||||||
| --- | ||||||
|
|
||||||
| Multicluster deployments with Ambient mode enable you to offer truly globally resilient applications at scale with minimal overhead. In addition to its normal functions, the Istio control plane creates watches on all remote clusters to keep an up-to-date listing of what global services each cluster offers. The Istio dataplane can route traffic to these remote global services, either as a part of normal traffic distribution, or specifically when the local service is unavailable. | ||||||
|
|
||||||
| ## Control plane performance | ||||||
|
|
||||||
| As documented [here](/docs/ops/deployment/performance-and-scalability), the Istio control plane generally scales as the product of deployment changes, configuration changes, and the number of connected proxies. Ambient Multi Cluster adds two new dimensions to the Control Plane scalability story: number of remote clusters, and number of remote services. This means that adding 10 remote services to the mesh has substantially lower impact on the control plane performance than adding 10 local services. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| Our Multicluster Control Plane Load test created 300 services with 4000 endpoints in each of 10 clusters, and added these clusters to the mesh one at a time. The approximate control plane impact of adding a remote cluster at this scale was **1% of a CPU core, and 180 MB of memory**. At this scale, it should be safe to scale well beyond 10 clusters in a mesh with a properly scaled control plane. One item to note is that for Multicluster scalability, horizontally scaling the control plane will not help, as each control plane instance maintains a complete cache of remote services. Instead, we recommend modifying the resource requests and limits of the control plane to scale vertically to meet the needs of your multicluster mesh. | ||||||
|
There was a problem hiding this comment. we should standardize on "multi cluster" vs "multicluster" There was a problem hiding this comment. Multicluster as a single word is the standardized term There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| ## Data plane performance | ||||||
|
|
||||||
| When traffic is routed to a remote cluster, the originating data plane establishes an encrypted tunnel to the destination cluster's east/west gateway. It then establishes a secondary encrypted tunnel inside the first, which is terminated at the destination data plane. This use of inner and outer tunnels allows the data plane to securely communicate with the remote cluster without knowing the details of which pod IPs represent which services. | ||||||
|
|
||||||
| This double-encryption does carry some overhead, however. The Data Plane Load test measures the response latency of traffic between pods in the same cluster, versus those in two different clusters, to understand the impact of double encryption on latency. Additionally, double encryption requires double handshakes, which disproportionately affects the latency of new connections to the remote cluster. As you can see below, our initial connections observed an average of 2.2 milliseconds(346%) additional latency, while requests using existing connections observed an increase of 0.13 milliseconds(72%). While these numbers appear significant, it is expected that most multicluster traffic will cross availability zones or regions, and the observed increase in overhead latency will be minimal compared to the overall transit latency between data centers. | ||||||
|
There was a problem hiding this comment. Its not the double encryption causing 346% increase though, right? At minimum its +1 TCP proxy hop, which is (likely) more expensive than the double TLS. Is this also tested on a real cross-zone/cross-VPC/etc cloud? Or is the network path ~zero cost in the test? If not, that would be a major factor here as well There was a problem hiding this comment. I believe the tests have no network cost since they're run with kind /cc @Stevenjin8 There was a problem hiding this comment. the +346% is due to having to reestablish an inner hbone for every connection. These tests were all run in kind locally. There was a problem hiding this comment. so yeah, its not due to double encryption alone There was a problem hiding this comment. Also, double encryption does not require double handshakes, we/I were just a bit lazy in our implementation. But we can also make the point that we can speed this up in the future to be roughly on par with request/response numbers There was a problem hiding this comment. Ah right, forgot the 346 is for CRR not RR. RR is the more important number anyways There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| {{< image link="./ambient-mc-dataplane-reconnect.png" caption="request latency with reconnect" width="90%" >}} | ||||||
|
|
||||||
| {{< image link="./ambient-mc-dataplane-existing.png" caption="request latency without reconnect" width="90%" >}} | ||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.