Overview of IBM Hybrid Cloud Mesh
IBM® Hybrid Cloud Mesh (Mesh) is a multicluster, multicloud, application-layer connectivity solution that enables teams to build application networks in minutes. Application teams, networking teams, business transformation teams, and site reliability engineers (SREs) can all use it with ease.
This software-as-a-service (SaaS) solution delivers application networks across any cloud, on-premises environment, or cluster—connecting both cloud-native and non–cloud-native application components.
Mesh automatically configures a software-defined network for application microservices that are distributed across multiple clouds, and it abstracts the details of that distribution away from the application. Mesh is an overlay network, so the underlying networks, for example those of the Amazon Cloud, Microsoft™ Azure, and Google Cloud, do not need to be reconfigured.
Mesh provides the following value to businesses:
- Improved business agility: Mesh improves business agility by enabling clients to deploy new applications and services faster.
- Enhanced performance and response time: Mesh can improve performance and the response time of the user experience.
- Optimized security: Mesh improves security by reducing the attack surface.
- Better visibility and seamless operation: Mesh gives networking and security professionals better visibility into their enterprise network security along with network and system performance, which provides better recommendations for improvement. At the same time, it saves DevOps and application developer professionals from the burden of juggling application connections across heterogeneous networks and cloud providers.
- To get an overview of Mesh, explore the interactive sandbox. You can explore and experience how to establish simple and secure connections between your applications and services in a multicloud environment. Follow the guided tours to see how to migrate your on-premises applications to the cloud, increase your application resilience by using redundant network paths, and diagnose application performance issues.
- You can also start using our Mesh Free edition at no cost. The Free edition provides all of the Mesh capabilities in the Essentials edition. However, the applications and services that you can deploy are limited. For more information about the different editions of Mesh, see Mesh editions.
Installing Mesh
IBM Hybrid Cloud Mesh is a SaaS-based solution. The control plane runs in IBM Cloud® and provides a REST API to manage application connectivity across your deployment environments. You don't install the Mesh control plane. Instead, you enable access by subscribing to the service and logging in with your IBMid.
Mesh provides a REST API to manage your application connectivity. You install the palmctl CLI on your local machine to interact with the Mesh APIs. See Installing the CLI.
Gateways provide the application connectivity and run alongside the workloads in your cloud and on-premises deployment environments. Gateways are installed one time into your Kubernetes clusters by installing the Open Horizon agent. After installation, the gateways are managed by using the Mesh APIs. See Installing an Open Horizon agent.
Functional overview
Adopting large numbers of multicloud applications, where workloads are distributed across public clouds, edge devices, and on-premises data centers, can cause unresponsive networks in enterprise systems. The Mesh SaaS-based solution meets this challenge by delivering software that enables simple, scalable, seamless, and secure hybrid multicloud connectivity.
Mesh includes the following features:
- Infrastructure discovery
- Infrastructure discovery creates an inventory of an enterprise's multicloud deployment infrastructure, which enables Mesh to understand the scope and breadth of the enterprise network. The results of this discovery provide enterprise CloudOps teams with full visibility into their multicloud infrastructure. This feature requires credentials that can access enterprise cloud accounts and interrogate the cloud's API for assets. Periodic infrastructure discovery ensures that Mesh has the most current model of the enterprise infrastructure. Mesh uses infrastructure models to correlate applications and services with their supporting infrastructure. Examples of infrastructure include clouds, locations, Virtual Private Clouds (VPCs), and Kubernetes clusters.
- Application and service discovery
- Application and service discovery creates an inventory of points of connectivity between applications and services in a Kubernetes environment. When you deploy a Service Interconnect edge gateway, Mesh discovers all the pods that are running in that namespace.
The primary owner type for your pod can be one of Deployment, DaemonSet, StatefulSet, or VirtualMachine (KubeVirt). Mesh does not support other owner types. Based on the pods that are discovered and their owner type, Mesh then creates the following resources:
- Application resources for each pod owner.
- Instance resources for each supported pod.
- Service resources for each Kubernetes service that selects the supported pods by using a label selector. Mesh ignores Kubernetes services that do not use label selectors.
For example, you might have a Store application and an Inventory service in separate Kubernetes namespaces. The application needs to be able to connect to the service. Therefore, Mesh needs to be aware of the deployment environment of both the application and the service, even if that environment changes.
- Connecting applications and services
- Mesh simplifies how you connect your applications and services across deployment environments. When a gateway is deployed, Mesh automatically discovers the applications and services in the Kubernetes namespace. The applications and services don't need to be registered manually.
Mesh supports connectivity across major cloud platforms, including AWS, Microsoft Azure, IBM Cloud, and Red Hat OpenShift Service on AWS (ROSA). You can use Mesh to connect applications and services running in these environments, as well as on-premises infrastructure such as VMs, bare metal servers, and mainframes. For example, Mesh can connect an application deployed in Microsoft Azure to services hosted in IBM Cloud or AWS.
To establish connectivity, DevOps teams can create connection policies that express the intent to connect workloads such as Store and Inventory, regardless of where they are deployed. These policies enable applications to access services within the network segment and allow service requests to flow securely through the gateways. Connection policies decouple policy authoring from the deployment mechanics of applications and services. They also separate the nature of the connection from the specifics of the endpoints that are connected. To enforce the policies, the software gateways open ports at both ends of the gateway and create proxy services on the side of the point of origin. For more information, see Connecting applications by using policies in the Mesh console and Connecting applications by using policies with the Mesh CLI.
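The discovery rules above (supported pod owner types, one Application per owner, one Instance per supported pod, Service resources only for selector-based Kubernetes services) and the intent-style connection policy that names Store and Inventory rather than their locations can be modelled in a few dozen lines. The following Python is an added example, not IBM's code and not the Mesh API: the object shapes are simplified Kubernetes API fields, the ReplicaSet-to-Deployment owner walk and the `{"application": ..., "service": ...}` policy shape are assumptions, and the cluster objects are constructed sample data.

```python
"""Model of the Mesh discovery rules and an intent-style connection policy.

Added illustration, not IBM's code. Pods and Services are dicts carrying
only the Kubernetes API fields the rules need; the policy format is assumed.
"""
from dataclasses import dataclass, field

# Owner kinds the text lists as supported (VirtualMachine is KubeVirt).
SUPPORTED_OWNER_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "VirtualMachine"}


@dataclass
class Application:
    name: str
    kind: str
    namespace: str
    instances: list = field(default_factory=list)  # Instance resources (pod names)


@dataclass
class Service:
    name: str
    namespace: str
    selector: dict
    instances: list = field(default_factory=list)  # supported pods it selects


def controller_ref(obj):
    """The single controller ownerReference of an object, or None."""
    for ref in obj["metadata"].get("ownerReferences", []):
        if ref.get("controller"):
            return ref
    return None


def primary_owner(pod, objects):
    """Walk the controller chain (Pod -> ReplicaSet -> Deployment, ...) to the
    top-level owner. `objects` maps (kind, namespace, name) to intermediate
    owners such as ReplicaSets (assumed resolution, see lead-in)."""
    ns = pod["metadata"]["namespace"]
    ref = controller_ref(pod)
    while ref is not None:
        parent = objects.get((ref["kind"], ns, ref["name"]))
        nxt = controller_ref(parent) if parent is not None else None
        if nxt is None:
            return ref["kind"], ref["name"]  # top of the chain
        ref = nxt
    return None


def discover(pods, services, objects):
    """Apply the discovery rules from the text to one namespace's objects."""
    apps, supported = {}, {}
    for pod in pods:
        owner = primary_owner(pod, objects)
        if owner is None or owner[0] not in SUPPORTED_OWNER_KINDS:
            continue  # unsupported owner type (Job, bare pod, ...): not modelled
        kind, name = owner
        ns, pod_name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        apps.setdefault((ns, name), Application(name, kind, ns)).instances.append(pod_name)
        supported[(ns, pod_name)] = pod  # Instance resource
    svcs = {}
    for svc in services:
        selector = svc["spec"].get("selector")
        if not selector:
            continue  # services without a label selector are ignored
        ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
        hits = [pn for (pns, pn), p in supported.items() if pns == ns and
                all(p["metadata"].get("labels", {}).get(k) == v for k, v in selector.items())]
        if hits:  # only services that select supported pods become Service resources
            svcs[(ns, name)] = Service(name, ns, selector, hits)
    return apps, svcs


def resolve_policy(policy, apps, svcs):
    """Resolve a policy stated as intent by name, not by location, so the
    result follows the endpoints wherever they are currently deployed."""
    app = next((a for a in apps.values() if a.name == policy["application"]), None)
    svc = next((s for s in svcs.values() if s.name == policy["service"]), None)
    if app is None or svc is None:
        return None
    return {"from": (app.namespace, app.name), "to": (svc.namespace, svc.name),
            "targets": list(svc.instances)}


def sample_inventory():
    """Constructed sample cluster objects (not real cluster data)."""
    def obj(kind, name, ns, labels=None, owner=None):
        meta = {"name": name, "namespace": ns, "labels": labels or {}}
        if owner:
            meta["ownerReferences"] = [{"kind": owner[0], "name": owner[1], "controller": True}]
        return {"kind": kind, "metadata": meta}
    rs = obj("ReplicaSet", "store-7c9f4", "store", owner=("Deployment", "store"))
    objects = {("ReplicaSet", "store", "store-7c9f4"): rs}
    pods = [
        obj("Pod", "store-7c9f4-abc12", "store", {"app": "store"}, ("ReplicaSet", "store-7c9f4")),
        obj("Pod", "store-7c9f4-def34", "store", {"app": "store"}, ("ReplicaSet", "store-7c9f4")),
        obj("Pod", "inventory-0", "inventory", {"app": "inventory"}, ("StatefulSet", "inventory")),
        obj("Pod", "nightly-audit-xk2p9", "inventory", {"app": "audit"}, ("Job", "nightly-audit")),
    ]
    services = [
        {"metadata": {"name": "inventory", "namespace": "inventory"}, "spec": {"selector": {"app": "inventory"}}},
        {"metadata": {"name": "legacy-erp", "namespace": "inventory"}, "spec": {"type": "ExternalName"}},
        {"metadata": {"name": "audit", "namespace": "inventory"}, "spec": {"selector": {"app": "audit"}}},
    ]
    return pods, services, objects


if __name__ == "__main__":
    apps, svcs = discover(*sample_inventory())
    print(apps, svcs, resolve_policy({"application": "store", "service": "inventory"}, apps, svcs))
```

Run with the sample data, the Job-owned pod and the selector-less ExternalName service drop out of the model, the `audit` service is not created because the only pod it selects has an unsupported owner, and the Store-to-Inventory policy resolves to the Inventory StatefulSet's pod by name alone, which is why the policy does not need rewriting when the service moves.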
- Network topology
- Network topology provides an overlay network that software gateways manage. The gateways are containers that you deploy in the namespace with the applications and services. The gateways provide the following functions:
- Discover applications and services and manage their connectivity.
- Provide service proxies to enable applications to communicate with remote services as if they are local resources.
The topology views provide visibility to CloudOps and DevOps, enabling collaboration between teams. Use the Mesh console topology view to explore the applications and services topology. You can view a representation of the key details and relationships between your applications and services. For more information, see Using the IBM Hybrid Cloud Mesh console topology view.
The topology views also include application-to-service metrics that describe network usage over time. For example, you can view the total number of bytes transmitted between an application and a service. For more information about the metrics, see Metrics in the topology view.
- Onboarding of existing virtual application networks
- Onboards your existing virtual application networks (VANs), such as Red Hat® Service Interconnect VANs, as Mesh network segments.
All gateways, applications, and services in your VANs are onboarded to Mesh. Mesh connection policies are generated that represent how the services are exposed in the VANs. When the onboarding is complete, you can monitor and manage the network and its resources in Mesh. For more information, see Onboarding VANs as Mesh network segments.
- Using Mesh with VMs, mainframes, and more
- You can use Mesh to connect your Kubernetes and non-Kubernetes client applications and services over the Mesh network segment. The non-Kubernetes applications and services can run on infrastructure such as VMs, mainframes, load balancers, and bare metal servers.
You don’t need to migrate your existing non-Kubernetes workloads to Kubernetes to enable them to connect over the Mesh application network. For example, Mesh enables a front-end application that runs on a VM in an on-premises environment to communicate with a back-end service on a cloud-based Kubernetes cluster.
Mesh also supports the migration of external clients and services into Kubernetes, reducing application downtime and helping to ensure a smooth transition. For more information, see Using Mesh with VMs, mainframes, and more.