The Network is the Bottleneck: Managing Microservices in 2016
We all read the Netflix and Twitter engineering blogs. We saw the diagrams. We smashed our monoliths into fifty jagged pieces and called them "microservices." Now, your developers are happy because they can deploy independent Docker containers, but your Ops team is on fire because nobody knows why the User Profile service is timing out when the Inventory service is under load.
Welcome to the era of network complexity. In a monolith, a function call is a memory jump. In microservices, itβs a network packet. That packet can be dropped, throttled, or routed to a container that died three seconds ago.
The solution gaining traction this year is the Service Mesh. Specifically, we are looking at Linkerd (built on Twitter's Finagle) or the pragmatic combination of Consul + Nginx. But be warned: adding a proxy layer to every request requires infrastructure that doesn't steal your CPU cycles.
The Architecture: Discovery is Step One
Before you can mesh, you must discover. Hardcoding IP addresses in 2016 is negligence. We rely on HashiCorp's Consul for this. Itβs the source of truth.
First, ensure your Consul agents are running effectively. On a CoolVDS instance, we bind to the private interface to keep traffic off the public internet, which is crucial for compliance with Norwegian data standards (Datatilsynet takes a dim view of leaking internal topology).
# Starting a Consul agent in server mode (Ubuntu 16.04)consul agent -server -bootstrap-expect=3 -data-dir=/tmp/consul -node=agent-one -bind=10.0.0.2 -config-dir=/etc/consul.dOption A: The JVM Heavy hitter (Linkerd)
Linkerd is the new kid on the block, bringing Twitter's heavy-duty Finagle library to the masses. It offers resiliency features like latency-aware load balancing (EWMA) and backpressure that Nginx simply cannot match out of the box.
However, Linkerd runs on the JVM. It is hungry. Do not try running this on a standard shared hosting plan where RAM is "burstable." You need dedicated RAM. We see JVMs crash constantly on inferior VPS providers because the host OS kills the process when the neighbor gets noisy.
Here is a basic linkerd.yaml configuration connecting to Consul:
admin: port: 9990routers:- protocol: http label: outgoing dtab: | /svc => /#/io.l5d.consul/dc1; servers: - port: 4140 ip: 0.0.0.0namers:- kind: io.l5d.consul prefix: /io.l5d.consul host: 127.0.0.1 port: 8500The magic here is the Dtab (Delegation Table). It rewrites logical names into concrete paths found in Consul. It allows you to do canary deployments by shifting traffic percentages in the routing rules rather than changing DNS.
Pro Tip: Linkerd's GC (Garbage Collection) pauses can spike your P99 latency. Tune your JVM flags. We recommend -Xms1024m -Xmx1024m at a minimum. If your VPS doesn't allow you to lock memory, you're going to have a bad time.Option B: The Pragmatic Approach (Consul Template + Nginx)
If the JVM overhead scares you (or your budget is tight), the "SmartStack" pattern using Consul Template and Nginx is the battle-tested alternative. Itβs not a true "mesh" in the sense of sidecars everywhere, but it solves the discovery problem.
Consul Template watches the Consul Service Catalog. When a new container spins up, it rewrites the nginx.conf and reloads Nginx automatically.
The Template File (nginx.ctmpl):
upstream my-app { least_conn; {{range service "production.webapp"}} server {{.Address}}:{{.Port}} max_fails=3 fail_timeout=60 weight=1; {{else}}server 127.0.0.1:65535; # force a 502{{end}}}server { listen 80; location / { proxy_pass http://my-app; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; }}You run the daemon like this:
consul-template -consul 127.0.0.1:8500 -template "/etc/nginx/nginx.ctmpl:/etc/nginx/conf.d/app.conf:service nginx reload"Infrastructure Matters: The Latency Tax
Whether you choose Linkerd or Nginx, you are adding a hop. In a microservices chain of 5 services, that's 10 extra hops (request + response) per user action. If your VPS provider has high I/O wait or slow network switching, you just added 200ms to your checkout process. That kills conversion rates.
This is where CoolVDS differs from the commodity cloud.
- KVM Virtualization: We don't use containers for virtualization. You get a real kernel. Your TCP stack is yours.
- NVMe Storage: Service meshes generate massive logs. Access logs, error logs, tracing data. Writing these to a spinning HDD or a shared SATA SSD creates an I/O bottleneck that blocks the application. Our NVMe arrays handle high-concurrency writes without sweating.
- Network Priority: Our datacenter is peered directly at NIX (Norwegian Internet Exchange). If your customers are in Oslo or Bergen, the round-trip time is physically as low as possible.
Debugging the Mesh
When things break (and they will), you need to trace the request. In Linkerd, you can use the built-in dashboard on port 9990. In Nginx, you need to parse logs.
If you are seeing 502 Bad Gateway errors, check the connection limits. The operating system's file descriptor limit usually defaults to 1024. For a proxy handling all your microservices traffic, this is laughably low.
# Check limitsulimit -n# Edit /etc/security/limits.conf* soft nofile 65535* hard nofile 65535Don't forget to apply this to the user running Nginx or the Linkerd JVM.
Conclusion
A service mesh is powerful, but it is not free. It costs CPU, RAM, and network latency. If you are building the next Spotify or massive eCommerce platform, you need to account for this overhead.
Don't layer complex routing logic on top of unstable hardware. You need high frequency CPUs to handle the encryption/decryption of traffic and low-latency storage for the telemetry.
Ready to deploy? Spin up a KVM instance on CoolVDS today. With our 100% NVMe storage and unmetered internal traffic, you can build a mesh that actually scales.