Solving Kubernetes Networking and Security Challenges at Scale with Contrail
Nov 18, 2019
Modern applications are distributed, microservices-based affairs that consist of multiple workloads operating across multiple fault domains. Kubernetes has become the de facto orchestrator for cloud-native applications with a rich and ever-growing ecosystem, but challenges remain. Among those, security, networking and analytics stand out at the top, based on user surveys.
Driven to solve the hardest problems facing our industry today, Juniper Networks is helping users to tackle these exact challenges head on. Today at KubeCon, we’re launching our newly evolved solution for cloud-native operational simplicity and security at scale.
In recent blogs, we’ve covered microservices, as well as the motivations, advantages, opportunities and challenges of Kubernetes. Let’s look at Juniper’s cloud-native solutions and how they can benefit your microservice application’s users.
Enter Contrail Enterprise Multicloud
While Kubernetes has made orchestration of compute and storage workloads at scale a breeze, it relies on a robust networking solution exposed through the CNI APIs to make that magic happen. Unfortunately, such a reliable networking stack, built for Kubernetes, has been hard to come by.
Contrail Enterprise Multicloud, a software-defined networking solution proven to operate at hyperscale, solves this hard networking piece of the puzzle. It allows organizations to operate their network as one domain, even though endpoints are spread across multiple namespaces and infrastructure providers all over the world. Contrail allows organizations to virtualize their network for multiple tenants and empowers organizations to secure their network against threats.
Contrail already offers the best defense in depth for microservice applications. This security capability is a result of Contrail's embedded container service chaining capability, which enables organizations to provision security functions, such as Deep Packet Inspection (DPI) or Web Application Firewalls (WAF), between application tiers. Now, Contrail offers even more.
More Secure Microservices
With today's launch, Contrail now supports encryption between Kubernetes nodes. This is a vital capability for organizations operating instances in untrusted environments, public cloud environments or where strict security compliance rules must be followed.
We also recently added support for bare-metal gateways to enable more efficient forwarding of traffic to applications running in the Kubernetes cluster. This can prevent a double forwarding situation that happens with default CNIs and gives organizations the ability to provide an even more responsive application experience for their end users. Finally, it can help lower infrastructure costs because fewer compute and network resources are required as the application scales.
Contrail's network overlays help DevOps teams maintain complicated distributed applications, even when service instances within those applications have overlapping IPs. Contrail allows organizations to apply consistent and granular security and network policies throughout the entire network. Using these policy controls, infrastructure administrators can also create multitenancy in a single cluster, with complete isolation between tenants. At the same time, Contrail goes beyond simple policy enforcement by allowing organizations to insert a containerized next-generation firewall, such as the Juniper cSRX, directly into the data path, adding enhanced protection from lateral threats.
On top of this, Contrail adds visualization of the network and its security policies, enabling DevOps teams to easily show traffic flows and policy enforcement. This can make an exponential difference when troubleshooting an application or demonstrating to auditors or the SOC that an application is compliant with security policy.
Contrail is now the most capable and most secure Kubernetes networking solution (K8s CNI). Its established history of success offers organizations a time-tested alternative to embracing more nascent products. More importantly, it allows organizations to create secure inter-process communication between service instances, regardless of whether some of those instances operate on VMs or bare-metal servers.
Add Some Metal
In addition to extending secure networking across an organization's entire IT infrastructure, Contrail can feed load-balanced routes to routers, like the Juniper Networks MX Series, to allow for efficient load balancing and security in hardware. Contrail does this by implementing the load balancing native to Kubernetes, using standards-based networking in the vRouter and controller.
The practical upshot of this is that requests from outside the Kubernetes cluster get delivered directly to the destination Kubernetes node or Pod, which can make apps more performant and efficient. In the long run, as the application scales, I believe this can provide savings in compute and network resources.
Secure. Scalable. Insightful.
We hope that you can join us at our KubeCon booth (P22) to discuss how Juniper can provide advanced networking and security, storage and analytics for your workloads – data center or cloud-native, bare metal or VM-based.