aws chicago user group presentation: connecting docker containers over the internet
TRANSCRIPT
copyright 2014
Connecting Docker Containers Over the Internet and across the Amazon Cloud
Aug 2014
Thursday, July 31, 14
VNS3 Virtualizes 6 Network Functions
• Allows control, mobility & agility by separating network location and network identity
• Control over end to end encryption, IP addressing and network topology
Router, Switch, Firewall, VPN Concentrator (IPsec/SSL), Protocol Redistributor, Scriptable SDN
Add Additional Functionality Via Software Containers
Isolated Docker containers within VNS3 3.5 allow customers to embed features and functions safely and securely into their Cloud Network.
VNS3 Core Components: Router, Switch, Firewall, Protocol Redistributor, VPN Concentrator, Scriptable SDN
Functions added via Docker containers: Proxy, Reverse Proxy, Content Caching, Load Balancer, IDS, Custom Container
VNS3 - now more than L3 overlay
[Diagram: HOST 1 in Cloud A and HOST 2 in Cloud B, each running VNS3 with a Cloud VM Adapter, a Tunnel Adapter and a VNS3 Docker Interface; Container 1 and Container 2 on each host attach through a Container Interface.]
VNS3 Resource Utilization “then” and “now”
[Diagram: "then" - HOST 1 with a Cloud VM Adapter and a Tunnel Adapter only; "now" - HOST 1 with a Cloud VM Adapter, a Tunnel Adapter and a VNS3 Docker Interface, with Container 1 and Container 2 attached through Container Interfaces.]
Then: AWS m1.small or c1.medium (or equivalent) running the L3 overlay.
Now: AWS m3.medium or larger running the L3 overlay plus customer controlled L4-7 functions.
Cloud Overlay Networking
[Diagram: Customer Remote Office in Chicago, IL USA (remote subnet 192.168.3.0/24) behind a Cisco 5505 firewall / IPsec device, with user workstations at LAN IPs 192.168.3.100 and 192.168.3.50. Active IPsec tunnel 192.168.3.0/24 - 172.31.1.0/24 into the cloud. VNS3 1 in US East 1 (public IP 184.73.174.250, overlay IP 192.168.79.253) is peered with VNS3 2 in Europe (public IP 54.246.224.156, overlay IP 192.168.79.252). VNS3 overlay network subnet 172.31.0.0/22; Cloud Servers A, B, C and D carry overlay IPs 192.168.79.1, 192.168.79.X, 192.168.79.2 and 192.168.79.Y.]
Connecting Docker Containers with VNS3
[Diagram: HOST 1 in AWS East and HOST 2 in AWS EU, each with a Cloud VM Adapter, a Tunnel Adapter and a VNS3 Docker Interface; Container 1 and Container 2 on each host attach through a Container Interface.]
Send secure network traffic from the container at 198.51.100.3 in AWS East to the container at 198.51.100.18 in AWS EU via VNS3 encrypted routers.
Launch VNS3 and configure container networking
• Set up container network on instance #1 as 198.51.100.0/28
• Set up container network on instance #2 as 198.51.100.16/28
Advertise a route from each manager to its container network
• VNS3 Manager #1 exposes a route to container network #1 (198.51.100.0/28)
• VNS3 Manager #2 exposes a route to container network #2 (198.51.100.16/28)
Configure firewall to port forward and allow inter-container traffic as desired.
Deploy Dockerfiles or LXC images to your VNS3 mesh and then allocate running container “instances”
Communicate between docker containers on host 1 in Cloud A and host 2 in Cloud B
SSH into the containers - and transfer traffic safely and easily
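The steps above (two /28 container networks, routes advertised by each manager, a firewall that port forwards and allows only the wanted inter-container traffic, then SSH between containers) leave the firewall policy unspecified. The following is an added example, not code from the slides or from VNS3: it checks that the two container networks cannot overlap, refuses flows that name an address outside them, and emits a default-deny forwarding policy for the one flow the deck describes (198.51.100.3 in AWS East to 198.51.100.18 in AWS EU). It uses plain Linux iptables syntax, which is an assumption; VNS3's own firewall rule language is not reproduced here. The external interface name eth0, SSH on port 22 and the public port 2222 used for the port forward are assumptions as well.

```python
#!/usr/bin/env python3
"""Check the deck's two-host container addressing plan and build a
default-deny forwarding policy for the flow it describes.

Added example, not code from the slides or from VNS3. It emits plain Linux
iptables commands (an assumption: VNS3's own firewall rule language is not
reproduced here). The external interface name, the SSH port and the
public port used for the port forward are assumptions too.
"""
import ipaddress
from dataclasses import dataclass

# Container networks named on the slides: instance #1 and instance #2.
CONTAINER_NETS = {
    "host1-aws-east": "198.51.100.0/28",
    "host2-aws-eu": "198.51.100.16/28",
}


def check_plan(nets):
    """Return the problems found in an addressing plan (empty list if sound).

    Overlapping container networks would make the routes each manager
    advertises ambiguous, so a packet meant for one host could land on the other.
    """
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in nets.items()}
    names = sorted(parsed)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


def host_for(ip, nets):
    """Name of the host whose container network contains `ip`, else None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in nets.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


@dataclass(frozen=True)
class Flow:
    src: str     # container address
    dst: str     # container address
    proto: str   # "tcp" or "udp"
    dport: int


def build_policy(flows, nets, ext_iface="eth0", port_forwards=()):
    """Return iptables commands for a default-deny forwarding policy.

    Only the container-to-container `flows` listed are permitted; every other
    forwarded packet is dropped. `port_forwards` holds
    (public_port, container_ip, container_port, proto) tuples that expose a
    container on the external interface via DNAT.
    """
    for f in flows:
        if host_for(f.src, nets) is None or host_for(f.dst, nets) is None:
            raise ValueError(f"{f} uses an address outside the container networks")
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for f in flows:
        rules.append(
            f"iptables -A FORWARD -s {f.src}/32 -d {f.dst}/32 -p {f.proto} "
            f"--dport {f.dport} -m conntrack --ctstate NEW -j ACCEPT"
        )
    for pub_port, cip, cport, proto in port_forwards:
        if host_for(cip, nets) is None:
            raise ValueError(f"{cip} is not in any container network")
        rules.append(
            f"iptables -t nat -A PREROUTING -i {ext_iface} -p {proto} "
            f"--dport {pub_port} -j DNAT --to-destination {cip}:{cport}"
        )
        rules.append(
            f"iptables -A FORWARD -i {ext_iface} -d {cip}/32 -p {proto} "
            f"--dport {cport} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


def main():
    problems = check_plan(CONTAINER_NETS)
    if problems:
        raise SystemExit("bad plan: " + "; ".join(problems))
    # The deck's flow: container 198.51.100.3 (AWS East) to 198.51.100.18
    # (AWS EU). SSH on 22 is assumed; the slides only say "SSH into the containers".
    flows = [Flow("198.51.100.3", "198.51.100.18", "tcp", 22)]
    # Assumed port forward: public 2222 on host 2 reaches the EU container's SSH.
    for rule in build_policy(flows, CONTAINER_NETS,
                             port_forwards=[(2222, "198.51.100.18", 22, "tcp")]):
        print(rule)


if __name__ == "__main__":
    main()
```

The policy is deliberately narrow: FORWARD defaults to DROP, return traffic is admitted only through conntrack, and each permitted flow is a single source/destination/port rule. Widening a /32 to the whole /28 is the usual shortcut and the usual way one compromised container gets a path to every other one.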
Top 10 Reasons to Use VNS3
Connectivity, Integration and Security for Cloud Applications
1. Connectivity - More connectivity choices including remote users 'road warrior' use case
2. Integration - Instance-based appliance fully integrates with your existing network platform
3. Security - Customer controlled keys for end-to-end data in motion encryption
4. Tried and True - 200+ million device hours secured to date
5. Automation - Cloud network creation via fully documented API or UI
6. Freedom - Customer applications can use protocols typically blocked like UDP multicast
7. Control - Custom IP addressing and network topology
8. Federation - Create an overlay network across multiple cloud regions or clouds
9. Compliance - VNS3 overcomes key HIPAA and PCI obstacles
10. Flexibility - Docker Containers allow easy addition of new network functions to your VNS3