Cloud / September 19, 2019

If You Don’t Have Container Visibility, Your Organization Is at Risk

Containers Are Not Just for Transcontinental Shipping Anymore

As part of IT’s digital transformation, applications have expanded from traditional bare metal servers to virtual machines and now containers. Containers give DevOps teams faster development, superior portability (including for cloud deployments) and a smaller footprint, with ten times the density of VMs; their microservices architecture allows individual services to be modified and scaled independently.

Organizations are moving to leverage containerized apps for their workloads, with more than 70 percent of organizations running more than 40 percent of their applications in production.[1]

And Kubernetes Is Not Likely the Name of a Ship Captain

Container orchestration is dominated by Kubernetes, the de facto standard, which is used by 71 percent of enterprises.[2] It has been adopted by the major public cloud providers that offer managed services, including Microsoft, Amazon, Google, IBM and Oracle, as well as by private cloud tool suites such as VMware’s. Even Red Hat replaced OpenShift with Kubernetes. And for good reason.

Google developed Kubernetes five years ago after internally running production workloads with its forerunner for over a decade; workloads could include long-running services, batch jobs and container host-specific daemons. This orchestration technique made the adoption of emerging software architectures, such as microservices, much easier; it abstracts away management complexities and has paved the way for cloud-native ecosystems.

As it is cloud-agnostic, Kubernetes enables containerized apps to run on any platform without code changes. Any application that runs on virtual machines can be deployed on Kubernetes by simply containerizing its components.

Kubernetes provisions a set of dynamically scalable hosts for running workloads leveraging containers and uses a set of management hosts called masters for providing an API for managing the entire container infrastructure. All the container hosts are connected using a virtual switching-overlay network such as Flannel or Calico for providing container-to-container routing.

Applications deployed on Kubernetes are dynamically discoverable within the cluster network and can be exposed to the external networks using traditional load balancers. The state of the cluster manager is stored on a highly distributed key/value store, etcd, which runs within the master instances.

Google appears to think of everything. Even other orchestration methods such as Mesosphere are incorporating these and other core features, such as container grouping and orchestration, a Layer 4 virtual IP-based routing system, service discovery, support for running daemons, deploying stateful application components and, most importantly, the ability to extend the container orchestrator for supporting complex orchestration requirements.

Or did they?

Microservices Are Dispersing Like Locusts

Monolithic application architectures are being decomposed, and the pitfall of containers is that a single application normally involves dozens if not hundreds of microservices. As an example, Amazon moved from a two-tier monolith to a fully distributed, decentralized service platform where 100-150 services are accessed just to build a page.

Not only are these microservices proliferating, but they are also constantly popping in and out of existence like quantum fluctuations, are ephemeral in nature and constantly in motion. They move within a given server and across leaf and spine switches to some netherland. This east-west traffic can exceed 80 percent of the total. Even in a static environment, obtaining insights into the packet flows is challenging.

Visibility into Container Traffic Is Imperative

Being able to peer into packet and application-level data is critical to avoiding blind spots — not only for workloads running in VMs, but for containers as well. After all, what is the problem with missing a measly four out of five packets?

Well, most of the recent attacks start from within the data center and move laterally due to a lack of visibility and control for east-west traffic. Hackers exploit this oversight. Not addressing these traffic flows leaves the organization vulnerable to potential security breaches, with potential impact to reputation and brand.

Captain Kubernetes helps IT overcome container deployment challenges. Administrators can now ensure workload automation, scale to handle potentially millions of microservices, handle proper discovery of new applications and adjust policy configurations, all without manual intervention. But if Google had been clairvoyant enough to empower packet and application visibility in such a dynamic environment, they might have been named “Google Plex.”

Gigamon Works Hand in Hand with Kubernetes to Generate Container Insight

GigaVUE® Cloud Suite for Kubernetes provides an industry-leading solution for network visibility and security analytics. It is tightly woven with the Kubernetes Master. This visibility fabric enables traffic flows of interest from Docker-based containers managed by Kubernetes to be acquired, aggregated, processed and delivered to the appropriate security, network and application performance monitoring tools.

The suite includes three main elements:

  • G-vTAP Container: Deployed on each worker node, it fastidiously receives mirrored traffic from the container network on the same node. It tunnels pre-filtered traffic over VXLAN or GRE to the virtual V Series or hardware HC Series appliances, riding on the foundational network overlay based on Flannel or Calico.
  • GigaVUE V Series and HC visibility appliances: These are the heart of packet and application visibility. They aggregate packets from the worker nodes, provide advanced processing such as eliminating duplicated packets, slicing out irrelevant header and payload content and masking confidential information, and forward the result to the appropriate security and monitoring tools. For HC appliances, you can optionally use Gigamon Application Intelligence to automatically identify and selectively filter more than 3,000 apps while providing more than 5,000 advanced Layer 4-7 metadata attributes for contextual insights.
  • GigaVUE-FM (Fabric Manager): Provides centralized management and orchestration akin to what the Vienna Philharmonic conductor does. Well, sort of. Under the auspices of the Kubernetes Cluster Master, GigaVUE-FM dynamically learns via APIs where new worker nodes have been established. In turn, GigaVUE-FM instantiates new G-vTAP Containers, configures policies and directs their traffic to the visibility nodes. GigaVUE-FM also spins up the V Series nodes and scales them as needed, based on capacity, and configures their policies on the fly.

GigaVUE Cloud Suite for Kubernetes Benefits

  • Complete visibility into east-west Docker container traffic
  • Scales to support any number of containers and pods
  • Interoperable with Kubernetes native environments
  • Supports public and private clouds for containerized applications with full automation
  • Automatically discovers new workloads and adjusts the V Series visibility tier
  • Delivery of optimized traffic to the proper security and monitoring tools
  • Minimizes the cost of backhauling traffic when some or all the security or network monitoring tools are on premises

Future-Proof Design for Choosing the Cloud of Your Choice

The GigaVUE Cloud Suite for Kubernetes is proven interoperable with the Kubernetes Cluster Manager to enable infrastructure automation. As Docker containers are constantly provisioned, in motion and removed, GigaVUE-FM works with the container orchestrator to maintain visibility anywhere Kubernetes is deployed, including public and private clouds. This unique hybrid-cloud capability provides maximum flexibility as organizations adopt or shift specific cloud topologies based on cost, functionality or a flip of a coin.

Learn More

We of course believe Gigamon offers the best container visibility solution. May we show you why? Request a live demo and we promise it will be worth your time.

References

  1. Portworx. “Portworx Annual Container Adoption Survey Shows Container Adoption Accelerates While Security and Data Management Concerns Remain Top of Mind.” Portworx. May 21, 2019. https://portworx.com/press_release/portworx-annual-container-adoption-survey-shows-container-adoption-accelerates-security-data-management-concerns-remain-top-mind/.
  2. Shafii, Reza. “451 Research Study Reveals Rapid Adoption of Kubernetes for Hybrid Cloud Infrastructure.” CoreOS Blog. June 16, 2017. https://coreos.com/blog/451-research-container-survey-results.
