SHARE
Cloud / September 19, 2019

If You Don’t Have Container Visibility, Your Organization Is at Risk

Containers Are Not Just for Transcontinental Shipping Anymore

As part of IT’s digital transformation, applications have expanded from traditional bare metal servers to virtual machines (VMs) and now containers. Containers provide DevOps teams faster development, superior portability including for cloud deployments, reduced code level with ten times higher density levels vs. VMs, and their microservices architecture allows individual services to be separately modified and scaled.

Organizations are moving to leverage containerized apps for their workloads with more than 70 percent of organizations running more than 40 percent of their applications in production.1

Likewise, communications service providers are also transforming their subscriber networks, not least mobile operators who are adopting 5G in both their radio and core networks, where network function virtualization (NVF) has evolved from VMs to containers to take advantage of the elasticity and scalability.

And Kubernetes Is Not Likely the Name of a Ship Captain

Container orchestration is highlighted by Kubernetes, the de facto standard, and is used by 71 percent of enterprises.2 It has been adopted by major public cloud providers that provide managed services, including Amazon, Google, IBM, Microsoft, and Oracle, as well as by private cloud infrastructure suites such as Red Hat OpenShift and VMware Tanzu. And for good reason.

Google developed Kubernetes over eight years ago after internally running production workloads with its forerunner for over a decade; workloads could include long-running services, batch jobs and container host-specific daemons. This orchestration technique made the adoption of emerging software architectures, such as microservices, much easier; it abstracts away management complexities and has paved the way for cloud-native ecosystems.

As it is cloud-agnostic, Kubernetes enables containerized apps to run on any platform without code changes. Any application that runs on virtual machines can be deployed on Kubernetes by simply containerizing its components.

Kubernetes provisions a set of dynamically scalable hosts for running workloads leveraging containers and uses a set of management hosts called masters for providing an API for managing the entire container infrastructure. All the container hosts are connected using a virtual switching-overlay network, often referred to as container network interface (CNI), such as Antrea, Calico, Flannel, and Multus for providing container-to-container routing.

Applications deployed on Kubernetes are dynamically discoverable within the cluster network and can be exposed to the external networks using traditional load-balancers. The state of the cluster manager is stored on a highly distributed key/value store, called etcd, which runs within the master instances.

Google appears to have thought of everything. Even other orchestration methods such as Mesosphere are incorporating these and other core features, such as container grouping and orchestration, a Layer 4 virtual IP-based routing system, service discovery, support for running daemons, development of stateful application components and, most importantly, the ability to extend the container orchestrator for supporting complex orchestration requirements.

Or did they?

Microservices Are Dispersing Like Locusts

Monolithic application architectures are decomposing, with the pitfall of containers being that they normally involve dozens if not hundreds of microservices. As an example, Amazon moved from a two-tier monolithic to a fully distributed, decentralized service platform where 100-150 services are accessed just to build a webpage.

Not only are these microservices proliferating, but they are also constantly popping in and out of existence like quantum fluctuations, are ephemeral in nature and constantly in motion. They move within a given server and across leaf and spine switches to some hinterland. This east-west traffic can exceed 80 percent of the total. Even in a static environment, obtaining insights into the communications flows is challenging.

Visibility into Container Traffic Is Imperative

Being able to peer into network and application-level traffic data is critical to avoiding blind spots — not only from content running in VMs, but also containers too. However, what is the problem with missing a measly four out of five packets?

Well, most of the recent attacks start from within the data center and move laterally due to a lack of visibility and control for east-west traffic. Hackers exploit this oversight. Not addressing these traffic flows leaves the organization vulnerable to potential security breaches, with potential impact to reputation and brand.

Captain Kubernetes helps IT overcome container deployment challenges. Administrators can now ensure workload automation, scale to handle potentially millions of microservices, handle proper discovery of new applications, and adjust policy configurations, all without manual intervention. But if Google had been clairvoyant enough to empower network and application traffic visibility in such a dynamic environment, they might have been named “Google Plex.”

Gigamon Works Hand in Hand with Kubernetes to Generate Container Insight

GigaVUE® Cloud Suite for Kubernetes provides an industry-leading deep observability solution for network visibility and security analytics. It is tightly woven with the Kubernetes Control Plane node. This deep observability pipeline enables traffic flows of interest from Docker-based containers managed by Kubernetes to be acquired, aggregated, optimized, transformed, and delivered to the appropriate security, network, and application monitoring tools.

Cloud Suite includes three main elements:

  • Universal Container TAP (UCT): Deployed on each worker node, the UCTs sets up mirroring of traffic from the container network on the same node. The traffic is tunneled, after optionally being pre-filtered, using VXLAN or L2GRE to a virtual V Series appliance using the CNI.
  • GigaVUE V Series: This node is the heart of the deep observability pipeline that provides network and application traffic visibility. V Series nodes aggregate communication traffic to and from the worker nodes and provide advanced processing, such as eliminating duplicated packets, slicing out irrelevant header and payload content, masking confidential information, automatically identifying and selectively filtering more than 3,500 apps, and providing advanced Layer 3-7 metadata selected from more than 7,000 attributes for contextual insights.
  • GigaVUE-FM (Fabric Manager): Provides centralized management and orchestration akin to what the Vienna Philharmonic conductor does. Well, sort of. Under the auspices of the Kubernetes Cluster Control Plane node, GigaVUE-FM dynamically learns via APIs where new worker nodes have been established. In turn, GigaVUE-FM instantiates new UCT instances, configures policies, and directs their traffic to the V Series nodes. GigaVUE-FM also spins up the V Series nodes and scales them as needed, based on capacity, and configures their policies on the fly.

GigaVUE Cloud Suite for Kubernetes Benefits

  • Complete visibility into east-west Docker container traffic
  • Scales to support any number of containers and pods
  • Interoperable with vendor-specific and native Kubernetes environments, regardless of CNI
  • Supports public and private clouds for containerized applications with full automation
  • Automatically discovers new workloads and modifies the visibility node tier
  • Delivery of optimized or transformed traffic to the proper security and monitoring tools
  • Minimizes the cost of backhauling traffic when some or all the security or network monitoring tools are on premises

Future-Proof Design for Choosing the Cloud of Your Choice

The GigaVUE Cloud Suite for Kubernetes is proven interoperable with the Kubernetes Cluster Manager to enable infrastructure automation. As Docker containers are constantly provisioned, in motion and removed, GigaVUE-FM works with the container orchestrator to maintain visibility anywhere Kubernetes is deployed, including public and private clouds. This unique hybrid-cloud capability provides maximum flexibility as organizations adopt or shift specific cloud topologies based on cost, functionality, or a flip of a coin.

Learn More

We of course believe Gigamon offers the best container visibility solution. May we show you why? Request a live demo and we promise it will be worth your time.

References

  1. Portworx. “Portworx Annual Container Adoption Survey Shows Container Adoption Accelerates While Security and Data Management Concerns Remain Top of Mind.” Portworx. May 21, 2019. https://portworx.com/press_release/portworx-annual-container-adoption-survey-shows-container-adoption-accelerates-security-data-management-concerns-remain-top-mind/.
  2. Shafii, Reza. “451 Research Study Reveals Rapid Adoption of Kubernetes for Hybrid Cloud Infrastructure.” CoreOS Blog. June 16, 2017. https://coreos.com/blog/451-research-container-survey-results.

Featured Webinars
Hear from our experts on the latest trends and best practices to optimize your network visibility and analysis.

CONTINUE THE DISCUSSION

People are talking about this in the Gigamon Community’s Hybrid/Public Cloud group.

Share your thoughts today


}
Back to top