Contrail Networking: Evolve your cloud with containers

INSIDE
Containers and Microservices
Transformation of the Cloud
Building a Network for Containers
Juniper Networks Contrail Solution

BUILD MORE THAN A NETWORK
Preface

Large enterprises are exploring the possibilities enabled by emerging container technologies such as Docker. At Juniper, we see this trend as a milestone in data center innovation, offering significant gains in efficiency, productivity, and agility for large enterprises that offer cloud as a service.

Containers and Microservices

The primary purpose of containerized applications is to improve the effectiveness of software teams, making it easier for people to work together while lowering the communications overhead. In large enterprises, applications such as ERP or CRM software suites often begin as simple projects, but as time passes they quickly become clunky and inefficient, with a monolithic code base that slows progress for development teams. To get beyond this inefficiency, a new approach breaks down the application into smaller, bite-size components known as microservices. Adopting a microservices architecture gives development teams agility and operational efficiency by virtue of the smaller code base in each application component. Containers free developers to focus on their core competency, while operations staff benefit from flexibility, a smaller footprint in the data center, and lower overhead.

As the software goes through its various stages of development, it may move from the developer's PC to a lab or test environment; it may move from a physical to a virtual environment, and ultimately to a production environment. In each of these, the app must perform consistently. Containers address the problem of how to make software work in different computing environments. They enable software developers to encapsulate an application component in a single, lightweight package. Inherently Linux-based, containers offer the promise of running consistently from one computing environment to another, virtual or physical.
Contrail Networking: Inside the Linux Container Ecosystem

Transformation of the Cloud

With containers' inherently lightweight nature, a single host can support many more container instances than traditional virtual machines (VMs). Typically short-lived, containers can be created and moved more efficiently than VMs, and they can also be managed as groups of logically related elements. These container characteristics shape the requirements for container networking solutions: the network must be agile and scalable. The transition from VMs to containers will not happen overnight, so VMs, containers, and bare-metal servers will need to coexist in the same cloud environment. The container network, therefore, must be seamless across diverse environments. It must also be agnostic enough to work with whatever compute vehicle is in use to deploy applications.

Building a Network for Containers

The network plays a vital role in containerization. In multi-tenant environments, one essential need is the ability to provide access control and auditing capabilities for network flows. The access controls provided by the network complement application-based authentication and authorization mechanisms. Together, they provide a common layer across heterogeneous authentication methods. This function addresses a frequent requirement in environments where third-party software such as virtualized firewalls is in use, or when multiple generations of software technologies are running simultaneously. Network access control, combined with security at Layers 3-7, should encompass the clusters that are executing containerized workloads, as well as external environments such as existing OpenStack or bare-metal servers. In these heterogeneous environments, the network is the glue that holds together the diverse elements.
Juniper Networks Contrail Solution

Juniper Networks Contrail is a simple, open, and agile Cloud Network Automation platform that can provide microsegmentation for a container ecosystem, securely isolating networks within a multi-tenant environment. It enables the cluster management tool to connect different virtual networks between applications running on containers and VMs, and also to connect elements outside the cluster management tool, such as legacy infrastructure or databases running on bare-metal servers in private, public, and hybrid clouds.

The Contrail solution is composed of two products: Contrail Networking and Contrail Cloud Platform.

Contrail Networking: An open SDN solution that consists of Contrail Controller, Contrail vRouter, an analytics engine, and published northbound APIs for cloud and NFV. Contrail Networking improves business agility by delivering unique security, availability, performance, automation, and elasticity capabilities.

Contrail Cloud Platform: A turnkey cloud orchestration and automation platform that consists of Contrail Networking, Juniper's OpenStack Distribution, Server Manager, and Ceph-based distributed storage.

Figure: Contrail with Kubernetes (K8s) components
- Kubernetes Master: runs kube-network-manager, a new OC daemon for Kubernetes that listens to the K8s API (REST) and automates the creation of virtual networks and policy.
- Controller (Configuration, Analytics, Control): uses BGP for controller federation and clustering, BGP + Netconf toward the IP Fabric (underlay network), and XMPP toward the vRouter on each minion.
- Minion: runs Docker and Kubelet; the vRouter (L2 & L3) replaces docker0, and overlay traffic is carried as MPLS over GRE/UDP or VXLAN.
- kube-minion-plugin and vRouter: the Kubernetes proxy is removed; the plugin attaches the container's veth pair to the pod's VRF in the vRouter, replacing the docker0 bridge between the container and the host.
Benefits and Features

- Provides the ability to weave virtual overlay networks with heterogeneous environments that straddle private and public clouds, orchestration tools, and compute workload vehicles.
- Allows tenants to specify traffic selection criteria and the network function sequences to which selected traffic will be subjected, a capability referred to as Service Function Chaining.
- Implements secure multi-tenancy for tenants utilizing containers and/or groups of containers, ensuring clear segmentation between tenants sharing the pooled infrastructure.
- Enforces security policies at every server host where containers are running by implementing a fully distributed firewall in the vRouter.

Additional Information

Product URL: http://www.juniper.net/us/en/products-services/sdn/contrail
Contrail Sandbox: www.opencontrail.org/sandbox
Contrail Package: https://www.juniper.net/support/downloads/?p=contrail

About Juniper Networks

Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. Our team co-innovates with customers and partners to deliver automated, scalable and secure networks with agility, performance and value. Additional information can be found at Juniper Networks or connect with Juniper on Twitter and Facebook.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000
Fax: +1.408.745.2100
www.juniper.net

APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.0.207.125.700
Fax: +31.0.207.125.701

Copyright 2016 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 7400034-001-EN May 2016