Docker Container Access Reference Design

Version 06-18-2016. Copyright 2014-2016 Aviatrix Systems, Inc. All rights reserved.

Introduction

Project Skyhook by Aviatrix enables VPN users to access remote Docker containers in a multi-host Swarm cluster built on a VXLAN overlay network in the same manner as they access a remote cloud instance. (A host is a cloud instance.) With the Aviatrix encrypted peering capability, which connects VPCs/VNets securely across regions and clouds, a multi-host Docker Swarm cluster can span multiple VPC regions and multiple clouds, such as AWS, Azure and Google. Users connect to the cloud with the Aviatrix enterprise OpenVPN capability and then, from their desktop, access remote containers in a Swarm cluster in the same manner as they access instances. A VPN user can, for example, run curl or open a browser session directly to a remote container running a web service. Without the Aviatrix solution, accessing a remote Docker container requires complex port mapping, and it is not possible today, from your desktop, to reach a remote container in a VXLAN overlay network.

This reference design shows how to enable and use this capability. It assumes some familiarity with the Aviatrix Cloud Native Networking product, Docker Swarm clusters and VXLAN multi-host networking. If you are not familiar with them, read on; we have compiled the instructions for you.

Skyhook: Docker Container Access

The Aviatrix Docker Container Access solution can be deployed as shown in the diagram. The leftmost VPC (172.31.0.0/16), the VPN landing VPC, hosts the Swarm primary and secondary managers, Consul (the discovery backend) and a few Swarm nodes. Read this link on how to create a Swarm cluster; you will need it later. Instances in the remaining VPCs are Swarm cluster nodes that span multiple VPC regions and extend to Azure and Google through the Aviatrix encrypted peering capability.

The Aviatrix Solution Benefits

Aviatrix gateways are deployed and managed by an Aviatrix Cloud Connect Controller (the pink instance in the diagram), which is itself a cloud instance or VM. The benefits are:
- Users can remotely access Swarm containers as well as instances. Once connected over VPN, they can use native desktop commands such as curl, without complex port mapping or docker exec style commands.
- Multi-factor authentication and user-profile-based access control provide fine-grained security.
- Aviatrix VPN gateways are fronted by an ELB for high availability and scalability.
- Extensive logging gives administrators complete visibility of network events and user browsing history.
- With Aviatrix encrypted peering, a Swarm cluster can easily span regions and cloud providers (AWS, Azure and Google GCE).
- Gateways are launched from the central controller web console with a few clicks.

Configuration Workflow

Before you start, make sure you have the latest software by checking the Dashboard. If an alert message is displayed, click Upgrade to download the latest software.

As a prerequisite, you must first create a Swarm overlay network cluster. Record the Docker Swarm cluster Consul IP address, the overlay network name (e.g. multi-host-overlay) and the overlay network address (e.g. 10.0.0.0/16). Please refer to the instructions on how to create a Swarm cluster.

The configuration workflow is as follows, with the major steps highlighted.

1. Set up secure VPC access and connectivity infrastructure

This step sets up a secure environment so that all your instances and containers can be accessed, and can communicate, securely over private IP addresses. If you are going to start with all containers in one VPC (172.31.0.0/16 as shown in the diagram), launch an Aviatrix VPN gateway and create a VPN user for secure remote access to the instances in that VPC. If instead you want to run containers spanning multiple VPCs, launch encrypted peering gateways and Aviatrix VPN gateways to create the network infrastructure needed for secure access and secure connectivity among instances. Note that you must launch separate peering gateways and VPN gateways. In either case, see this reference design for instructions.

2. Create a Docker Swarm cluster

Follow the instructions to create a Docker Swarm cluster and create some containers. First VPN into the landing VPC, then ssh into each Swarm node (instance) using its private IP address. With the Aviatrix VPN access capability and encrypted peering, your entire Swarm cluster can be deployed on private subnets with private IP addresses.

3. Enable overlay network access

If you selected Split Tunnel mode when creating the VPN gateways in step 1, you need to add the VXLAN overlay network 10.0.0.0/16 so that your laptop tunnels that address range to the VPC. Follow these steps:
- Go to VPC/VNet -> Edit Configuration and click Modify Split Tunnel.
- In the VPC/VNet Name field, select the landing VPC (the one with CIDR 172.31.0.0/16).
- At Additional CIDRs, add 10.0.0.0/16 to the comma-separated CIDR string. (If you have Nameservers and Search Domains, fill in these fields so that you can access containers by name.)
- Click Modify.

4. Enable Docker Container Access

Go to VPC/VNet -> VPN Access -> Skyhook: Docker Container Access and click Enable for the gateway you just created (e.g. avx-vpngw01). Fill in the Docker Swarm cluster Consul IP address, the overlay network name (e.g. multihost-overlay) and the overlay network address (e.g. 10.0.0.0/16). Click Enable to confirm the request.

Important: if there is more than one VPN gateway, enable Docker Container Access on each one, and apply the same configuration to all VPN gateways.

5. Verify your setup

You should now be able to access your containers. Use your desktop VPN client to VPN into the VPC, then try a few things. Note that you must use the container's overlay IP address; in this reference design all container overlay IP addresses are in the 10.0.0.0/16 range.
- If one container runs a web server, you should be able to reach it from your desktop browser, with wget from a Linux machine, or with curl from an OS X machine.
- If a container has been built with ssh access, you can ssh directly into it from your desktop.
- Ping the container's overlay IP address.

6. Adding a new Swarm node

You can add a new Swarm node later by following the same instructions described in this link. Important: for a container on a Google GCE instance, you must enable IP forwarding when you launch the GCE instance.

Troubleshooting

1. If enabling Docker Container Access for a gateway fails, make sure the Docker Swarm Consul IP address is reachable from your gateway. Check the security groups associated with the instances.
2. If there is more than one VPN gateway, make sure you enable Docker Container Access on each one and apply the same configuration to all VPN gateways; otherwise you may see inconsistent behaviour.
3. After you disable Docker Container Access for a VPN gateway, enabling it again immediately may fail. This is because the Swarm Consul still has the node entry in its database and needs time to discover that the node is gone. Wait a few minutes until the TTL expires and the key-value store cleans up the old entry automatically.

For support, send email to support@aviatrix.com.
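As an added example (not part of the Aviatrix document), the following Python script checks the split-tunnel configuration from step 3 against the container overlay addresses you would verify in step 5: it pulls each container's address on the overlay network out of `docker inspect` output, confirms the overlay CIDR does not overlap the landing VPC and is covered by the Additional CIDRs string, and reports any container address the VPN client would not tunnel. The function names and the inspect sample are constructed; the `NetworkSettings.Networks.<name>.IPAddress` layout is Docker's real inspect format, and the VPC and overlay CIDRs are the ones used in this design.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker inspect` output (one object per
# container); the container names and addresses are made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "NetworkSettings": {"Networks": {
        "multi-host-overlay": {"IPAddress": "10.0.0.3"},
        "bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/db", "NetworkSettings": {"Networks": {
        "multi-host-overlay": {"IPAddress": "10.0.1.7"}}}},
])

def parse_cidrs(cidr_string):
    """Parse the comma-separated 'Additional CIDRs' string from the split-tunnel form."""
    return [ipaddress.ip_network(c.strip()) for c in cidr_string.split(",") if c.strip()]

def overlay_ips(inspect_json, network_name):
    """Return the address each container has on the named overlay network."""
    ips = []
    for container in json.loads(inspect_json):
        net = container.get("NetworkSettings", {}).get("Networks", {}).get(network_name)
        if net and net.get("IPAddress"):
            ips.append(ipaddress.ip_address(net["IPAddress"]))
    return ips

def split_tunnel_problems(vpc_cidr, overlay_cidr, additional_cidrs, container_ips):
    """Report why a VPN client would fail to reach containers on the overlay."""
    vpc = ipaddress.ip_network(vpc_cidr)
    overlay = ipaddress.ip_network(overlay_cidr)
    # The client tunnels the landing VPC CIDR plus whatever is in Additional CIDRs.
    routed = [vpc] + parse_cidrs(additional_cidrs)
    problems = []
    if vpc.overlaps(overlay):
        problems.append(f"overlay {overlay} overlaps the VPC CIDR {vpc}; routing is ambiguous")
    if not any(overlay.subnet_of(net) for net in routed):
        problems.append(f"overlay {overlay} is missing from the split-tunnel CIDRs")
    for ip in container_ips:
        if ip not in overlay:
            problems.append(f"container {ip} is not on overlay {overlay}")
        elif not any(ip in net for net in routed):
            problems.append(f"container {ip} would not be sent through the VPN tunnel")
    return problems

if __name__ == "__main__":
    ips = overlay_ips(SAMPLE_INSPECT, "multi-host-overlay")
    # With an empty Additional CIDRs string the overlay is not tunnelled at all.
    for line in split_tunnel_problems("172.31.0.0/16", "10.0.0.0/16", "", ips) or ["OK"]:
        print(line)
```

On a real host, replace SAMPLE_INSPECT with the output of `docker inspect` for the containers you want to reach, and pass the same Additional CIDRs string you entered in Modify Split Tunnel.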

For feature request and feedback, click Make a wish at the bottom of each page. Enjoy!