Introduction to the Container Networking and Security

Date post: 12-Feb-2017
Upload: cloud-66

Transcript

@projectcalico

Sponsored by

CONTAINER NETWORKING: AN INTRODUCTION

Ed Harrison (@eepyaich)

2nd February 2016

Networking – why do I care?

[Diagram: several hosts, each running a mix of applications and services (an application, a service, yet another service, and another application, and so on) that all need to reach one another across hosts.]

Doesn’t Docker sort this out for me?

[Diagram: Host 10.0.0.1 running three containers on the Docker bridge: Application (172.17.0.2), A service (172.17.0.3) and … another (172.17.0.4). The published endpoints shown are 10.0.0.1:80, 10.0.0.1:80 and 10.0.0.1:8080, illustrating the clash when two containers both want host port 80 and one has to be remapped to 8080.]

Docker Bridge

Simple
Works “out of the box”
Easily understood

… but not “real IP networking”
Onerous port assignment constraints on applications
Requires app developers to be aware of constraints

What about multiple hosts, then?

Overlay networks
Connect each container to a virtual Layer 2 segment
Separate “overlay” domain over “underlay” network with GRE, MPLS, VXLAN, or proprietary tunneling protocols
Allows for isolation between networks

But…
Lots of state – 1,000 machines => full mesh of 499,500 tunnels!
Breaking out of virtual network sandboxes requires NAT / router
Requires app developers to be networking experts

[Diagram: Host 10.0.0.1 and Host 10.0.0.2 on the 10.0.0.0/24 underlay. Containers sit on an overlay network 192.168.0.0/16 (192.168.0.1 through 192.168.0.5) and on the hosts’ local Docker bridges in 172.17.0.0/16 (172.17.0.2, 172.17.0.3), with tunnels carrying the overlay between the hosts.]

Remember these “3 tier applications”?

What about security then?

Getting Medieval

Isolating Prod / Dev / Test

The ideal security model

[Diagram: the ideal security model for a three-tier application opens only the ports each tier actually needs: port 80 into the web tier and port 3306 into the database tier.]

Metaswitch Networks | Proprietary and confidential | © 2014
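The slides above describe the target state in words: each workload is reachable only on the ports it actually serves, only from the tiers that need it, and prod, dev and test never mix. The Python below is an added example written for this page, not code from the talk or from Project Calico, that models that as a label-based, default-deny policy and checks a handful of flows against it. Everything in it is constructed: the `tier`/`env` labels, the workload and policy names, the `selector_matches` and `is_allowed` helpers, and port 8080 for the app tier (only 80 and 3306 come from the slide). The policy dicts borrow the field names of a Calico `projectcalico.org/v3` NetworkPolicy (`selector`, `ingress`, `source.selector`, `destination.ports`) so they read like the real thing, but the evaluator understands only `all()` and `key == 'value'` clauses joined with `&&`; it is not Calico's selector engine.

```python
"""Model of the label-based, default-deny policy the "ideal security model"
and "Isolating Prod / Dev / Test" slides describe.  Added example for this
page; it is not Calico's implementation.  The policy dicts borrow the field
names of a projectcalico.org/v3 NetworkPolicy (selector, ingress,
source.selector, destination.ports) so they read like real policy, but the
evaluator supports only the subset of selector syntax used below."""
import re
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    labels: dict  # e.g. {"tier": "db", "env": "prod"}; label keys assumed here


# Supported selector grammar: all(), or `key == 'value'` clauses joined by &&.
_CLAUSE = re.compile(r"^\s*([\w./-]+)\s*==\s*'([^']*)'\s*$")


def selector_matches(selector: str, labels: dict) -> bool:
    """True if every clause of the selector holds for these labels."""
    if selector.strip() == "all()":
        return True
    for clause in selector.split("&&"):
        m = _CLAUSE.match(clause)
        if m is None:
            raise ValueError(f"unsupported selector clause: {clause!r}")
        key, value = m.groups()
        if labels.get(key) != value:
            return False
    return True


# Constructed policies for a prod three-tier app.  Ports 80 and 3306 come
# from the slide; 8080 for the app tier is assumed for the example.
POLICIES = [
    {"name": "allow-web-ingress",          # anything may reach the web tier on 80
     "selector": "tier == 'web' && env == 'prod'",
     "ingress": [{"action": "Allow", "protocol": "TCP",
                  "source": {},            # empty source = any source
                  "destination": {"ports": [80]}}]},
    {"name": "allow-web-to-app",           # only the prod web tier reaches app
     "selector": "tier == 'app' && env == 'prod'",
     "ingress": [{"action": "Allow", "protocol": "TCP",
                  "source": {"selector": "tier == 'web' && env == 'prod'"},
                  "destination": {"ports": [8080]}}]},
    {"name": "allow-app-to-db",            # only the prod app tier reaches MySQL
     "selector": "tier == 'db' && env == 'prod'",
     "ingress": [{"action": "Allow", "protocol": "TCP",
                  "source": {"selector": "tier == 'app' && env == 'prod'"},
                  "destination": {"ports": [3306]}}]},
]

INTERNET = Workload("internet", {})  # external, unlabelled source


def is_allowed(src: Workload, dst: Workload, protocol: str, port: int,
               policies=POLICIES) -> bool:
    """Allow the flow only if a policy selecting `dst` has an ingress rule
    admitting it; no selecting policy or no matching rule means DENY."""
    for policy in policies:
        if not selector_matches(policy["selector"], dst.labels):
            continue
        for rule in policy["ingress"]:
            if rule.get("action", "Allow") != "Allow":
                continue
            if rule.get("protocol", protocol) != protocol:
                continue
            src_sel = rule.get("source", {}).get("selector")
            if src_sel is not None and not selector_matches(src_sel, src.labels):
                continue
            ports = rule.get("destination", {}).get("ports")
            if ports is not None and port not in ports:
                continue
            return True
    return False


# Constructed workloads: a prod web/app/db stack plus a dev app instance.
WORKLOADS = {
    "web-prod": Workload("web-prod", {"tier": "web", "env": "prod"}),
    "app-prod": Workload("app-prod", {"tier": "app", "env": "prod"}),
    "db-prod": Workload("db-prod", {"tier": "db", "env": "prod"}),
    "app-dev": Workload("app-dev", {"tier": "app", "env": "dev"}),
}


def check_flows() -> dict:
    """The flows a reviewer of this policy would want verified."""
    w = WORKLOADS
    return {
        "internet -> web:80": is_allowed(INTERNET, w["web-prod"], "TCP", 80),
        "internet -> db:3306": is_allowed(INTERNET, w["db-prod"], "TCP", 3306),
        "web -> db:3306": is_allowed(w["web-prod"], w["db-prod"], "TCP", 3306),
        "app -> db:3306": is_allowed(w["app-prod"], w["db-prod"], "TCP", 3306),
        "app -> db:22": is_allowed(w["app-prod"], w["db-prod"], "TCP", 22),
        "dev app -> prod db:3306": is_allowed(w["app-dev"], w["db-prod"], "TCP", 3306),
    }


if __name__ == "__main__":
    for flow, ok in check_flows().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {flow}")
```

Run it and the six flows print ALLOW or DENY. The interesting ones are web -> db:3306 and dev app -> prod db:3306: both are denied even though the web and dev workloads sit on the same network as the database, because nothing that selects the prod db allows them. That default-deny posture, with the allow list tied to workload labels rather than to IP ranges or host ports, is what the slide means by the ideal model, and it is why adding a fourth environment or a fifth replica needs no change to the addressing.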

The Internet Model

[Diagram: hosts, each with its own IP address, attached to routers that connect on to further routers; end-to-end connectivity is plain IP routing.]

Project Calico

[Diagram: the same picture with workloads in place of hosts: each workload has its own IP address, each host acts as a router for the workloads it runs, and a plugin sits between the workloads and the host’s router.]

What is Calico?

An open source project to enable scalable, simple and secure IP networking in a data center / cloud environment

Scalable: thousands of servers, 100k’s of workloads
Simple: don’t demand users to be networking experts
Secure: rich micro-service policy framework

Life Before and after Calico

Before Calico: Scale challenges above a few hundred servers / thousands of workloads
After Calico: Scale to millions of workloads with minimal CPU and network overhead

Before Calico: Troubleshooting connectivity issues can take hours
After Calico: What is happening is “obvious” – traceroute, ping, etc., work as expected

Before Calico: On/off ramps + NAT to break out of the overlay
After Calico: Path from workload to non-virtual device or public internet (or even between data centers) is just a route

Before Calico: High availability / load balancing across links requires an LB function (virtual or physical) and/or app-specific logic
After Calico: Equal Cost Multi-Path (ECMP) & Anycast just work, enabling scalable resilience and full utilization of physical links

Before Calico: CCNA or equivalent required to understand end-to-end networking and deploy applications
After Calico: Basic IP networking knowledge only required

Get Involved

Main project website: www.projectcalico.org
Github: github.com/projectcalico
Mailing list, Slack info: projectcalico.org/contact/
freenode IRC: #calico

Download & try it out
We welcome your feedback and contributions
Follow us @projectcalico
