-
Notifications
You must be signed in to change notification settings - Fork 120
/
understand-cf-networking.html.md.erb
209 lines (157 loc) · 10.2 KB
/
understand-cf-networking.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
---
title: Container-to-container networking
owner: CF for VMs Networking
---
This topic provides you with an overview of how container-to-container networking works in <%= vars.app_runtime_first %>.
Container-to-container networking is not available for apps hosted on Microsoft Windows.
The container-to-container networking feature enables app instances to communicate with each other directly.
<%= vars.cf_networking %>
## <a id="architecture"></a> Architecture
Container-to-container networking integrates with [Garden-runC] in a Diego deployment. The CF Networking Release includes several core components, as well as swappable components. For more information about Garden-runC, see [Garden-runC](./architecture/garden.html#garden-runc) in _Garden_. For more information about Diego, see [Diego Components and Architecture](./diego/diego-architecture.html). For more information about the CF Networking release, see [CF Networking Release](https://github.com/cloudfoundry-incubator/cf-networking-release) on GitHub.
To understand the components and how they work, see the following diagram and tables.
The diagram highlights <%= vars.app_runtime_abbr %> components in blue and green. The diagram also highlights swappable components in red.
### <a id='core'></a> Core components
The container-to-container networking BOSH release has the following core components:
<table>
<thead>
<tr>
<th>Part</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>Policy Server</td>
<td>A central management node that:
<ul>
<li>Maintains a database of policies for traffic between apps. The cf CLI calls an API to create or update a record in the policy database whenever you create or remove a policy.</li>
<li>Exposes a JSON REST API used by the cf CLI. This API serves traffic using TLS.</li>
</ul>
</td>
</tr>
<tr>
<td>Garden External Networker</td>
<td>
A Garden-runC add-on deployed to every Diego Cell that:
<ul>
<li>Runs the CNI plug-in component to set up the network for each app.</li>
<li>Forwards ports to support incoming connections from the Gorouter, TCP Router, and Diego SSH Proxy. This keeps apps externally reachable.</li>
<li>Installs outbound allow list rules to support Application Security Groups (ASGs).</li>
</ul>
</td>
</tr>
</tbody>
</table>
### <a id='swap'></a> Swappable components
<table>
<thead>
<tr>
<th>Part</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>Silk CNI plug-in<br></td>
<td>A plug-in that provides IP address management and network connectivity to app instances as follows:
<ul>
<li>Uses a shared VXLAN overlay network to assign each container a unique IP address.</li>
<li>Installs network interface in container using the Silk VXLAN back end. This is a shared, flat L3 network.</li>
</ul>
</td>
</tr>
<tr>
<td>VXLAN Policy Agent<br></td>
<td>Enforces network policy for traffic between apps as follows:
<ul>
<li>Discovers network policies from the Policy Server Internal API.</li>
<li>Updates iptables rules on the Diego Cell to allow approved inbound traffic.</li>
<li>Tags outbound traffic with the unique identifier of the source app using the VXLAN Group-Based Policy (GBP) header.</li>
</ul>
</td>
</tr>
</tbody>
</table>
## <a id='app-comm'></a> App instance communication
The following diagram illustrates how app instances communicate in a deployment with container-to-container networking enabled. In this example, the operator creates two policies to regulate the flow of traffic between **App A**, **App B**, and **App C**.
* Allow traffic from **App A** to **App B**
* Allow traffic from **App A** to **App C**
If traffic and its direction is not explicitly allowed, it is denied. For example, **App B** cannot send traffic to **App C**.
### <a id='overlay-network'></a> Overlay network
Container-to-container networking uses an overlay network to manage communication between app instances.
Overlay networks are not externally routable, and traffic sent between containers does not exit the overlay. You can use the same overlay network range for different <%= vars.app_runtime_abbr %> deployments in your environment.
The overlay network range defaults to `10.255.0.0/16`. You can modify the default to any [RFC 1918](https://tools.ietf.org/html/rfc1918) range that meets the following requirements:
* The range is not used by services that app containers access.
* The range is not used by the underlying <%= vars.app_runtime_abbr %> infrastructure.
All Diego Cells in your <%= vars.app_runtime_abbr %> deployment share this overlay network. By default, each Diego Cell is allocated a /24 range that supports 254 containers per Diego Cell, one container for each of the usable IP addresses, `.1` through `.254`. To modify the number of Diego Cells your overlay network supports, see [Overlay Network](../devguide/deploy-apps/cf-networking.html#overlay) in _Configuring Container-to-Container Networking_.
<%= vars.app_runtime_abbr %> container networking is currently supported only on Linux.
<p class="note caution">
The overlay network IP address range must not conflict with any other IP addresses in the network. If a
conflict exists, Diego Cells cannot reach any endpoint that has a conflicting IP address.
</p>
Traffic to app containers from the Gorouter or from app containers to external services uses
Diego Cell IP addresses and NAT, not the overlay network.
### <a id="policies"></a> Policies
Enabling container-to-container networking for your deployment allows you to create policies for communication between app instances. The container-to-container networking feature also provides a unique IP address to each app container and provides direct IP reachability between app instances.
The policies you create specify a source app, destination app, protocol, and port so that app instances can communicate directly without going through the Gorouter, a load balancer, or a firewall. Container-to-container networking supports UDP and TCP, and you can configure policies for multiple ports. These policies apply immediately without having to restart the app.
Additionally, policies use and and track the GUIDs of the apps. The policies continue to work when apps redeploy, or if they crash and Diego places them in a new container. Pushing a brand new app requires a new policy, but not updates to an existing app because an app always retains its GUID.
<% if vars.platform_code == "CF" || vars.platform_code == "PCF" %>
## <a id='service-discovery'></a> App service discovery
The <%= vars.app_runtime_abbr %> platform supports DNS-based service discovery that lets apps find each other's internal addresses. For example, a front end app instance can use the service discovery mechanism to establish communications with a back end app instance. To set up and use app service discovery, see [App service discovery](../devguide/deploy-apps/cf-networking.html#discovery) in _Configuring container-to-container networking_.
Container-to-container app service discovery does not provide client-side load balancing or circuit-breaking, and it does not apply to `cf marketplace` services or require app binding. It just lets apps publish service endpoints to each other, unbrokered and unmediated.
<% end %>
## <a id="alt-stack"></a> Alternative network stacks
The BOSH release that contains the container-to-container networking feature that is composed of a plug-in network stack. Advanced users or third party vendors can integrate a different network stack. For more information about third party plug-ins, see [3rd Party Plug-in Development for Container Networking](https://github.com/cloudfoundry/cf-networking-release/blob/develop/docs/11-3rd-party.md) in the CF Networking Release repository on GitHub.
## <a id="c2cvsasg"></a> Container-to-container networking versus ASGs
Both app security groups (ASGs) and container-to-container networking policies affect traffic from app instances. The following table highlights differences between ASGs and container-to-container networking policies.
<table>
<thead>
<tr>
<th></th>
<th>ASGs</th>
<th>Container-to-Container Networking Policies</th>
</tr>
</thead>
<tbody>
<tr>
<th>Policy granularity</th>
<td>From a space to an IP address range</td>
<td>From a source app to a destination app</td>
</tr>
<tr>
<th>Scope</th>
<td>For a space, org, or deployment</td>
<td>For app to app only</td>
</tr>
<tr>
<th>Traffic direction</th>
<td>Outbound control</td>
<td>Policies apply for incoming packets from other app instances</td>
</tr>
<tr>
<th>Source app</th>
<td>Is not known</td>
<td>Is identified because of direct addressability</td>
</tr>
<tr>
<th>Policies take affect</th>
<td>Immediately</td>
<td>Immediately</td>
</tr>
</tbody>
</table>
## <a id="securing-traffic"></a> Securing container-to-container traffic
The platform provides a TLS encapsulation for container-to-container network traffic.
To utilize TLS capabilities, the client application can connect to port 61443 on the destination application over HTTPS. Traffic to application
container port 61443 is proxied to application port 8080 inside of the container. In this case:
- The platform provides certificates for each app.
- The platform makes sure that TLS ends within the destination container and passes cleartext traffic to the app.
- The destination app does not need special configuration.
Additionally, applications can implement TLS termination in their destination applications. Use this option if your application needs to use more TLS capabilities, like verifying client certificates and rejecting service for those that are not permitted, or if your application needs TLS termination on a different port than the default port, 8080.
Specific Cloud Foundry vendors might provide additional methods for securing container-to-container traffic.
<p> For information about how the platform can encrypt public traffic to apps, see
<a href="http-routing.html#tls-to-back-end">TLS to Apps and Other Back End Services</a> in
<em>HTTP Routing</em>.
</p>