Securing Azure Kubernetes networking with Calico

One of the interesting aspects of moving to a top-down, application-centric way of working is rethinking how we do networking. Much as the application model first abstracted away physical infrastructure with virtualization and is now using Kubernetes and similar orchestration tools to abstract away the underlying virtual machines, networking is moving away from general-purpose routed protocol stacks to software-driven networking that uses common protocols to implement application-specific network functions.

We can see how networking is evolving with Windows Server 2022’s introduction of SMB over QUIC as an alternative to general-purpose VPNs for file sharing between on-premises Azure Stack systems and the Azure public cloud. Similarly, in Kubernetes, we’re seeing technologies such as service mesh provide an application-defined networking model that delivers network meshes with your distributed application as part of the application definition rather than as a network that an application uses.

A new networking layer: application-defined networking

This application-driven networking is a logical extension of much of the software-defined networking model that underpins the public cloud. However, instead of requiring deep understanding of networking and, more importantly, network hardware, it’s a shift to a higher-level approach where a network is automatically deployed using the intents in policy and rules. The shift away from both the virtual and the physical is essential when we’re working with dynamically self-orchestrating applications that scale up and down on demand, with instances across multiple regions and geographies all part of the same application.

It’s still early days for application-driven networking, but we’re seeing tools appear in Azure as part of its Kubernetes implementation. One option is the Open Service Mesh, of course, but there’s another set of tools that helps manage the network security of our Kubernetes applications: Network Policy. This helps manage connectivity between the various components of a Kubernetes application, handling traffic flow between pods.

Network policies in Azure Kubernetes Service

AKS (Azure Kubernetes Service) offers network policy support through two routes: its own native tool or the community-developed Calico. This second option is perhaps the most interesting, as it gives you a cross-cloud tool that can work not only with AKS, but also with your own on-premises Kubernetes, Red Hat’s OpenShift, and many other Kubernetes implementations.

Calico is managed by Kubernetes security and management company Tigera. It is an open source implementation of the Kubernetes network policy specification, handling connectivity between workloads and enforcing security policies on those connections, adding its own extensions to the base Kubernetes functions. It’s designed to work using different data planes, from eBPF on Linux to Windows Host Networking. This approach makes it ideal for Azure, which offers Kubernetes support for both Linux and Windows containers.
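As an added example (not from the original article or from Tigera), here is what that policy-as-intent looks like in practice: a default deny for a constructed namespace, one allow rule for the only flow the application needs, and Calico's own GlobalNetworkPolicy extension for a cluster-wide deny. The namespace, pod labels and port are assumptions.

```yaml
# Constructed example: namespace "shop" with pods labelled app=frontend and app=api (assumed).
# On AKS, Calico is chosen at cluster creation: az aks create ... --network-policy calico
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}        # empty selector matches every pod in the namespace
  policyTypes:
  - Ingress              # no ingress rules listed, so all inbound traffic is dropped
---
# Re-open only the flow the application needs: frontend -> api on TCP/8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# Calico extension (projectcalico.org/v3, not part of the Kubernetes spec): one cluster-wide
# default deny for every namespace except the system ones, so a namespace nobody wrote a
# policy for is still closed. projectcalico.org/namespace is the label Calico attaches to
# each workload endpoint. No "order" is set, so this policy is evaluated after ordered
# policies (the Kubernetes ones above included) and only catches traffic nothing else allowed.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: cluster-default-deny-ingress
spec:
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system"}
  types:
  - Ingress
```

Apply the two namespaced policies with kubectl and the GlobalNetworkPolicy with calicoctl (or kubectl when the Calico API server is installed); anything that then fails is a flow the application definition never declared.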

Copyright © 2022 IDG Communications, Inc.
