Photon Platform and NSX: Multi-Tenant Networking and Security for K8s

On October 17th, VMware Photon Platform introduced Kubernetes as a Service.

Purpose-built for cloud-native applications with integrated enterprise container infrastructure support, Photon Platform is a fully API-driven, multi-tenant platform built on ESXi, VMware NSX and VMware Virtual SAN.

Guido Appenzeller, VMware’s chief technology strategy officer, demonstrated NSX and containers at VMworld 2016. Now, with Photon Platform’s integrated enterprise container infrastructure support, developers get one-click access to Kubernetes while IT delivers the reliable infrastructure the business demands.

A large number of enterprises are beginning to build, test and deploy enterprise apps as containerized cloud-native applications. Enterprise IT and line-of-business teams cite three primary drivers for adopting containers:

  1. Faster software development and business agility – a developer or DevOps engineer can deploy the same Docker container used in dev/test into production.
  2. Efficient IT operations – containers and container management platforms provide a strong set of tooling to deploy, upgrade, scale and patch applications.
  3. Workload portability – the container runtime provides a consistent environment across a variety of compute infrastructure.

Market research from leading industry analysts shows that about 22% of enterprise customers have already deployed some apps on containerized infrastructure [1], and that by the end of 2018 about 50% of enterprises are likely to have some containerized apps in production [2].

In most deployments of containerized apps today, customers do not use native container networking, in which the container network is reachable from the data center network and each container has its own unique, routable IP address. Instead, administrators use the networking stack of the container host and rely on NAT (Network Address Translation) to move traffic in and out of the container, as shown in the figure below:

Host Networking: SNAT and DNAT by vSwitch on Container Host

The lack of native container networking and security leads to the following challenges for networking and security operations teams:

  1. Challenges with NAT – because all traffic in and out of the container host is NATed, the security operations team cannot apply security policy to individual containerized applications: outside the host, every container’s traffic carries the host’s IP address. The network and security teams’ existing operational tooling likewise cannot monitor, debug or troubleshoot these apps. This is often cited as one of the key challenges in operationalizing containers at scale.
  2. Connectivity to apps on VMs and bare metal – most containerized applications require access to services and apps running on bare-metal and VM infrastructure. Without native integration of the container network into the data center network, this requires ramp nodes (on-ramp/off-ramp nodes) to connect the data center network with the container network.
  3. Multi-tenancy – most customers require their compute, network and storage infrastructure to be multi-tenant, so that an admin can provision policies such as QoS and rate limiting for a particular tenant or class of application.
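To make the NAT point concrete (the host-networking description above and challenge 1 in the list), here is an added example written for this page, not VMware or NSX code: illustrative Python that parses the nat rules Docker installs on a container host, as captured in a constructed `iptables-save` excerpt, and models what a perimeter firewall or flow collector sees for container egress and ingress. The MASQUERADE rule collapses every container’s source address to the host address, so a rule keyed on source IP cannot tell two containers apart, and the DNAT chain shows that only published ports reach a container. The host address, container addresses, ports and flow records are all constructed for the example.

```python
"""Illustrative model (not VMware/NSX code) of host-NAT container networking:
what a data-centre firewall or monitoring tool sees when containers sit behind
the container host's SNAT (MASQUERADE) and DNAT rules."""
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt of `iptables-save -t nat` on a Docker host whose default
# bridge (docker0, 172.17.0.0/16) holds two containers: 172.17.0.2 publishing
# host port 8080 -> container port 80, and 172.17.0.3 publishing 5432 -> 5432.
# The rule shapes follow Docker's defaults; the addresses are made up.
IPTABLES_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT
"""

HOST_IP = "192.0.2.10"  # constructed: the host's address on the data-centre network

Flow = namedtuple("Flow", "src sport dst dport")

DNAT_RE = re.compile(r"--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)")
MASQ_RE = re.compile(r"-A POSTROUTING -s ([\d./]+) .*-j MASQUERADE")


def parse_nat(dump):
    """Extract the masqueraded (SNAT) subnet and the DNAT port map from an
    iptables-save nat table. Returns (cidr, {host_port: (container_ip, port)})."""
    masq, dnat = None, {}
    for line in dump.splitlines():
        m = DNAT_RE.search(line)
        if m:
            dnat[int(m.group(1))] = (m.group(2), int(m.group(3)))
        m = MASQ_RE.search(line)
        if m:
            masq = m.group(1)
    return masq, dnat


def egress_as_seen_outside(flow, masq_cidr, host_ip):
    """Apply the POSTROUTING MASQUERADE: a container-originated flow leaves the
    host with the host's IP as its source. (Real MASQUERADE may also rewrite the
    source port on collision; the model keeps it, which does not change the point.)"""
    if ipaddress.ip_address(flow.src) in ipaddress.ip_network(masq_cidr):
        return flow._replace(src=host_ip)
    return flow


def ingress_target(flow, host_ip, dnat):
    """Apply the DOCKER DNAT chain to a packet arriving at the host: a published
    port maps to (container_ip, container_port); anything else is unpublished."""
    if flow.dst == host_ip and flow.dport in dnat:
        return dnat[flow.dport]
    return None


def distinct_sources_outside(flows, masq_cidr, host_ip):
    """How many distinct source addresses a perimeter firewall can key a rule on."""
    return len({egress_as_seen_outside(f, masq_cidr, host_ip).src for f in flows})


# Constructed egress flows: two different containers talking to the same
# database VM. Inside the host they are distinguishable; outside they are not.
CONTAINER_FLOWS = [
    Flow("172.17.0.2", 51000, "10.10.0.50", 5432),
    Flow("172.17.0.3", 51001, "10.10.0.50", 5432),
]

if __name__ == "__main__":
    masq, dnat = parse_nat(IPTABLES_NAT)
    print("SNAT subnet:", masq, "published ports:", dnat)
    for f in CONTAINER_FLOWS:
        print(f, "-> seen outside as", egress_as_seen_outside(f, masq, HOST_IP))
    print("distinct sources a perimeter policy can match:",
          distinct_sources_outside(CONTAINER_FLOWS, masq, HOST_IP))
```

The only place the container-to-flow mapping still exists is the host’s own connection-tracking state, which is why monitoring and policy tooling built for the data center network cannot see individual containers without either running on every host or giving each container a routable address.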

In a future series of blogs, we plan to go into detail on how VMware NSX intends to address those challenges: supporting native container networking, micro-segmentation for CaaS/PaaS, and a tool set that lets network and security teams operationalize containerized apps at enterprise scale, as shown in the figure below.

NSX and Containerized Apps

In addition, VMware NSX intends to provide a consistent feature set across a variety of CaaS/PaaS platforms such as Kubernetes, Cloud Foundry, Docker and Mesos, and across compute platforms such as vSphere, Photon Platform, KVM, bare-metal servers and public cloud VMs.

Co-author Sai Chaitanya is a Product Manager in the Networking and Security Business Unit at VMware and drives the Cloud Native Apps strategy and execution with VMware NSX.

To learn more about NSX’s Container Networking and Security, watch these VMworld 2016 sessions:

To learn more about Photon Platform, check out the GitHub project, the product page and these VMworld 2016 sessions: