Comprehensive Software Reviews to make better IT decisions

Sr hero 001 Sr hero 002 Sr hero 003 Sr hero 004

Amazon Web Services Streamlines Container Networking

AWS has provided valuable new features for managing container networking. But this tasty secret sauce may prove addictive.

The largest cloud IaaS provider has enabled superior container networking through an expansion of its virtual private cloud (VPC) service. While container networking within the same instance on AWS is relatively straightforward, issues arise when containers need to communicate across instances.

The traditional way to achieve cross-instances communication between containers is through the use of an overlay network, such as that provided by Docker. An overlay network is a software-defined network that allows containers to communicate to one another by appropriately forwarding traffic based on a particular identifier (e.g. a container name – identifiers may vary), rather than by IP. This also allows for the use of load balancers.

While overlay networks work perfectly fine, they pose problems in a few use cases. Here we’ll focus on high performance computing (HPC) and on security.

  • HPC: In an overlay network packets proceed through multiple hops and latency can affect performance.
  • Security: Many organizations may want to ensure segregation of network traffic from apps belonging to different teams, including the network interfaces that can be used. This can be difficult to achieve with an overlay.

Amazon’s solution to these problems is their VPC task/pod networking feature. This service provides container networking through the use of elastic network interfaces (ENIs).

When you launch a task on an AWS instance, the task gets an ENI. Each ENI shows up in the default namespace and has a different IP address. An agent creates the task namespace for the networking (rather than relying on Docker), and each task namespace has an ENI. The ENIs automatically connect to each other over VPC. ENIs contain task metadata, so VPC directly connects the IP from one task to another (on the basis of the metadata) – so only a single hop is required from one task to another, enabling improved performance and security posture.

Our Take

AWS’s use of ENIs for container networking solves significant problems, and is a valuable feature for many customers. On the other hand, by relying on Amazon’s built-in services to do the heavy lifting on the back end, organizations risk vendor lock-in, and forego some of the value of employing a container ecosystem.

One of the key benefits of containers is being able to deploy scaleable networks of microservices that span seamlessly across on-premises and various cloud infrastructures. By relying on the ENIs in Amazon’s VPC, organizations will forego this key benefit.

Amazon’s streamlining of container networking is another example of innovative and valuable features that can lead to vendor lock-in down the road. After having a taste of AWS’s secret sauce, organizations may never want to open another menu.


Want to Know More?

Containers Survival Guide for Infrastructure

Containers and the “End” of Server Virtualization