Skip to main content

Virtualize the Network

Context

Microservices are adopted. The target deployment environment spans multiple physical machines, potentially distributed over multiple data centers. There is a physical network connecting these machines to faciilitate communication between microservices.

Problem

  • The phyiscal network migh need to change, requiring the microservices or their deployment to change
  • Setting up and managing the network is a complex manual process and leads to recurring issues
  • The network traffic needs to be secured adding complexity

Solution

Virtualize the network. Consider SDNs (software defined networks) that separate the network control from the physical network. The virtualization layer allows adjusting, expanding, or upgrading the underlying physical network without affecting the deployed applications.

SDN can be complemented it with further software (e.g. Open Virtual Network, OVN) to support abstractions, like network overlays and security groups, and inspecting the data transfer to increase customer security and privacy.

Maturity

Proposed, to be evaluated.

Sources of Evidence

L23:

  • microservice deployment and execution => network issues
  • currently: adopt various software defined networking (SDN) and network function virtualization (NFV) for networking microservices
  • OpenStack: management of virtual LANs in data centers by adhoc NFV
    • NFV uses core networking functions via software instead of relying on hardware functions
    • using Open Virtual Network (OVN) => efficient and secure use of the network
      • complements SDN capabilities, adds support for virtual network abstraction, e.g. virtual L1 and L2 overlays and security groups
      • supports security inspection of data transfer inside virtual networks
      • => helps to increase customer security and privacy

L28:

  • Docker supports multiple network virtualization configs
    • bridge network: can provide full virtualization
      • exports a virtualized network interface to a container connected t a private network segment
      • Docker relies on iptables to transfer packets among virtualized interfaces of containers and other physical networks
      • developer can use any port numbers, conflicts are avoided => isolation
      • microservice architecture with many containers => network virtualization puts pressure on SW and HW
        • degraded throughput up to 33% in experiment with NodJs services
    • host network
      • exports network interfaces of host OS to the process in a Docker container
      • allows conflicts of network ports
      • should not impact performance
        • better performance than bridge network
  • => be careful which network virtualization to choose depending on application requirements
    • one goal: performance
    • other goal: avoid port conflicts

LN41:

  • network issues sholud be considered because only with secure network the communication among microservices can be guaranteed
  • SDNs commonly used with microservices
    • separate network control from underlying physical network
    • get rid of limitation on network hardware imposed by manifacturer
    • enterprises can modify network in similar fashion as installing software, upgrade for enterprise's adjustment, expansion, or upgrading software architecture
    • flexibility of SDNs => often used to monitor network flow inside the MSA
    • but: inevitably face potential safety hazard of SDN
      • esp. if network becomes more complex and comm. is more frequent (large quantity of microservices)
      • need for thorough security analysis of network issues
  • container networks
    • default bridge is vulnerable to ARP spoofing and MAC flooding
    • solved if admin adds filtering to bridge or changes connectivity into a more secure one like a virtual network
    • additionally: run containers as non-priviledged; otherwise: has full permissions to host os
  • monolith's network easier to secure: more data or endpoints in the system as attack surface
    • need for network protection
    • SNDs add flexibility and efficiency to cloud management but expose additional security risks
      • thread: authentication and authorization of network applications
      • approach by Aliyu et al. can improve the security of SDNs
      • appoach by Sun to support fine grain virtual network monitoring
      • increased overhead by permission query increases complexity of system
  • ideal solution
    • network protection by SDN-based security monitors to deal with network attacks
    • defense again traditional network attacks like DOS and mainstream
    • still no perfect solution to address all network security issues

LM48:

  • Context: microservice migration describes an examples project (FX Core) and compares back to monolith
  • Docker swarm comes with overlay network to define internal networks between service containers
    • all containers expose ports to internal network

Interview D:

  • Need for virtualized environment
    • includes virtualized network infrastructure
    • self-service like API to generate resources on demand