Cloud Native Lou - Networking
10/21/2021
James Strong
AWS APN AMBASSADOR
Agenda
● k8s Sig-Network updates
● Ingress-nginx CVE
● 1.22 k8s updates
● Kubernetes and Networking Book
● AWS Containers and Networking Review
SIG Network Update
● Dual-Stack (now GA in 1.23)
● Gateway API (v1alpha2 for L4/L7)
● Service topologyKeys deprecated in 1.21; Topology Aware Hints (beta in 1.23) replace them
● KPNG (kube-proxy NG)
● ClusterNetworkPolicy
● Cilium CNCF Project
SIG Network Update: Gateway API
https://kubernetes.io/blog/2021/04/22/evolving-kubernetes-networking-with-the-gateway-api/
The Gateway API work started from the 2019 KubeCon discussion on evolving Ingress.
v1 ingress-nginx and the 1.22 release updates
• v1 upgrade of ingress-nginx
• Update manifests
• Ingress Class definitions
• https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/
• Kubernetes 1.22 removed the v1beta1 APIs for Ingress and IngressClass (networking.k8s.io/v1 has been GA since 1.19) and for CustomResourceDefinition (apiextensions.k8s.io/v1beta1), among many others
• https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-22
Notable Changes in Ingress Manifest (v1 makes pathType mandatory and replaces serviceName/servicePort with backend.service.name and backend.service.port.number)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-fanout-example
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 4200
      - path: /bar
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 8080
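Because 1.22 removes the v1beta1 API, every stored Ingress has to be rewritten into the v1 shape shown above. The program below is an added example, not code from the slides, the book or the ingress-nginx project: it converts an Ingress JSON document (the shape printed by kubectl get ingress -o json) from v1beta1 to networking.k8s.io/v1 using only the Go standard library. The input document is a constructed sample; the service and class names in it are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed v1beta1 Ingress (sample data, not from the slides).
const v1beta1Ingress = `{
  "apiVersion": "networking.k8s.io/v1beta1", "kind": "Ingress",
  "metadata": {"name": "simple-fanout-example",
               "annotations": {"kubernetes.io/ingress.class": "nginx"}},
  "spec": {
    "backend": {"serviceName": "default-svc", "servicePort": "http"},
    "rules": [{"host": "foo.bar.com", "http": {"paths": [
      {"path": "/foo", "backend": {"serviceName": "service1", "servicePort": 4200}},
      {"path": "/bar", "pathType": "Prefix",
       "backend": {"serviceName": "service2", "servicePort": 8080}}]}}]}}`

// convertBackend rewrites a v1beta1 backend {serviceName, servicePort} into the
// v1 shape {service: {name, port: {number | name}}}. A backend that already has
// a "service" key is returned unchanged.
func convertBackend(b map[string]interface{}) (map[string]interface{}, error) {
	if _, ok := b["service"]; ok {
		return b, nil
	}
	name, ok := b["serviceName"].(string)
	if !ok {
		return nil, fmt.Errorf("backend has no serviceName: %v", b)
	}
	port := map[string]interface{}{}
	switch p := b["servicePort"].(type) {
	case float64: // JSON numbers decode to float64
		port["number"] = int(p)
	case string: // a named port
		port["name"] = p
	default:
		return nil, fmt.Errorf("backend %q: unsupported servicePort %v", name, p)
	}
	return map[string]interface{}{"service": map[string]interface{}{"name": name, "port": port}}, nil
}

// ConvertIngressV1Beta1ToV1 bumps apiVersion, renames spec.backend to
// spec.defaultBackend, converts every backend, fills a missing pathType with
// ImplementationSpecific (the v1beta1 default; v1 requires the field) and copies
// the deprecated kubernetes.io/ingress.class annotation into spec.ingressClassName
// when that field is unset (the API server rejects the two disagreeing).
func ConvertIngressV1Beta1ToV1(in []byte) ([]byte, error) {
	var ing map[string]interface{}
	if err := json.Unmarshal(in, &ing); err != nil {
		return nil, err
	}
	if ing["kind"] != "Ingress" {
		return nil, fmt.Errorf("kind %v is not Ingress", ing["kind"])
	}
	spec, _ := ing["spec"].(map[string]interface{})
	if spec == nil {
		return nil, fmt.Errorf("ingress has no spec")
	}
	ing["apiVersion"] = "networking.k8s.io/v1"
	if b, ok := spec["backend"].(map[string]interface{}); ok {
		nb, err := convertBackend(b)
		if err != nil {
			return nil, err
		}
		spec["defaultBackend"] = nb
		delete(spec, "backend")
	}
	rules, _ := spec["rules"].([]interface{})
	for _, r := range rules {
		rule, _ := r.(map[string]interface{})
		httpRule, _ := rule["http"].(map[string]interface{})
		paths, _ := httpRule["paths"].([]interface{})
		for _, p := range paths {
			path, ok := p.(map[string]interface{})
			if !ok {
				continue
			}
			if _, ok := path["pathType"]; !ok {
				path["pathType"] = "ImplementationSpecific"
			}
			if b, ok := path["backend"].(map[string]interface{}); ok {
				nb, err := convertBackend(b)
				if err != nil {
					return nil, err
				}
				path["backend"] = nb
			}
		}
	}
	if meta, ok := ing["metadata"].(map[string]interface{}); ok {
		if ann, ok := meta["annotations"].(map[string]interface{}); ok {
			if cls, ok := ann["kubernetes.io/ingress.class"].(string); ok {
				if _, set := spec["ingressClassName"]; !set {
					spec["ingressClassName"] = cls
				}
			}
		}
	}
	return json.MarshalIndent(ing, "", "  ")
}

func main() {
	out, err := ConvertIngressV1Beta1ToV1([]byte(v1beta1Ingress))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The converter leaves the class annotation in place because the values match; drop it once every controller in the cluster reads spec.ingressClassName. A backend that lacks serviceName is reported as an error rather than silently emitted, since the v1 API server would reject it anyway.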
Ingress-nginx CVE202125742
● Disable config snippets
● Multitenant environments where non-admin users have permissions to
create Ingress objects are most affected by this issue.
● Secrets can be accessed by malicious config snippet
Set allow-snippet-annotations to false in your ingress-nginx
https://github.com/kubernetes/ingress-nginx/issues/7837
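Turning the setting off is only half of the job; an administrator also wants to know whether the running controller honours snippets right now and which tenants already use them. The program below is an added example, not code from the slides or from the ingress-nginx project. It reads the controller ConfigMap and an IngressList in the JSON shape that kubectl -o json prints and reports the effective allow-snippet-annotations value plus every Ingress carrying a snippet annotation. Both documents are constructed samples; the namespaces and names are made up, and the defaultAllow argument is the assumption to make about the controller's built-in default when the key is absent (true for the releases current at the time of these slides).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed samples (not from the slides), in the shape printed by
//   kubectl -n ingress-nginx get configmap ingress-nginx-controller -o json
//   kubectl get ingress --all-namespaces -o json
const configMapJSON = `{"kind":"ConfigMap","data":{"allow-snippet-annotations":"true"}}`

const ingressListJSON = `{"kind":"IngressList","items":[
 {"metadata":{"namespace":"team-a","name":"web","annotations":{
   "nginx.ingress.kubernetes.io/rewrite-target":"/"}}},
 {"metadata":{"namespace":"team-b","name":"status","annotations":{
   "nginx.ingress.kubernetes.io/server-snippet":"location /nginx_status { stub_status; }"}}},
 {"metadata":{"namespace":"team-c","name":"api","annotations":{
   "nginx.ingress.kubernetes.io/configuration-snippet":"more_set_headers \"X-Frame-Options: DENY\";"}}}
]}`

// SnippetAnnotationsEnabled reports whether the controller will honour
// *-snippet annotations. defaultAllow is what the controller assumes when the
// key is absent from the ConfigMap (an assumption the caller supplies).
func SnippetAnnotationsEnabled(cmJSON []byte, defaultAllow bool) (bool, error) {
	var cm struct {
		Data map[string]string `json:"data"`
	}
	if err := json.Unmarshal(cmJSON, &cm); err != nil {
		return false, err
	}
	v, ok := cm.Data["allow-snippet-annotations"]
	if !ok {
		return defaultAllow, nil
	}
	return strconv.ParseBool(strings.TrimSpace(v))
}

// Finding is one Ingress that carries a snippet annotation.
type Finding struct {
	Namespace, Name, Annotation string
}

// FindSnippetAnnotations lists every Ingress with an ingress-nginx snippet
// annotation (configuration-snippet, server-snippet, stream-snippet,
// auth-snippet, modsecurity-snippet): the objects through which a tenant can
// inject nginx directives into the shared controller.
func FindSnippetAnnotations(listJSON []byte) ([]Finding, error) {
	var list struct {
		Items []struct {
			Metadata struct {
				Namespace   string            `json:"namespace"`
				Name        string            `json:"name"`
				Annotations map[string]string `json:"annotations"`
			} `json:"metadata"`
		} `json:"items"`
	}
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var out []Finding
	for _, it := range list.Items {
		for k := range it.Metadata.Annotations {
			if strings.HasPrefix(k, "nginx.ingress.kubernetes.io/") && strings.HasSuffix(k, "-snippet") {
				out = append(out, Finding{it.Metadata.Namespace, it.Metadata.Name, k})
			}
		}
	}
	return out, nil
}

func main() {
	enabled, err := SnippetAnnotationsEnabled([]byte(configMapJSON), true)
	if err != nil {
		panic(err)
	}
	findings, err := FindSnippetAnnotations([]byte(ingressListJSON))
	if err != nil {
		panic(err)
	}
	fmt.Printf("allow-snippet-annotations effective value: %v\n", enabled)
	for _, f := range findings {
		fmt.Printf("%s/%s uses %s\n", f.Namespace, f.Name, f.Annotation)
	}
	if enabled && len(findings) > 0 {
		fmt.Println("snippets are live: set allow-snippet-annotations to \"false\" and review the objects above")
	}
}
```

A value the controller cannot parse as a boolean is returned as an error rather than guessed, so the audit fails loudly instead of reporting a false negative. The findings list is what to hand to the tenants before the setting is flipped, since their snippets stop working at that moment.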
Kubernetes and Networking
Networking and Kubernetes
package main

import (
	"fmt"
	"log"
	"net/http"
)

// hello answers every request with a fixed body.
func hello(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "Hello")
}

func main() {
	http.HandleFunc("/", hello)
	// Listen on all interfaces, TCP port 8080; exit if the listener fails.
	log.Fatal(http.ListenAndServe("0.0.0.0:8080", nil))
}
1. Networking
2. Linux Networking
3. Container Networking
4. Kubernetes Networking
5. Kubernetes Networking Abstractions
6. Kubernetes and Cloud networking
https://learning.oreilly.com/library/view/networking-and-kubernetes/9781492081647/
AWS Network and Container Review
EKS Anywhere
● Run on-prem, laptop, vSphere
● EKS Connector
● Demo and GA announcement: https://aws.amazon.com/blogs/containers/introducing-general-availability-of-amazon-eks-anywhere/
● More info: https://aws.amazon.com/eks/eks-anywhere/
Network Review – Customer-Managed VPC
(diagram) A VPC 192.168.0.0/16 spanning three Availability Zones, each with a public subnet and a private subnet. An internet gateway is attached to the VPC, NAT gateways sit in the public subnets, and security groups wrap the node groups. The EKS control plane runs outside the customer VPC; the node groups are placed in the private subnets and reach the internet through the NAT gateway.
Amazon VPC CNI
Kubernetes network on the AWS VPC CNI: availability, low latency and minimal network jitter, plus the ability to apply VPC best practices directly to pods: security groups, VPC routing policies, VPC flow logs and the other AWS native integrations.
Amazon VPC CNI Components
• CNI plugin: responsible for the pod's networking stack (the veth pair and routes that attach the pod to an ENI)
• IPAMD (IP address management daemon): configures the ENIs, keeps a pool of IP addresses warm, and assigns an IP address to each pod
Amazon VPC CNI
(diagram) Customer VPC with subnet 10.200.1.0/24 and two nodes. Each pod's eth0 carries a real VPC address taken from the secondary IPs of the node's ENI: Pod 1 10.200.1.6, Pod 3 10.200.1.7, Pod 2 10.200.1.8, Pod 4 10.200.1.9. Node 1 holds 10.200.1.6 and 10.200.1.7 as secondary IPs; Node 2 holds 10.200.1.8 and 10.200.1.9.
AWS VPC CNI Configuration Variables
1. AWS_VPC_CNI_NODE_PORT_SUPPORT: NodePort support on worker nodes
2. AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG: custom networking; pods take their subnet and security groups from ENIConfig resources instead of the node's primary ENI
3. AWS_VPC_ENI_MTU: MTU setting for the attached ENIs
4. AWS_VPC_K8S_CNI_EXTERNAL_SNAT: specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses (when true, the CNI does not SNAT pod traffic leaving the VPC itself)
5. WARM_ENI_TARGET: number of spare ENIs, each with its full set of IP addresses, to keep attached and ready
6. AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS: CIDRs to exclude from SNAT
AWS EKS Cluster
EKS Communication
(diagram) The EKS control plane runs in an EKS-managed VPC; the customer VPC holds the node group. EKS places ENIs in the customer VPC so the control plane can reach the nodes. Cluster administrators use kubectl against the EKS control plane, while application users reach the application running on the node group.
EKS Networking Mode - Public Endpoint Only
(diagram) The API server endpoint is public. kubectl reaches it over the internet, and kubelet and kube-proxy on the worker nodes in the customer VPC also talk to the control plane through the public endpoint, so the node subnets need a route out of the VPC. The EKS-owned ENIs in the customer VPC carry only control-plane-to-node traffic.

EKS Networking Mode – Public and Private Endpoint
(diagram) Both endpoints are enabled. kubectl from outside still uses the public endpoint; inside the VPC, a Route 53 private hosted zone resolves the cluster endpoint (56d02fd4cb4ef6f7.eks.amazonaws.com in the diagram) to the EKS-owned ENIs, so kubelet and kube-proxy traffic never leaves the VPC.

EKS Networking Mode – Private Endpoint Only
(diagram) The cluster endpoint resolves only to the EKS-owned ENIs in the customer VPC. Nodes reach the control plane privately, and kubectl must run from inside the VPC or from a network connected to it (VPN, Direct Connect or a peered VPC).
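The three modes above are set by two flags on the cluster, and the public mode carries a CIDR allow-list that most clusters leave wide open. The program below is an added example, not code from the slides or from AWS: it takes the resourcesVpcConfig object that aws eks describe-cluster returns, names the mode the cluster is in, and lists the review points a security engineer would raise. The input is a constructed sample; the VPC and subnet IDs in it are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed resourcesVpcConfig (sample data, not from the slides), the shape
// returned by: aws eks describe-cluster --name <cluster> --query cluster.resourcesVpcConfig
const vpcConfigJSON = `{
  "vpcId": "vpc-0123456789abcdef0",
  "subnetIds": ["subnet-0a", "subnet-0b"],
  "endpointPublicAccess": true,
  "endpointPrivateAccess": false,
  "publicAccessCidrs": ["0.0.0.0/0"]
}`

// VPCConfig holds the fields that decide the cluster's endpoint mode.
type VPCConfig struct {
	EndpointPublicAccess  bool     `json:"endpointPublicAccess"`
	EndpointPrivateAccess bool     `json:"endpointPrivateAccess"`
	PublicAccessCidrs     []string `json:"publicAccessCidrs"`
}

// ParseVPCConfig decodes the describe-cluster output; unknown fields are ignored.
func ParseVPCConfig(raw []byte) (VPCConfig, error) {
	var c VPCConfig
	err := json.Unmarshal(raw, &c)
	return c, err
}

// EndpointMode maps the two flags to the three modes on the slides.
func EndpointMode(c VPCConfig) string {
	switch {
	case c.EndpointPublicAccess && c.EndpointPrivateAccess:
		return "public and private endpoint"
	case c.EndpointPublicAccess:
		return "public endpoint only"
	case c.EndpointPrivateAccess:
		return "private endpoint only"
	}
	return "invalid (no endpoint enabled)"
}

// EndpointFindings returns the review points for the configuration.
func EndpointFindings(c VPCConfig) []string {
	var f []string
	if !c.EndpointPublicAccess && !c.EndpointPrivateAccess {
		return append(f, "neither endpoint is enabled; EKS requires at least one")
	}
	if c.EndpointPublicAccess {
		for _, cidr := range c.PublicAccessCidrs {
			if cidr == "0.0.0.0/0" {
				f = append(f, "public endpoint accepts connections from any IPv4 address; restrict publicAccessCidrs to admin egress ranges")
				break
			}
		}
		if !c.EndpointPrivateAccess {
			f = append(f, "private access is off: kubelet and kube-proxy reach the control plane through the public endpoint, so node subnets need internet or NAT egress")
		}
	}
	return f
}

func main() {
	c, err := ParseVPCConfig([]byte(vpcConfigJSON))
	if err != nil {
		panic(err)
	}
	fmt.Println("mode:", EndpointMode(c))
	for _, finding := range EndpointFindings(c) {
		fmt.Println("-", finding)
	}
}
```

Authentication still applies on the public endpoint, so an open publicAccessCidrs is exposure rather than a break-in on its own; the finding matters because it widens who can probe the API server and exercise any future authentication bug.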
VPC Subnet Considerations
1. Public only: using only public subnets. Nodes and ingress resources (load balancers) are deployed in the same public subnets.
2. Private only: using only private subnets. Nodes are instantiated in private subnets.
3. Public and private: using public and private subnets. Nodes are deployed in the private subnets and ingress resources (like load balancers) are instantiated in the public subnets.
AWS ALB Ingress Controller
AWS ALB and ALB Ingress Controller lab
(diagram) A Kubernetes cluster of three nodes running the Ping, Admin and Data pods, each exposed through a NodePort (NP) Service. The ALB controller pod watches the API server for Ingress objects and creates an ALB whose target group forwards to the NodePort (30040 on node 192.168.1.7 in the diagram); the diagram numbers the steps 1 to 5.
AWS App Mesh
AWS App Mesh Functionality
1. Point-to-point communication
2. Network traffic control
3. Observability
4. Fault isolation
AWS App Mesh Components
(diagram) An application user's request enters the mesh; each of the Ping, Data and Admin services is modelled as a Virtual Service that routes through a Virtual Router to a Virtual Node backed by that service's pods.
AWS App Mesh Envoy Communication
(diagram) Each application pod runs the application container next to an Envoy proxy that handles its ingress and egress traffic, plus an X-Ray agent. Traces go to AWS X-Ray; metrics and logs go to Amazon CloudWatch Metrics and Amazon CloudWatch Logs.

More Related Content

What's hot

Multi host container networking
Multi host container networkingMulti host container networking
Multi host container networkingWeaveworks
 
OpenEBS - Containerized Storage for Containers
OpenEBS  - Containerized Storage for ContainersOpenEBS  - Containerized Storage for Containers
OpenEBS - Containerized Storage for ContainersUmasankar Mukkara
 
AWS ECS Quick Introduction
AWS ECS Quick IntroductionAWS ECS Quick Introduction
AWS ECS Quick IntroductionVinothini Raju
 
Overlay/Underlay - Betting on Container Networking
Overlay/Underlay - Betting on Container NetworkingOverlay/Underlay - Betting on Container Networking
Overlay/Underlay - Betting on Container NetworkingLee Calcote
 
Metaswitch Project Calico
Metaswitch Project CalicoMetaswitch Project Calico
Metaswitch Project CalicoAndrew Kennedy
 
Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Conor Svensson
 
Building Micro-Services with Scala
Building Micro-Services with ScalaBuilding Micro-Services with Scala
Building Micro-Services with ScalaYardena Meymann
 
Migration of Microsoft Workloads
Migration of Microsoft WorkloadsMigration of Microsoft Workloads
Migration of Microsoft WorkloadsAmazon Web Services
 
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...Docker, Inc.
 
Kubernetes Policy As Code usando WebAssembly | Flavio Castelli
Kubernetes Policy As Code usando WebAssembly | Flavio CastelliKubernetes Policy As Code usando WebAssembly | Flavio Castelli
Kubernetes Policy As Code usando WebAssembly | Flavio CastelliKCDItaly
 
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Cloud Native Day Tel Aviv
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep diveamylynn11
 
New Features of Kubernetes v1.2.0 beta
New Features of Kubernetes v1.2.0 betaNew Features of Kubernetes v1.2.0 beta
New Features of Kubernetes v1.2.0 betaGiragadurai Vallirajan
 
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...Docker, Inc.
 
Dockercon 2015 Recap
Dockercon 2015 RecapDockercon 2015 Recap
Dockercon 2015 Recapehazlett
 
Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo Long
Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo LongMetal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo Long
Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo LongVietnam Open Infrastructure User Group
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Karthik Prabhakar
 

What's hot (20)

Multi host container networking
Multi host container networkingMulti host container networking
Multi host container networking
 
OpenEBS - Containerized Storage for Containers
OpenEBS  - Containerized Storage for ContainersOpenEBS  - Containerized Storage for Containers
OpenEBS - Containerized Storage for Containers
 
AWS ECS Quick Introduction
AWS ECS Quick IntroductionAWS ECS Quick Introduction
AWS ECS Quick Introduction
 
Overlay/Underlay - Betting on Container Networking
Overlay/Underlay - Betting on Container NetworkingOverlay/Underlay - Betting on Container Networking
Overlay/Underlay - Betting on Container Networking
 
Metaswitch Project Calico
Metaswitch Project CalicoMetaswitch Project Calico
Metaswitch Project Calico
 
Istio on Kubernetes
Istio on KubernetesIstio on Kubernetes
Istio on Kubernetes
 
Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring
 
Kubernetes integration with ODL
Kubernetes integration with ODLKubernetes integration with ODL
Kubernetes integration with ODL
 
Building Micro-Services with Scala
Building Micro-Services with ScalaBuilding Micro-Services with Scala
Building Micro-Services with Scala
 
Migration of Microsoft Workloads
Migration of Microsoft WorkloadsMigration of Microsoft Workloads
Migration of Microsoft Workloads
 
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
DockerCon EU 2015: The Missing Piece: when Docker networking unleashing soft ...
 
Kubernetes Policy As Code usando WebAssembly | Flavio Castelli
Kubernetes Policy As Code usando WebAssembly | Flavio CastelliKubernetes Policy As Code usando WebAssembly | Flavio Castelli
Kubernetes Policy As Code usando WebAssembly | Flavio Castelli
 
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
Kuryr-Kubernetes: The perfect match for networking cloud native workloads - I...
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep dive
 
New Features of Kubernetes v1.2.0 beta
New Features of Kubernetes v1.2.0 betaNew Features of Kubernetes v1.2.0 beta
New Features of Kubernetes v1.2.0 beta
 
VMWare Networking Basic
VMWare Networking BasicVMWare Networking Basic
VMWare Networking Basic
 
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
Infinit's Next Generation Key-value Store - Julien Quintard and Quentin Hocqu...
 
Dockercon 2015 Recap
Dockercon 2015 RecapDockercon 2015 Recap
Dockercon 2015 Recap
 
Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo Long
Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo LongMetal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo Long
Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo Long
 
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
Container Networking - State of the Ecosystem [ContainerConf, Mannheim, Nov 2...
 

Similar to Cloud Native Lou - Networking

EKS New features - Re:invent 2022 recap at AWSUGNL Benelux
EKS New features - Re:invent 2022 recap at AWSUGNL BeneluxEKS New features - Re:invent 2022 recap at AWSUGNL Benelux
EKS New features - Re:invent 2022 recap at AWSUGNL BeneluxMasoom Tulsiani
 
Amazon Virtual Private Cloud VPC Architecture AWS Web Services
Amazon Virtual Private Cloud VPC Architecture AWS Web ServicesAmazon Virtual Private Cloud VPC Architecture AWS Web Services
Amazon Virtual Private Cloud VPC Architecture AWS Web ServicesRobert Wilson
 
Bitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by KubernetesBitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by KubernetesNathan Burrell
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesQAware GmbH
 
PLNOG 17 - Tomasz Stachlewski - Infrastruktura sieciowa w chmurze AWS
PLNOG 17 - Tomasz Stachlewski - Infrastruktura sieciowa w chmurze AWSPLNOG 17 - Tomasz Stachlewski - Infrastruktura sieciowa w chmurze AWS
PLNOG 17 - Tomasz Stachlewski - Infrastruktura sieciowa w chmurze AWSPROIDEA
 
Containers Meetup (AWS+CNCF) Milano Jan 15th 2020
Containers Meetup (AWS+CNCF) Milano Jan 15th 2020Containers Meetup (AWS+CNCF) Milano Jan 15th 2020
Containers Meetup (AWS+CNCF) Milano Jan 15th 2020Massimo Ferre'
 
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013Amazon Web Services
 
Kubernetes: Container Orchestration for Production-grade People
Kubernetes: Container Orchestration for Production-grade PeopleKubernetes: Container Orchestration for Production-grade People
Kubernetes: Container Orchestration for Production-grade PeopleASPEX_BE
 
(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity...
(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity...(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity...
(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity...Amazon Web Services
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Web Services
 
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...Amazon Web Services
 
Eks and fargate
Eks and fargateEks and fargate
Eks and fargateAsaf Abres
 
打破時空藩籬,輕鬆存取您的雲端工作負載
打破時空藩籬,輕鬆存取您的雲端工作負載打破時空藩籬,輕鬆存取您的雲端工作負載
打破時空藩籬,輕鬆存取您的雲端工作負載Amazon Web Services
 
打破時空藩籬-輕鬆存取您的雲端工作負載
打破時空藩籬-輕鬆存取您的雲端工作負載打破時空藩籬-輕鬆存取您的雲端工作負載
打破時空藩籬-輕鬆存取您的雲端工作負載Amazon Web Services
 
Container network security
Container network securityContainer network security
Container network securityDaisuke Nakajima
 
Docker clusters on AWS with Amazon ECS and Kubernetes
Docker clusters on AWS with Amazon ECS and KubernetesDocker clusters on AWS with Amazon ECS and Kubernetes
Docker clusters on AWS with Amazon ECS and KubernetesJulien SIMON
 
Elastic Kubernetes Services (EKS)
Elastic Kubernetes Services (EKS)Elastic Kubernetes Services (EKS)
Elastic Kubernetes Services (EKS)sriram_rajan
 
Criando o seu datacenter virtual vpc e conectividade
Criando o seu datacenter virtual  vpc e conectividadeCriando o seu datacenter virtual  vpc e conectividade
Criando o seu datacenter virtual vpc e conectividadeAmazon Web Services LATAM
 
컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015
컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015
컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015Amazon Web Services Korea
 

Similar to Cloud Native Lou - Networking (20)

EKS New features - Re:invent 2022 recap at AWSUGNL Benelux
EKS New features - Re:invent 2022 recap at AWSUGNL BeneluxEKS New features - Re:invent 2022 recap at AWSUGNL Benelux
EKS New features - Re:invent 2022 recap at AWSUGNL Benelux
 
Amazon Virtual Private Cloud VPC Architecture AWS Web Services
Amazon Virtual Private Cloud VPC Architecture AWS Web ServicesAmazon Virtual Private Cloud VPC Architecture AWS Web Services
Amazon Virtual Private Cloud VPC Architecture AWS Web Services
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
 
Bitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by KubernetesBitbucket Pipelines - Powered by Kubernetes
Bitbucket Pipelines - Powered by Kubernetes
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes Services
 
PLNOG 17 - Tomasz Stachlewski - Infrastruktura sieciowa w chmurze AWS
PLNOG 17 - Tomasz Stachlewski - Infrastruktura sieciowa w chmurze AWSPLNOG 17 - Tomasz Stachlewski - Infrastruktura sieciowa w chmurze AWS
PLNOG 17 - Tomasz Stachlewski - Infrastruktura sieciowa w chmurze AWS
 
Containers Meetup (AWS+CNCF) Milano Jan 15th 2020
Containers Meetup (AWS+CNCF) Milano Jan 15th 2020Containers Meetup (AWS+CNCF) Milano Jan 15th 2020
Containers Meetup (AWS+CNCF) Milano Jan 15th 2020
 
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013From One to Many:  Evolving VPC Design (ARC401) | AWS re:Invent 2013
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013
 
Kubernetes: Container Orchestration for Production-grade People
Kubernetes: Container Orchestration for Production-grade PeopleKubernetes: Container Orchestration for Production-grade People
Kubernetes: Container Orchestration for Production-grade People
 
(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity...
(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity...(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity...
(ARC205) Creating Your Virtual Data Center: VPC Fundamentals and Connectivity...
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
 
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
 
Eks and fargate
Eks and fargateEks and fargate
Eks and fargate
 
打破時空藩籬,輕鬆存取您的雲端工作負載
打破時空藩籬,輕鬆存取您的雲端工作負載打破時空藩籬,輕鬆存取您的雲端工作負載
打破時空藩籬,輕鬆存取您的雲端工作負載
 
打破時空藩籬-輕鬆存取您的雲端工作負載
打破時空藩籬-輕鬆存取您的雲端工作負載打破時空藩籬-輕鬆存取您的雲端工作負載
打破時空藩籬-輕鬆存取您的雲端工作負載
 
Container network security
Container network securityContainer network security
Container network security
 
Docker clusters on AWS with Amazon ECS and Kubernetes
Docker clusters on AWS with Amazon ECS and KubernetesDocker clusters on AWS with Amazon ECS and Kubernetes
Docker clusters on AWS with Amazon ECS and Kubernetes
 
Elastic Kubernetes Services (EKS)
Elastic Kubernetes Services (EKS)Elastic Kubernetes Services (EKS)
Elastic Kubernetes Services (EKS)
 
Criando o seu datacenter virtual vpc e conectividade
Criando o seu datacenter virtual  vpc e conectividadeCriando o seu datacenter virtual  vpc e conectividade
Criando o seu datacenter virtual vpc e conectividade
 
컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015
컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015
컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015
 

Recently uploaded

UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesPrabhanshu Chaturvedi
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 

Recently uploaded (20)

UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and Properties
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts

Cloud Native Lou - Networking

  • 1. Cloud Native Lou - 10/21/2021 James Strong AWS APN AMBASSADOR
  • 2. Agenda
    ● k8s Sig-Network updates
    ● Ingress-nginx CVE
    ● 1.22 k8s updates
    ● Kubernetes and Networking Book
    ● AWS Containers and Networking Review
  • 3. SIG Network Update
    ● Dual-Stack (now GA in 1.23)
    ● Gateway API (v1alpha2 for L4/L7)
    ● Topology keys deprecated in 1.21, Topology Aware Hints in 1.23
    ● KPNG (kube-proxy NG)
    ● ClusterNetworkPolicy
    ● Cilium CNCF Project
  • 5. v1 ingress-nginx / 1.22 Release updates
    ingress-nginx:
    ● v1 upgrade
    ● Update manifests
    ● Ingress Class Definitions
    ● https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/
    Kubernetes 1.22:
    ● networking.k8s.io/v1 is the only served Ingress and IngressClass API as of 1.22 (the v1beta1 versions are no longer served; v1 has been available since 1.19)
    ● apiextensions.k8s.io/v1beta1 CustomResourceDefinition removed, among many others
    ● https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-22
  • 6. Notable Changes in Ingress Manifest

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: simple-fanout-example
    spec:
      rules:
      - host: foo.bar.com
        http:
          paths:
          - path: /foo
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 4200
          - path: /bar
            pathType: Prefix
            backend:
              service:
                name: service2
                port:
                  number: 8080
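The v1beta1 to v1 backend change is mechanical but easy to get wrong by hand across many Ingress objects. The Go below is an added example, not code from the deck or from ingress-nginx: it converts one path entry from the old serviceName/servicePort shape into the v1 service.name/port shape, defaults a missing pathType the way the API server does when it serves v1beta1 objects through v1, rejects the values v1 validation rejects, and lifts the deprecated kubernetes.io/ingress.class annotation into spec.ingressClassName. The struct types are trimmed stand-ins for the real API types, and the sample input is constructed from the slide's fanout rule.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Added example, not code from the deck: converts the per-path backend shape
// of the pre-1.22 Ingress APIs (extensions/v1beta1, networking.k8s.io/v1beta1)
// into the networking.k8s.io/v1 shape on slide 6, and lifts the deprecated
// ingress class annotation into spec.ingressClassName. Structs are trimmed to
// the fields the conversion touches; field names follow the real API.

// v1beta1: flat backend with serviceName and a servicePort that may be a
// number or a named port; pathType is optional.
type V1beta1Backend struct{ ServiceName, ServicePort string }
type V1beta1Path struct {
	Path, PathType string
	Backend        V1beta1Backend
}

// v1: backend.service.{name, port.{number|name}}; pathType is required.
type V1ServicePort struct {
	Number int32
	Name   string
}
type V1Service struct {
	Name string
	Port V1ServicePort
}
type V1Backend struct{ Service V1Service }
type V1Path struct {
	Path, PathType string
	Backend        V1Backend
}

// Deprecated annotation that spec.ingressClassName replaces.
const ingressClassAnnotation = "kubernetes.io/ingress.class"

// ConvertPath rewrites one path entry. A missing pathType becomes
// ImplementationSpecific (how the API server serves v1beta1 objects through
// v1); Exact and Prefix paths must be absolute; a numeric servicePort becomes
// port.number and anything else is treated as a named port.
func ConvertPath(p V1beta1Path) (V1Path, error) {
	out := V1Path{Path: p.Path, PathType: p.PathType}
	switch out.PathType {
	case "":
		out.PathType = "ImplementationSpecific"
	case "Exact", "Prefix":
		if !strings.HasPrefix(p.Path, "/") {
			return V1Path{}, fmt.Errorf("path %q must be absolute for pathType %s", p.Path, out.PathType)
		}
	case "ImplementationSpecific":
	default:
		return V1Path{}, fmt.Errorf("unknown pathType %q", p.PathType)
	}
	if p.Backend.ServiceName == "" {
		return V1Path{}, fmt.Errorf("path %q has no serviceName", p.Path)
	}
	out.Backend.Service.Name = p.Backend.ServiceName
	if n, err := strconv.Atoi(p.Backend.ServicePort); err == nil {
		if n < 1 || n > 65535 {
			return V1Path{}, fmt.Errorf("servicePort %d out of range", n)
		}
		out.Backend.Service.Port.Number = int32(n)
	} else {
		out.Backend.Service.Port.Name = p.Backend.ServicePort
	}
	return out, nil
}

// IngressClassName returns the v1 spec.ingressClassName: the existing spec
// value wins, otherwise the deprecated annotation is lifted into the field.
func IngressClassName(specValue string, annotations map[string]string) string {
	if specValue != "" {
		return specValue
	}
	return annotations[ingressClassAnnotation]
}

func main() {
	// Constructed input: the slide's fanout rule written in the old shape,
	// with /bar left without a pathType to show the default.
	old := []V1beta1Path{
		{Path: "/foo", PathType: "Prefix", Backend: V1beta1Backend{"service1", "4200"}},
		{Path: "/bar", Backend: V1beta1Backend{"service2", "8080"}},
	}
	for _, p := range old {
		v1, err := ConvertPath(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", v1)
	}
	fmt.Println(IngressClassName("", map[string]string{ingressClassAnnotation: "nginx"}))
}
```

The rejection cases matter in practice: a lower-case `prefix` or a relative path passed silently through v1beta1 in some tooling but fails validation once the object is submitted as v1, so catching it in the converter avoids a failed rollout.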
  • 7. Ingress-nginx CVE-2021-25742
    ● Disable config snippets
    ● Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
    ● Secrets can be accessed by a malicious config snippet
    Set allow-snippet-annotations to false in your ingress-nginx ConfigMap
    https://github.com/kubernetes/ingress-nginx/issues/7837
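The mitigation on this slide is a single ConfigMap key, but in a shared cluster it is worth confirming both that the key is actually set and which tenants already rely on snippet annotations before you flip it. The Go below is an added example, not the deck's or the ingress-nginx project's code: SnippetsAllowed reads the controller ConfigMap data and treats anything other than an explicit "false" as still allowed, and FindSnippets scans Ingress annotations for the snippet keys ingress-nginx honours. The ConfigMap location ingress-nginx/ingress-nginx-controller named in the comments is the install default and an assumption about your cluster; the Ingress and ConfigMap data are constructed inline in place of `kubectl get ... -o json` output.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not the deck's or the ingress-nginx project's code: two
// checks an operator can run over objects read from the API server (here
// constructed inline) to confirm the mitigation on slide 7. The ConfigMap
// location in the comments is the ingress-nginx default and an assumption.

// Annotations that splice raw nginx configuration into the generated config.
// allow-snippet-annotations=false makes the controller ignore all of them.
var snippetAnnotations = []string{
	"nginx.ingress.kubernetes.io/configuration-snippet",
	"nginx.ingress.kubernetes.io/server-snippet",
	"nginx.ingress.kubernetes.io/auth-snippet",
	"nginx.ingress.kubernetes.io/modsecurity-snippet",
	"nginx.ingress.kubernetes.io/stream-snippet",
}

// SnippetsAllowed reports whether the controller ConfigMap (by default
// ingress-nginx/ingress-nginx-controller) still permits snippet annotations.
// In the releases current when CVE-2021-25742 was published the key defaulted
// to true, so only an explicit "false" counts as mitigated.
func SnippetsAllowed(data map[string]string) bool {
	v, ok := data["allow-snippet-annotations"]
	return !ok || strings.ToLower(strings.TrimSpace(v)) != "false"
}

// Ingress is the subset of an Ingress object the scan needs.
type Ingress struct {
	Namespace, Name string
	Annotations     map[string]string
}

// Finding records one snippet annotation with a one-line preview for triage.
type Finding struct{ Namespace, Name, Annotation, Preview string }

// FindSnippets lists every snippet annotation across the given Ingresses.
// In a multi-tenant cluster every hit is worth reviewing, whatever it says,
// because the snippet runs with the controller's privileges, not the tenant's.
func FindSnippets(ingresses []Ingress) []Finding {
	var out []Finding
	for _, ing := range ingresses {
		for _, a := range snippetAnnotations {
			body, ok := ing.Annotations[a]
			if !ok {
				continue
			}
			preview := strings.SplitN(strings.TrimSpace(body), "\n", 2)[0]
			out = append(out, Finding{ing.Namespace, ing.Name, a, preview})
		}
	}
	return out
}

// SampleIngresses is constructed data standing in for `kubectl get ingress -A`.
func SampleIngresses() []Ingress {
	return []Ingress{
		{Namespace: "shop", Name: "storefront", Annotations: map[string]string{
			"kubernetes.io/ingress.class": "nginx",
		}},
		{Namespace: "tenant-b", Name: "tenant-app", Annotations: map[string]string{
			"nginx.ingress.kubernetes.io/configuration-snippet": "more_set_headers \"X-Tenant: b\";\nproxy_set_header X-Debug 1;",
		}},
	}
}

func main() {
	// Constructed ConfigMap data: one without the key beside one with the fix.
	for _, cm := range []map[string]string{{}, {"allow-snippet-annotations": "false"}} {
		fmt.Printf("allow-snippet-annotations=%q -> snippets allowed: %v\n",
			cm["allow-snippet-annotations"], SnippetsAllowed(cm))
	}
	for _, f := range FindSnippets(SampleIngresses()) {
		fmt.Printf("%s/%s %s: %s\n", f.Namespace, f.Name, f.Annotation, f.Preview)
	}
}
```

Run the scan before setting the key: any Ingress it lists will lose that configuration once snippets are disabled, so those tenants need an alternative (a supported annotation or a controller-side ConfigMap setting) lined up first.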
  • 9. Networking and Kubernetes

    package main

    import (
        "fmt"
        "log"
        "net/http"
    )

    // hello writes a fixed response for every request path.
    func hello(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintf(w, "Hello")
    }

    func main() {
        http.HandleFunc("/", hello)
        // Listen on all interfaces, port 8080; log and exit if the listener fails.
        log.Fatal(http.ListenAndServe("0.0.0.0:8080", nil))
    }
  • 10. James Strong AWS APN AMBASSADOR
    Networking and Kubernetes (O'Reilly), chapters:
    1. Networking
    2. Linux Networking
    3. Container Networking
    4. Kubernetes Networking
    5. Kubernetes Networking Abstractions
    6. Kubernetes and Cloud networking
    https://learning.oreilly.com/library/view/networking-and-kubernetes/9781492081647/
  • 11. AWS Network and Container Review James Strong AWS APN AMBASSADOR
  • 12. EKS Anywhere
    ● Run on-prem, laptop, vSphere
    ● EKS Connector
    ● Demo - https://aws.amazon.com/blogs/containers/introducing-general-availability-of-amazon-eks-anywhere/
    ● More Info - https://aws.amazon.com/eks/eks-anywhere/
  • 13. Network Review – Customer-Managed VPC (diagram)
    VPC 192.168.0.0/16 spanning three Availability Zones, each with a public subnet and a private subnet; Internet gateway, NAT gateway and security group in the customer VPC; EKS Control Plane.
  • 14. Network Review – Customer-Managed VPC (diagram, AWS Network Review)
    The same VPC 192.168.0.0/16 layout (three Availability Zones, public and private subnets, Internet gateway, NAT gateway, security group) with node groups added alongside the EKS Control Plane.
  • 15. Amazon VPC CNI James Strong AWS APN AMBASSADOR
  • 16. Kubernetes Network / AWS VPC CNI: Apply VPC Best Practices (diagram)
    ● Availability
    ● Low Latency
    ● Minimal Network Jitter
  • 17. Kubernetes Network / AWS VPC CNI: Apply VPC Best Practices (diagram)
    ● Security Groups
    ● VPC Routing Policies
    ● VPC Flow Logs
    ● AWS Native Integrations
  • 18. Amazon VPC CNI Components
    CNI (plugin):
    ● Configures the ENI
    ● Responsible for the pod's networking stack
    IPAMD (IP address management daemon) responsible for:
    ● Pool of IP addresses
    ● Assigning out IP addresses
  • 19. Amazon VPC CNI (diagram)
    Customer VPC, VPC subnet 10.200.1.0/24, two nodes (Node 1, Node 2). Each pod's eth0 carries a secondary IP from its node's ENI: Pod 1 10.200.1.6, Pod 2 10.200.1.8, Pod 3 10.200.1.7, Pod 4 10.200.1.9. The ENI's secondary IP list on each node matches the pods it hosts.
  • 20. AWS VPC CNI Configuration Variables
    1. AWS_VPC_CNI_NODE_PORT_SUPPORT: NodePort support on worker nodes
    2. AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG: custom networking, pod ENIs use the subnets and security groups defined in ENIConfig objects rather than the node's
    3. AWS_VPC_ENI_MTU: MTU setting for the ENIs
    4. AWS_VPC_K8S_CNI_EXTERNALSNAT: specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses (disables SNAT on the node)
    5. WARM_ENI_TARGET: number of spare ENIs (with their IP addresses) to keep attached and ready
    6. AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS: CIDRs to exclude from SNAT
  • 21. AWS EKS Cluster James Strong AWS APN AMBASSADOR
  • 22. EKS Communication (diagram)
    The EKS Control Plane runs in an EKS-managed VPC and reaches the node group in the customer VPC through an EKS-owned ENI. The admin uses kubectl against the control plane; the application user reaches the application running on the node group.
  • 23. EKS Networking Mode - Public Endpoint Only (diagram)
    The EKS Control Plane in the EKS-managed VPC exposes a public endpoint. kubectl and the nodes' kubelet and kube-proxy in the customer VPC (AZ 1) both reach the API through that public endpoint; an EKS-owned ENI in the customer VPC carries control-plane-to-node traffic.
  • 24. EKS Networking Mode – Public and Private Endpoint (diagram)
    kubectl from outside uses the public endpoint. Inside the customer VPC (AZ 1), a private hosted zone for the cluster endpoint (56d02fd4cb4ef6f7.eks.amazonaws.com in the diagram) resolves to the EKS-owned ENI, so kubelet and kube-proxy traffic to the control plane stays within the VPC.
  • 25. EKS Networking Mode – Private Endpoint Only (diagram)
    The cluster endpoint 56d02fd4cb4ef6f7.eks.amazonaws.com is reachable only through the EKS-owned ENI inside the customer VPC (AZ 1); kubelet, kube-proxy and kubectl all run from inside the VPC or a network connected to it.
  • 26. VPC Subnet Considerations
    1. Public Only: using only public subnets. Nodes and ingress resources (load balancers) are deployed in the same public subnets.
    2. Private Only: using only private subnets. Nodes are instantiated in private subnets.
    3. Public and Private: using public and private subnets. Nodes are deployed in the private subnets and ingress resources (like load balancers) are instantiated in the public subnets.
  • 27. AWS ALB Ingress Controller (lab diagram: AWS ALB and ALB Ingress Controller)
    The ALB Controller running in the K8s cluster watches the API server and programs an ALB in AWS. The ALB forwards to the Ping, Admin and Data pods spread across three nodes through NodePort (NP) services, e.g. NodePort 30040 on node 192.168.1.7; the diagram numbers the request flow 1 to 5.
  • 28. AWS App Mesh James Strong AWS APN AMBASSADOR
  • 29. AWS App Mesh Functionality
    1. Point-to-Point Communication
    2. Network Traffic Control
    3. Observability
    4. Fault Isolation
  • 30. AWS App Mesh Components (diagram)
    An application user enters the App Mesh. Each of Ping, Data and Admin is modelled as a Virtual Service, which routes through its Virtual Router to its Virtual Node.
  • 31. AWS App Mesh Envoy Communication (diagram)
    Application pods run the application beside an Envoy proxy that handles ingress and egress traffic and an X-Ray agent. Traces go to AWS X-Ray, metrics to Amazon CloudWatch Metrics and logs to Amazon CloudWatch Logs.