This document introduces container networking and some of the challenges it poses. It discusses how Docker's default bridge networking works but has limitations around port constraints and lack of "real IP networking". Overlay networks are presented as an alternative but have drawbacks around state, isolation between networks, and requiring developers to be networking experts. Project Calico is then introduced as an open source project that aims to enable scalable, simple and secure IP networking for containers through features like equal cost multi-path routing and rich micro-service policy frameworks.
2. @projectcalico
Networking – why do I care?
[Diagram: three hosts, each running an application and a service, plus “yet another service … and another application”; workloads on different hosts all need to reach one another.]
3. @projectcalico
Doesn’t Docker sort this out for me?
[Diagram: Host 10.0.0.1 running Application (172.17.0.2), A service (172.17.0.3) and another (172.17.0.4) behind the Docker bridge. The containers are labelled 10.0.0.1:80, 10.0.0.1:80 and 10.0.0.1:8080: they all share the host’s single IP, so only one of them can own port 80 on it.]
Docker Bridge
Simple
Works “out of the box”
Easily understood
… but not “real IP networking”
Onerous port assignment constraints on applications
Requires app developers to be aware of constraints
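As an added illustration (not code from this deck, from Docker or from Calico), the Python model below contrasts the bridge model’s shared host-port namespace with a routed model in which each workload keeps its own reachable IP. The service names and addresses are taken from the slide’s diagram; the `BridgeHost` and `RoutedHost` classes and the “next free port from 8080” remapping policy are assumptions made for the illustration.

```python
"""Bridge networking's shared host-port namespace vs. a routable IP per workload."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Service:
    name: str
    container_ip: str   # address inside the container
    port: int           # port the application itself listens on


@dataclass
class BridgeHost:
    """Docker bridge model: containers sit on a private subnet and are reached from
    outside only through ports published on the host's single IP, so every
    published port on this host competes for the same namespace."""
    ip: str
    published: Dict[int, Service] = field(default_factory=dict)

    def publish(self, svc: Service, host_port: Optional[int] = None) -> Endpoint:
        want = svc.port if host_port is None else host_port
        if want in self.published:
            raise ValueError(
                f"{self.ip}:{want} is already published for {self.published[want].name}"
            )
        self.published[want] = svc
        return (self.ip, want)


@dataclass
class RoutedHost:
    """Routed model (what the deck calls 'real IP networking'): each workload's own
    IP is reachable, so several services may listen on :80 without port mapping.
    In a real routed deployment the workload addresses come from a pool the fabric
    routes, not from the bridge's private 172.17.0.0/16."""
    ip: str
    workloads: List[Service] = field(default_factory=list)

    def attach(self, svc: Service) -> Endpoint:
        self.workloads.append(svc)
        return (svc.container_ip, svc.port)


def deploy_bridge(services: List[Service], host_ip: str = "10.0.0.1") -> Dict[str, Endpoint]:
    """Publish every service; on a collision fall back to the next free port from 8080.
    The fallback policy is an assumption of this model: Docker itself refuses the
    second publish and leaves the choice (and telling the clients) to the operator."""
    host = BridgeHost(host_ip)
    endpoints: Dict[str, Endpoint] = {}
    for svc in services:
        try:
            endpoints[svc.name] = host.publish(svc)
        except ValueError:
            candidate = 8080
            while candidate in host.published:
                candidate += 1
            endpoints[svc.name] = host.publish(svc, candidate)
    return endpoints


def deploy_routed(services: List[Service], host_ip: str = "10.0.0.1") -> Dict[str, Endpoint]:
    host = RoutedHost(host_ip)
    return {svc.name: host.attach(svc) for svc in services}


# Constructed sample matching the slide: three HTTP workloads on one host, all on :80.
SERVICES = [
    Service("application", "172.17.0.2", 80),
    Service("a-service", "172.17.0.3", 80),
    Service("another", "172.17.0.4", 80),
]

if __name__ == "__main__":
    for model, deploy in (("bridge", deploy_bridge), ("routed", deploy_routed)):
        for name, (ip, port) in deploy(SERVICES).items():
            print(f"{model:6s} {name:12s} -> {ip}:{port}")
```

On a real Docker host the same collision shows up when a second container is started with `-p 80:80`: the daemon refuses with a “port is already allocated” error, and the second service has to be started on a different host port that its clients must then be told about. That is the constraint the slide calls onerous.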
4. @projectcalico
What about multiple hosts, then?
Overlay networks
Connect each container to a virtual Layer 2 segment
Separate “overlay” domain over the “underlay” network with GRE, MPLS, VXLAN, or proprietary tunneling protocols
Allows for isolation between networks
But…
Lots of state – 1,000 machines => full mesh of 499,500 tunnels!
Breaking out of virtual network sandboxes requires NAT / router
Requires app developers to be networking experts
[Diagram: Host 10.0.0.1 and Host 10.0.0.2 on the 10.0.0.0/24 underlay; containers on two overlay networks, 192.168.0.0/16 (192.168.0.1 to 192.168.0.5) and 172.17.0.0/16 (172.17.0.2, 172.17.0.3), spread across both hosts.]
13. @projectcalico
What is Calico?
An open source project to enable scalable, simple and secure IP networking in a data center / cloud environment
Scalable: thousands of servers, 100k’s of workloads
Simple: don’t demand users to be networking experts
Secure: rich micro-service policy framework
14. @projectcalico
Life Before and After Calico
Before Calico: Scale challenges above a few hundred servers / thousands of workloads
After Calico: Scale to millions of workloads with minimal CPU and network overhead
Before Calico: Troubleshooting connectivity issues can take hours
After Calico: What is happening is “obvious” – traceroute, ping, etc., work as expected
Before Calico: On/off ramps + NAT to break out of the overlay
After Calico: Path from workload to non-virtual device or public internet (or even between data centers) is just a route
Before Calico: High availability / load balancing across links requires an LB function (virtual or physical) and/or app-specific logic
After Calico: Equal Cost Multi-Path (ECMP) & Anycast just work, enabling scalable resilience and full utilization of physical links
Before Calico: CCNA or equivalent required to understand end-to-end networking and deploy applications
After Calico: Basic IP networking knowledge only required
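The “ECMP & Anycast just work” row deserves a concrete picture. As an added example (not Calico’s code, not the Linux kernel’s), the Python below models how a router keeps every packet of a TCP flow on one of several equal-cost next hops by hashing the flow’s 5-tuple, and why the hashing scheme matters when one of those paths fails. The four next hops are hypothetical hosts that all advertise the anycast service address 10.10.0.1; the traffic is constructed. It goes beyond the slide by contrasting plain modulo hashing with rendezvous (highest-random-weight) hashing, the idea behind “resilient hashing” in routers.

```python
"""ECMP next-hop selection by 5-tuple hash: plain modulo vs. rendezvous hashing."""
import hashlib
import ipaddress
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# (src_ip, dst_ip, ip_proto, src_port, dst_port)
Flow = Tuple[str, str, int, int, int]
Chooser = Callable[[Flow, List[str]], str]


def flow_key(flow: Flow) -> bytes:
    """Serialize the 5-tuple so that every packet of one flow hashes identically."""
    src, dst, proto, sport, dport = flow
    return (
        ipaddress.ip_address(src).packed
        + ipaddress.ip_address(dst).packed
        + proto.to_bytes(1, "big")
        + sport.to_bytes(2, "big")
        + dport.to_bytes(2, "big")
    )


def _h64(data: bytes) -> int:
    # blake2b is heavier than a real forwarding ASIC would use, but it keeps this
    # model deterministic and free of the bias a toy hash would introduce
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")


def modulo_next_hop(flow: Flow, next_hops: List[str]) -> str:
    """Classic ECMP: hash the flow, take it modulo the number of equal-cost paths."""
    if not next_hops:
        raise ValueError("no equal-cost next hops for destination")
    return next_hops[_h64(flow_key(flow)) % len(next_hops)]


def rendezvous_next_hop(flow: Flow, next_hops: List[str]) -> str:
    """Resilient ECMP (highest-random-weight): score each path for this flow and
    keep the best. Withdrawing a path only moves the flows that were using it."""
    if not next_hops:
        raise ValueError("no equal-cost next hops for destination")
    return max(next_hops, key=lambda nh: _h64(flow_key(flow) + nh.encode()))


def assign(flows: Iterable[Flow], next_hops: List[str], choose: Chooser) -> Dict[Flow, str]:
    return {f: choose(f, next_hops) for f in flows}


def sample_flows(n: int) -> List[Flow]:
    """Constructed traffic: n TCP connections from 200 clients to one anycast service IP."""
    return [(f"192.168.1.{1 + i % 200}", "10.10.0.1", 6, 40000 + i, 80) for i in range(n)]


def link_failure_report(n_flows: int = 10000) -> Dict[str, Dict[str, int]]:
    """Spread flows over four equal-cost hosts, then withdraw the last one (link down)
    and count how many established flows were rerouted under each hashing scheme."""
    hops = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    flows = sample_flows(n_flows)
    report: Dict[str, Dict[str, int]] = {}
    for name, choose in (("modulo", modulo_next_hop), ("rendezvous", rendezvous_next_hop)):
        before = assign(flows, hops, choose)
        after = assign(flows, hops[:-1], choose)
        spread = Counter(before.values())
        report[name] = {
            "min_per_hop": min(spread.values()),
            "max_per_hop": max(spread.values()),
            "on_failed_link": spread[hops[-1]],
            "moved": sum(1 for f in flows if before[f] != after[f]),
        }
    return report


if __name__ == "__main__":
    for scheme, stats in link_failure_report().items():
        print(scheme, stats)
```

Both schemes spread flows evenly and keep each flow pinned to one path, which is why a routed fabric needs no separate load balancer for this. The difference appears on failure: with modulo hashing, roughly three quarters of all flows change path when one of four hops disappears, including flows that were never on the failed link; with rendezvous hashing only the flows on the failed hop move. Anycast is the same mechanism seen from the service side: several hosts advertise one address, and the fabric’s ECMP does the distribution.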
15. @projectcalico
Get Involved
Main project website: www.projectcalico.org
Github: github.com/projectcalico
Mailing list, Slack info: projectcalico.org/contact/
freenode IRC: #calico
Download & try it out
We welcome your feedback and contributions
Follow us @projectcalico