Dev Manager, Project Calico @eepyaich Metaswitch Sequoia-backed software company SDN & IP Multimedia Communications 1,000+ global customers Project Calico Open source project, sponsored by Metaswitch Pure Layer 3 cloud networking solution Containers, virtual machines & bare metal Introductions
Main Models Port forwarding / NAT Simple Works “out of the box” Easily understood … but not “real IP networking” Won’t work with all applications (e.g. IPsec) Onerous port assignment constraints on applications Overlay networks Give each container its own private IP address (or subnet) Separate “overlay” domain over “underlay” network with GRE, MPLS, VXLAN, or proprietary tunneling protocols But…
in software by virtual switch The Standard Overlay Virtual Networking Model vSwitch vSwitch vSwitch Linux Linux Linux Encap / de- encap (& flooding!) Outer MAC Outer IP Outer UDP VXLAN Inner MAC Inner IP Inner TCP/UDP Payload Data Router services required to hop between tenants NAT required for public Internet access On/off-ramp required to get to NAS, etc. Virtual L2 segments, implemented in software by virtual switch
Low scale limits ☹ Performance issues ☹ Inefficient resource utilization ☹ Difficulty troubleshooting ☹ Demands placed on application developers to be networking experts This leads to… ALL solutions that use overlay / underlay model suffer from these effects, however they are mitigated. These issues become critical with containers due to the higher scale than VMs (100s vs 10s per server) … It doesn’t have to be this way!
a Data Center like the Internet? IP App IP App IP App IP App IP App IP App IP App IP App BGP BGP Compute Node Compute Node VMs / LXCs Router Router Router VMs / LXCs … this is Project Calico!
Perform layer 3 forwarding at each compute node Leverage Linux kernel’s efficient IP forwarding engine – no separate vSwitch BGP Distribute routes using proven Border Gateway Protocol, with route reflectors for scale Program routes into Linux kernel on each host (and into physical fabric if required) Separate policy decisions from routing information Translate global policy into distributed firewall on each host, enabling tenant isolation & more
the Calico Approach With Overlays Pure Layer 3 (Calico) Simplified Diagnostics. What is happening is “obvious” – traceroute, ping, etc., work as expected EXIT No on/off ramp required. Path from workload to non-virtual device or public internet (or even between data centers) is just a route Other IP techniques “just work”. E.g. Equal Cost Multi-Path (ECMP) & Anycast enable scalable resilience and full utilization of physical links
Policy Group 1 (“GROUP1”) L2 Policy Group 2 Core 2 Felix BIRD calico-node Container Felix BIRD calico-node Container Linux 172.17.8.101 Linux 172.17.8.102 Container B 192.168.1.2 Container A 192.168.1.1 Workloads Container C 192.168.1.3 Container E 192.168.1.5 Workloads Container D 192.168.1.4
Policy Group 1 (“GROUP1”) L2 Policy Group 2 Core 2 Linux 172.17.8.101 Linux 172.17.8.102 Felix BIRD calico-node Container Felix BIRD calico-node Container Container B 192.168.1.2 Container A 192.168.1.1 Workloads Container C 192.168.1.3 Container E 192.168.1.5 Workloads Container D 192.168.1.4
A 192.168.1.1 Workloads Container C 192.168.1.3 Demo Time… Core 1 Policy Group 1 (“GROUP1”) L2 Policy Group 2 Core 2 Linux 172.17.8.101 Linux 172.17.8.102 Felix BIRD calico-node Container Felix BIRD calico-node Container Container E 192.168.1.5 Workloads Container D 192.168.1.4
eepyaich
meow_noisy
maroon1st
databricksjapan
nagix
thomasvitale
sansantech
oracle4engineer
masahirokawahara
kaz1437
freee
yajihum
yasumuusan
addyosmani
hatefulcrawdad
destraynor
eileencodes
paigeccino
bkeepers
sstephenson
colly
philnash
keathley
speakerdeck
quramy
