![Page 1: Practical Design Patterns in Docker Networking](https://reader030.vdocuments.mx/reader030/viewer/2022021508/5a64796f7f8b9a4c568b4691/html5/thumbnails/1.jpg)
Practical Design Patterns in Docker Networking
Dan Finneran
EMEA Solutions Architect, Docker
Why this topic?
Agenda

● The evolving architecture of application networking
● Docker networking
● Infrastructure design patterns
● Design Patterns when modernizing a traditional application
● [REDACTED]
● Summary and Q/A

The evolving architecture of application networking
Physically hosted applications

● Services and application components map 1:1 to network addresses and to the network architecture.
● Often flat or simplistic networks, defined by physical network ports or VLANs, are used to segregate the application from the rest of the network.
● High availability is provided by clustering software or by DNS/load-balancers across multiple deployments/sites.

[Diagram: physically hosted application. Tier 1: hosts 10.0.0.2 to 10.0.0.6 fronted by DNS. Tier 2: a clustered pair 10.1.0.2 / 10.1.0.3 with an active VIP and a witness host, plus storage replication to a secondary site.]

Virtual (Machine) applications

● Services and applications are broken down into smaller VM allocations, resulting in an explosion of network resources.
● The tight packing of numerous VMs per host has meant numerous networks being provisioned to every host.
● Virtual LANs are used as the method for providing segregation between applications and application tiers.

[Diagram: two VM hosts, each trunked with VLAN101 (F/E), VLAN102 (App) and VLAN103 (B/E), behind a load balancer.]

Docker networking
Docker Networking

[dan@dockercon ~]$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
4507d8b4dd86        bridge              bridge              local
8866a19c0751        docker_gwbridge     bridge              local
b88e79e31749        host                host                local
vlujsum8my0u        ingress             overlay             swarm
e12df2f39d06        none                null                local
ed60df3f6402        mac_net             macvlan             local

Host/Bridge Networking

[Diagram: three Docker Engine hosts (10.0.0.1, 10.0.0.2, 10.0.0.3), each with a bridge at 172.17.0.1 and NAT to the outside; the nginx container started with host networking listens on the host's own :80.]

[dan@dockercon ~]$ docker run --net=host nginx

● The host flag starts the container in the host's network namespace, so it uses the host's networking stack directly: the same interfaces, addresses and port space.
● Provides near bare-metal speed, but every port the container binds is bound on the host, which can cause port conflicts. It also removes the network isolation a namespace gives: the container sees every host interface and can bind any port, so reserve it for trusted, single-instance services such as monitoring agents.

Host/Bridge Networking

[Diagram: the same three hosts; containers attach to each host's bridge on 172.17.0.0/16 (gateway 172.17.0.1) and reach the outside through NAT; their :80 ports are not reachable from outside the host.]

[dan@dockercon ~]$ docker run dockerimage:latest

● Containers are started and connected by default to the internal bridge network (docker0, 172.17.0.0/16).
● Nothing on these containers is reachable from outside the host unless a port is published, but they do have outbound access through NAT and can speak to one another while on the same host. On the default bridge every container can reach every other container; a user-defined bridge network (docker network create) is how you put containers that must not see each other on separate segments, and it gives them embedded DNS by name as well.

Host/Bridge Networking

[Diagram: a container on the bridge at 172.17.0.2 (172.17.0.0/16, gateway 172.17.0.1); host port :80 on each of 10.0.0.1, 10.0.0.2 and 10.0.0.3 is NATed to the container's :80.]

[dan@dockercon ~]$ docker run -p 80:80 nginx

● The -p flag publishes a port on the host and maps it (DNAT) to a port on the container.
● Only containers with services need to expose their ports, which largely removes the port-conflict problem of host networking.
● Without an explicit host address the port is bound on all interfaces (0.0.0.0), and the DNAT is done by Docker's own iptables rules in PREROUTING/FORWARD, so host firewall rules on the INPUT chain (ufw and friends) do not apply to it. Bind explicitly, e.g. -p 127.0.0.1:80:80 behind a local proxy, or filter published ports in the DOCKER-USER chain, which Docker leaves for operator rules.

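An added example (not from the deck) of the check the last bullet calls for: a small Python parser for Docker's short publish syntax, `[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]`, an audit that flags every spec bound on all interfaces, and a helper that rewrites a spec to bind on one address. The functions `parse_publish`, `audit_publish`, `rebind` and the `SAMPLE_SPECS` list are mine and not part of any Docker API; the sample specs are constructed.

```python
"""Audit Docker port-publish specs for all-interface bindings.

Added example, not from the original deck. Docker's short publish syntax is
[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]; when HOST_IP is omitted the port
is bound on 0.0.0.0 (and ::), and the DNAT that delivers it lives in Docker's
own PREROUTING/FORWARD rules, so an INPUT-chain host firewall never sees it.
Port ranges (8000-8010:8000-8010) are deliberately not handled.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional


@dataclass(frozen=True)
class Publish:
    host_ip: Optional[str]    # None: bound on every host interface
    host_port: Optional[int]  # None: Docker picks an ephemeral host port
    container_port: int
    proto: str


def _port(text: str) -> int:
    n = int(text)  # ValueError on anything that is not a number
    if not 1 <= n <= 65535:
        raise ValueError(f"port out of range: {text}")
    return n


def parse_publish(spec: str) -> Publish:
    """Parse one -p/--publish spec: 80:80, 127.0.0.1:8080:80, [::1]:9000:9000/udp, 5432."""
    body, _, proto = spec.partition("/")
    proto = (proto or "tcp").lower()
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol in {spec!r}")
    host_ip: Optional[str] = None
    if body.startswith("["):  # bracketed IPv6 host address, e.g. [::1]:8080:80
        end = body.index("]")
        host_ip, body = body[1:end], body[end + 2:]
    parts = body.split(":")
    if len(parts) == 3:
        host_ip, host_port, cport = parts
    elif len(parts) == 2:
        host_port, cport = parts
    elif len(parts) == 1:
        host_port, cport = "", parts[0]
    else:
        raise ValueError(f"malformed publish spec {spec!r}")
    if host_ip:
        ipaddress.ip_address(host_ip)  # reject anything that is not an address
    return Publish(host_ip or None, _port(host_port) if host_port else None, _port(cport), proto)


def all_interfaces(p: Publish) -> bool:
    """True when the host side is 0.0.0.0/:: or no address was given at all."""
    return p.host_ip is None or ipaddress.ip_address(p.host_ip).is_unspecified


def audit_publish(specs: List[str]) -> List[str]:
    """One warning per spec whose host side is reachable on every interface."""
    warnings = []
    for spec in specs:
        p = parse_publish(spec)
        if all_interfaces(p):
            warnings.append(
                f"{spec}: container port {p.container_port}/{p.proto} is bound on all host "
                f"interfaces and bypasses INPUT-chain firewall rules; bind it to a specific "
                f"address or filter it in the DOCKER-USER chain")
    return warnings


def rebind(spec: str, host_ip: str) -> str:
    """Rewrite a spec so it binds only to host_ip, keeping ports and protocol."""
    p = parse_publish(spec)
    addr = f"[{host_ip}]" if ":" in host_ip else host_ip
    host_port = "" if p.host_port is None else str(p.host_port)
    return f"{addr}:{host_port}:{p.container_port}/{p.proto}"


# Constructed sample: what grepping `docker run -p ...` out of a deploy script might yield.
SAMPLE_SPECS = ["80:80", "127.0.0.1:8080:80", "[::1]:9000:9000/udp", "5432", "0.0.0.0:443:8443"]

if __name__ == "__main__":
    for line in audit_publish(SAMPLE_SPECS):
        print(line)
    print("hardened:", [rebind(s, "127.0.0.1") for s in SAMPLE_SPECS if all_interfaces(parse_publish(s))])
```

The same classification applies to the `ports:` section of a Compose file and to `--publish` on `docker service create`, where an omitted address means every node in the swarm.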
Swarm Overlay networking

[Diagram: three Docker Engine hosts (10.0.0.1, 10.0.0.2, 10.0.0.3) joined by an overlay; port :8080 is published on every host and forwarded to the two nginx tasks listening on :80.]

[dan@dockercon ~]$ docker service create --name web \
    --replicas 2 \
    --publish 8080:80 \
    nginx

● The overlay driver uses VXLAN (UDP 4789 between the hosts) to build a virtual layer 2 network on top of the underlying network.
● The tunnel allows containers on different hosts to communicate as if they were on one segment.

Swarm Overlay networking

● Swarm's management traffic (the Raft store and the gossip between nodes) is always protected by mutual TLS. The VXLAN data plane is not encrypted by default: container traffic crosses the underlay in clear text unless the network is created with docker network create --driver overlay --opt encrypted. With that option Docker builds IPsec tunnels (AES in GCM mode) between the nodes running tasks on the network, and the managers rotate the keys every 12 hours. Encryption is fixed at creation time (it cannot be added to an existing network), costs throughput, and needs IP protocol 50 (ESP) open between nodes in addition to UDP 4789 and TCP/UDP 7946.
● Publishing a port applies to all nodes in the swarm cluster (the routing mesh). Regardless of which node the client connects to, the request is forwarded to a node running a task.

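An added example (not from the deck) of how to verify the first bullet on a running cluster: feed the output of docker network inspect $(docker network ls -q) to this Python script and it lists every overlay network created without --opt encrypted. The functions `is_encrypted`, `unencrypted_overlays` and `report` and the `SAMPLE` JSON are mine; the sample mimics the shape of inspect output. One assumption, stated in the code: the overlay driver keys on the presence of the `encrypted` option, and Docker stores a bare --opt encrypted as an empty-string value, so the check tests for the key rather than for a particular value.

```python
"""Find overlay networks whose VXLAN data plane is not encrypted.

Added example, not from the original deck. Real input:
    docker network inspect $(docker network ls -q) > networks.json
SAMPLE below is constructed to match the shape of that output.
"""
import json
from typing import Dict, List

SAMPLE = json.dumps([
    {"Name": "secure-net", "Driver": "overlay", "Scope": "swarm",
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4097",
                 "encrypted": ""}},                      # created with --opt encrypted
    {"Name": "legacy-net", "Driver": "overlay", "Scope": "swarm",
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4098"}},
    {"Name": "bridge", "Driver": "bridge", "Scope": "local", "Options": {}},
])


def is_encrypted(net: Dict) -> bool:
    """True when the overlay was created with --opt encrypted.

    Assumption: the driver only checks whether the option key exists, so any
    value (including the empty string a bare --opt encrypted is stored as) counts.
    """
    return "encrypted" in (net.get("Options") or {})


def unencrypted_overlays(inspect_json: str) -> List[str]:
    """Names of overlay networks whose traffic crosses the underlay in clear text."""
    nets = json.loads(inspect_json)
    return sorted(n["Name"] for n in nets
                  if n.get("Driver") == "overlay" and not is_encrypted(n))


def report(inspect_json: str) -> str:
    names = unencrypted_overlays(inspect_json)
    if not names:
        return "all overlay networks carry --opt encrypted"
    lines = [f"{n}: VXLAN payload crosses the underlay in clear text" for n in names]
    # Options cannot be changed on an existing network; it has to be recreated.
    lines.append("fix: docker network create --driver overlay --opt encrypted <name> "
                 "and move the services onto the new network")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run the script as part of the same cluster audit that checks published ports; an encrypted overlay only helps if the services that carry sensitive traffic are actually attached to it.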
Swarm Overlay networking

[Diagram: the same three hosts; each task has an address on the overlay (10.0.0.3 and 10.0.0.4 in the slide) and a second address on docker_gwbridge (172.18.0.3 and 172.18.0.4).]

● Each container on an overlay gets a pair of network interfaces, and so a pair of IP addresses.
● One IP address is on the overlay network itself; this allows all containers on that network to communicate, across hosts.
● The other is on docker_gwbridge (typically 172.18.0.0/16), a local bridge that gives the container egress from the host through NAT. Tasks with published ports also join the ingress overlay. The VXLAN tunnel itself is terminated by the host on its own address (the one set with --data-path-addr, or the advertise address by default), not by the container.

Macvlan driver

[Diagram: two Docker Engine hosts (10.0.0.1, 10.0.0.2); their containers take addresses 10.1.0.1 to 10.1.0.4 directly on the 10.1.0.0/24 segment.]

● The Macvlan driver gives each container its own MAC address on the parent interface, so each container has a full TCP/IP stack of its own on the physical network.
● Allows containers to become part of the traditional network and use things like external IPAM or VLAN trunking (802.1Q sub-interfaces) when numerous networks are needed.
● No overhead from encapsulation (VXLAN) or NAT.

Macvlan driver

[dan@dockercon ~]$ docker network create -d macvlan \
    --subnet=10.1.0.0/24 \
    --gateway=10.1.0.1 \
    -o parent=eth0 mac_net

● Create a network with the macvlan driver, assigning the subnet and gateway and the parent adapter (or a VLAN sub-interface such as eth0.120 for a trunked port).

Macvlan driver

[dan@dockercon ~]$ docker run --net=mac_net \
    --ip=10.1.0.2 \
    nginx

● When starting a container you can assign it a fixed address on that network (otherwise Docker's IPAM picks one from the subnet, or from --ip-range if given).
● The container is effectively another host on the underlay network.

Macvlan driver

[Diagram: sixteen containers, 10.1.0.1 through 10.1.0.16, each appearing as its own host on the segment.]

● The use of the macvlan driver essentially makes a Docker container a first-class citizen on the network.
● This functionality carries additional overhead in terms of network management, as each container now exists on the network as its own entity: its own MAC and IP to track, and none of the NAT or iptables isolation Docker applies to bridged containers, so segmentation has to come from the switch, the VLAN design and any upstream firewall. Two further caveats: the host cannot reach its own macvlan containers through the parent interface (it needs a macvlan shim interface of its own), and switches or hypervisors that allow only one MAC per port will drop the containers' frames.

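An added example (not from the deck) that turns the macvlan slides into a repeatable plan: given the VLAN's subnet and gateway, the addresses already in use and the DHCP scope, it picks a free block for --ip-range, keeps one address for the host's shim interface with --aux-address, and emits the docker network create command plus the ip link/addr/route commands for the shim. The function `plan_macvlan` and every address in it are mine and constructed; the commands are standard docker and iproute2 syntax.

```python
"""Plan a macvlan network that shares a VLAN with existing hosts and a DHCP server.

Added example, not from the original deck. Docker's IPAM allocates from
--ip-range and knows nothing about the DHCP scope or the physical hosts already
on the segment, so the planner picks a block that avoids them, pins the host's
shim address with --aux-address, and emits the shim interface the host needs:
a macvlan parent cannot exchange packets with its own child interfaces, so
without a shim the host can neither reach nor health-check its containers.
All addresses used here are constructed for the example.
"""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple


def plan_macvlan(name: str, subnet: str, gateway: str, reserved: Iterable[str],
                 dhcp_pool: Optional[Tuple[str, str]] = None, containers: int = 14,
                 parent: str = "eth0") -> Dict[str, object]:
    net = ipaddress.ip_network(subnet)
    taken = {ipaddress.ip_address(gateway)} | {ipaddress.ip_address(a) for a in reserved}

    # Smallest block with room for the containers plus its first and last address.
    prefix = net.max_prefixlen
    while 2 ** (net.max_prefixlen - prefix) - 2 < containers:
        prefix -= 1
    if prefix <= net.prefixlen:
        raise ValueError(f"{containers} containers do not fit inside {subnet}")

    lo = hi = None
    if dhcp_pool:
        lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    for cand in net.subnets(new_prefix=prefix):
        if any(a in cand for a in taken):
            continue  # gateway or an existing host lives in this block
        if dhcp_pool and not (cand[-1] < lo or cand[0] > hi):
            continue  # overlaps the DHCP scope
        block = cand
        break
    else:
        raise ValueError(f"no free /{prefix} block in {subnet}")

    shim_ip = block[-1]              # last address of the block, kept out of Docker's pool
    shim_dev = f"{name}-shim"[:15]   # kernel limit on interface name length
    commands = [
        f"docker network create -d macvlan --subnet={net} --gateway={gateway} "
        f"--ip-range={block} --aux-address=host-shim={shim_ip} -o parent={parent} {name}",
        f"ip link add {shim_dev} link {parent} type macvlan mode bridge",
        f"ip addr add {shim_ip}/{net.max_prefixlen} dev {shim_dev}",
        f"ip link set {shim_dev} up",
        f"ip route add {block} dev {shim_dev}",
    ]
    return {"ip_range": str(block), "shim_ip": str(shim_ip), "commands": commands}


if __name__ == "__main__":
    # Constructed scenario: gateway .1, two database hosts at .10/.11, DHCP hands out .100-.199.
    plan = plan_macvlan("mac_net", "10.1.0.0/24", "10.1.0.1", ["10.1.0.10", "10.1.0.11"],
                        dhcp_pool=("10.1.0.100", "10.1.0.199"), containers=14)
    print("\n".join(plan["commands"]))
```

For a trunked port pass the VLAN sub-interface as parent (eth0.120 in the deck's example); the shim is then created on that sub-interface too. The --aux-address entry is what stops Docker from handing the shim's address to a container.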
Networking plugins

[Diagram: two Docker Engine hosts (10.0.0.1, 10.0.0.2), each running a network plugin that receives its configuration from the vendor's controller.]

● Docker networking plugins allow vendors to extend the functionality of their network devices and technologies into the Docker Engine.
● They provide features such as vendor-specific IP address management, or let the network configure itself to serve containers through their lifecycle (overlays, QoS, load balancing).

Infrastructure design patterns
Separate data/control planes

[Diagram: two Docker Engine hosts with control-plane addresses 10.0.0.1 / 10.0.0.2 on eth0 and overlay data-plane addresses 10.1.0.1 / 10.1.0.2 on eth1.]

[dan@dockercon ~]$ docker swarm init \
    --advertise-addr eth0 \
    --data-path-addr eth1

● When initially configuring a Docker swarm cluster on hosts with multiple NICs there is the option of separating the data and control planes: --advertise-addr carries the management traffic (TCP 2377 and the gossip on 7946), --data-path-addr carries the VXLAN overlay traffic (UDP 4789).
● This provides physical and logical separation of traffic leaving the host: a busy data plane cannot starve cluster management, and the management interface can sit on a network that only operators reach.

Separate data/control planes

[dan@dockercon ~]$ docker swarm join \
    --token XYZ \
    --advertise-addr eth0 \
    --data-path-addr eth1 \
    10.0.0.1:2377

● Joining additional nodes to the swarm cluster takes the same two flags to say which adapter carries which traffic.
● Any services created will then be part of the data plane and have their traffic segregated from the control plane.

Design Patterns when modernizing a traditional application
Docker Enterprise Edition

● Docker Enterprise Edition provides a full CaaS platform (Containers as a Service).
● Comes with integrated container orchestration, a management platform and additional security controls (RBAC, image scanning etc.).
● Enterprise-supported platform for production deployments.

Universal Control Plane

● Docker UCP provides a clustered, enterprise-grade management platform for Docker.
● A centralized platform for managing and monitoring swarm container clusters and container infrastructure.
● Extends the Docker platform to make it easier to deploy applications at scale.
● Can be controlled through the UI, through the CLI (client bundle) or through the Docker APIs.

Docker Trusted Registry

● Enterprise-grade storage for all your Docker images, allowing users to host their images locally.
● Can become part of the CI/CD process, simplifying the build, ship and run of your applications.
● Images can be automatically scanned for vulnerabilities, ensuring that only compliant images can be deployed.

Application Architecture

[Diagram: the application before containerisation. A load balancer fronts two VM hosts carrying VLAN101 (F/E) and VLAN102 (app); the DB host(s) sit on VLAN103 (DB).]

“Behind the scenes the developers and application maintainers have repackaged our applications into containers”
Application Architecture

[Diagram: the same VLAN layout, with the front-end and app tiers now repackaged as containers.]

● The explosion of VMs also drove the explosion of VLANs, which were a recommended network architectural choice in order to provide segregation of tiers of virtual infrastructure.
● However, we can simplify the network greatly by making use of overlays (VXLAN): each overlay is its own segment, so tier separation no longer needs a VLAN per tier, and encryption of the traffic between hosts is available by creating the overlay with --opt encrypted (it is not on by default).

Front-End with HRM

[Diagram: Worker 1 ... Worker X, each running Docker Engine; two overlays, one carrying www.petstore.com and one api.petstore.com, both reached through the HRM on :80.]

● Docker EE provides the HTTP Routing Mesh capability, which simplifies the routing between services.
● The HRM inspects the hostname that has been requested and routes the traffic to that particular service.
● This allows multiple overlays to exist in harmony, with traffic routed to the right one as requests hit the HRM port. Services join the ucp-hrm network to be routed, so that network is a segment shared by every routed service; keep internal components on their own back-end overlays that the HRM is not attached to.

Scalable services

[Diagram: Worker 1 ... Worker X, each running Docker Engine; the App Service and Store Service are spread across them over an overlay.]

● Taking the existing, now packaged, applications, we can deploy them as services.
● We can deploy and scale them up as needed across our cluster.
● Exposing service ports provides load balancing across service tasks and ensures traffic is routed to wherever those tasks are running.

Application Architecture

[Diagram: the original VLAN layout again: load balancer, two VM hosts on VLAN101 (F/E), VLAN102 (app) and VLAN103 (DB), and the DB host(s) on VLAN103.]

● Some elements of an application require direct access to the network to provide low-level services.
● Other elements may be required to sit on an existing network or VLAN to reach other services directly.
● Some elements are also built around fixed or hard-coded IP addresses, in some cases because of a licensing restriction.

Preserving existing integrations

[Diagram: Worker 1 ... Worker X; a macvlan container at 10.1.0.47 and database hosts 10.20.0.19 / 10.20.0.20 on VLAN103.]

● The use of macvlan allows a container with specific requirements, such as packet inspection, to sit directly on the network.
● Custom singleton applications that are hard-coded to interact with databases can keep their original IP addresses and be part of the same segregated VLAN in which the database server(s) reside.

Design Patterns

● Where possible, there is a great opportunity to simplify networking.
● The use of overlays (VXLAN) is all handled in software, providing software-defined networking "as code". This has the additional benefit of simplifying network device configurations.
● Overlay-provided load balancing is again specified as part of the service design, simplifying both the application and the network architecture design.
● Cases where VLANs or hard-pinned IP connectivity are required can be met through containers attached via macvlan.

Explore the hands-on labs in the experience centre for some real experience!

Upcoming networking with the Universal Control Plane
“Disclaimer”
UCP Architecture

[Diagram: UCP node(s) and Worker 1 to Worker 3, each running Docker Engine with a UCP agent.]

UCP Architecture

[Diagram: the same layout with Kubernetes: the Kube API on the UCP node(s) and a kubelet on each worker, all on top of Docker Engine.]

UCP Architecture

[Diagram: UCP node(s) in front of a Swarm service (swarm.dockercon.com) and a Kubernetes service (kube.dockercon.com), each on its own Docker Engine(s), both reached through an ingress controller.]

Summary

● Applications that can be re-homed on a network can make use of Docker networking features that will simplify their deployment and their scaling.
● Overlay networks provide the capability to place workloads throughout the cluster without the headache of having to be aware of task location.
● Services that are tied or hard-coded to specific network requirements can still be deployed in containers.

Interested in MTA?

● Stop by the booth (MTA pod)
● Download the kit: www.docker.com/mta
● Look for an MTA Roadshow near you
● Contact your Account Team

Docker EE Hosted Demo

docker.com/trial
● Free 4 hour demo
● No servers required
● Full Docker EE cluster access

Practical Design Patterns in Docker NetworkingDan Finneran @thebsdbox
Q/A
[dan@dockercon ~]$ cat docker-compose.yaml
version: "3.1"
services:
  migrated-application:
    image: dockercon/frontend:1.0
    ports:
      - 8080
    networks:
      - back-end
      - ucp-hrm
    deploy:
      mode: replicated
      replicas: 5
      labels:
        - com.docker.ucp.mesh.http.8080=external_route=http://${DOMAIN},internal_port=8080
networks:
  back-end:
    driver: overlay
  ucp-hrm:
    external:
      name: ucp-hrm