Popular Docker Networking and Kubernetes Networking Tools
In a previous post, we explored six tools for storing data for Docker containers. Another challenge in container environments is getting containers to network in a consistent and secure manner - especially as container workloads may appear on different hosts as applications scale out, then disappear when they’re not needed. On a single host, Docker creates a virtual bridge that containers can use to communicate. However, when it comes to connecting multiple Docker hosts together, networking can quickly become a complicated process.As a result, several container tools were designed to tackle the problem of fast, scalable, cross-host container networking. These tools were designed to:
- Aid in creating software-defined networks (SDNs) for containers running on multiple systems
- Transparently connect containers across hosts
- Allow containers to communicate both inside and outside the host
- Manage constantly changing IP addresses, container locations, and hosts
- Open certain containers to the outside world without exposing the entire network
Each of the tools in this list works by creating an overlay network on top of an existing infrastructure. Containers that attach to these networks are assigned a unique IP address, which they can use to directly reach other containers. This eliminates the need to set up complex networking rules on the host, since all cross-container traffic passes through the overlay network.
The tools in this list also support the Container Network Interface (CNI), a standard for configuring network interfaces in Linux containers. The CNI allows these plugins to work on Kubernetes, OpenShift, Amazon ECS, and others.
Flannel is a virtual network designed for Kubernetes. Each host in a flannel cluster runs an agent called flanneld. Flanneld assigns each host a subnet which acts as the IP address pool for containers running on the host. Containers can then contact other containers directly using their IP address.
Flannel supports multiple backend for encapsulating packets. The recommended choice is Virtual Extensible LAN (VXLAN), which runs a layer 2 network on top of a layer 3 infrastructure. Flannel also supports host-gw, which maps direct routes between hosts in a manner similar to Calico.
Flannel is an open source project managed by CoreOS.
Project Calico (known simply as Calico) is best known for its strong network policy management and access control lists (ACLs). Using Calico, you can configure inbound and outbound rules by port, direction, protocol, and other attributes. Like Flannel, Calico runs an agent on each host.
Unlike flannel, Calico uses a pure layer 3 approach to networking. Calico connects hosts using the Border Gateway Protocol (BGP). Each host runs a BGP client which tracks routes and distributes them to other hosts. Not only does this reduce the overhead of encapsulating packets, but it lets you scale and distribute clusters more easily.
Calico is an open source project maintained by Tigera, Inc.
3. Weave Net
Weave Net is a complete networking solution offering a virtual network with service discovery, policy management, and fault tolerance. Weave Net automatically routes around network failures and can even link containers hosted in different data centers using multi-cloud networking. Using a feature called fast datapath, it encapsulates and routes VXLAN packets in the kernel instead of user space, saving CPU overhead and latency.
Internally, Weave Net uses a DNS service called weaveDNS. WeaveDNS provides name resolution, automated service discovery, load balancing, and fault tolerance. In addition, Weave Net includes a built-in encryption system for securing all traffic between hosts.
Weave Net is an open source project maintained by Weaveworks.
Canal combines two of the projects in this list—Flannel and Calico—to create a unified networking solution. More specifically, it combines Flannel's network architecture with Calico's policy management API. Canal is more of a deployment tool for installing and configuring both Flannel and Calico, as well as integrating them into your orchestration engine. The result is an open source networking fabric with built-in policy management that leverages the best components of both networking tools.
Canal is an open source project hosted by Tigera.
Big Switch Networks' Big Cloud Fabric (BCF) is a software-defined networking (SDN) solution for managing virtual and physical networks. Compared to the other entries in this list, BCF offers much broader control over your network architecture, from layer 2 to layer 7. For containers, BCF lets you define virtual networks and assign containers to a specific network on creation. It also supports multiple container orchestrators including Kubernetes, OpenShift, and DC/OS.
A limited version of BCF is available as part of the Big Switch Network Community Edition. Big Switch Networks also offers an online demo in their hosted environment, Big Switch Labs.
Container networking has come a long way in a very short time. Just two years ago, Docker released its Overlay driver for connecting containers across hosts. Today, Kubernetes networking tools and Docker networking tools are capable and resilient enough to satisfy the needs of most deployments.