Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
VMware / vSphere Integrated Containers (VIC) Demos / 7 Jun 2018
VMware / vSphere Integrated Containers (VIC) Demos / 7 Jun 2018
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: vSphere Integrated Containers (VIC) Networking with NSX

Description

In this demo presentation, Patrick Daigle provides an overview of NSX networking for vSphere Integrated Containers.

A

Hi, my name is Patrick Pegg I'm part of the product management team here at VMware in the cloud native applications business unit today, I'd like to talk to you about vSphere, integrated containers and specifically we're going to talk about how you can use NSX to complement your vSphere integrated containers deployment by simplifying some of the networking requirements, as well as bringing additional security to your container images that are instantiated on these for integrated containers.

A

So, let's get right to it in the native darker world, docker implements this bridge network, that's internal to the dr host and that acts as a way to connect. The containers together, connect the containers with the hosts and expose services to the outside world, and we mimic this behavior with vSphere integrated containers. Now these four integrated containers has this special way of instantiating the container images where each container image gets instantiated inside of its own VM.

A

So we actually use a vSphere port group to mimic the docker bridge so because this docker bridge needs to be isolated because we reuse the default network range that docker uses the 172 dot, 16 / 12, to 5 a way to isolate this traffic in the vSphere environment and there's two ways you can do that with a regular port group. You can use a VLAN to isolate this traffic and create the different Bridge port groups for each of your individual container hosts.

A

This also requires that you can figure the VLANs on the switch ports as well, where the ESX hosts are connected to ensure proper connectivity when the containers move around the other option, which is what we're going to look at today, is using NSX and using the V excellent for isolation to create that necessary bridge network connectivity and get away from some of the complexity that comes from having to configure the physical network so with NSX using it.

A

The excellent all the configuration is done in software in NSX and you can use NSX as the backend networking for the bridge network without having to make any changes to your physical network. So we're going to look at how that's done in the next couple of minutes here.

A

So we start with an existing vSphere environment in this environment. I have a compute cluster that I will be using for my virtual container host, so the virtual container host will get deployed on this compute cluster and then all of the container VMs will get deployed across this cluster as well. Using the RS for initial placement, I've deployed a couple of VMs here: I have a Linux workstation that I'm, using as my docker, client and I have the vSphere degraded containers OVA that I've already pre deployed. You can see that I have a second cluster.

A

This is my management cluster, where I've pre deployed and pre-configured most of the NSX constructs that we're going to use throughout this example. So, first, let's go into the nsx management tab, and this is where we will be able to set up the necessary bridge networking that we will use with vSphere integrated containers container host. So the first thing you need to do is head over to your transport zones, because the virtual container host will get deployed on our compute cluster.

A

We need to ensure that we have a transport zone that is configured on that cluster and that that spans only that cluster, because we want to keep that traffic local to the compute cluster. So the transport zone defines the boundary for any logical switches. So we need to make sure that we have that set up. So if I look currently I only have a transport zone, that's global that spans.

A

Both my clusters, so I'll create a new transport zone that spans only my compute cluster, so I give it a name that has my compute clusters, the name T Z, to indicate that it's a transport zone and I create it. Now that that's been created, I'm ready to go ahead and create my logical switch. So again, this logical switch will not require any type of special routing or anything like that.

A

We're creating this logical, switch to segment out or isolate the traffic, so it needs to span the whole cluster, but it doesn't need to route beyond that. So let me create this switch I'm gonna call the VC h01a, that's the name of the VCH I will create and then bridge. We need a unique bridge, logical switch for every container host, because if you remember we're reusing that 170 2016 slash 12, my p address space across every virtual container. No, so we need to have a dedicated switch to isolate that traffic.

A

That will allow us to mimic the the docker bridge. Networking so I select my newly created transport zone again. I want this logical switch to have the cluster as a boundary. I want to use a VX LAN to isolate this traffic, so I choose unicast and I want to make sure that IP discovery is enabled on this logical switch as well. So nsx created the switch for me. It assigned a VX LAN segment ID automatically out of the pool that's configured in nsx.

A

So now, I'm ready to start using this logical, switch and create my virtual container host using it.

A

So next we will switch over to the html5 client, where we will use the visa integrated containers wizard to create our virtual container host. So we're back in our environment using the html5 client, so I'll go into the vSphere integrated containers plug-in, and this plug-in will give me an easy wizard based workflow, to create my container host. So this is again an easy workflow that steps you through every step to configure your container host and provides hints along the way to help you make the right decisions so we'll select a name.

A

We're gonna call this VC h01a to be consistent in our naming. I'm, not gonna worry about any of these other settings for now. I'm gonna focus on the mandatory settings here as we go through this and then focus on the network settings which is what's interesting to us. So I'm selecting the image you can see that the mandatory settings are identified by a little red asterisks, and this is where things get interesting. Now, for my bridge, Network I'm gonna be able to select this newly created, NSX backed logical, switch I'm, not gonna change.

A

The default Bridge network range. That's the default that's used by darker and it's the one I'm gonna use in this example for my public network I'm using a regular port group with the static IP address that I'm setting here. That's one of the key things that that we can do with nsx is that you can have this phase deployment where we're starting to use some of the NSX constructs without making huge changes to our existing to our existing networking infrastructure.

A

So I'm using the network regular distributed switch for my public networking and I'm using NSX only to isolate that bridge traffic. There's a number of advanced networking options that you can set here as well. I'm not going to worry about those and then again, I'm going to keep things simple here: I'm just going to upload a certificate to access to this remote docker, API endpoint. If you're interested to learn more about the the wizard, we have documentation available on github at the Vig page and we have some videos on YouTube as well.

A

That can help you through configuring. This again here we're focusing on the use of the NSX bridge networking so I'm going to put some credentials for the operations of this virtual container host and then I can review my settings here.

A

I can see that I've selected the right bridge Network for my logical, switch and then hit finish, which will create this virtual container host for me now that the virtual container host has been created, I can look at the results by expanding here and get a lot of debugging information on how this was created and if any problems happened, it doesn't look like I've had any problems here. Hitting refresh will give me the information on how to access this docker API endpoints I'm going to go ahead and grab this information.

A

That's going to allow me to access this docker API endpoint, using regular docker tools. Now we will switch to the developer view or my command line view. First thing I need to do is set my environment variable so that my doctor client points to that newly created docker, API endpoint, so I'm going to point it to V CH dash zero, one, eighth Corp dot local.

A

Once I've done that I'm able to use the standard, docker, CLI and standard standard, docker CLI commands to talk to this endpoint, so using docker info can get some information about the engine. That's running and, as you can see, it's running these four integrated containers and then, if I want to look at the networks that are currently available, I see that I only have the default Bridge network available to me. So the first thing I'm going to do is I'm going to go ahead and create a new network.

A

So this is a user-defined bridge network and it's gonna make my life easier here, because the user-defined bridge network actually has built-in dns resolution so I'll be able to reference the containers that I create by names to run the different desks. I need to run so the next thing I want to do is I want to start a test container on this new network.

A

So I'm going to use the network test net I'm, going to use the darker facility to map a ports on mapping port 80 from the container to port 8080 of my container host I'm, going to give it a name of web 0. 1 we're going to run this detach because I want to run this as a service and I'll start. The nginx container.

A

Next I'm going to start a Linux container, so I'm using the VMware photon OS to do image here. Photon OS is a Linux distribution. That's maintained by VMware, so again, I'm connecting this to my test net bridge Network I am going to give it a name of Linux 0 1 running this in interactive mode. So once this starts up, it's going to drop me into a shell where I'm going to be able to run the next commands and test connectivity from this container.

A

So, let's switch over to the vSphere client to look at how this got provisioned, because this is V, so integrated containers. Each of the containers that I started was instantiated in its own VM. So the first one I have is this web 0 1. So this has the name of the container, as well as the docker container. Id and I can see that this was connected to my nsx logical, switch and received an IP of 170 216 dot, 0 dot 2 from docker.

A

Looking at the Linux container, it's going to refresh here real quick.

A

We see that it got a 172 1703 address, and this is also connected to my bridge network, because this user-defined bridge got created on this nsx backed logical switch. My two containers got created as VMs on separate ESX hosts. So let's switch over to my developer view and see if these two things can talk to one another, so I'm gonna do a simple curl to get the webserver on web 0, 1 and I can see that it answers just as expected.

A

Switching over to the browser, because I had this port redirection I should be able to access the nginx service on port 8080 on my VCH container host and if I test it in the browser. I see that again it behaves as expected. So my nsx logical switch provides the connectivity that I expect from a bridge network implemented in vSphere integrated containers.

A

Next, we're going to look at how we can use nsx to provide micro segmentation of the container workloads, because these four integrated containers provisions containers as VMs.

A

We have that that VM as a security boundary that we can use- and we can use NSX and the dynamic groups in NSX to provide security to the containerized workloads, so computerized workloads tend to be ephemeral, tends to create this very dynamic environment and the use of security groups with dynamic membership can help us ensure that containers have the right level of security policies applied to them as they get spun up. So, let's look at how this is implemented.

A

Switching over to our NSX configuration. The first thing we want to do is set up a security group that can be applied to our container VMs, so I'm gonna go into groups and tags and from here I'm going to add a security group. So a security group is basically a logical grouping of virtual machines that can be done on a number of different attributes.

A

So I'm gonna name this Webster security group and, as you can see here, I can select a number of different criteria for the purposes of this example: I'm going to use the VM name as the criteria to select members of the security group and I'm gonna select any VM that contains web in its name. So I expect that my already created web 0 1 container will get added to this group here.

A

I can select static objects to include or exclude Aspire this group as well I'm, not gonna, bother with that I just want to demonstrate the dynamic membership in this security group. Now that my security group has been created, I can use it to create a firewall rule. So let's go to the firewall and I'm going to add a rule here.

A

The first thing I'm gonna do is I'm gonna, add my newly created security group as a destination, so I select security group as the object type to apply this security rule select my web security group. Add it to the list. I can see that web 0-1 ones are already added to this group automatically as expected. So that's what I want at this security group as the destination for my firewall rule as the source I'm going to add my Linux zero 1 container VM that I created earlier so I just want to create a simple rule.

A

Here, that's going to take this container VM as a source. That's going to use my web security group as the destination, the service that I want to filter on I'm, going to filter on HTTP, because this is web service. Http I'm going to select the appropriate service from the list here. So look for HTTP.

A

This is TCP port 80. That's what I want so I'll. Add it to the services as part of this rule and the action I'm gonna take is reject. The only reason I'm using reject here is it's going to be faster and simpler in terms of a providing an example. So I expect this rule to block or reject traffic from my Linux container VM. That I was using previously to run my test to my web server.

A

So let's see how this, how this plays out now that I have this rule enabled so the next thing I'm gonna do is I'm going to create a second web server. My goal here is to test that this newly created web server will get automatically added to my security group. So when we're talking about dynamic membership, this is what we mean so containers before they even start up, get added to a security group and have policies associated with them. So again, again, I'm gonna use the nginx image.

A

I'm gonna give it a name of web 0-2 this time and I'm gonna use port 80 90, because 8080 is already in use by web 0, 1 and again, of course, connecting to my test and user-defined bridge. So now that it's up I have a second web server. That's available along with my linux server.

A

So two web servers linux server all connected to that test: net bridge so using private IP space, 170 2.17. So if I docker inspect I showed you before how to get the IP from the vSphere client. That information is of course, also available using the docker CLI.

A

So if I doctor inspect my newly created container, I can find out its IP address and I see here that it received a 172 about 17, that's here without for now, let's switch over to the security group and there we can see that my web 0-2 was automatically added to the group so automatically added to the firewall rules preventing web traffic from my Linux machine to these two web servers. So, let's see if this works I'm back in my Linux 0-1 container, and if this worked as expected.

A

Now, if I try to access the web server on web 0-1, I should get a reject and the same thing when I try to access web 0-2. So I can see that the rule is in effect. I cannot access these two web servers from my Linux 0-1, but if I go over to the portrait direction, it's still available because I'm not filtering these other IP addresses. So only this east-west traffic that I'm filtering from the Linux 0-1 container to the web containers is filtered out.

A

So in conclusion, we've showed you how you can use a nsx logical, switch to meet the bridge networking requirements and avoid having to make any changes to your physical network and as well. We've showed how the nsx security groups and the dynamic memberships can be applied to a container deployment on fees for integrated containers and allow you to bring additional security to your container image deployments with that I. Thank you for your time and have a great day.