Distributed Services Fabric for Container-Based Applications Powered by Avi Network

In the first blog post of this series I discussed the challenge and requirements for providing application services to container-based applications and introduced the Avi Networks distributed services fabric. In this post I will highlight many of the performance and automation benefits of using the integrated OpenShift and Avi Networks solution.

Scale and Performance

Avi Controller intelligently manages the available capacity of the pool of Avi Service Engines. There are two service types:

East-West or Internal Services — These services are visible only within the cluster and are accessed using a non-routable VIP (virtual IP) per service. These virtual services are always proxied by the local Avi Service Engine on every node.

North-South or External Services — These are externally visible services accessed using a routable virtual IP address (VIP) per service. These virtual services are proxied by one or a small number (usually up to four) of Avi Service Engines. Avi Controller uses a combination of load and connectivity to find eligible Service Engines and “places” these virtual services on those Service Engines. Avi Vantage also offers the flexibility to create variable sized Service Engines for proxying North-South vs. East-West virtual services.

Scaling North-South Services

Avi Vantage scales North-South services using a variety of techniques:

Distributed Placement — Virtual services are proxied by different Avi Service Engines, so the load is spread across the services fabric. When combined with advanced data plane programming using data scripting or deployed with Web Application Firewalling, both of which require CPU intensive processing, a distributed placement architecture is the only way to scale.

Hierarchical Scale-Out — A single virtual service can be scaled out across four Avi Service Engines using a scheme by which a single Avi Service Engine acts as a Tier-1 load balancer and other Avi Service Engines provide Tier-2 load balancing.

Equal Cost Multi-Pathing (ECMP) — A single virtual service can be scaled out by programming multiple VIP/32 routes with different Avi Service Engines as next hops. A single virtual service can be scaled out across up to 64 Avi Service Engines. The upstream router load balances TCP/UDP flows to Avi Service Engines. Avi has empirically demonstrated how this approach elastically scales to over a million TLS/SSL transactions/sec for a single virtual service.

Enterprise-Class ADC Feature Set

The Avi Vantage Platform offers a rich, enterprise-class load balancing feature set for mission-critical application deployments in OpenShift clusters:

  • Load Balancing – Layer-4 (TCP/UDP) and Layer-7 (HTTP/S, DNS)
  • Global Server Load Balancing (GSLB)
  • TLS termination, configurable TLS profile (ciphers) per Route
  • Programmable health monitoring
  • Connection multiplexing
  • Session persistence – HTTP cookie, source IP, TLS ticket
  • Content/URL switching, redirection, error page
  • Content modification – header and payload re-write
  • Request surge queuing
  • Caching
  • Compression
  • Priority pool and graceful traffic migration for blue-green, canary deployment patterns
  • Application autoscaling

Global Server Load Balancing (GSLB)

Avi Vantage provides GSLB for two use cases:

Inter-site/region Load Balancing — Enterprise applications are deployed across multiple datacenters and/or public cloud regions. Avi’s GSLB service provides active-active and active-standby load balancing by returning the appropriate virtual IP address for an application for every DNS query. Active-standby load balancing is primarily for application high-availability. Active-active load balancing uses a combination of geo-location, site persistence, and availability to direct users to the appropriate site/region’s VIP.

DNS Load Balancing — Avi Vantage provides DNS load balancing for appropriate services. The workflow is similar to virtual service creation: the app owner requests a GSLB service using annotations, and Avi Controller creates and synchronizes a GSLB service instead of a virtual service.

Software-Defined Application Services

IP Address Management (IPAM) for Virtual IP Addresses — Avi Vantage offers built-in IPAM for virtual IP address allocation; alternatively, Avi Controller provides native integration with IPAM providers such as Infoblox for IP address allocation.

Service Discovery — Service discovery bridges the gap between a service’s name and access information (IP address) by providing a dynamic mapping between a service name and its IP address. Users of all services (users using browsers or apps or other services) use well-known DNS mechanisms to obtain service IP addresses. The service discovery database must be kept up to date with this mapping as services are created and destroyed. The “global state” (available service IP addresses) of the application across sites and regions also resides in the service discovery database and is accessible by DNS.

The global application app1.os.acme.com is associated with 2 Virtual IPs (10.10.10.100 and 10.20.10.100) belonging to the 2 clusters in different zones/regions. Data Center 1 has VIP1 10.10.10.100 and Data Center 2 has VIP2 10.20.10.100. When the user does a DNS lookup for app1.os.acme.com, the user is returned an A record with either 10.10.10.100 or 10.20.10.100 depending on:

  • Is the service active/active or active/passive?
  • Are both Virtual IPs responsive/available?
  • Is the user geographically closer to Data Center 1 or Data Center 2?
  • Does the user have a site persistence cookie directing the user to a specific Data Center?
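As an added illustration of the decision list above (example code, not Avi Vantage's implementation; the rule precedence, the Site/GslbService names and the coordinates are assumptions):

```python
# Toy model of the GSLB answer selection described in the text.
# Assumption: a persistence cookie wins first, then health, then mode, then geo.
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    vip: str
    healthy: bool = True
    lat: float = 0.0   # constructed coordinates, used only for a distance ranking
    lon: float = 0.0

@dataclass
class GslbService:
    fqdn: str
    sites: list                    # configured order; first = preferred in active-passive
    mode: str = "active-active"    # or "active-passive"

def _closest(sites, user_lat, user_lon):
    # Squared Euclidean distance is sufficient for ranking a handful of sites.
    return min(sites, key=lambda s: (s.lat - user_lat) ** 2 + (s.lon - user_lon) ** 2)

def resolve(svc, qname, user_lat=None, user_lon=None, persist_site=None):
    """Return the VIP to put in the A record, or None if unresolvable/all down."""
    if qname.lower().rstrip(".") != svc.fqdn.lower():
        return None                      # not authoritative for this name
    healthy = [s for s in svc.sites if s.healthy]
    if not healthy:
        return None                      # every VIP failed its health monitor
    # 1. Site persistence: honour the cookie only while that site is healthy.
    if persist_site:
        for s in healthy:
            if s.name == persist_site:
                return s.vip
    # 2. Active-passive: first healthy site in configured order (failover).
    if svc.mode == "active-passive":
        return healthy[0].vip
    # 3. Active-active: closest healthy site when the user's location is known.
    if user_lat is not None and user_lon is not None:
        return _closest(healthy, user_lat, user_lon).vip
    return healthy[0].vip

# Constructed sample data matching the two data centres in the text.
DC1 = Site("dc1", "10.10.10.100", lat=40.7, lon=-74.0)
DC2 = Site("dc2", "10.20.10.100", lat=37.8, lon=-122.4)
APP1 = GslbService("app1.os.acme.com", [DC1, DC2])
```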

Avi Vantage provides an authoritative DNS server for users’ devices and other services to map host/domain names to virtual IP addresses (VIPs). Every service, route, and ingress object creates an A record in Avi’s DNS server mapping the service’s host/domain name to its VIP. Usually, the cluster’s sub-domain is delegated at the corp or datacenter DNS to Avi’s DNS server.

Avi Vantage provides a variety of DNS configuration options and the ability to add static A and CNAME records to the DNS server. In addition, Avi Vantage provides built-in integration to third-party DNS and IPAM services such as Infoblox.

Continuous Integration and Delivery (CI/CD) — Applications can be upgraded using a Blue-Green or canary deployment pattern. Avi Vantage offers an out-of-the-box, non-disruptive, graceful application upgrade capability. Operators can direct a portion of traffic to a new application version. Avi Service Engines direct new users to the new application version while existing users continue to be serviced by the older version. Once the operator is satisfied with the new version, all new traffic is directed entirely towards the new version. After a sufficient period, when all existing users have disconnected, the older version is safely deleted. The entire process can be controlled by the operator, or Avi Vantage's policy-based Blue-Green orchestration can automate it end to end.

Application Autoscaling — Avi Vantage constantly monitors several metrics that represent load on application instances. Operators can configure an autoscaling policy to automatically scale up or scale down application instances based on load. In addition, Avi Vantage also learns application access patterns and can perform intelligent, predictive autoscaling based on learnt access patterns.

In our next blog post we will focus on the intelligence and security features that Avi Networks and OpenShift provide for container-based applications.

For more information, please download the white paper Application Networking Services for OpenShift-Kubernetes Clusters.

Categories
Kubernetes, News, OpenShift Ecosystem