Intelligence and Security for Container-Based Applications through Avi Networks and OpenShift

In the final post of this series I will provide an overview of the intelligence and analytics capabilities of the OpenShift and Avi Networks solution. Visibility and trust are critically important for deploying containerized workloads, and Avi Networks brings improved monitoring and analytics tools to the OpenShift ecosystem.

Monitoring/Analytics

Application owners and operators need to know how the application is performing now and, often, how it performed at some point in the past; they want alerts when services degrade or go down; and they need to understand whether an outage is caused by the infrastructure, the application, or an operator error so they can take corrective action. Applications also suffer from brownouts and degraded performance for some fraction of users. A uniform, scalable, and robust monitoring/analytics system is required to collect, aggregate, accumulate, store, and roll up metrics and logs for all applications, preferably without having to instrument every application.

Avi Service Engines collect over five hundred individual metrics and log every HTTP or TCP/UDP transaction. Avi Controller aggregates and makes this information available via dashboards and REST APIs for quick utilization by network admins.

Application Map — Avi Vantage builds a real-time dynamic map of communications between microservices and makes this information available as a dependency map. Operators can extract critical metrics such as latency, bandwidth, request rate, etc. across microservices.

Analytics Dashboard — For every application, Avi Controller provides an end-to-end latency view of all transactions, including past transactions (the past five minutes, a day, a week, a month, a quarter, a year). In addition, current and historic views of critical metrics such as request, transaction, and connection rates, throughput, etc. are available.

Log Analytics — Avi Service Engines log every significant transaction (errors and excessive latencies) and Avi Controller indexes such logs and provides analytics by several dimensions such as pool member, response time, device type, etc. Log Analytics also provides a Google-like search. Application logs can also be directly forwarded by Avi Service Engines to an external log analytics platform like Splunk.

Client Analytics — Client Analytics inserts a JavaScript resource into responses that reports navigation and resource timing information back to Avi Controller. This provides aggregate page load times, analytics by dimensions such as device type, country, etc., and detailed resource timing information for every page in the application.
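The mechanism described above is what browsers expose through the W3C Navigation Timing and Resource Timing APIs. The following is an added example, not Avi Networks code: a small client-side beacon that summarises the page load (time to first byte, DOMContentLoaded, load) and the per-resource durations, and reports the summary to a collector. The collector URL and the field names of the summary are assumptions; the sample entries at the bottom are constructed so the summariser can be exercised outside a browser.

```javascript
// Added example (not Avi Networks code): a client-side real-user-monitoring
// beacon built on the Navigation Timing Level 2 and Resource Timing APIs.
// COLLECTOR_URL is an assumed placeholder, not an Avi Controller endpoint.
const COLLECTOR_URL = '/analytics/rum';

function summarizeTiming(navEntry, resourceEntries) {
  // Navigation Timing Level 2 timestamps are relative to timeOrigin (startTime === 0).
  const summary = {
    ttfbMs: Math.round(navEntry.responseStart - navEntry.startTime),
    domContentLoadedMs: Math.round(navEntry.domContentLoadedEventEnd - navEntry.startTime),
    pageLoadMs: Math.round(navEntry.loadEventEnd - navEntry.startTime),
    resourceCount: resourceEntries.length,
    resources: resourceEntries.map(r => ({
      name: r.name,
      initiatorType: r.initiatorType, // script, link, img, fetch, xmlhttprequest, ...
      durationMs: Math.round(r.duration),
    })),
  };
  // The single slowest resource is usually the first thing an operator looks at.
  summary.slowestResource = summary.resources.reduce(
    (worst, r) => (worst === null || r.durationMs > worst.durationMs ? r : worst), null);
  return summary;
}

function collectFromBrowser() {
  if (typeof performance === 'undefined' || typeof performance.getEntriesByType !== 'function') {
    return null; // not running in a browser
  }
  const [nav] = performance.getEntriesByType('navigation');
  if (!nav || nav.loadEventEnd === 0) return null; // load event has not completed yet
  return summarizeTiming(nav, performance.getEntriesByType('resource'));
}

function sendBeacon(summary) {
  // navigator.sendBeacon queues the POST without delaying navigation or unload.
  if (typeof navigator !== 'undefined' && typeof navigator.sendBeacon === 'function') {
    return navigator.sendBeacon(COLLECTOR_URL, JSON.stringify(summary));
  }
  return false;
}

// In a browser, report once after the load event; defer one tick so loadEventEnd is populated.
if (typeof window !== 'undefined') {
  window.addEventListener('load', () => {
    setTimeout(() => { const s = collectFromBrowser(); if (s) sendBeacon(s); }, 0);
  });
}

// Constructed sample entries mirroring the shape of PerformanceNavigationTiming
// and PerformanceResourceTiming, so the summariser can be run without a browser.
const sampleNavigation = { startTime: 0, responseStart: 120.4, domContentLoadedEventEnd: 850.2, loadEventEnd: 1402.7 };
const sampleResources = [
  { name: 'https://app.example/app.js', initiatorType: 'script', duration: 310.6 },
  { name: 'https://app.example/style.css', initiatorType: 'link', duration: 95.1 },
  { name: 'https://app.example/api/items', initiatorType: 'fetch', duration: 640.3 },
];

if (typeof window === 'undefined') {
  console.log(JSON.stringify(summarizeTiming(sampleNavigation, sampleResources), null, 2));
}
```

The beacon reports only timing data and resource URLs already known to the page; anything beyond that (cookies, form contents) has no business in a performance beacon, and the collector should still treat the payload as untrusted client input.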

Security Analytics — The Security Analytics page provides a breakdown of TLS/SSL versions and transaction rate, an SSL score based on the SSL security profile and certificates used, and DDoS attack analytics including information about the type of attacks and the bots performing them.
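To make concrete what the Log Analytics and Security Analytics views above compute from per-transaction logs, here is an added example (not Avi Networks code) that runs offline over a constructed, simplified JSON-lines transaction log and produces the TLS version share, transaction rate, latency percentiles, a per-pool-member breakdown, and the list of "significant" transactions (errors and excessive latencies). The field names, the slow-transaction threshold and the sample log lines are all assumptions, not Avi's log schema.

```javascript
// Added example (not Avi Networks code): log analytics over a constructed
// transaction-log format. Field names and the threshold are assumptions.
const SLOW_MS = 500; // assumed threshold for an "excessive latency" transaction

// Constructed sample log: one JSON object per line.
const sampleLog = `
{"ts":"2019-05-01T10:00:00Z","client":"203.0.113.10","tls":"TLSv1.2","method":"GET","path":"/","status":200,"latency_ms":42,"pool_member":"web-1"}
{"ts":"2019-05-01T10:00:01Z","client":"203.0.113.11","tls":"TLSv1.3","method":"GET","path":"/api/items","status":200,"latency_ms":88,"pool_member":"web-2"}
{"ts":"2019-05-01T10:00:02Z","client":"198.51.100.7","tls":"TLSv1.0","method":"POST","path":"/login","status":200,"latency_ms":130,"pool_member":"web-1"}
{"ts":"2019-05-01T10:00:03Z","client":"203.0.113.12","tls":"TLSv1.2","method":"GET","path":"/api/report","status":500,"latency_ms":910,"pool_member":"web-2"}
{"ts":"2019-05-01T10:00:04Z","client":"203.0.113.13","tls":"TLSv1.3","method":"GET","path":"/","status":200,"latency_ms":35,"pool_member":"web-1"}
{"ts":"2019-05-01T10:00:05Z","client":"203.0.113.14","tls":"TLSv1.2","method":"GET","path":"/api/items","status":200,"latency_ms":620,"pool_member":"web-2"}
`;

function parseLog(text) {
  const records = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      const r = JSON.parse(line);
      r.time = Date.parse(r.ts); // epoch milliseconds, used for the rate window
      records.push(r);
    } catch (e) {
      // Malformed line: skip it rather than abort the whole analysis.
    }
  }
  return records;
}

function percentile(values, p) {
  // Nearest-rank percentile on a sorted copy of the values.
  if (values.length === 0) return null;
  const sorted = [...values].sort((a, b) => a - b);
  const rank = Math.ceil((p / 100) * sorted.length);
  return sorted[Math.max(0, rank - 1)];
}

function countBy(records, key) {
  const counts = {};
  for (const r of records) counts[r[key]] = (counts[r[key]] || 0) + 1;
  return counts;
}

function analyze(records) {
  const times = records.map(r => r.time);
  // Window length in seconds, counting the last second as a whole second.
  const windowSec = (Math.max(...times) - Math.min(...times)) / 1000 + 1;
  const latencies = records.map(r => r.latency_ms);
  const legacy = records.filter(r => r.tls === 'TLSv1.0' || r.tls === 'TLSv1.1').length;
  return {
    transactions: records.length,
    transactionsPerSec: records.length / windowSec,
    tlsBreakdown: countBy(records, 'tls'),          // e.g. {"TLSv1.2":3,"TLSv1.3":2,"TLSv1.0":1}
    legacyTlsPercent: Math.round((100 * legacy) / records.length),
    byPoolMember: countBy(records, 'pool_member'),
    p50LatencyMs: percentile(latencies, 50),
    p95LatencyMs: percentile(latencies, 95),
    // "Significant" transactions: server errors first, then excessive latencies.
    significant: records
      .filter(r => r.status >= 500 || r.latency_ms > SLOW_MS)
      .map(r => ({
        ts: r.ts, path: r.path, status: r.status, latency_ms: r.latency_ms,
        reason: r.status >= 500 ? 'error' : 'slow',
      })),
  };
}

const report = analyze(parseLog(sampleLog));
console.log(JSON.stringify(report, null, 2));
```

The legacy-TLS percentage is the figure worth alerting on: a non-zero share of TLSv1.0/1.1 handshakes tells you which clients will break before you tighten the SSL profile, and the per-pool-member counts show whether slow or failing transactions cluster on one backend.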

Security

Enterprise applications need to be deployed securely. This requires the following security capabilities:

  • TLS/SSL protocol offload, secure TLS certificate/key management
  • Micro-segmentation: IP address and microservices-based security access policies including Whitelist/Blacklists
  • Web Application Firewall (WAF) for Layer7 applications
  • DDoS detection and mitigation for Layer4 and Layer7 attacks

Avi Vantage offers a secure services fabric for enterprise-class applications deployment:

TLS/SSL Protocol Offload & TLS Certificate Management — Avi Service Engines offload TLS/SSL encryption/decryption from application containers. Avi Controller securely encrypts and stores TLS keys in a secure database. TLS certificate keys are never transmitted across the network or stored on the disk in clear text, unlike open-source solutions with the default HAProxy router. Avi Vantage also natively integrates with industry leading HSMs for secure TLS handshakes, key storage and custom workflows for certificate management.

Micro-segmentation — Operators can configure network security policies with microservices as sources or destinations. Avi Vantage automatically resolves microservices to IP Addresses and ports and enforces whitelist/blacklist security access policies.

Web Application Firewall — Avi Vantage protects against Layer7 application attacks with an integrated, simple Web Application Firewall for enterprise applications.

DDoS Detection and Mitigation — Avi Service Engines detect and mitigate a wide variety of Layer4 (TCP/UDP) and Layer7 (HTTP) DDoS attacks against applications. In addition, Avi Controller provides rich analytics information about the type and nature of attacks and attackers.

Conclusion

Enterprises adopting OpenShift need a cloud-native approach for traffic management. Traditional, appliance-based load balancing solutions are architecturally restricted in offering an automated application deployment framework for container-based workloads.

The Avi Vantage Platform from Avi Networks provides application services such as traffic management (load balancing within a cluster and across clusters/regions), service discovery, monitoring/analytics, and security, which are critical components of an application deployment framework.

Avi Networks provides a scalable, enterprise-class, and elastic application services fabric for deploying business-critical workloads in production environments on OpenShift clusters.

For more information, please download the white paper Application Networking Services for OpenShift-Kubernetes Clusters.

Categories
Kubernetes, News, OpenShift Ecosystem