VPNs can help containers at the network edge communicate securely—but they’re not for every use case
Let’s begin by agreeing to the fact that containers are widely adopted, from on-premises data centers to public cloud services providers. We have also seen rapid innovation in terms of new service delivery based on the microservices approach, under which companies can focus on scalability and security and stick to DevOps methodologies. This is helping companies launch new content at a speed previously unimaginable.
Now, containers can be deployed and orchestrated at the network edge to get optimal workload performance with lesser computation power. The edge cloud can be enterprise or telecom 5G. However, the edge cloud bundled with containers can give rise to issues related to security and network topology because workloads from one standalone data center have shifted to the heterogeneous edge nodes, which are explicitly connected to the central cloud. This shift introduces new challenges in terms of how the edge nodes will communicate securely with the cloud and what is the ideal structure of a network that can be followed by enterprises and telecom networks.
In such a scenario, one of the choices that can be evaluated is virtual private networks (VPN). It has been discussed that containers are completely isolated with no government barriers and can be deployed in an infrastructure to send encrypted traffic to other clouds. With VPNs, the routing of data is set up from different VPN servers that establish point-to-point communication.
Typical Container Networking Scenario
Typically, containers such as Docker communicate with each other or outside the scope of pods via the host using networking layers. Various networking options are available for different use cases. Docker typically has a default bridge network called Docker0, and Docker containers communicate with each other by broadcasting the container connect requirement on Docker0 or by linking directly. To communicate outside, Docker containers use subnets, exposed ports and forward traffic.
How VPNs Are Useful
In the cloud-edge environment, communication between orchestrator nodes and service endpoints is considered to be secure. But keeping aside this assumption of a secure communication channel, VPN is a robust network channel that transfers data securely.
Because an edge-based network contains various edge endpoints, it cannot be as perfect as a legacy network that is well-organized and homogeneous. Considering the network connection between different edge nodes is glitchy and can cause issues for container orchestration and deployment, it is better to avoid any catastrophic circumstances by implementing a VPN. VPN ensures a homogeneous network infrastructure in which the communication among the container orchestrator and containers can be glitch-free.
VPN Options for Edge-based Networks
Various VPN services are available for container-based clouds, both open source and proprietary.
In a recent study conducted by the University of Ghent in Belgium, researchers evaluated OpenVPN, WireGuard, ZeroTier, Tinc, and SoftEther VPN solutions for edge-based networks that are carrying workloads deployed in containers. A testbed was set up with eight machines powered by Ubuntu and Docker. Kubernetes was deployed to one machine and seven were dedicated as worker nodes. Kubernetes master-held the VPN server and VPN clients were distributed among worker nodes. All the traffic from pods in seven worker nodes machines used the VPN clients for communication.
Image source: https://biblio.ugent.be/publication/8634434
The focus of this study was to check the scalability (in terms of response time and failure rate) of the edge nodes’ interconnection and the effect of network degradation (metrics such as packet loss and latency) on VPN. The scalability test was focused on how VPN solutions can handle a large number of connections and service calls. A definite network degradation was observed when the VPN was deployed by edge and IoT data transmission. It was necessary to check for packet loss and latency as edge and IoT use cases demand accurate and real-time actions based on analysis done at the edge.
You can access the research PDF to know more about testbed and the results here.
The use of VPN solutions can be a quick option for most enterprise-level, edge-based networks. For large-scale use cases such as 5G telecom networks, which have mobile edge computing (MEC) and a huge amount of data with added latency requirements, a VPN solution has to deliver an optimal performance. The testbed discussed in this article forms the base for multiple other implementations.