[translation] how to choose a network gateway for your private cloud
2022-07-28 14:11:00 【programmer_ada】
Guest post, originally published on the Netris blog; author Alex Saroyan.
Truth be told, nobody wants to deal with the network, but without investing time and money in a good network design and some basic operating procedures, we can't deliver our applications. How we connect our application island (probably Kubernetes) to the rest of the world determines the quality of the user experience.
Back when my team and I ran data-center networks, the network edge involved a considerable number of technologies that had to coexist. Border routers, load balancers, firewalls, VPN concentrators: we had at least two of each in every data center, for redundancy. Almost every day we received service change and implementation requests from application and business teams. The biggest challenge was that a minor mistake in the cumbersome configuration of a network device could lead to a terrible outage. Implementing changes took time, engineers rushed back and forth, and the result was long delays. Back then, people thought "networking is difficult and complex, so you need to wait".
Network outages caused by human error still happen, no matter how big your company is.
We can't blame network engineers. The problem is that standard network products are too complex and, fundamentally, were not designed with automation in mind.
The public cloud has raised the bar for implementing infrastructure changes.
Every private network needs some kind of gateway to peer with other networks. Public cloud providers automatically provide network services on demand. When any resource in a VPC needs to communicate with hosts outside it (for example, to reach the Internet), your traffic is served by an Internet Gateway (AWS terminology) or a NAT (Network Address Translation) gateway service.
When your traffic needs to leave the boundary of the data center (a region, in AWS terms), you need the services of a border router. Border routers maintain connections with many Internet providers (Tier 1 carriers and Internet exchange points). For each packet that needs to leave a given region, the border router must compare the destination IP address against the full Internet routing table (more than 900k routes) to determine the best forwarding path.
The same applies to traffic in the opposite direction. When you expose applications to the public Internet, you use an on-demand load balancer service, another service belonging to the gateway layer. The load balancer needs to work with the border router to receive traffic from the Internet, and also with your Kubernetes nodes (or whatever your server backend is) to distribute traffic to the target applications (read more about cloud-native load balancer services for on-premises clouds).
These network services are critical to a cloud-native environment. In the public cloud, we take their existence for granted.
That is good, because it lets cloud practitioners focus on the applications that are central and unique to their business!
Self-service, on-demand network infrastructure services are the state of the art in cloud environments. The same should be true of the private cloud within your enterprise. Otherwise it is not a private cloud, just a traditional enterprise.
Which network gateway services are critical to the private cloud?

- Border router - sits at the edge of your private network and handles BGP sessions with your Internet providers and Internet exchange points. Routes egress traffic to the Internet using the best path available at any moment. Also makes your public IPv4/IPv6 address space reachable worldwide and accepts ingress traffic.
- NAT (Network Address Translation) - lets hosts with private IP addresses communicate with the Internet.
- L4 load balancer - exposes applications to the Internet and routes traffic to your Kubernetes ingress (or whatever your application stack is).
- Site-to-site VPN - lets applications hosted in private IP address space communicate with applications hosted in private IP address space in another data center or remote office (over encrypted tunnels across the Internet).
What are the minimum expectations for gateway/border services in the private cloud?
- Instant service changes and configuration (self-service / automated, cloud-like experience)
- DevOps-friendly interfaces: Kubernetes CRDs, Terraform, REST API, intuitive GUI
- Native Kubernetes integration (automatically adjusting the network by watching kube-api)
- Basic network services (border routing, L4 load balancing, NAT, site-to-site VPN)
- High availability
- Horizontal scalability
- Run on commodity hardware
Where do your traditional network devices fit?
Traditional network equipment, such as the Cisco ASR or Juniper MX series, is very fast and quite stable. It performs very well, until the day-to-day work of typing the necessary network configuration into a production device's CLI produces a "typo".
Every year we see significant network outages caused by human error.
People make mistakes. Vendors should deliver solutions that are easier to operate and less prone to human error. (The public cloud has proven this is possible.)
Dedicated routers can perform countless routing functions (of which you may need only a few), but very commonly they cannot provide load balancing, NAT or other basic network services. So, by design, when you use traditional network hardware you have to maintain dedicated devices for different network functions (one for routing, another for load balancing, another for the firewall, and so on), and don't forget to multiply by 2 (for redundancy). More devices mean more network integrations to maintain, which ultimately leads to more complexity. This is the opposite of the cloud experience.
With a cloud-native mindset, you can't put your network at risk every time your application team needs a new load balancer instance, or every time a new Kubernetes node needs a BGP peering configured between Calico and the physical network (to name just a couple of examples).
These old-fashioned traditional network devices are fine for static use cases, but in a modern dynamic environment they are error-prone.
Raise your hand if you are currently dealing with supply chain problems for physical infrastructure!
Besides, you don't want to mix and match brands and models, because everyone knows that is the best way to run into incompatibilities. Customers usually end up locked into the vendor and model of the equipment they chose. If you are more than 5 years in, you have probably dealt with supply chain problems when trying to buy additional equipment. So when you start your first cloud repatriation project, you may want to consider additional options, not just the vendor you are familiar with.
When modern commodity hardware, properly managed, can unlock cost advantages and supply chain diversity, why on earth should we lock ourselves into a single vendor?
Can we use Linux machines and SmartNICs for the border network in a private cloud?
I have managed routers of different sizes in various applications, from forwarding Kbps on a small embedded Linux board to moving Tbps across multiple countries with Cisco and Juniper. I have always enjoyed Linux, and even happened to build a wireless ISP network that used highly distributed Linux server-routers, covering a city as big as San Francisco.
One important reason I admire Linux routers is that they are universal: you don't need different hardware for different functions. Your server can act as a border router, load balancer, firewall and VPN gateway, all at once. You just need the right amount of resources. And because it's Linux, you can install whatever you need and easily script any unique business requirement.
However, the limitation has always been performance. The flexibility of general-purpose machines comes with a drawback: limited performance for network forwarding applications.
SmartNICs, DPDK and FRR changed my mind.
Border routers need to hold BGP sessions with many Internet providers (and IXPs) and be able to handle a full routing table (more than 900k routes). For decades this task required specialized hardware. FRR (Free Range Routing) changed that. With FRR, we can process full routing tables received from dozens of peers on an ordinary Linux server.
But can we forward more than 100Gbps of data with a Linux server?
Normally, every packet entering a Linux router generates a CPU interrupt and enters the kernel for forwarding. A border router needs to forward millions of packets per second; millions of CPU interrupts per second can easily overload the kernel and create a bottleneck.
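As an added illustration (not code from the original post or from Netris), here is a minimal FRR bgpd configuration for one upstream session on such a Linux border router. It assumes we are AS 65000 announcing 198.51.100.0/24 and peer with an upstream in AS 64496 at 203.0.113.254 (all documentation-range placeholders); it accepts the full table but drops bogons, overly specific routes and our own prefix inbound, announces only our own prefix outbound, and caps the table size so a misbehaving peer cannot exhaust the box.

```frr
! Added example (not Netris' or the author's code): one upstream BGP session on an
! FRR-based Linux border router. AS numbers and prefixes are documentation-range placeholders.
router bgp 65000
 bgp router-id 203.0.113.1
 ! refuse to exchange routes with an eBGP peer that has no policy attached
 bgp ebgp-requires-policy
 neighbor 203.0.113.254 remote-as 64496
 neighbor 203.0.113.254 description UPSTREAM-A
 !
 address-family ipv4 unicast
  network 198.51.100.0/24
  ! a full table is 900k+ routes; warn at 90% and tear the session down if a peer sends far more
  neighbor 203.0.113.254 maximum-prefix 1200000 90 restart 15
  neighbor 203.0.113.254 route-map UPSTREAM-IN in
  neighbor 203.0.113.254 route-map UPSTREAM-OUT out
 exit-address-family
!
! our own public space: the only thing we announce, and never accepted back from a peer
ip prefix-list OWN-PREFIXES seq 10 permit 198.51.100.0/24
!
! addresses that should never appear in the global table (abbreviated list)
ip prefix-list BOGONS seq 10 permit 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 20 permit 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 30 permit 127.0.0.0/8 le 32
ip prefix-list BOGONS seq 40 permit 169.254.0.0/16 le 32
ip prefix-list BOGONS seq 50 permit 172.16.0.0/12 le 32
ip prefix-list BOGONS seq 60 permit 192.168.0.0/16 le 32
!
! anything longer than /24 is not routed on the public Internet
ip prefix-list TOO-SPECIFIC seq 10 permit 0.0.0.0/0 ge 25
!
route-map UPSTREAM-IN deny 10
 match ip address prefix-list BOGONS
route-map UPSTREAM-IN deny 20
 match ip address prefix-list OWN-PREFIXES
route-map UPSTREAM-IN deny 30
 match ip address prefix-list TOO-SPECIFIC
route-map UPSTREAM-IN permit 100
!
route-map UPSTREAM-OUT permit 10
 match ip address prefix-list OWN-PREFIXES
route-map UPSTREAM-OUT deny 100
```

The same pattern is repeated per upstream or IXP peer; the inbound filters are what keep a single peer's mistake from becoming your outage.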

A SmartNIC is a network interface card with an ASIC (application-specific integrated circuit). Using DPDK (Data Plane Development Kit), you can use this ASIC to accelerate network traffic processing.
Combining a SmartNIC with DPDK, it is possible to offload some network functions into the ASIC, bypassing standard interrupt and kernel processing and handling network traffic in user space (on preallocated CPU cores).
So a roughly $1000 SmartNIC plus the appropriate software can turn a $5000 server into a high-performance gateway that does border routing, load balancing, NAT, VPN and more, forwarding more than 100Gbps and more than 20 million packets per second.
This solution is comparable with traditional (read: expensive, $20,000 to $200,000) network devices.
Another benefit: it runs on commodity hardware from your favorite server vendor. At Netris we want to simplify networking and bring it closer to the Linux, DevOps and NetOps communities. We created Netris SoftGate, a software solution that helps turn a Linux server into a fully functional gateway.