Understanding cSRX Deployment in AWS using Elastic Kubernetes Service (EKS)

SUMMARY This topic provides an overview of cSRX Kubernetes orchestration in the AWS Cloud using Amazon Elastic Kubernetes Service (EKS).

Understanding cSRX with Kubernetes

The cSRX Container Firewall is a containerized version of the SRX Series Services Gateway with a low memory footprint. cSRX provides advanced security services, including content security, AppSecure, and unified threat management, in the form of a container. By running as a Docker container, the cSRX substantially reduces overhead because each container shares the Linux host’s OS kernel: regardless of how many containers a Linux server hosts, only one OS instance is running. Because containers are lightweight, a server can host many more container instances than virtual machines (VMs), yielding large improvements in utilization. With its small footprint and Docker as the container management system, the cSRX Container Firewall enables deployment of agile, high-density security services.

Kubernetes (K8s) is an open-source system for automating the deployment, scaling, and management of containerized applications. With K8s support, cSRX scales out in a cluster as an elastic firewall service with a smaller footprint than virtual machines. K8s groups the containers that make up an application into logical units for easy management and discovery. Running cSRX in a K8s cluster provides advantages such as:

  • Runs services with smaller footprint

  • Enables faster scale out and scale in of cSRX

  • Automated management and controlled workflow

K8s defines a set of building-block objects that collectively provide the mechanisms to orchestrate containerized applications across a distributed cluster of nodes, based on system resources (CPU, memory, or other custom metrics). K8s hides the complexity of managing a group of containers by exposing REST APIs for the required functionality.

A node is a logical unit in a cluster, such as a server, which can be either physical or virtual. In the context of Kubernetes clusters, a node usually refers specifically to a worker node. The Kubernetes nodes in a cluster are the machines that run the end-user applications.

There are two types of nodes in a Kubernetes cluster, and each one runs a well-defined set of processes:

  • head node: also called the primary or control plane node, it is the head and brain of the cluster; it makes all the scheduling and control decisions.

  • worker node: also called simply a node or, in older documentation, a minion, it is the hands and feet that run the workloads.

The worker nodes are controlled by the primary in most cases.

The interface between you and the cluster is the command-line tool kubectl. It is installed as a client application, either on the primary node itself or on a separate machine.

Kubernetes objects include:

  • Pod

  • Service

  • Volume

  • Namespace

  • ReplicationController

  • ReplicaSet

  • Deployment

  • StatefulSet

  • DaemonSet

  • Job

Figure 1: cSRX Service in Kubernetes

In K8s deployment, you can use Multus with both Flannel and Weave CNI.

To support the Kubernetes NodePort and Ingress controller features with cSRX, the environment variable CSRX_MGMT_PORT_REORDER lets cSRX use the container’s management interface (the default CNI interface, eth0) as a revenue interface. The NodePort and Ingress controller features with cSRX are supported only with the Flannel or Weave CNI. With CSRX_MGMT_PORT_REORDER set to "yes", you explicitly control the reassignment of the management port: management functions such as access to the cSRX shell or Security Director (SD) discovery move to an interface attached to cSRX through the Multus CNI.

For example, if cSRX is brought up with eth0, eth1, and eth2 and CSRX_MGMT_PORT_REORDER=yes, eth2 becomes the new management interface and eth0 is available as a revenue interface.

Note:

Traffic forwarding to this eth2 interface must be done through iptables rules that you define explicitly.
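The following is an added example (not code from the cSRX documentation or from Juniper) of the arrangement described above on a Flannel plus Multus cluster: two Multus NetworkAttachmentDefinitions give the pod eth1 and eth2, CSRX_MGMT_PORT_REORDER=yes turns eth2 into the management interface, and the iptables rules the note requires are generated for the worker node so that SSH (22) and NETCONF over SSH (830) reach eth2. The image reference, the macvlan master NIC, the subnets, the node address, the privileged security context, and the use of the Multus network-status annotation to look up the eth2 address are assumptions. Nothing is applied unless the script is run with the argument apply.

```shell
#!/usr/bin/env bash
# Added example, not cSRX/Juniper code. Brings up a cSRX pod with eth0 (Flannel),
# eth1 and eth2 (Multus macvlan) and CSRX_MGMT_PORT_REORDER=yes, so that eth0 is
# usable as a revenue interface and eth2 becomes the management interface, then
# emits the iptables rules that forward management traffic from the node to eth2.
set -eu

CSRX_IMAGE="${CSRX_IMAGE:-csrx:latest}"   # hypothetical image reference
MASTER_IF="${MASTER_IF:-ens5}"            # hypothetical node NIC used as macvlan master
DATA_SUBNET="10.10.10.0/24"               # constructed subnet for eth1 (revenue)
MGMT_SUBNET="10.10.20.0/24"               # constructed subnet for eth2 (management)

# NetworkAttachmentDefinition that Multus uses for each additional interface.
render_netattach() {   # $1 = name, $2 = subnet
  cat <<EOF
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: $1
spec:
  config: '{"cniVersion":"0.3.1","type":"macvlan","master":"${MASTER_IF}","mode":"bridge","ipam":{"type":"host-local","subnet":"$2"}}'
EOF
}

# Pod: the annotation order decides the interface order, so csrx-data becomes
# eth1 and csrx-mgmt becomes eth2. eth0 stays on the default (Flannel) network.
render_csrx_pod() {    # $1 = pod name
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
  annotations:
    k8s.v1.cni.cncf.io/networks: csrx-data,csrx-mgmt
spec:
  containers:
  - name: csrx
    image: ${CSRX_IMAGE}
    env:
    - name: CSRX_MGMT_PORT_REORDER
      value: "yes"
    securityContext:
      privileged: true   # assumption: the cSRX data plane needs privileged mode
EOF
}

# iptables rules for the worker node: DNAT two node ports to eth2 for SSH (22)
# and NETCONF over SSH (830), and accept the forwarded flows. Assumes the node
# can route to MGMT_SUBNET. Only echoed here; pipe into 'sh' on the node to apply.
mgmt_forward_rules() {  # $1 = node address, $2 = pod eth2 address
  node_ip=$1; eth2_ip=$2
  printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport 2222 -j DNAT --to-destination %s:22\n' "$node_ip" "$eth2_ip"
  printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport 8830 -j DNAT --to-destination %s:830\n' "$node_ip" "$eth2_ip"
  printf 'iptables -A FORWARD -d %s -p tcp -m multiport --dports 22,830 -j ACCEPT\n' "$eth2_ip"
}

# Read the eth2 address Multus assigned from the pod's network-status annotation
# (assumed format: JSON list of {name, interface, ips}); needs jq on the client.
csrx_eth2_ip() {        # $1 = pod name
  kubectl get pod "$1" -o jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/network-status}' \
    | jq -r '.[] | select(.interface == "eth2") | .ips[0]'
}

if [ "${1:-}" = "apply" ]; then
  { render_netattach csrx-data "$DATA_SUBNET"; echo ---
    render_netattach csrx-mgmt "$MGMT_SUBNET"; echo ---
    render_csrx_pod csrx-fw; } | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/csrx-fw --timeout=300s
  mgmt_forward_rules "${NODE_IP:?set NODE_IP to the worker node address}" "$(csrx_eth2_ip csrx-fw)"
fi
```

The DNAT rules are deliberately written to distinct node ports (2222 and 8830) so they do not collide with the node's own sshd; adjust them to whatever management port policy applies, and note that the rules must be reinstalled if the pod is rescheduled and receives a different eth2 address.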

See Junos OS Features Supported on cSRX for a summary of the features supported on cSRX.

cSRX Kubernetes Orchestration in AWS Overview

AWS provides managed Kubernetes (K8s) services as part of its offerings. These managed services reduce your dependence on setting up and operating the K8s environment yourself. Orchestration and management of the cSRX in a K8s environment using the Multus CNI is already supported, so with K8s support you can deploy, manage, and orchestrate the cSRX alongside other container workloads in your environment.

The cSRX Container Firewall protects your containerized environments with advanced security services, including content security, intrusion prevention system (IPS), AppSecure, and unified threat management (UTM).

Benefits:

  • Automated service provisioning and orchestration

  • Distributed and multi-tenancy traffic securing

  • Scalable security services with small footprints

Currently, the orchestration and management of the cSRX in a Kubernetes (K8s) environment using the Multus CNI is supported. You can deploy cSRX as a Kubernetes Service or as Pods. With Kubernetes support, you can deploy, manage, orchestrate, and scale cSRX out and in within a cluster that provides an elastic firewall service to application containers, alongside other container workloads, in the AWS environment.

For more information, see cSRX Deployment Guide Kubernetes.

Managed K8s services reduce your dependence on setting up and operating the K8s environment, and you also need an option for deploying a containerized firewall (cSRX) to secure workloads on the public cloud platform. While companies migrating to container workloads rely on K8s for management and orchestration of those containers, the managed services provided by AWS (and by GCP and Microsoft Azure) are increasingly in demand for their ease of use and low maintenance.

AWS provides two orchestration services for containers: Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS).

Elastic Kubernetes Service (EKS): EKS is a fully managed Kubernetes service that runs the open-source Kubernetes distribution and fully supports it. EKS is an Amazon-managed service for running Kubernetes applications on the AWS cloud. EKS runs the Kubernetes control plane across multiple Availability Zones for high availability, detects and replaces unhealthy control plane instances, and applies version upgrades and patches as required. EKS is integrated with Elastic Container Registry (ECR), which holds the container images; Identity and Access Management (IAM) roles for authentication; Amazon VPC for network isolation; and Elastic Load Balancing for load distribution.

You can deploy and manage cSRX on the AWS cloud using Elastic Kubernetes Services (EKS) orchestration for cluster management with bring your own license (BYOL) licensing model.

Amazon Elastic Kubernetes Service

Amazon Elastic Kubernetes Service (Amazon EKS) gives you the flexibility to start, run, and scale Kubernetes applications in the AWS cloud or on-premises. Amazon EKS helps you provide highly-available and secure clusters and automates key tasks such as patching, node provisioning, and updates.

EKS runs upstream Kubernetes and is certified Kubernetes conformant for a predictable experience. You can easily migrate any standard Kubernetes application to EKS without needing to refactor your code.

EKS makes it easy to standardize operations across every environment. You can run fully managed EKS clusters on AWS. You can have an open source, proven distribution of Kubernetes wherever you want for consistent operations with Amazon EKS. You can host and operate your Kubernetes clusters on-premises and at the edge and have a consistent cluster management experience with Amazon EKS.

You can use the full open-source Kubernetes functionality with Elastic Kubernetes Service (EKS) on the AWS cloud. The latest Kubernetes updates are available on the EKS framework.

cSRX is supported only on EKS with EC2 instances. EKS is integrated with Amazon CloudWatch, Auto Scaling groups, AWS Identity and Access Management (IAM), and Amazon Virtual Private Cloud (VPC), providing a seamless environment to monitor and load balance the cloud application.

AWS EKS provides a highly scalable control plane that runs across multiple Availability Zones for high availability. EKS is fully compatible with open-source Kubernetes, and any standard Kubernetes application can be migrated to EKS.

Figure 2: AWS EKS Abstraction Architecture

Multus, as AWS supports it for EKS, with the Flannel CNI is supported for EKS cluster deployments.

Benefits

The cSRX also integrates with other next-generation cloud orchestration tools such as Kubernetes.

The cSRX adds security enforcement points where none have existed before, offering the most comprehensive network security for Kubernetes deployments.

  • Efficient and cost effective: Organizations migrating to containerized cloud-based microservices on AWS can take advantage of the cost savings, faster boot time, and greater visibility while maintaining the same security posture across their public and private cloud environments.

  • Highly agile and scalable: Imposes a small footprint to deliver highly agile, advanced security services in a container form factor.

    The cSRX supports easy, flexible, and highly scalable deployment options covering various customer use cases, including application protection and microsegmentation, through a Docker container management solution.

    The cSRX deployed as a service in a Deployment object allows scale-up and scale-down of the cSRX on demand. It functions as a firewall, protecting workloads deployed in the cluster with the configuration of rich advanced services.

    Some deployments require a highly agile and lightweight security VNF that can scale massively. For such deployments a VM-based VNF is not a scalable solution; a container-based security VNF is required.

  • Improved availability and observability: Participates in network function service chains, offering high availability as well as containerized security that scales individual network functions as needed.

  • Highly secure environment: Provides management flexibility with NETCONF and Security Director to support integration with third-party management and cloud orchestration tools like Kubernetes.

    Also, with EKS, the latest security patches are applied to your cluster’s control plane to help ensure the security of your cluster.
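As an added example (not code from the cSRX documentation or from Juniper) of the "cSRX deployed as a service in a Deployment object" pattern above, the script below renders a Deployment plus a NodePort Service for cSRX on EKS and scales the firewall in and out with kubectl. The ECR image URI, the Multus attachment names csrx-data and csrx-mgmt (assumed to exist already), the inspected application ports 80 and 443, and the privileged security context are assumptions; the replica count is clamped to the number of worker nodes because the anti-affinity rule places at most one firewall per node. Nothing is applied unless the script is run with the argument apply.

```shell
#!/usr/bin/env bash
# Added example, not cSRX/Juniper code. Runs cSRX as a Deployment behind a
# NodePort Service on EKS and scales it with kubectl.
set -eu

# Hypothetical image in the account's ECR registry; EKS nodes pull it with their
# IAM node role, which is the ECR/IAM integration the text mentions.
CSRX_IMAGE="${CSRX_IMAGE:-123456789012.dkr.ecr.us-east-1.amazonaws.com/csrx:latest}"

render_csrx_deployment() {   # $1 = name, $2 = initial replica count
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $1
spec:
  replicas: $2
  selector:
    matchLabels:
      app: $1
  template:
    metadata:
      labels:
        app: $1
      annotations:
        k8s.v1.cni.cncf.io/networks: csrx-data,csrx-mgmt   # assumed existing Multus attachments
    spec:
      affinity:
        podAntiAffinity:   # at most one firewall replica per worker node
          requiredDuringSchedulingIgnoredDuringExecution:
          - topologyKey: kubernetes.io/hostname
            labelSelector:
              matchLabels:
                app: $1
      containers:
      - name: csrx
        image: ${CSRX_IMAGE}
        env:
        - name: CSRX_MGMT_PORT_REORDER   # eth0 (pod IP) carries the NodePort traffic
          value: "yes"
        securityContext:
          privileged: true               # assumption: needed by the cSRX data plane
---
apiVersion: v1
kind: Service
metadata:
  name: $1
spec:
  type: NodePort
  selector:
    app: $1
  ports:                                 # constructed: application ports cSRX inspects
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 443
EOF
}

# Clamp a requested replica count to the worker-node count; with the required
# anti-affinity above, any replica beyond that would stay Pending forever.
clamp_replicas() {   # $1 = requested replicas, $2 = worker node count
  if [ "$1" -gt "$2" ]; then echo "$2"; else echo "$1"; fi
}

scale_csrx() {       # $1 = deployment name, $2 = requested replicas
  nodes=$(kubectl get nodes --no-headers | wc -l)
  kubectl scale deployment/"$1" --replicas="$(clamp_replicas "$2" "$nodes")"
  kubectl rollout status deployment/"$1" --timeout=300s
}

if [ "${1:-}" = "apply" ]; then
  render_csrx_deployment csrx-fw 2 | kubectl apply -f -
  kubectl rollout status deployment/csrx-fw --timeout=300s
  scale_csrx csrx-fw "${2:-3}"     # scale out (or in) to the requested count
fi
```

Scaling in simply lowers the replica count; Kubernetes terminates the surplus pods, so any management forwarding rules that point at those pods' addresses must be cleaned up separately.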