cSRX Deployment in AWS Using Elastic Kubernetes Service (EKS)
SUMMARY This topic provides an overview of cSRX Container Firewall Kubernetes orchestration in the AWS Cloud using AWS Elastic Kubernetes Service (EKS).
cSRX with Kubernetes Orchestration in AWS
Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. With Kubernetes support, the cSRX scales out in a cluster, running as an elastic firewall service with a smaller footprint than virtual machines (VMs). Kubernetes groups the containers that make up an application into logical units for easy management and discovery.
Kubernetes defines a set of building-block objects that collectively provide mechanisms for orchestrating containerized applications across a distributed cluster of nodes, based on system resources (CPU, memory, or other custom metrics). Kubernetes masks the complexity of managing a group of containers by providing REST APIs for the required functionality.
For more information, see cSRX Container Firewall with Kubernetes.
AWS provides managed Kubernetes as part of its service offerings. Orchestration and management of the cSRX in a Kubernetes environment using the Multus Container Network Interface (CNI) is already supported. With Kubernetes support, you can deploy, manage, orchestrate, scale out, and scale in the cSRX in a cluster that provides an elastic firewall service to application containers alongside other container workloads in the AWS environment. You can deploy the cSRX as a Kubernetes Service or as Pods.
AWS provides two orchestration services for containers: Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).
Amazon Elastic Kubernetes Service (EKS): This is a fully managed Kubernetes service that runs the open source Kubernetes distribution and fully supports it. EKS is an Amazon managed service for running Kubernetes applications on the AWS cloud. EKS sets up the Kubernetes control plane across multiple zones for high availability, detects and replaces unhealthy control plane instances, and applies automated version upgrades and patches when required. EKS is fully integrated with Elastic Container Registry (ECR), which holds container images; Identity and Access Management (IAM) roles for authentication; AWS VPC for network isolation; and Elastic Load Balancing for load distribution.
You can deploy and manage cSRX in the AWS cloud using EKS orchestration for cluster management with the bring your own license (BYOL) licensing model.
Benefits
- The managed Kubernetes service reduces the dependencies involved in setting up and operating the Kubernetes environment.
- Automated service provisioning and orchestration
- Distributed, multitenant traffic security
- Scalable security services with a small footprint
Amazon EKS
Overview
Amazon Elastic Kubernetes Service (Amazon EKS) gives you the flexibility to start, run, and scale Kubernetes applications in the AWS cloud or on-premises. Amazon EKS helps you provide highly available and secure clusters and automates key tasks such as patching, node provisioning, and running updates.
EKS runs upstream Kubernetes and is certified Kubernetes conformant for a predictable experience. You can easily migrate any standard Kubernetes application to EKS without needing to refactor your code.
EKS makes it easy to standardize operations across environments. You can run fully managed EKS clusters on AWS. You can have an open source, proven distribution of Kubernetes wherever you want for consistent operations with Amazon EKS. You can host and operate your Kubernetes clusters on-premises and at the edge and have a consistent cluster management experience with Amazon EKS.
You can fully use the open-source Kubernetes functionality through Elastic Kubernetes Service (EKS) on the AWS cloud. All the latest Kubernetes updates are available in the EKS framework.
cSRX is supported only on EKS with EC2 instances. EKS is fully integrated with Amazon CloudWatch, Auto Scaling groups, AWS Identity and Access Management (IAM), and Amazon Virtual Private Cloud (VPC), enabling a seamless environment for monitoring and load balancing cloud applications.
AWS with EKS provides a highly scalable control plane that runs on two different zones to provide high availability support. EKS is completely compatible with open-source Kubernetes, and you can easily migrate any standard Kubernetes application to EKS.
Figure 1 illustrates AWS EKS abstraction architecture.
AWS proprietary Multus with flannel CNI is supported for EKS cluster deployments.
The cSRX also integrates with other next-generation cloud orchestration tools such as Kubernetes.
The cSRX adds security enforcement points where none have existed before, offering the most comprehensive network security for Kubernetes deployments.
Benefits
- Provides faster boot time.
- Supports a small footprint to deliver highly agile, advanced security services in a container form factor.
cSRX supports easy, flexible, and highly scalable deployment options covering various customer use cases, including application protection and microsegmentation, through a Docker container management solution.
The cSRX, deployed as a service in a deployment object, allows scale-up and scale-down of the cSRX on demand. It functions as a firewall, protecting workloads deployed in the cluster with rich, advanced services configured.
Some deployments require highly agile and lightweight security virtual network functions (VNFs) that can scale massively. For such deployments, a VM-based VNF is not a scalable solution; a container-based security VNF is required.
- Supports network function service chains, allowing high availability as well as containerized security that scales individual network functions as needed.
- Provides management flexibility with NETCONF and Junos Space(R) Security Director to support integration with third-party management and cloud orchestration tools such as Kubernetes.
Also, with EKS, the latest security patches are applied to your cluster’s control plane to ensure security of your cluster.
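The deployment-object pattern described above (cSRX as a Deployment with a Multus secondary network, exposed as a Service for NETCONF management), written out as an added example manifest that is not part of this page or of Juniper's own documentation. It assumes Multus and the flannel CNI plugin are installed on the EKS worker nodes, that the image reference is a placeholder for your BYOL cSRX image in ECR, and that the capability set shown is a minimum; the exact privileges the cSRX image requires come from the cSRX deployment guide.

```yaml
# Added example, not from the page. Secondary (data-plane) network for the cSRX via Multus.
# Assumption: flannel CNI plugin available on the nodes; the cluster CNI stays the default.
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: csrx-data
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "flannel",
      "delegate": { "isDefaultGateway": false }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: csrx
  labels: { app: csrx }
spec:
  replicas: 2                       # scale out / scale in by changing this value
  selector:
    matchLabels: { app: csrx }
  template:
    metadata:
      labels: { app: csrx }
      annotations:
        # Multus attaches csrx-data as a second interface; eth0 stays on the cluster CNI
        k8s.v1.cni.cncf.io/networks: csrx-data
    spec:
      containers:
      - name: csrx
        image: <account>.dkr.ecr.<region>.amazonaws.com/csrx:<tag>   # placeholder (BYOL image)
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]      # assumption: minimum for the firewall to manage its interfaces
        resources:
          requests: { cpu: "1", memory: "2Gi" }   # assumption: size per your cSRX release notes
---
# Cluster-internal Service so management tooling reaches the cSRX over NETCONF (TCP 830)
apiVersion: v1
kind: Service
metadata:
  name: csrx
spec:
  selector: { app: csrx }
  ports:
  - name: netconf
    port: 830
    targetPort: 830
```

Apply with `kubectl apply -f csrx.yaml` and resize on demand with `kubectl scale deployment/csrx --replicas=4`, which is the scale-up/scale-down behaviour the page attributes to the deployment object.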