Multi-Cloud Networking and Security for Google Anthos
Istio is a commonly deployed service mesh project supported by Google. A service mesh by itself provides application-level service discovery, registry and segmentation. When traffic stays within a Kubernetes cluster, which typically sits inside a single VPC/VNet, the CNI plug-in, aided by native VPC or VNet routing, provides pod-to-pod connectivity within and across nodes. However, when application traffic leaves the local VPC/VNet boundary and has to reach a different VPC/VNet, go to on-prem, or egress to the internet, you need advanced networking and security services to control, secure and visualize that traffic. This is where the Aviatrix platform comes in.
The Aviatrix platform supports any service mesh offering; here we use Istio, as supported by Google Anthos, as the example.
Google Anthos promises a consistent management plane that supports a Google-supported version of Istio across various Kubernetes deployments such as GKE, AKS, EKS and on-prem. In this example, GKE-based Kubernetes clusters running Istio are deployed across multiple VPCs in GCP. This inter-VPC cluster communication is made possible by Aviatrix Transit, which provides a robust hub-and-spoke architecture.
In addition to multiple GKE clusters, a customer may also have EKS clusters deployed in AWS, or GKE on AWS. Aviatrix Transit makes it possible for the shared Istio control plane to be extended across clusters living in different regions and different clouds, all under the common management plane of Google Anthos, as seen in the following diagram.
With the above architecture, the Aviatrix platform enables Google Anthos to build secure and robust connectivity between GKE clusters wherever they reside, including on-prem. Aviatrix then provides additional capabilities such as:
- Egress filtering based on FQDN, limiting egress traffic to allowed domains only
- Multi-cloud security domains and segmentation policies to group VPCs and VNets that share the same security policy and air-gap them from other environments
- Connection policies that allow VPCs and VNets in different security domains to communicate with each other
- Insertion of next-generation firewalls
- Connectivity between Kubernetes and non-Kubernetes workloads
- Connectivity for users such as developers and contractors to specific VPCs anywhere on Aviatrix Transit in the public cloud
- Deep visibility, flow analytics and fine-grained troubleshooting capabilities
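To make the first item concrete, the following is an added illustration (not Aviatrix code, and not tied to any Aviatrix API) of what an FQDN-based egress allowlist has to decide for each outbound flow: per-source-VPC rules, exact versus wildcard domain matches, a port constraint, and the label-boundary pitfall where a naive suffix check would let `evilgoogleapis.com` pass as `*.googleapis.com`. The VPC names, domains and events are constructed sample data.

```python
"""Constructed example: evaluate egress flows against a per-VPC FQDN allowlist."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressEvent:
    """One outbound flow as a gateway or flow log would describe it."""
    source_vpc: str
    fqdn: str
    port: int


# Constructed allowlist: for each source VPC, (pattern, allowed ports).
# "*.example.com" matches subdomains only (not the apex); a bare name matches exactly.
ALLOWLIST = {
    "vpc-prod-gke": [("*.googleapis.com", {443}), ("github.com", {443})],
    "vpc-dev-gke": [("*.pypi.org", {443}), ("files.pythonhosted.org", {443})],
}


def normalize(fqdn: str) -> str:
    """Lower-case and drop a trailing dot so 'Host.Example.com.' == 'host.example.com'."""
    return fqdn.strip().lower().rstrip(".")


def matches(pattern: str, fqdn: str) -> bool:
    """True when fqdn satisfies pattern; wildcard matches respect the label boundary."""
    pattern, fqdn = normalize(pattern), normalize(fqdn)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot, e.g. ".googleapis.com"
        # Requiring the dot prevents "evilgoogleapis.com" from matching "*.googleapis.com";
        # the length check rejects an empty left-hand label.
        return fqdn.endswith(suffix) and len(fqdn) > len(suffix)
    return fqdn == pattern


def is_allowed(event: EgressEvent, allowlist=ALLOWLIST) -> bool:
    """Allow only if some rule for the source VPC matches both the FQDN and the port."""
    rules = allowlist.get(event.source_vpc, [])
    return any(matches(pattern, event.fqdn) and event.port in ports for pattern, ports in rules)


def evaluate(events, allowlist=ALLOWLIST):
    """Return (event, verdict) pairs; default-deny for unknown VPCs and unmatched domains."""
    return [(e, "ALLOW" if is_allowed(e, allowlist) else "DENY") for e in events]


# Constructed sample flows covering the cases a practitioner would test.
SAMPLE_EVENTS = [
    EgressEvent("vpc-prod-gke", "storage.googleapis.com", 443),   # wildcard match
    EgressEvent("vpc-prod-gke", "googleapis.com", 443),           # apex: wildcard does not cover it
    EgressEvent("vpc-prod-gke", "evilgoogleapis.com", 443),       # suffix-boundary pitfall
    EgressEvent("vpc-prod-gke", "github.com", 22),                # right host, wrong port
    EgressEvent("vpc-dev-gke", "Files.PythonHosted.org.", 443),   # case / trailing-dot normalization
    EgressEvent("vpc-unknown", "files.pythonhosted.org", 443),    # no rules for this VPC
]

if __name__ == "__main__":
    for event, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:5} {event.source_vpc:14} {event.fqdn}:{event.port}")
```

Whatever enforces this in production (an Aviatrix gateway, a proxy, or a mesh egress policy), the same three checks are worth verifying in a test: default deny for sources with no rules, wildcard patterns that stop at a label boundary, and normalization of case and trailing dots before comparison.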
Google Anthos provides a management layer on top of Kubernetes clusters and the service mesh to improve developer productivity and reduce SRE workload. However, Google Anthos, like any other service mesh or management/control plane offering, requires a network that is fast, reliable and secure, that can provision on-demand connectivity, and that provides deep visibility and troubleshooting capabilities. The Aviatrix platform provides all the connectivity and visibility that Google Anthos requires to work.