AWS re:Invent Highlights – Security, EKS, Kubernetes
By Gary Duan
This was my first time attending AWS re:Invent. NeuVector was also a sponsor and our team was here to meet with customers and discuss their use cases. Although Microsoft Azure and Google Cloud are rising rapidly, the vast user base of AWS and countless new features and improvements introduced every week make AWS the dominant force for a public cloud platform.
I couldn’t help noticing that security was one of the most prominent topics throughout the conference. Often it was the first topic addressed in keynotes and technical sessions, no matter what the subject was — compute, governance, container, storage, serverless or IoT. AWS has been aggressively introducing new features in the security space, such as an identity service, encryption service and VPC peering. These will benefit AWS customers as well as security vendors through delivery of a hardened and secured cloud platform.
Monitoring was another hot topic at the conference. New features were introduced and case studies presented on how to accurately and efficiently provide run-time visibility into network and applications in complex cloud environments, such as hybrid clouds and multi-region deployments. This focus also aligns with our vision, which is to provide unprecedented visibility and protection for container environments, from networking to systems and applications during run-time, including not only network firewall and DPI, but also process, user and application behavior.
I am also excited about the introduction of the AWS managed Kubernetes service – EKS. The NeuVector security solution supports and integrates with all major container platforms, including ECS and Kubernetes, but recently we have seen that Kubernetes has emerged as the de facto container orchestration system.
NeuVector’s integration with Kubernetes based platforms can be summarized as follows:
- Native Deployment. The NeuVector solution, delivered as containers, can be deployed just like any application container. Using the Deployment and DaemonSet constructs in Kubernetes, NeuVector's Controllers and Enforcers can be deployed at the same scale as the container cluster. Whenever new nodes are added to the cluster, the Enforcers are automatically scheduled onto the new node to protect its workloads.
- Agnostic to the SDN Layer. Whether you are using Calico, Flannel, Weave, the OpenShift OVS-based plugins, or even mixed pod networking such as CNI-Genie, all NeuVector functions work transparently and enforce network policies.
- Recognize Application Service Definitions. NeuVector containers automatically read application service definitions and understand how applications are deployed. This helps us build accurate networking and system behavior baselines.
- Granular Control with Namespace and Project. Customers often use namespaces and projects (OpenShift) to achieve role-based access control and network policy. By automatically learning which namespaces applications run in, we provide granular control based on namespace and simplify the definition of network segmentation policy.
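To make the first and last points above concrete, here is an added example of the two Kubernetes constructs involved. It is not a NeuVector manifest: the names (`example-enforcer`, `example-security`, the `frontend` and `backend` namespaces and the `name: frontend` label) and the placeholder image are assumptions. The DaemonSet places one node-level agent on every worker node, including nodes that join later, and the NetworkPolicy shows namespace-scoped segmentation of the kind described in the last bullet.

```yaml
# Added example, not NeuVector's own manifests. All names and the image are placeholders.
# 1) A DaemonSet: the controller keeps exactly one pod of this template on every node,
#    so a node that joins the cluster tomorrow gets the agent without any manual step.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: example-enforcer        # hypothetical name
  namespace: example-security   # hypothetical namespace
spec:
  selector:
    matchLabels:
      app: example-enforcer
  template:
    metadata:
      labels:
        app: example-enforcer
    spec:
      hostNetwork: true         # see the node's network traffic, not just the pod's
      hostPID: true             # observe process activity of containers on the node
      tolerations:
      - operator: Exists        # schedule even on tainted nodes (e.g. control plane)
      containers:
      - name: enforcer
        image: registry.example.com/enforcer:placeholder   # placeholder image
        securityContext:
          privileged: true      # needed for packet capture / netfilter hooks
        volumeMounts:
        - name: docker-sock
          mountPath: /var/run/docker.sock
          readOnly: true        # read-only: the agent discovers workloads, it does not manage them
      volumes:
      - name: docker-sock
        hostPath:
          path: /var/run/docker.sock
---
# 2) A namespace-scoped NetworkPolicy: pods in "backend" accept ingress only on
#    TCP/8080 and only from pods in the namespace labelled name=frontend.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-only-from-frontend
  namespace: backend            # hypothetical namespace
spec:
  podSelector: {}               # empty selector: applies to every pod in "backend"
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: frontend        # assumes the frontend namespace carries this label
    ports:
    - protocol: TCP
      port: 8080
```

Apply both with `kubectl apply -f <file>`. Two checks a practitioner will want: `kubectl get daemonset -n example-security` should report the same number of `DESIRED` and `READY` pods as there are schedulable nodes, and, because a NetworkPolicy is only enforced if the CNI plugin implements it (Calico and Weave do, plain Flannel does not), a quick `kubectl exec` from a pod outside `frontend` to a `backend` service port is the way to confirm the deny actually takes effect.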
Because AWS EKS is a Kubernetes based platform, NeuVector’s solution will work ‘out of the box.’ We will continue to improve on this platform to provide better integration, visibility and protection for EKS users.
AWS also announced the Fargate container service. This service allows users to deploy containers just like an EC2 instance, without losing the scalability and availability that containers offer. As this new service evolves, NeuVector will look to provide our leading container network security protections for its users. It's exciting to work in this space with all the container innovations emerging every day, while helping customers secure their environments along the way.
About the Author: Gary Duan
Gary is the Co-Founder and CTO of NeuVector. He has over 15 years of experience in networking, security, cloud, and data center software. He was the architect of Fortinet’s award winning DPI product and has managed development teams at Fortinet, Cisco and Altigen. His technology expertise includes IDS/IPS, OpenStack, NSX and orchestration systems. He holds several patents in security and data center technology.