Integration with Service Mesh for Microservices on AWS brings deep network visibility and protection for microservices on Amazon ECS and Amazon EKS
Today NeuVector is announcing that the NeuVector container security platform is now integrated and compatible with AWS App Mesh. This means that the NeuVector container firewall can extend its deep network visibility and protection for Kubernetes to microservices running on AWS App Mesh. The NeuVector Layer 7 container firewall provides network inspection, threat detection, and automated segmentation to both service mesh and non-service mesh workloads. In addition, the end-to-end container security solution provides vulnerability management, admission controls, and run-time security.
What is AWS App Mesh?
AWS App Mesh is a service mesh that allows you to easily monitor and control communications across microservices applications on AWS. You can use App Mesh with microservices running on Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Container Service for Kubernetes (Amazon EKS), and Kubernetes running on Amazon EC2.
The benefits of App Mesh include:
End-to-end visibility. App Mesh consistently captures metrics, logs, and traces from every microservice.
Ensure high availability. App Mesh gives you controls to configure how traffic flows between your microservices.
Streamline operations. App Mesh deploys and configures a proxy that manages all communications traffic to and from your containers.
NeuVector Secures Service Mesh Workloads and System Containers
Service mesh platforms provide routing and authentication of pod-to-pod (container-to-container) connections and can encrypt the communication between pods. NeuVector’s unique and patented technology adds another layer of security by enabling deep packet inspection before the AWS App Mesh encryption begins. This integration with service mesh technologies enables NeuVector to deliver strong network threat detection and application layer visualization for AWS App Mesh, Istio, Linkerd2 and other service mesh-based applications – including their sidecar containers – from the moment the NeuVector container network security solution is deployed to Kubernetes environments.
As seen in the screen shot below, NeuVector discovers the AWS App Mesh pods, and provides unique visualization and monitoring of all traffic between application containers (workloads) and the Envoy sidecar container, as well as encrypted communication between Envoy proxies.
The benefits of the NeuVector container security solution for customers using AWS App Mesh include:
- Discovery and monitoring of all AWS App Mesh system containers including control plane and data plane connections. These system container connections can be hidden to focus on application workloads.
- Network threat detection, even within trusted connections between pods. Attacks can be detected using deep packet inspection for DDoS, sql injection, and other threats, even for encrypted traffic between pods.
- Automated segmentation using behavioral learning. Connections are learned and automatically whitelisted to segment traffic across namespaces, hosts and other boundaries, enabling true scalability for cloud microservices.
- Multi-protocol and hybrid protections. NeuVector supports a broader range of HTTP protocols than a service mesh supports, as well as ICMP and UDP to support applications and detect attacks. Hybrid service mesh and non-service mesh workloads are protected within a single cluster.
- Data Loss Prevention (DLP). DLP protection, requiring inspection of network payloads, to detect credit card data, PII, and other sensitive data as announced last month.
- Monitor ingress/egress connections from the service mesh to other AWS services. Connections between containers and non-containerized services or those running outside the cluster are monitored, with threats and violations being detected and prevented.
“We selected NeuVector to protect containers in production because it combines network and run-time security with vulnerability management for compliance,” said Christian Hüning, System Architect, figo GmbH. “NeuVector is continuing its innovation by providing deep network visibility into service mesh encrypted traffic.”
For more details on how NeuVector protects service mesh deployments, please see this article and demo video by Chip Hwang.