Cloud providers have invested heavily in cloud infrastructure facilities and equipment, making it easy to distribute resources across the globe. Despite the global reach, users hoping to run additional network services like Nginx, HAproxy, or Snort have to use additional VMs and servers. Adding VMs to the network can get very expensive and quickly complicate a network topology.

Connecting Resources with Docker

When one of our customers asked us to help them simplify and save virtual machine runtime, we got creative and tried out a new technology called Docker. We integrated Docker into VNS3, our virtual networking product, to streamline how customers manage virtual networks. We bet on this technology even though it is less than a year old because Docker is solving an age-old problem of efficiently using virtual machines with the container concept. With Docker, VNS3 users can load applications into one device instead of separate VMs. VNS3 provides the core network functions in layers 2-4, while Docker providers a place to run additional layer 4-7 functions.

To add more geographic variety to the mix, we set up availability zones in HP Public Cloud data centers across the U.S. Manager 1 and the Sinatra app server are in US West AZ 1.  We put the primary database and Manager 2 in US West AZ 2, and put the backup database and Manager 3 in Virginia at US East AZ 1.

The overlay network joins them all together into one logical network. By spreading the topology across three different cloud regions, or even cloud providers, the overlay network can combat vendor lock-in. Overlay networks let the customer run the usual HTTP and SSL connections in addition to protocols like multicast that frequently aren’t supported in public clouds.

Nginx Web Servers and mySQL Databases

In the Cloudscaling private cloud data center, we set up a simple Ubuntu (News - Alert) server running Nginx. The Nginx web server acts as a reverse proxy: Nginx sits at the front end and redirects all traffic to the application server based in US West AZ 1. The Nginx server is connected to the Sinatra application server on that same IP address in HP cloud availability zone 1. In HP region US West 2, there is a MySQL database.  

The connection between the Nginx web server and VNS3 Manager 1 (as well as the Sinatra app server sitting behind it) is over a secure IPsec connection. Users can configure that IPsec connection in the VNS3 Manager administrator browser UI.  

In the Admin panel, the Manager IP address (192.168.56.253, in this case) has a single connected client. Users can also use the browser UI to view displays and set the client’s physical IP, set an overlay IP address, and set connections to other Managers.

The encrypted IPsec connection creates a tunnel between the subnets within this cloud and across the other three cloud availability zones. Any packets being sent to the Sinatra app server or the app server database are being sent down the encrypted tunnel.

The VNS3 Manager UI lets users manage and view the app server’s connections to Manager 1, the physical IP address, and the other end where the IPsec tunnel connects to the web server from the UI. Also, users can check their security settings with information on the Manager pages. If the Manager 2 and Manager 3 admin pages show the same checksum settings, and users can validate the Managers are peered together with the same cryptographic keys to form a single, secure subnet overlay.

Scaling Up for Savings

A standard extra small Linux instance type in the HP cloud would be suitable for a standalone Nginx VM. HP Cloud’s extra small currently costs $0.03 per hour, which comes out at $21.9 per month or $262.97 per year. While it is a relatively small savings for this single Nginx VM, think about the costs of running several VMs for a scaled-out enterprise project. If a project requires a distinct VM with larger RAM (News - Alert) requirements, the incremental cost can add up. By using containers to reduce both runtime fees and the number of VMs, using VNS3 with Docker saves money by an order of magnitude. 

Ultimately, our customer used the foundational functions of VNS3 – running an app server in one cloud while connected to a data center in another cloud – and the new Docker features in version 3.5 to do more with virtual networking. They economized cloud networking functions and saved VM runtime across multiple cloud regions. Their VMs can also be moved from one cloud to another using an overlay network.

Building overlay networks on top of the public clouds’ compute and network resources extends traditional LAN or WAN networks with extra security, such as SSL encryption of all data in motion and IPsec VPN connections.   

Our customer has saved roughly $21.60 per month on VM runtime fees of since using Nginx reverse proxy in public cloud inside VNS3 3.5. This use case is exciting because our customer is now able to reduce cloud runtime capex by simplifying the number of VMs needed to run application servers in the cloud. It also avoids vendor lock-in with the ability to move an IP address from one cloud to another by creating cryptographic identities based in the client packs. The flexibility of network topology helps bind VNS3 Managers in one network, allowing multi-availability zone, multi-region, and multi-provider capability. This approach also allows users and their partners to build industry-compliant security measures into the overlay network using SSL and IPsec in a virtual private network. The traffic to each cloud and inside each cloud region is encrypted and never stored in plain text. And it can simplify cloud networking by keeping multicast protocols while other cloud networks disable multicast. The UI-based management tool also helps network administrators keep tabs on the setup, security, and topology to reduce management headaches.