Lifting The Lid On Microsoft Advanced Container Networking Services
Microsoft Advanced Container Networking Services arrived this month. The service follows a move in March 2024 to open source the Retina project, a cloud-agnostic, cloud-native container networking observability platform that lets Kubernetes developers and sysadmins visualize, observe, debug and analyze Kubernetes workload traffic irrespective of Container Network Interface (CNI), operating system or cloud.
With Redmond’s cloud team perhaps envisioning some form of systematic synchronous serendipity, close cousins working on Microsoft’s Azure Container Networking say that the project is a suite of services built on top of existing networking solutions for Azure Kubernetes Service (AKS) to address the challenges around observability, security and compliance, i.e. goals not wholly dissimilar from those of Retina.
The debut feature here is an Advanced Network Observability function designed to provide monitoring and diagnostics tools for visibility into containerized workloads.
Designed to enhance the operational capabilities of Azure Kubernetes Service (AKS) clusters, Advanced Container Networking Services is a suite of services that aims to address what Microsoft calls the “multifaceted and intricate needs” of modern containerized applications – which, arguably, is a somewhat glossy way of saying that this service provides a deep dive into network traffic and application performance.
High-Resolution Observability Goggles?
Why is Kubernetes so tough to manage per se, i.e. to such a degree that Microsoft wants to provide these higher-resolution observability goggles? There are many reasons, but we could mention the challenges associated with automating security guardrails across and throughout the software container lifecycle. Delivering real-time threat protection where container workloads shoulder new streams of real-time data is no point-and-click task, especially as systems scale and expand. Continuously validating Azure Kubernetes Service (AKS) clusters for compliance with industry standards such as PCI and NIST, across both build and runtime deployment zones, is another such challenge, and vendors like Sysdig have sought to address it with tailored solutions. Complex software deployments in this space, with exacting performance and reliability goals, will need a precision-engineered service to provide observability analysis, so this is all part of the justification for additional insight at this level.
“Advanced Network Observability is the inaugural feature of the Advanced Container Networking Services suite bringing the power of Hubble’s control plane to both Cilium and non-Cilium Linux data planes,” write Microsoft Azure’s Deepak Bansal, corporate VP and technical fellow, and Chandan Aggarwal, partner group engineering manager, on an Azure blog channel. “It unlocks Hubble metrics, Hubble’s command line interface (CLI) and the Hubble user interface (UI) on AKS clusters providing deep insights into your containerized workloads. Advanced Network Observability empowers customers to precisely detect and root-cause network-related issues in a Kubernetes cluster.”
As a reminder, Hubble is a fully distributed networking and security observability platform for cloud-native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services, as well as the networking infrastructure, in a completely transparent manner. This capability provides network flow information in the form of metrics or flow logs at pod-level granularity by collecting data in real time from the Linux kernel using extended Berkeley Packet Filter (eBPF) technology.
Cloud-focused developers will be able to use this service to trace packet flows across clusters to understand and debug complex networking behaviors with on-demand Hubble command line interface (CLI) network flows.
They can also visualize network dependencies and interactions between services to ensure optimal configuration and performance with an unmanaged Hubble UI. Ultimately, they will be able to generate detailed metrics and logs to meet compliance requirements and enhance security postures.
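To make the pod-level flow logs and root-causing described above concrete, here is an added Python example that is not from the article, Microsoft or the Cilium project: it scans newline-delimited Hubble flow records and summarises dropped flows per source pod, destination pod, port and drop reason. The JSON field names are assumed from Hubble's flow format (what `hubble observe -o json` emits), the sample records are constructed, and the routine also tolerates a truncated trailing record and UDP as well as TCP flows.

```python
import json
from collections import Counter

# Constructed sample: Hubble flow records in the newline-delimited JSON shape
# that `hubble observe -o json` emits (field names assumed from Hubble's flow
# format; all values are invented for this example). The last line is cut off,
# as a live stream can be.
SAMPLE_FLOWS = """\
{"time": "2024-05-30T10:00:01Z", "flow": {"verdict": "FORWARDED", "source": {"namespace": "shop", "pod_name": "web-7d9f"}, "destination": {"namespace": "shop", "pod_name": "api-5c2a"}, "l4": {"TCP": {"destination_port": 8080}}}}
{"time": "2024-05-30T10:00:02Z", "flow": {"verdict": "DROPPED", "drop_reason_desc": "POLICY_DENIED", "source": {"namespace": "shop", "pod_name": "web-7d9f"}, "destination": {"namespace": "payments", "pod_name": "ledger-11ab"}, "l4": {"TCP": {"destination_port": 5432}}}}
{"time": "2024-05-30T10:00:03Z", "flow": {"verdict": "DROPPED", "drop_reason_desc": "POLICY_DENIED", "source": {"namespace": "shop", "pod_name": "web-7d9f"}, "destination": {"namespace": "payments", "pod_name": "ledger-11ab"}, "l4": {"TCP": {"destination_port": 5432}}}}
{"time": "2024-05-30T10:00:04Z", "flow": {"verdict": "DROPPED", "drop_reason_desc": "POLICY_DENIED", "source": {"namespace": "shop", "pod_name": "web-7d9f"}, "destination": {"namespace": "kube-system", "pod_name": "coredns-1"}, "l4": {"UDP": {"destination_port": 53}}}}
{"time": "2024-05-30T10:00:05Z", "flow": {"verdict": "DROPPED", "sou
"""


def endpoint(ep):
    """Render a Hubble endpoint as namespace/pod ('?' where the record lacks it)."""
    return f"{ep.get('namespace', '?')}/{ep.get('pod_name', '?')}"


def dropped_flow_summary(ndjson_text):
    """Count DROPPED flows per (source, destination, port, drop reason).

    Malformed lines are skipped rather than aborting the scan, because a
    live flow stream may be cut mid-record.
    """
    counts = Counter()
    for line in ndjson_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        flow = rec.get("flow", {})
        if flow.get("verdict") != "DROPPED":
            continue
        l4 = flow.get("l4", {})
        proto = l4.get("TCP") or l4.get("UDP") or {}
        key = (endpoint(flow.get("source", {})),
               endpoint(flow.get("destination", {})),
               proto.get("destination_port"),
               flow.get("drop_reason_desc", "UNKNOWN"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, port, why), n in dropped_flow_summary(SAMPLE_FLOWS).most_common():
        print(f"{n:>3} x {src} -> {dst}:{port} ({why})")
```

Repeated entries for the same source/destination/port tuple are the ones worth checking against the intended network policy first.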