View Only
last person joined: one month ago 

Ask questions and share experiences with Juniper’s Cloud-Native Contrail Networking (CN2).

Network Connectivity in Kubernetes

  • 1.  Network Connectivity in Kubernetes

    Posted 05-08-2023 19:38

    Network Connectivity in Kubernetes

    Virtual networking has revolutionized the way organizations build and manage their application infrastructure. With virtual networks, administrators can create complex network topologies that are tightly coupled to their application demands without compromising scalability or manageability. In this blog post, we will explore the concept of virtual networking in Kubernetes and examine two popular logical topologies: mesh and hub-spoke.

    Previously we discussed the importance of network segmentation in your cluster. In this blog we will build on that topic by demonstrating how network segment connectivity can be automated and simplified. While there are multiple topology options, network operators generally deploy one of two network patterns – fully meshed or hub-and-spoke. These topologies are found throughout all communications and transportation networks – most recognizably in the airline industry. Many complex communications architectures can be created through the combination of these two simple patterns. 

    Airline Topology Meme

    Virtual Networks and Virtual Network Topologies

    In the previous blog we learned to create virtual networks for any Kubernetes workloads (aka,  microservices).  A Virtual Network is a logical grouping of workloads which can span multiple physical hosts and geographical locations. Using routing protocols and tunneling technologies, virtual networks can interconnect virtual machines and container workloads to cloud services, resources, or other workloads. 

    Virtual Networks are isolated by default, but by using logical constructs like virtual network routers (VNRs) connectivity can be enabled between workloads of different virtual networks in an automated and dynamic fashion.

    Behind the scenes Virtual Network Routers (VNR) perform route leaking between Virtual Networks. Route leaking establishes connectivity between Virtual Networks by importing routes and the routing tables associated with these instances. As a result, endpoints in one virtual network can access endpoints in another virtual network.

    Fully Meshed Topologies

    In a mesh topology, all selected endpoints are interconnected enabling bidirectional communication for any-to-any connectivity. The mesh topology provides a highly flexible and scalable way to interconnect workloads, allowing for rapid deployment and dynamic scaling of applications. It simplifies network management and reduces operational burden, while also providing reliable and fast communication between applications and workloads.

    Mesh topologies are well suited for any to any communication required between networks' endpoints.

    This topology is achieved by deploying a Virtual Network Router (VNR) with a "mesh" type configuration, which connects separate virtual networks and allows for full workload-to-workload communication among all the workloads of the virtual networks. 

    Mesh Topology Example: 

    Mesh Topology


    Hub and Spoke Topologies

    In a hub and spoke topology, bidirectional connectivity is allowed between spoke endpoints to hub endpoints. Hub virtual networks are non-transitive, where endpoints in a spoke cannot connect to endpoints in another spoke. The hub and spoke topology provides a centralized architecture for managing and distributing network traffic across hub and spoke networks.

    Hub-and-spoke topologies are well suited to provide access to common services like telemetry, or any other management functions, where the hub networks provide access to common services.

    To create a hub-and-spoke topology you must create at least two VNRs, one to act as the hub, and any number of spokes. A Virtual Network Router (VNR) with a 'hub' type configuration is deployed to bring together the workloads of separate virtual networks. Similarly, create Virtual Network Router (VNR) with 'spoke' type configuration to bring together the workloads of separate virtual networks in to spoke, then pair these two Virtual Network Routers to connect them together.

    Hub-Spoke Topology Example:

    Hub-Spoke Topology


    Hybrid Topologies

    In a hybrid deployment, multiple topologies are combined to create a forwarding paradigm that perfectly matches the application requirements. For example, a mesh topology may be used for core application communications with a hub-and-spoke topology used to connect subtended microservices. A hybrid topology optimizes reachability and isolation with flexibility and security. 

    Hybrid Topology

    How can network topologies enhance Kubernetes application security?

    Using Kubernetes Custom Resource (CR), virtual networking can be brought to cloud-native ecosystems to enhance the scalability and security beyond Kubernetes default connectivity. As applications are defined and pods are deployed, CRs , annotations, and labels are used to dynamically associate pods to targeted virtual networks.  Kubernetes CRs and label-based resource selection are a powerful mechanism using abstraction to automate the assignment of compute, storage, and networking resources in a dynamic environment. Using the network topologies connect only needed virtual networks for communication across networks.

    BGP for networks and topologies

    Because clouds are essentially networks, the use of familiar protocols like BGP is both important and intentional. Using the same protocols supported by traditional networking equipment also simplifies connectivity between on-premises and cloud-hosted workloads and networks. 

    CN2 uses Virtual Routing and Forwarding (VRF) and Multiprotocol BGP (MP-BGP) to implement virtual networks. When a virtual network is created in CN2, a separate VRF is also created to isolate virtual network traffic from other virtual networks. This provides an additional layer of security and ensures that virtual network traffic is only visible within the virtual network. BGP is used by CN2 to exchange routing information between different virtual networks. When a workload in one virtual network needs to communicate with a workload in another virtual network, CN2 will use BGP to exchange prefixes  between the VRFs. Overall, the combination of VRFs and BGP in CN2 provides a robust and scalable mechanism for implementing virtual networks and exchanging routing information with the physical network.


    Virtual networks provide a powerful and flexible way to create segmentation and security in our application delivery environments. Mesh and Hub-Spoke topologies are two popular network topologies to connect virtual networks used within cloud-native environments to easily enforce isolation and security between applications. By mapping the concepts of virtual networks and network topologies to Kubernetes, a highly scalable and fault-tolerant secure application infrastructure is created to meet the needs of your business and your customers.  

    What's Next?

    Tune in to the next blog in the series to learn how to easily connect multiple Kubernetes clusters.

    Prasad Miriyala