Cloud-Native Contrail Networking


Product Overview

Service providers and enterprises are evolving to cloud-native using the same technologies as the public cloud providers to achieve greater agility, flexibility, and improved economics across a hybrid-cloud ecosystem. Contrail Networking is a Kubernetes-native SDN that secures and automates virtualized Infrastructure as a Service (IaaS) and multiple containerized application clusters into an integrated network. With support for OpenStack and Kubernetes orchestration, Contrail Networking delivers hybrid-SDN for a consistent NetOps and infrastructure-as-code model that is open, simple, and secure, allowing organizations to migrate to cloud-native at their own pace.  

 


Product Description

Service providers and enterprises rely on the cloud-native operational model to run scalable applications in modern, dynamic environments such as private, public, and hybrid clouds. Beneath and alongside the cloud and cloud-native abstraction and platforms, legacy systems and applications must communicate with dynamic and ephemeral workloads across a physical network connecting end users, legacy systems, applications, and partners.

Cloud-native API-driven microservice architectures increase development, IT, and service agility, but they pose a networking challenge requiring massive API communication running over the network. Such networking infrastructure must be secure, automated, scalable, reliable, and programmable to deliver on the promise of cloud-native agility, elasticity economics, and digital-age expectations of service assurance. With Contrail® Networking™, organizations can extend Kubernetes to simplify DevOps and to orchestrate containerized microservices with intent-based declarative provisioning and APIs. By adding automation for security, management, and more through Contrail Networking, organizations can focus on developing and delivering innovative technology products and services to their customers quickly.

Contrail Networking is a cloud-native, SDN solution that automates the creation and management of virtualized networks to connect, isolate, and secure cloud workloads and services seamlessly across private and public clouds. Using the standard Neutron interface and Container Network Interface (CNI), Contrail Networking integrates with all OpenStack, OpenShift, and Kubernetes distributions delivering hybrid SDN orchestration for virtualized switching, routing, security, Network Address Translation (NAT), load balancing, and more.

Contrail Networking preserves investments in existing orchestration platforms, licenses, skills, and processes. It provides dynamic end-to-end virtual networking and security for cloud-native containerized workloads, as well as virtual machine (VM) workloads, across multicluster compute and storage environments, from a single point of operations. It is well suited to the requirement of hard multitenancy for single or multicluster environments shared across many tenants, teams, applications, or engineering phases. It scales well in tenants, virtual networks, policies, and compute nodes, where AT&T, eBay, NTT, and Workday, for example, use it to manage virtual networking in clusters of thousands of nodes.

Contrail Networking operates with centralized control over a distributed set of vRouter forwarding planes on all worker nodes in the cluster. Contrail Networking offers advanced networking but with simplified configurations and management for features like overlay and underlay forwarding; service chaining; federation of gateways, controllers, and VNF workloads; remote-edge compute clusters; and dynamic network learning. Its carrier-grade feature set is why tier-1 service providers like British Telecom, Deutsche Telekom, Etisalat, and Saudi Telecom rely on Contrail Networking for telco cloud.

 


Figure 1: Contrail Networking supports distributed policy enforcement with centralized policy definition.

Architecture and Key Components

Contrail Networking has the following key components: 

 

Modern, Kubernetes-Native Management and Control Plane

Contrail Networking’s modernized control and management plane operates natively in Kubernetes to simplify its deployment and automate upgrades. Configurations are modeled with intent-based, declarative custom resources, extending Kubernetes and lending themselves well to infrastructure-as-code and GitOps. High availability and high scale are implemented in three or more nodes per cluster for carrier-grade production environments.

 

High-Performance Contrail Networking vRouter Data Plane

Contrail Networking’s vRouter forwarding plane delivers high-performance networking for VM, container, and bare-metal server workloads with kernel, Data Plane Development Kit (DPDK), and SmartNIC implementations to optimize CPU resources, space, and cost. The vRouter provides consistent, high-performance forwarding for both OpenStack and Kubernetes workloads to unify environments and simplify operations. Centrally managed and programmable, Contrail Networking's vRouter delivers distributed forwarding and security enforcement at the edge of the data center, cloud, and network to support low-latency, high-capacity applications.  

 

Contrail Networking Management Web GUI and Plug-Ins

Contrail Networking has a plug-in for the open-source Lens GUI. The Lens plug-in provides troubleshooting and debug tools across the multicluster and works with any Kubernetes orchestration. A Web GUI further enhances Contrail Networking and Kubernetes multicluster provisioning and simultaneous observability. Both GUIs are optional, as are all analytics add-ons that provide Grafana dashboards. Users can choose the types of operations tooling that work best for them.

 

Key Capabilities

Cloud-Native Networking

Built upon a Kubernetes-native control plane, Contrail Networking is cloud-native and Kubernetes-native, enabling SDN operations portability and a consistent experience across hybrid clouds and diverse orchestration distributions. 

 

SDN for Hybrid and Mixed Orchestration

Contrail Networking integrates any Kubernetes and OpenStack platforms into a hybrid SDN to support virtualized and containerized workloads and operational investments as organizations evolve to cloud-native and need to straddle hybrid, multicloud, and multivendor orchestration platform distributions.

 

NetOps-Driven Automation

Contrail Networking is tested, qualified, and deployed using project Argo-based Contrail Networking with Pipelines, a GitOps and Continuous Integration/Continuous Delivery (CI/CD) model for NetOps to deliver reliability engineering at hyperscaler speed. Networking infrastructure-as-code, provisioning workflows-as-code, and test/staging workflows-as-code using the Contrail Networking Pipelines test suites simplify operator qualification and life-cycle management of Contrail Networking with any Kubernetes distribution, custom environments, and custom workloads.

 

Multicluster Management and Scale

Contrail Networking reduces the cost and complexity of multicluster operations, using a single Contrail Networking instance to serve as the CNI for many Kubernetes clusters for intra- and inter-cluster connectivity as well as cluster load balancing to enhance performance and availability. The Contrail Networking Web GUI also streamlines operations across user-defined groups of multiple clusters—by team, by deployment purpose, or by geography. In addition, network federation, Kubernetes federation, and Prometheus federation provide one-to-many centralized management and control to achieve operational scale and reduce costs for distributed and prolific multicluster deployments.

 

Edge and Remote Compute

Centrally managed and programmable, Contrail Networking’s low-profile vRouter data plane supports edge “Remote Compute,” a deployment model that simplifies cloud orchestration and operations for numerous space-constrained, distributed edge sites to deliver operational scale and reduced OpEx. This goes beyond the stretched OpenStack or Kubernetes cluster architecture to further optimize local network overlay-network gateways at each remote site without any distributed Contrail Networking Controller software overhead.

 

Application-Aware Security and Service Chaining

Contrail Networking features a logically centralized, policy-based rules engine to define, apply, and manage granular security policies that are enforced through the distributed fleet of vRouters on all cluster nodes. SecOps tasks of definition, application, and enforcement visibility are simpler and superior to Kubernetes Network Policy objects and complementary to optional service mesh policies. Using metadata, user-defined tags, and attributes, Contrail Networking’s security and encryption mode simplifies security and privacy administration at scale with dynamic security policies that follow namespaces, services, and workloads across clusters.

Contrail Networking’s security features are further extended and enhanced by Juniper Networks® vSRX Virtual Firewall and Juniper Networks cSRX Container Firewall. These are virtualized and containerized next-generation stateful firewalls that complement Contrail Networking’s service chaining and insertion capabilities. Service chaining is also compatible with third-party firewalls and virtualized network functions (VNFs). Moreover, Juniper Connected Security products help organizations safeguard their entire estate, data, and users through a threat-aware network. Juniper Cloud Workload Protection shields cloud-native workloads from zero-day threats, and Juniper Advanced Threat Prevention service protects against known and unknown threats while assessing and verifying server and workload risk, even in encrypted traffic.  

 

Unmatched Advanced Networking Services

Embedded services like BGP as a Service (BGPaaS), native equal-cost multipath (ECMP) (without kube-proxy), and vRouter L2 multilink bonding and L3 multihoming eliminate the cost and complexity of integrating third-party products and simplify the delivery of advanced services. Typical cloud-native bolt-ons such as ingress controller, multi-NIC capabilities, load balancing, and firewalls are built in. Controller support for internal and external BGP (iBGP and eBGP) InterAS options seamlessly extends the network into existing MPLS networks to simplify legacy integrations. 

 

Enhanced Observability

With optional and configurable analytics for monitoring and troubleshooting, Contrail Networking provides enhanced observability with plug-and-play usability for some of the most popular open-source projects like Prometheus, InfluxDB, Grafana, FluentD, and ElasticStack for ease of use, platform flexibility, and low cost. Traffic mirroring and flow analytics can be used for situational awareness, troubleshooting, and regulatory compliance.

 

Ultra-Fast, High Performance

The Contrail Networking vRouter forwarding plane delivers high-performance networking for VM and container workloads with kernel, DPDK, and SmartNIC implementations. This delivers an assured application experience while preserving valuable CPU resources for revenue-generating services. An eBPF form factor of Contrail Networking vRouter is in limited tech preview.

 

Key Benefits

  • Simple: Automates Day-0 to Day-2 cloud networking using a NetOps model for CI/CD to simplify life-cycle management delivering quality, stability, and always-on reliability. Contrail Networking is easy to try in simplified Kubernetes environments like minikube and cloud-based Terraform automated deployments.
  • Cloud-Native: Protects and integrates existing VNF workloads, tools, and operations into a hybrid OpenStack and Kubernetes cloud to reduce training requirements for internal teams, speed time to market for new services, and lower costs while seamlessly evolving to cloud-native.
  • Operationally Consistent: Unifies operational expertise and processes to enable workload portability and operational independence across a hybrid-cloud ecosystem to improve economics and deliver partnership flexibility, simplicity, and choice.
  • DevOps-Friendly: Enables larger multipurpose and multitenant clusters to be elegantly secured through isolation and still benefit from overlapping network addressing for consistency and conflict avoidance. Additionally, all of Contrail Networking’s configuration can be partitioned and managed as code alongside various applications driven by GitOps. This model streamlines DevOps and improves application security policy design and compliance.
  • Advanced: Automates and simplifies cloud networking with highly scalable overlays and service chaining without limiting protocol support or requiring distributed routing protocol agents with complex configuration. Contrail Networking easily federates to share virtual networks and routes using standards-based BGP with other Contrail Networking instances, workloads, and external devices.  

 

Contrail Networking Use Cases

Enterprises and service providers can use Contrail Networking to:

 

Deploy Distributed 5G Edge Clouds

  • Deliver 5G enhanced Mobile Broadband (eMBB), massive Machine Type Communications (mMTC), and Ultra-Reliable Low-Latency Communications (URLLC) services distributing high-performance, low-profile remote compute cloud networking to the network edge 
  • Contain cluster sprawl with multicluster management and federation
  • Operationally scale and simplify highly distributed edge clouds with Juniper Apstra collapsed-fabric integration  

 

Secure Networking in the Cloud

  • Mitigate lateral attacks and unrestricted cluster connectivity using dynamic networking policy to isolate network segments and traffic within and across clusters   
  • Distribute security policy at the edge using microsegmentation to protect worker node traffic, user data, and applications  
  • Partition and isolate namespaces, services, and pod networking to reduce your applications’ exposure to external networks  
  • Manage security policy at scale using global security policies across multicluster networks 
  • Extend and enhance security features through the Juniper Connected Security and zero touch security portfolios of physical, virtual, and containerized Juniper Networks SRX Series firewalls, Juniper Cloud Workload Protection, and Juniper Advanced Threat Prevention (malware protection)

 

Simplify Hybrid Cloud and Multicloud

  • Simplify Kubernetes operations with a common network services model and API across multiple cloud and on-premises deployments
  • Simplify operations across OpenStack, OpenShift, and Kubernetes and multiple distributions with this hybrid SDN tool and its consistent model, API, and operational experience

 

Automate VNF/CNF Deployments Through Service Chaining of Any Network and Security Service

  • Provide service orchestration of any Juniper or third-party network and security service (physical or virtual)
  • Instantly add, update, and delete reachability for ephemeral telco workloads (5G, radio access network (RAN), etc.) through BGPaaS
  • Insert waypoint advanced network services (next-generation firewall, IPsec, source NAT, destination NAT, etc.) with on-demand service chain insertion  
  • Provide virtualized subscriber or business edge with chaining of services, including deep packet inspection (DPI), security (firewall, anti-DDoS), proxies, and caching

 

Key Features

Table 1: Key Features

Advanced Networking

  • Routing and bridging: Juniper has a full suite of L2 (EVPN, VLAN, VXLAN) and L3 (eBGP, iBGP, MP-BGP, MPLS) services to deploy full-featured, scalable networking solutions. Integration into existing data center fabrics and MPLS backbones is seamless.
  • Traffic mirroring and flow analytics: Statistics collection and monitoring of flows bring greater visibility into the behavior of the traffic and policy conformance in your cluster. Traffic can be mirrored to virtual and physical devices for integration with external analysis platforms.
  • Hub/spoke and mesh virtual network topology: Contrail Networking constructs logical network topologies using flexible, virtual network routers. This mechanism enforces network isolation into virtual networks that are more elegant than security policies and shared easily through network federation.
  • Layer 3 multihoming: The vRouter utilizes multiple next hops in the forwarding table when multiple uplinks in the underlay are present. Routing protocols can be leveraged in the hypervisor for dynamic load balancing and failure protection.
  • BGPaaS for containers and VMs: BGP as a Service is delivered locally on the hypervisor to establish BGP connections from the container or VM and proxies these advertisements to the rest of the network. This provides dynamic network reachability of network functions and applications in the cluster.
  • Load balancing: Contrail Networking vRouter load balancing for services is native L4, non-proxy load balancing based on ECMP. This includes Kubernetes Services of type LoadBalancer, which is not available with other CNIs. The instance-ip (service-ip) is linked to the ports of each of the pods in the service. This creates an ECMP next hop in Contrail Networking, and traffic is load-balanced directly from the source pod. Contrail Networking also includes an add-on option for an Ambassador Ingress in Kubernetes for L7 load balancing and OpenStack LBaaS. It is fully compatible with other Ingress controllers as well.
  • Selective overlay tunneling: Overlay tunneling (MPLS over UDP, MPLS over GRE, or VXLAN) abstracts the physical underlay to scale networks with isolation, policy, and security. Utilize direct underlay routing to selectively bypass overlay tunnels and directly access physical networking resources.
  • High-performance forwarding: High-performance vRouter networking includes kernel, DPDK, and SmartNIC implementations. Reference the list of supported network interface partners for more details.
  • SDN gateway: Contrail Networking interoperates with most physical or VM-based routing and switching equipment that supports L3VPN or EVPN with the appropriate overlay network encapsulation standards (VXLAN, MPLSoGRE, MPLSoUDP). This includes interoperability with Juniper Networks MX Series Universal Routers and QFX Series Switches, as well as other vendors’ devices, to seamlessly connect to the WAN or legacy networks and workloads.
  • Monitoring: Optional analytics based on Prometheus and Grafana integrate with existing cloud ecosystem components, providing a centralized platform for robust insight into SDN operations, cluster health, and diagnostics. Optional flow monitoring employs InfluxDB. Besides native Grafana dashboards, monitoring is simplified in the optional Contrail Lens plug-in and Web GUI.
  • Troubleshooting: Contrail Networking collects cluster health, network statistics, and flow data, which is then aggregated and presented through the Contrail Networking Web GUI for troubleshooting. Contrail Networking also exposes a number of logging, introspect, and tracing features for deep troubleshooting, resulting in faster serviceability and lower mean time to repair (MTTR).

Advanced Security

  • Microsegmentation: Networking and security policies are defined centrally, then applied to network objects through labels and enforced at the distributed vRouter, providing security enforcement at each virtualized and containerized workload.
  • Multitenant and namespace network isolation: The use of tenant domains and L3 VPNs to create virtual networks inherently provides a secure, segregated environment, where virtual networks cannot talk to each other without policies. Securely partitioned clusters using virtual routing and forwarding (VRF) and namespaces optimize flexibility, agility, and compute across multiple applications, users, teams, and tenants.
  • Label-based security policy: Going beyond rudimentary Kubernetes NetworkPolicy, Contrail Networking’s additional security and firewall rules create flexible and granular policies using metadata, tags, and attributes (vs. routing/IP info alone) to create a layer of abstraction for finer-grained isolation that is simpler to design and configure (e.g., isolation between development, test, and production).
  • Drop/deny alerting and visibility: Flow records and alert logs on Contrail Networking policies provide visibility and audit compliance (e.g., no flow) to quickly identify potential security threats and optimize traffic flows.
  • Service chaining with transparent insertion of L7 next-generation firewall (NGFW): Policy-driven, dynamic service chaining helps users easily create and deliver flexible security services (e.g., steering traffic to a vSRX/cSRX NGFW).
  • VPN services: VPN services include MPLS over GRE, MPLS over UDP, and VXLAN overlays implementing network slicing in the cluster.

Advanced Federation and Multicluster

  • One Contrail Networking to many clusters (CNI and analytics): A single Contrail Networking SDN cluster configured to manage many Kubernetes clusters improves operational efficiency and reduces cluster sprawl.
  • Edge/remote compute: Centralized Contrail Networking SDN cluster management of remote vRouter worker nodes (e.g., distributed edge clouds) improves operational efficiency and reduces costs.
  • Multicluster policy federation for network/security: Using Contrail Networking with KubeFed allows a single primary Kubernetes control plane to coordinate multiple Kubernetes and Contrail Networking clusters to simplify higher-scale, multicluster networks and services.
  • BGP cluster-to-cluster peering: Open, standards-based BGP with Contrail Networking’s simplified peering configurations extends reachability between clusters and to the WAN, providing end-to-end network and multicluster reachability and logically shared virtual networks.

 

Ordering Information

Model Number Structure

Model numbers and descriptions:

License tiers: 

  • Standard 
  • Advanced 
  • Premium

S-CN-S1-* = standard tier, includes multitenant network overlays, service chaining for OpenStack or Kubernetes use cases.

S-CN-A1-* = advanced tier, adds DPDK and SmartNIC vRouter, BGPaaS, remote compute architecture.

S-CN-P1-* = premium tier, adds Juniper Apstra integration and containerized routing protocol process (daemon) (cRPD) support with vRouter routing. Apstra and cRPD sold separately.

 

Contrail Networking with Pipelines (CI/CD support) 

  • ‘1’ without Contrail Networking with Pipelines 
  • ‘2’ includes Contrail Networking with Pipelines

S-CN-S2-* = S1 tier with Contrail Networking with Pipelines full CI/CD support and Contrail Networking test suite. 

S-CN-A2-* = A1 tier with Contrail Networking with Pipelines full CI/CD support and Contrail Networking test suite. 

S-CN-P2-* = P1 tier with Contrail Networking with Pipelines full CI/CD support and Contrail Networking test suite.

Class types

S-CN-*-C4-* = Certified and integrated OpenStack (Red Hat RHOSP, Canonical/Juju). 

S-CN-*-C3-* = Red Hat OpenShift Operator integrated. 

S-CN-*-C2-* = Pre-integrated K8s (Juju/Canonical, Rancher). 

S-CN-*-C1-* = Upstream Kubernetes. Integration may be self-tested with Contrail Networking with Pipelines tier.

Subscription duration terms

S-CN-*-C1-1 = 1 year of support and software subscription. 

S-CN-*-C1-3 = 3 years of support and software subscription. 

S-CN-*-C1-5 = 5 years of support and software subscription.

Examples sold per vRouter compute node (controller node not licensed)

S-CN-S1-C4-1 = standard tier license for 1 year for OpenStack. 

S-CN-S1-C3-5 = standard tier license for 5 years for OpenShift. 

S-CN-S2-C2-5 = standard tier with Contrail Networking with Pipelines license for 5 years for Kubernetes. 

S-CN-A2-C2-1 = advanced tier with Contrail Networking with Pipelines license for 1 year for pre-integrated Kubernetes distributions such as Amazon EKS and Kubernetes from Canonical or Rancher. 

S-CN-A2-C1-1 = advanced tier with Contrail Networking with Pipelines license for 1 year for upstream Kubernetes (K8s) integrations.

 

Juniper Networks products are sold directly as well as through Juniper partners and resellers. Please contact your Juniper account team or partner for licensing. For more information on how to buy, please visit: https://www.juniper.net/us/en/how-to-buy/form.html.

 

About Juniper Networks

At Juniper Networks, we are dedicated to dramatically simplifying network operations and driving superior experiences for end users. Our solutions deliver industry-leading insight, automation, security, and AI to drive real business results. We believe that powering connections will bring us closer together while empowering us all to solve the world’s greatest challenges of well-being, sustainability, and equality.

 

1000521 - 010 - EN MARCH 2022