Understanding native container routing with Alias IPs
On Google Cloud Platform (GCP), Alias IPs let you configure secondary IPs or IP ranges on your virtual machine (VM) instances, giving you a secure and highly scalable way to address and deliver traffic to the applications hosted on a VM instance.
In the past, you deployed applications hosted in GCP VM instances by creating static routes that pointed at a hosted application IP (a VIP) and adjusting the next-hop VM for that destination whenever it changed. With Alias IPs, the GCP networking fabric natively programs and routes traffic to the applications configured with Alias IPs on the hosting VM instances.
This capability is especially useful in containerized environments such as Google Kubernetes Engine (GKE). When Kubernetes was first introduced, there were many ways to implement container IP connectivity: some techniques used an encapsulated overlay, while others programmed network routes to direct container traffic. With both techniques, container networking is somewhat “bolted on” to the cloud infrastructure, with restricted mobility and a list of features that come with caveats.
With Alias IPs, GKE supports VPC-native clusters in which GKE Pod IPs are natively integrated into the GCP infrastructure, providing a way to natively route traffic to containers. GKE Clusters are first-class citizens in the VPC.
With this support to address and route applications natively in GCP, you can now rely on GCP’s IP address management capabilities to carve out flexible IP ranges for your VMs. This delivers the following benefits:
Improved security: With Alias IPs, the VPC fabric knows which Pod IPs belong to each node, so it can apply anti-spoofing checks that validate the source and destination Pod IPs of container traffic. In contrast, static routes require you to disable anti-spoofing protection for the VM, which may then forward traffic with any source or destination. With Alias IPs, nodes can leave IP forwarding (the canIpForward flag) disabled, because traffic from Pod IPs no longer needs it.
Connectivity through VPN / Google Cloud Interconnect: Alias IP addresses can be announced by Cloud Router via BGP to an on-premises network connected via VPN or Cloud Interconnect. This is important if you are accessing a highly available application from your on-premises data center.
Better IP management: Alias IPs let you manage VM IPs (allocated from the subnet's primary range) and Pod IPs (allocated from the primary or a secondary range) centrally across your organization. By allocating Pod IPs from a secondary range, you can write firewall rules for Pod IPs separately from those for VM IPs.
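As an added example (not code from the original post or from Google's own tooling), the following Python models the two security-relevant benefits above: it lays out a VPC-native address plan with the node, Pod and Service ranges kept separate, computes how many nodes the Pod secondary range can support given the per-node allocation GKE makes, derives firewall source ranges that address Pods apart from VMs, and models the anti-spoofing check that accepts a Pod source address only from the node whose Alias IP range contains it. The AddressPlan and Node classes and all address ranges are constructed for this example, and the anti-spoofing check is a simplified model of the fabric's behavior, not Google's implementation.

```python
# Added example (not code from the original post or from Google Cloud): a
# standard-library model of a VPC-native GKE address plan and of the
# anti-spoofing check that Alias IPs make possible. Ranges are constructed
# sample values; AddressPlan and Node are names chosen for this example.
import ipaddress
import math
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


def node_pod_prefix(max_pods_per_node: int) -> int:
    """Prefix length of the Pod alias range GKE programs on each node.

    GKE reserves about twice the node's maximum Pod count, rounded up to a
    power of two: 110 Pods -> /24, 64 -> /25, 32 -> /26, 8 -> /28.
    """
    if not 8 <= max_pods_per_node <= 110:
        raise ValueError("this example covers 8..110 Pods per node")
    return 32 - math.ceil(math.log2(2 * max_pods_per_node))


@dataclass
class AddressPlan:
    """Subnet ranges for one VPC-native cluster."""
    primary: IPv4Net            # node (VM) addresses
    pod_secondary: IPv4Net      # per-node Pod alias ranges are carved from here
    service_secondary: IPv4Net  # ClusterIP (Service) addresses
    max_pods_per_node: int = 110

    def validate(self) -> None:
        """Ranges must not overlap and must fit at least one node."""
        ranges = [self.primary, self.pod_secondary, self.service_secondary]
        for i, a in enumerate(ranges):
            for b in ranges[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"{a} overlaps {b}")
        if self.pod_secondary.prefixlen > node_pod_prefix(self.max_pods_per_node):
            raise ValueError("Pod range is smaller than one node's allocation")

    def node_alias_ranges(self) -> list:
        """The Alias IP ranges GKE hands out to nodes, in order."""
        prefix = node_pod_prefix(self.max_pods_per_node)
        return list(self.pod_secondary.subnets(new_prefix=prefix))

    def max_nodes(self) -> int:
        """Nodes the Pod range can hold (one alias range each)."""
        per_node = 1 << (32 - node_pod_prefix(self.max_pods_per_node))
        return self.pod_secondary.num_addresses // per_node

    def firewall_source_ranges(self) -> dict:
        """Pods have their own range, so rules can address them apart from VMs."""
        return {"nodes": [str(self.primary)], "pods": [str(self.pod_secondary)]}


@dataclass
class Node:
    """A cluster node as the VPC fabric sees it."""
    primary_ip: ipaddress.IPv4Address
    alias_ranges: list            # Alias IP ranges programmed on the node's NIC
    can_ip_forward: bool = False  # only the static-route approach needs this


def egress_allowed(node: Node, src: str) -> bool:
    """Simplified model of the VPC anti-spoofing check on a packet leaving a VM.

    Without IP forwarding the fabric accepts a source only if it is the VM's
    primary IP or lies in one of its Alias IP ranges, so a Pod IP is accepted
    only from the node that owns it. canIpForward, which the static-route
    approach requires, waives the check, so any source passes.
    """
    if node.can_ip_forward:
        return True
    ip = ipaddress.IPv4Address(src)
    return ip == node.primary_ip or any(ip in r for r in node.alias_ranges)


def example_plan() -> AddressPlan:
    """Constructed sample plan with GKE's default-sized ranges."""
    plan = AddressPlan(IPv4Net("10.0.0.0/20"), IPv4Net("10.4.0.0/14"),
                       IPv4Net("10.8.0.0/20"))
    plan.validate()
    return plan


def demo() -> dict:
    plan = example_plan()
    aliases = plan.node_alias_ranges()
    node_a = Node(ipaddress.IPv4Address("10.0.0.2"), [aliases[0]])
    node_b = Node(ipaddress.IPv4Address("10.0.0.3"), [aliases[1]])
    legacy = Node(ipaddress.IPv4Address("10.0.0.4"), [], can_ip_forward=True)
    pod_ip = "10.4.0.17"  # a Pod scheduled on node_a
    return {
        "max_nodes": plan.max_nodes(),
        "pod_from_owner": egress_allowed(node_a, pod_ip),
        "pod_from_other_node": egress_allowed(node_b, pod_ip),
        "spoofed_from_legacy": egress_allowed(legacy, "192.0.2.1"),
        "firewall": plan.firewall_source_ranges(),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module shows the default /14 Pod range supporting 1024 nodes at 110 Pods each, the Pod address 10.4.0.17 accepted only from the node holding 10.4.0.0/24, and the legacy node with canIpForward enabled passing an arbitrary source, which is exactly the protection the static-route approach gives up.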
You can also use Alias IPs with applications running in containers managed by container orchestration systems such as Kubernetes or Mesos; the GKE documentation describes how Kubernetes uses Alias IPs.
Drop us a line about how you use Alias IPs, and other networking features you’d like to see on GCP.
This post was updated October 19, 2018