AWS App Mesh, Security Groups and Network Flow Logs with CloudWatch
We wrapped up at AWS re:Invent 2018 and are thrilled to have been part of this amazing event that brought together over 40,000 IT professionals. Notably different from last year's event was that many more booth visitors said they are in production with Kubernetes. In addition, more than half of the people we spoke with are actively researching managed Kubernetes services such as Amazon EKS.
On the topic of containers and Kubernetes, I want to thank AWS for all the support and our newly awarded AWS container competency. AWS recognized the completeness of Tigera’s container offerings and awarded the AWS Container Competency status! Check out Terry Wise’s reference to Tigera at his keynote session. Among all the cool AWS keynotes and announcements this week, I want to point out a few highlights:
- App Mesh: The concept of service mesh is something that Tigera has embraced with our integration of Istio into Tigera Secure. We are excited about AWS’s latest service mesh offering. AWS App Mesh makes it easy to run microservices by providing consistent visibility and network traffic controls for every microservice in an application.
- Tigera Secure Enterprise Edition: Our flagship product is now supported on EKS. Our enterprise product works on both self-managed Kubernetes and Amazon EKS clusters and adds enterprise-grade zero trust security and compliance capabilities on top of our Secure Cloud Edition, such as:
  - Hierarchical policy controls with role-based access controls, to enable multiple teams to independently manage their respective security policies
  - Dynamic graphical visualization of network flows
  - Intrusion detection, alerting and remediation
- Security Group Integration: We received positive feedback at the show for our work with AWS Security Groups. Tigera enables you to integrate AWS Security Groups (SGs) with Kubernetes' model for network security, known as Network Policy. Since Network Policy was designed to be platform agnostic, it is not aware of Security Groups (or any other cloud-specific security mechanism). Booth visitors were amazed at how Tigera found a way to enable this fine-grained policy control. Any namespace, service account, or pod can be associated with a list of Security Group IDs, so you can define which Security Groups are applied to which pods under an RBAC model.
- Network Flow Logs with CloudWatch: Gaining accurate visibility into Kubernetes network traffic was another feature that our booth visitors couldn't wait to try once they got back home. Tigera Secure CE captures network traffic at the container level, appends workload metadata to the flow logs, and pipes that data into CloudWatch. We also integrate with existing security operations center threat analytics and log aggregation systems. re:Invent attendees expressed concerns that traditional network logging methods provide only limited 5-tuple flow logs. Adding context and correlation to such logs takes additional work and often involves very pricey volume-based SIEM solutions. Needless to say, attendees were relieved to see this Tigera feature address both the limited Kubernetes visibility and the SIEM cost issue.
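To make the 5-tuple limitation concrete, here is an added illustration (not Tigera's code or its flow log format) that enriches plain 5-tuple records with workload metadata from a constructed pod inventory, then asks a question that the raw tuples alone cannot answer: which flows cross a namespace boundary. The record layout, IPs, namespaces and labels are all made up for this example.

```python
# Constructed sample: pod IP -> workload metadata, as a cluster inventory would supply it.
# Every name, namespace and label here is made up for this illustration.
POD_INVENTORY = {
    "10.0.1.12": {"namespace": "frontend", "pod": "web-5d8f",   "labels": {"app": "web"}},
    "10.0.2.7":  {"namespace": "payments", "pod": "api-77c1",   "labels": {"app": "payments-api"}},
    "10.0.2.8":  {"namespace": "payments", "pod": "db-2a1",     "labels": {"app": "payments-db"}},
    "10.0.3.4":  {"namespace": "default",  "pod": "debug-shell", "labels": {"app": "debug"}},
}

def parse_5tuple(line):
    """Parse a constructed 'src_ip src_port dst_ip dst_port proto action' record."""
    src_ip, src_port, dst_ip, dst_port, proto, action = line.split()
    return {"src_ip": src_ip, "src_port": int(src_port), "dst_ip": dst_ip,
            "dst_port": int(dst_port), "proto": proto, "action": action}

def enrich(flow, inventory=POD_INVENTORY):
    """Append namespace, pod name and app label for each endpoint.
    IPs not in the inventory are marked as external to the cluster."""
    for side in ("src", "dst"):
        meta = inventory.get(flow[f"{side}_ip"])
        flow[f"{side}_namespace"] = meta["namespace"] if meta else "<external>"
        flow[f"{side}_pod"] = meta["pod"] if meta else None
        flow[f"{side}_app"] = meta["labels"].get("app") if meta else None
    return flow

def cross_namespace_flows(lines, inventory=POD_INVENTORY):
    """Return enriched flows whose endpoints live in different namespaces.
    A reviewer cannot decide this from IPs and ports alone; the workload
    context appended by enrich() is what makes the question answerable."""
    flows = [enrich(parse_5tuple(line), inventory) for line in lines]
    return [f for f in flows if f["src_namespace"] != f["dst_namespace"]]

# Constructed flow records in the 5-tuple-plus-action layout parsed above.
SAMPLE_LOG = [
    "10.0.1.12 43122 10.0.2.7 8080 tcp allow",     # frontend -> payments
    "10.0.3.4 51000 10.0.2.7 8080 tcp allow",      # default (debug pod) -> payments
    "10.0.2.7 39311 10.0.2.8 5432 tcp allow",      # payments -> payments (same namespace)
    "198.51.100.9 55021 10.0.1.12 443 tcp allow",  # external client -> frontend
]

if __name__ == "__main__":
    for f in cross_namespace_flows(SAMPLE_LOG):
        print(f"{f['src_namespace']}/{f['src_pod']} -> "
              f"{f['dst_namespace']}/{f['dst_pod']} :{f['dst_port']} ({f['action']})")
```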
One of the coolest giveaways, besides our Tiger mascot, was the 30-day free trial for our Secure Cloud Edition product that’s available on AWS Marketplace. If you missed the chance to sign up at our booth, here’s your opportunity again. We look forward to seeing you at the next AWS event.