Container components and their roles
In addition to isolation, a container can provide scalability and security, depending on the level of sophistication required. Scalability comes from virtual load balancers (VLBs), which distribute traffic among servers; security comes from virtual firewalls (VFWs), which block unwanted traffic to or from servers.
A web service API is provided for managing VLBs (adding an LB pool to a VLB, and adding a server Network Interface Controller (NIC) entry to an LB pool) and VFWs (adding or removing entries in a VFW Access Control List (ACL)). Each web service call operates on a single ACL, but a VFW can define multiple ACLs, and the API can manage all of them, one call per ACL.
A container can optionally be segmented into one or more zones, each typically protected by its own VFW ACL; the server NICs added to a zone therefore share that zone's level of security. Each zone can have one or more networks that server NICs attach to via the access switches in that zone.
The following figure shows the logical topology of a container (outlined with a dotted line) with two zones. Network segments (VLANs) belonging to Zone A are highlighted in orange, and those belonging to Zone B in green. Zone A has two NIC segments, where server VM NICs can be attached, while Zone B has only one. Zone A also has a Virtual Internet Protocol (VIP) segment, where the VIPs of the LB pools that balance traffic for the two NIC segments are attached. The network segments of each zone are protected by a single ACL in the VFW, and the VFW has a further ACL protecting the external segment to which clients connect. How you configure these ACLs determines which segments can talk to which other segments, and over which protocols. When reviewing them, check which paths are opened from the external segment into a zone and which cross-zone paths the zone ACLs permit; each should correspond to a flow the application actually needs.
Container with two zones
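To make the ACL discussion concrete, here is an added example (not the product's code or API) that models the figure's topology in Python: two zones, one ACL per zone, one ACL for the external segment, and an audit that lists every cross-zone or external flow the ACLs permit. It also groups requested rule changes by ACL, reflecting the one-ACL-per-call limit of the web service API described above. Everything not stated on the page is an assumption: the segment names (EXT, A-NIC1, A-NIC2, A-VIP, B-NIC1), the ports, the first-match and implicit-deny semantics, that the VFW checks a flow against the ACL protecting the destination segment, and that the ACLs are stateful so only the connection-initiating direction needs a permit.

```python
"""Constructed model of the two-zone container's VFW ACLs (added example, not
the product's API or code).  Assumptions not stated on the page: the VFW checks
a flow against the ACL that protects the flow's destination segment, rules are
first-match, an ACL with no matching rule denies, and ACLs are stateful."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str             # source segment name, or ANY
    dst: str             # destination segment name, or ANY
    proto: str           # "tcp", "udp", or ANY
    port: Optional[int]  # destination port; None means any port
    action: str          # "permit" or "deny"

    def matches(self, src, dst, proto, port):
        return (self.src in (src, ANY) and self.dst in (dst, ANY)
                and self.proto in (proto, ANY) and self.port in (port, None))


@dataclass
class Acl:
    name: str
    rules: list = field(default_factory=list)

    def permits(self, src, dst, proto, port):
        for rule in self.rules:        # first matching rule wins
            if rule.matches(src, dst, proto, port):
                return rule.action == "permit"
        return False                   # implicit deny (assumed)


@dataclass
class Zone:
    name: str
    segments: frozenset
    acl: Acl


class Container:
    def __init__(self, zones, external_segment, external_acl):
        self.zones = list(zones)
        self.external_segment = external_segment
        self.external_acl = external_acl

    def zone_of(self, segment):
        if segment == self.external_segment:
            return "external"
        for zone in self.zones:
            if segment in zone.segments:
                return zone.name
        raise KeyError(f"unknown segment {segment!r}")

    def acl_for(self, segment):
        """The single ACL protecting a segment: its zone's ACL, or the external ACL."""
        if segment == self.external_segment:
            return self.external_acl
        return next(z.acl for z in self.zones if segment in z.segments)

    def allowed(self, src, dst, proto, port):
        # Assumption: the ACL guarding the destination segment decides the flow.
        return self.acl_for(dst).permits(src, dst, proto, port)

    def cross_zone_permits(self, protos_ports):
        """Audit: every flow between different zones (or external) that an ACL permits."""
        segments = [self.external_segment] + [s for z in self.zones for s in sorted(z.segments)]
        return [(src, dst, proto, port)
                for src in segments for dst in segments
                if self.zone_of(src) != self.zone_of(dst)
                for proto, port in protos_ports
                if self.allowed(src, dst, proto, port)]


def plan_acl_calls(changes):
    """Group rule additions by ACL name; each key becomes one web service call,
    since a call handles a single ACL (hypothetical helper, not the product API)."""
    calls = defaultdict(list)
    for acl_name, rule in changes:
        calls[acl_name].append(rule)
    return dict(calls)


def build_example_container():
    """Topology from the figure; names and ports are constructed for this example."""
    zone_a_acl = Acl("acl-zone-a", [
        Rule("EXT", "A-VIP", "tcp", 443, "permit"),       # clients reach the LB VIPs only
        Rule("A-VIP", "A-NIC1", "tcp", 8443, "permit"),   # VIP to its pool members
        Rule("A-VIP", "A-NIC2", "tcp", 8443, "permit"),
    ])
    zone_b_acl = Acl("acl-zone-b", [
        Rule("A-NIC1", "B-NIC1", "tcp", 5432, "permit"),  # one app host to the DB tier
    ])
    external_acl = Acl("acl-external", [])                # servers never initiate to clients
    return Container(
        [Zone("A", frozenset({"A-NIC1", "A-NIC2", "A-VIP"}), zone_a_acl),
         Zone("B", frozenset({"B-NIC1"}), zone_b_acl)],
        "EXT", external_acl)


if __name__ == "__main__":
    c = build_example_container()
    for flow in c.cross_zone_permits([("tcp", 443), ("tcp", 8443), ("tcp", 5432)]):
        print("cross-zone permit:", flow)
```

Running the audit on the constructed topology reports exactly two cross-zone paths, EXT to A-VIP on tcp/443 and A-NIC1 to B-NIC1 on tcp/5432; a client reaching a NIC segment directly, or Zone A's second NIC reaching the database, is denied because no rule permits it. The same audit run against a real container's ACLs is the review step worth automating: any line it prints that the application does not need is a hole.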
