The beta release of Docker Enterprise Edition has seen incredible activity. The highlight of the upcoming Docker Enterprise Edition (Docker EE) release is the integration of Kubernetes, bringing all of the advanced security, RBAC and management capabilities of Docker EE to Kubernetes. At the same time, we have been working to improve Swarm, delivering the only container platform that allows you to run both orchestrators in the same cluster. In this blog post, we’ll highlight some of the key new capabilities around application-layer (Layer 7) routing and load balancing for Swarm-deployed applications. These enhancements come from the new Interlock 2.0 architecture, which provides a highly scalable and highly available routing solution for Swarm. The new architecture brings some additional features to the platform, including path-based routing and SSL termination.
Layer 7 load balancing allows traffic going to host domains like acme.com to be distributed across specific containers in your environment. With path-based routing, traffic headed to different paths under acme.com (e.g. acme.com/app1 or acme.com/app2) can be separately routed to different sets of containers. This can be especially useful for optimizing application performance by driving different requests to different groups of containers.
HTTPS ensures secure, encrypted communications from the client to your application, but there are many reasons to decrypt the message once it has reached the load balancer. Layer 7 routing often requires decrypting the incoming request so that the routing decision can be made within the trusted network; in addition, managing multiple certificates at the container level does not necessarily scale well. With SSL termination at a proxy service, the encrypted external connection ends at the proxy, once the traffic is already within your secure network, so you manage certificates in one location, which is much more scalable.
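As an added illustration (not part of the original post), here is a constructed stack file that combines path-based routing with SSL termination at the proxy. The `com.docker.lb.*` label names follow Docker EE's Interlock layer 7 routing documentation rather than anything stated in this post, so check them against your release; the image names, the `acme-net` network and the `acme_cert` / `acme_key` secrets are placeholders assumed to exist already.

```yaml
# Added example: constructed stack file for `docker stack deploy`.
# Assumptions: the overlay network "acme-net" and the Swarm secrets
# "acme_cert" / "acme_key" were created beforehand; images are placeholders.
version: "3.3"

services:
  app1:
    image: example/app1:latest            # placeholder image
    networks:
      - acme-net
    deploy:
      replicas: 2
      labels:
        com.docker.lb.hosts: acme.com     # host the proxy matches on
        com.docker.lb.network: acme-net   # network the proxy uses to reach the tasks
        com.docker.lb.port: 8080          # plain-HTTP port inside the container
        com.docker.lb.context_root: /app1 # acme.com/app1 is routed to this service
        # TLS ends at the proxy; the certificate and key are Swarm secrets,
        # so the application containers never hold the private key.
        com.docker.lb.ssl_cert: acme_cert
        com.docker.lb.ssl_key: acme_key

  app2:
    image: example/app2:latest            # placeholder image
    networks:
      - acme-net
    deploy:
      replicas: 2
      labels:
        com.docker.lb.hosts: acme.com
        com.docker.lb.network: acme-net
        com.docker.lb.port: 8080
        com.docker.lb.context_root: /app2 # acme.com/app2 is routed to this service
        com.docker.lb.ssl_cert: acme_cert
        com.docker.lb.ssl_key: acme_key

networks:
  acme-net:
    external: true                        # pre-created overlay network
```

In this layout the hop from the proxy to the containers is plain HTTP on the overlay network, so that network is the trust boundary the certificate no longer covers.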
The new Interlock architecture in Docker EE includes a pluggable extension service that can connect to different load-balancing proxies. As part of Docker’s “batteries included” strategy, the service comes with a supported NGINX proxy today, and other proxy solutions will be pluggable into the architecture in the future. The pluggable framework allows you to use industry-standard solutions while still having the simplicity of configuring them using standard Docker rolling updates.
The new version of Docker EE also introduces the concept of Service Clusters, which provide a separate instance of the reverse proxy to each application, so that application traffic is isolated to each service cluster. This allows you to segregate application clusters at Layer 7. The benefits of this feature include confining service disruptions, reconfiguration downtime, misconfigurations, and update errors to a single application rather than the entire cluster.
Layer 7 routing with Swarm is fully Docker native. It runs on Docker Swarm and routes traffic using cluster networking and Docker services, leverages Docker APIs, and is configurable via CLI and UI. It is also designed to be both scalable and highly available, meeting the needs of production applications.
To learn more: