Container Networking
On Cycle, containers are deployed into networks called environments. A container's specific network settings are managed using the container's network configuration.
Each container is assigned an IPv6 /96 address block, and each instance of the container is assigned a /112 subset of that block.
Legacy Mode
In a legacy mode environment, a single IPv4 address is assigned to each instance of the container.
Private Traffic
Container-to-container traffic uses the container's internal port directly; there is no port forwarding in the path, which makes it faster.
A process bound to localhost (127.0.0.1 or ::1) cannot be reached by anything outside the container, including other containers in the environment and the load balancer. Bind to localhost only when you deliberately want to restrict a process to the container itself; a process that should receive traffic must bind a non-loopback address (for example 0.0.0.0 or ::).
Containers in an environment can communicate with other containers in the same environment over a private, encrypted network that is implicitly built when the environment is created. Containers utilize the discovery service for container-to-container communication via hostname.
Public Ingress Traffic
Inside an environment, the container sits behind a load balancer, which acts as the ingress and web application firewall (WAF) for all public traffic destined for the container.
Container Public Network Mode
A container can have its public network configured in one of three ways.
- disable (default): The container will never be allowed to talk to the internet, and the load balancer will never forward traffic to this container. Only communication with other containers in the same environment over the private network is allowed.
- egress-only: The container can send outbound traffic to the internet (and receive responses), but the load balancer will never forward traffic to this container.
- enable: The container can send traffic to the internet, and the load balancer will forward requests to the container.
TLS and SSL
From an encryption standpoint, the platform currently supports TLS 1.2 and 1.3. SSL (any version) is not supported; it is obsolete and insecure. The platform uses 256-bit AES-CBC encryption.
Container Communication
Containers communicate only with other containers. The platform builds an environment's network only into the nodes (servers) that have instances of its containers deployed to them.
Example:
A customer has 10 nodes in a cluster. If the environment they are working in has container instances on nodes 1 and 5 only, the network for that environment connects only nodes 1 and 5; no traffic for that environment is ever sent to the other nodes.
Connecting to the Load Balancer
A container receives public traffic from the load balancer automatically when all of the following are true:
- The public network mode is set to enable
- A LINKED record is pointed at the container
- A port is open on the container
Cycle handles the complexity of building and managing the underlying networking to make this work, even across cloud providers. No special configurations need to be done on the load balancer for the vast majority of cases.
Container Ports
Containers define their ports in the network configuration. A container port mapping follows the format
[external port]:[container internal port]
such as
- 80:80
- 3000:80
- 7777:7777
When receiving public traffic, the left side is the port the load balancer accepts traffic on and the right side is the port inside the container. This distinction matters when dealing with HTTPS traffic.
Reusing Ports
Multiple containers in an environment can bind the same port without conflict, since each instance has its own addresses.
Opening ports on a public container automatically configures the load balancer to forward traffic over those ports to the container (assuming the traffic is directed to the container via a LINKED record). No customization on the load balancer is necessary to receive public traffic over a specific port.
Managing HTTPS Traffic
A special feature of the load balancer on Cycle is automatic TLS termination for LINKED records. When a LINKED record is configured with TLS generation, the certificates are installed into the load balancer. The load balancer decrypts the traffic and forwards the decrypted traffic to the container over the environment's private network.
To configure a container to take advantage of this, the port configuration can be set to 443:80, so that encrypted traffic reaches the load balancer on port 443 and is forwarded to the container over port 80, with decryption happening in the middle.
This eliminates the need for applications to be concerned with decrypting TLS traffic; the application simply receives plain HTTP on port 80.
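The following is an added example, not Cycle's own code or API: it models the rules described above (public network mode, the three conditions for receiving load balancer traffic, the external:internal port mapping format, automatic TLS termination, and the effect of binding a process to localhost) as a small checker you can run against a container's intended configuration. The Container and PortMapping types, the function names, and the sample configuration are assumptions made for illustration; the model also assumes TLS termination applies to external port 443 when TLS generation is enabled, since the page shows only the 443:80 case.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

PUBLIC_MODES = ("disable", "egress-only", "enable")


@dataclass(frozen=True)
class PortMapping:
    external: int  # port the load balancer accepts public traffic on
    internal: int  # port the process inside the container listens on

    @classmethod
    def parse(cls, spec: str) -> "PortMapping":
        """Parse the '[external port]:[container internal port]' format, e.g. '443:80'."""
        left, sep, right = spec.partition(":")
        if not sep or not left.isdigit() or not right.isdigit():
            raise ValueError(f"port mapping {spec!r} must be <external>:<internal>")
        ext, internal = int(left), int(right)
        for p in (ext, internal):
            if not 1 <= p <= 65535:
                raise ValueError(f"port {p} out of range in {spec!r}")
        return cls(ext, internal)


@dataclass
class Container:
    """Hypothetical view of one container's network configuration plus what its process bound."""
    public_network: str = "disable"   # disable | egress-only | enable
    linked_record: bool = False       # a LINKED record points at this container
    tls_generation: bool = False      # that LINKED record has TLS generation enabled
    ports: list = field(default_factory=list)      # PortMapping objects
    listeners: list = field(default_factory=list)  # (bind address, port) sockets the process opened

    def __post_init__(self) -> None:
        if self.public_network not in PUBLIC_MODES:
            raise ValueError(f"public network mode must be one of {PUBLIC_MODES}")


def receives_public_traffic(c: Container) -> bool:
    """All three conditions from 'Connecting to the Load Balancer' must hold at once."""
    return c.public_network == "enable" and c.linked_record and bool(c.ports)


def listener_status(c: Container, port: int) -> str:
    """How a connection arriving inside the container on `port` is answered.
    A loopback bind (127.0.0.1 / ::1) serves only the container itself, so
    traffic forwarded by the load balancer gets no answer there."""
    for addr, p in c.listeners:
        if p != port:
            continue
        if ip_address(addr).is_loopback:
            return "loopback-only"
        return "ok"
    return "no-listener"


def forwarding_table(c: Container) -> dict:
    """For each external port the load balancer forwards, describe what the container sees.
    Model assumption: TLS termination applies to external port 443 when TLS generation is on."""
    table = {}
    if not receives_public_traffic(c):
        return table  # disable / egress-only, or no LINKED record, or no open ports
    for m in c.ports:
        table[m.external] = {
            "internal": m.internal,
            "tls_terminated": c.tls_generation and m.external == 443,
            "status": listener_status(c, m.internal),
        }
    return table


def example_web_container() -> Container:
    """Constructed sample: public container with TLS termination; the app serves plain HTTP."""
    return Container(
        public_network="enable",
        linked_record=True,
        tls_generation=True,
        ports=[PortMapping.parse("80:80"), PortMapping.parse("443:80"), PortMapping.parse("9090:9090")],
        # the app binds 0.0.0.0:80 for HTTP; its metrics endpoint was bound to loopback,
        # so listing 9090:9090 in the port config does not actually expose it
        listeners=[("0.0.0.0", 80), ("127.0.0.1", 9090)],
    )


if __name__ == "__main__":
    for ext, entry in sorted(forwarding_table(example_web_container()).items()):
        print(f"lb :{ext} -> container :{entry['internal']}  "
              f"tls_terminated={entry['tls_terminated']}  {entry['status']}")
```

Running the sample shows port 443 being decrypted at the load balancer and delivered to the app's plain port 80, while port 9090 is forwarded but reports loopback-only: the mapping is open, yet nothing outside the container can reach the process, which is exactly the case to check for before assuming an open port is serving traffic.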
Advanced Networking with SDNs
For more advanced container networking between environments, see Networks (SDNs).
Get Started with Container Networking on Cycle
For an in-depth guide on configuring a publicly accessible container, see our getting started guide.
For accessing container network configurations on Cycle, check out the interface-specific documentation: