Building Dataspaces in Multi-Cloud


By offering multiple cloud providers, including AWS, GCP, Azure, Open Telekom Cloud (OTC), and a sovereign GCP offering, we empower our customers to choose the provider that aligns with their needs, preferences, and compliance requirements, giving them the flexibility and data sovereignty to optimize their cloud strategy. 

The central business challenge of running dataspaces in a multi-cloud environment is managing the complexity that comes with operating across several cloud providers, each with its own APIs, networking model, and security controls. 

Based on our evaluation of the open-source Kubernetes orchestration solutions Gardener and Rancher, we identified distinct characteristics of each that can inform the decision-making process: 

Gardener: 

  • Gardener is developed and supported by SAP, providing a level of credibility and industry expertise.
  • Supports various cloud providers, including AWS, Alibaba Cloud, Azure, GCP, Metal-Stack, OpenStack, and VMware vSphere. This flexibility allows you to choose the provider(s) that align with your requirements. 
  • Gardener offers potential cost savings by using seeds to manage multiple clusters efficiently.
  • Being an open-source project, Gardener benefits from community support and contributions.
  • Setup and upgrades can be challenging and require deeper operational expertise.
  • No commercial enterprise support is available, which can be a consideration depending on your organization's requirements. 

Rancher: 

  • Rancher is an open-source project supported by SUSE, another reputable player in the industry. 
  • Supports a wide range of cloud providers, including AWS, Azure, Google Cloud Platform, and on-premises environments. This flexibility allows you to leverage various cloud options. 
  • Rancher is known for its user-friendly setup process, making it easier for organizations to get started.
  • Rancher provides comprehensive documentation, which can aid in the setup and configuration process.
  • Rancher offers both community support and enterprise support options, providing different levels of assistance depending on your needs.
  • Continuous Delivery capabilities: Rancher includes features for continuous delivery, which can be beneficial for organizations with a focus on automation and DevOps practices. 

 

The infrastructure:  

The T-Systems Powerhouse team, as an AWS Premier Partner, reviews our AWS accounts and ensures that best practices as well as privacy and security assessments are applied. This partnership provides us with valuable expertise and support to optimize our infrastructure. 

In our architecture, we are using Kubernetes to manage containers, which is a popular choice for container orchestration. By leveraging Rancher, we have a tool that facilitates the creation, management, deployment, and operation of our Kubernetes clusters in a multi-cloud environment. Rancher provides a user-friendly interface and additional features that enhance the management of our Kubernetes clusters, such as monitoring, scaling, and automated deployments.  

With Kubernetes and Rancher together, we have a robust solution for managing our containerized workloads in a multi-cloud architecture. 

Kubernetes ensures the scalability, portability, and resilience of our applications, while Rancher simplifies the administration and orchestration of our Kubernetes clusters across different cloud providers. 

We are making sure to leverage the expertise and support available from the T-Systems Powerhouse team to maximize the benefits of this infrastructure setup. Regularly updating and patching our Kubernetes clusters, following security best practices, and staying informed about the latest features and improvements will help us maintain a secure and efficient multi-cloud environment for our services.  

We have chosen AWS as our core service provider due to T-Systems Powerhouse team's premier partnership with AWS, the market leadership of AWS, and our expertise in leveraging AWS services to meet our customers' cloud requirements. 

Architecture:  

We deployed Rancher on EKS to manage our Kubernetes clusters in a private subnet. By enabling the private EKS endpoint and disabling the public endpoint, we ensure that the control plane of our Kubernetes clusters is accessible only through the private network. 
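The endpoint configuration described above can be applied with the AWS CLI; a minimal sketch, in which the cluster name and region are placeholders:

```shell
# Hedged sketch: restrict the EKS control plane to the private network.
# "rancher-eks" and the region are illustrative values.
aws eks update-cluster-config \
  --region eu-central-1 \
  --name rancher-eks \
  --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

# Verify the resulting endpoint configuration.
aws eks describe-cluster \
  --region eu-central-1 \
  --name rancher-eks \
  --query 'cluster.resourcesVpcConfig'
```

Note that once the public endpoint is disabled, the API server is reachable only from within the VPC (or networks peered/connected to it), which is exactly the intent here.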

To enable Rancher to reach the control planes of all downstream Kubernetes clusters, we assign static IPs to the control plane of every cluster that Rancher creates. 

This allows Rancher to communicate with the control plane from within the Rancher VPC using the NAT gateway. This setup ensures secure communication between Rancher and the Kubernetes clusters. 

To ensure connectivity between the Kubernetes clusters newly created by Rancher and the Rancher load balancer, we add the IP addresses of the NAT gateways to the security group associated with the Rancher load balancer. 

Multi-Cloud

Using the Rancher API, we can programmatically create new Kubernetes clusters for our customers in any cloud provider. This gives our customers the flexibility to choose their preferred cloud provider while still benefiting from the automation and management provided by Rancher.  
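As a sketch of what such a call could look like against the Rancher v3 API: the URL and token are placeholders, and the provider-specific configuration block must follow the schema that your Rancher version serves under /v3, so this is illustrative rather than a complete request:

```shell
# Hedged sketch: creating a downstream cluster through the Rancher v3 API.
# RANCHER_URL and RANCHER_TOKEN are placeholders; provider-specific fields
# (e.g. for EKS or AKS) depend on the Rancher version and are omitted here.
curl -s -X POST "${RANCHER_URL}/v3/clusters" \
  -H "Authorization: Bearer ${RANCHER_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
        "type": "cluster",
        "name": "customer-a-cluster"
      }'
```

In practice such calls are wrapped in automation so that a customer's provider choice simply selects which provider-specific config block is attached to the request.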

By leveraging Rancher Continuous Delivery, we can automatically deploy applications, monitoring, and policies, streamlining the deployment process and ensuring consistency across multiple clusters. 
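Rancher Continuous Delivery is built on Fleet, so deployments are described declaratively as GitRepo resources in the Rancher management cluster. A minimal sketch, in which the repository URL, paths, and labels are illustrative:

```shell
# Hedged sketch: register a Git repository with Rancher Continuous Delivery
# (Fleet). Repo URL, paths, and cluster labels are illustrative values.
kubectl apply -f - <<'EOF'
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
  name: dataspace-apps
  namespace: fleet-default        # Fleet watches this namespace for downstream clusters
spec:
  repo: https://github.com/example/dataspace-deployments
  branch: main
  paths:
    - monitoring                  # e.g. monitoring stack manifests
    - policies                    # e.g. Kyverno policies
  targets:
    - clusterSelector:
        matchLabels:
          env: production         # deploy to every cluster labelled env=production
EOF
```

Fleet then keeps every matching downstream cluster in sync with the repository, which is what gives us consistency across clusters.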

The following architecture diagram illustrates the main components of the DIH Services, which are hosted in AWS:  

[Architecture diagram: DIH Services hosted in AWS]

The architecture diagram includes the following components hosted in AWS: 

  • VPCs (Virtual Private Cloud): VPCs are isolated virtual networks within AWS that allow you to launch AWS resources. 
  • Private and Public Subnets: Within each VPC, there are three private and three public subnets. Subnets are subdivisions of a VPC used to deploy resources. 
  • NAT Gateways: There are three NAT Gateways depicted in the diagram. NAT Gateways allow resources in private subnets to access the internet while keeping them isolated from incoming traffic. 
  • Bastion/Jump Host: this is a secure server that acts as a gateway for DevOps to access and manage resources in private subnets. 
  • Load Balancer (ELB): ELBs distribute incoming network traffic across multiple targets, such as EC2 instances, to ensure high availability and fault tolerance. 
  • EKS Managed Nodes: EKS is Amazon Elastic Kubernetes Service; the managed nodes shown in the diagram are the worker nodes that belong to the managed Kubernetes cluster. 
  • Aurora Cluster: Amazon Aurora is a fully managed relational database service; it is deployed within the private subnets of the VPC. 

This architecture provides a secure and scalable environment for hosting applications, with isolated subnets, load balancing, managed Kubernetes nodes, and database services. 
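Since the control plane is private, the bastion/jump host is also how operators reach the Kubernetes API. One common pattern is an SSH tunnel through the bastion; a hedged sketch, in which the host names and the EKS endpoint are placeholders:

```shell
# Hedged sketch: reach the private EKS API server via the bastion host.
# Host names and the endpoint hostname are placeholders.
ssh -N -L 6443:ABCDEF0123456789.gr7.eu-central-1.eks.amazonaws.com:443 \
  ec2-user@bastion.example.com &

# Point kubectl at the local end of the tunnel. The API server certificate
# is issued for the EKS endpoint hostname, so in practice that hostname is
# mapped to 127.0.0.1 (e.g. via /etc/hosts) rather than using "localhost".
kubectl --server https://localhost:6443 get nodes
```

This keeps the control plane unreachable from the public internet while still allowing day-to-day administration.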

 

Open-Source Tools: 

On each Kubernetes cluster, we have installed several widely used open-source tools, including: 

  • Kyverno: A Kubernetes-native policy management tool that helps enforce admission control policies and manage configuration-as-code.
  • HashiCorp Vault: A secrets management and data protection tool that securely stores and manages sensitive information such as API keys, passwords, and certificates.
  • Nginx Ingress Controller: An Ingress controller that enables the routing and load balancing of incoming traffic to services running on the Kubernetes cluster.
  • Cert-Manager: A certificate management controller that automates the issuance and renewal of TLS certificates from various certificate authorities, including Let's Encrypt.
  • Cluster Issuer: A component of Cert-Manager that manages the automatic issuance and renewal of TLS certificates for the cluster's ingress resources.
  • External Secrets: A tool that allows us to securely store and manage secrets outside of our Kubernetes cluster, retrieving them at runtime when needed by our applications.
  • Promtail: An agent that collects and sends logs from Kubernetes pods to a centralized logging system.
  • Prometheus: A monitoring and alerting toolkit that collects and stores metrics from various sources, providing powerful querying and visualization capabilities.
  • Loki: A log aggregation system that enables the storage, indexing, and querying of logs generated by applications running on the Kubernetes cluster.
  • Thanos: A set of components and tools that extend Prometheus, providing long-term storage, global querying, and high availability for Prometheus metrics.
  • Grafana: A popular open-source visualization and monitoring platform that integrates with Prometheus and other data sources, offering rich dashboards and alerting features.
  • Velero: A backup and restore tool for Kubernetes resources, allowing us to take snapshots and migrate applications and persistent volumes between clusters.
  • Crossplane: An open-source Kubernetes add-on that provides a control plane for managing infrastructure resources and integrating external cloud services.

These open-source tools collectively enhance the security, observability, scalability, and management capabilities of our Kubernetes cluster and the applications running on it. 
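Most of these tools are typically installed with Helm from their official chart repositories; a minimal sketch for a few of them, where the namespaces are illustrative and chart versions would be pinned in a real setup:

```shell
# Hedged sketch: install a subset of the tools above via their official
# Helm chart repositories. Namespaces are illustrative; pin chart versions
# in production.
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo add jetstack https://charts.jetstack.io
helm repo update

helm install kyverno kyverno/kyverno \
  --namespace kyverno --create-namespace

helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx --create-namespace

helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --set installCRDs=true        # cert-manager needs its CRDs installed
```

With Rancher Continuous Delivery in place, the same charts can instead be rolled out declaratively to every downstream cluster.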

 

Offering 

We offer our customers the flexibility to choose between single-tenant and multi-tenant usage. Providing both options allows us to cater to different customer needs and preferences. 

Single Tenant: Each customer is allocated cloud resources and infrastructure exclusively for their use; no other customers share those resources, which provides isolation and enhanced security. 

Single tenant usage typically offers higher levels of performance and customization, but it may come at a higher cost. 

For each single-tenant customer, we create a new Virtual Private Cloud (VPC), NAT gateway, Kubernetes cluster, databases, and load balancer exclusively for their use. This ensures that the customer's resources and infrastructure are isolated and tailored specifically to their requirements. 
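Provisioning such a dedicated environment can be sketched with the AWS CLI; the CIDR ranges and tags below are illustrative, and in practice this would live in infrastructure-as-code rather than ad-hoc commands:

```shell
# Hedged sketch: carve out a dedicated VPC and subnet for one tenant.
# CIDR ranges and tag values are illustrative.
VPC_ID=$(aws ec2 create-vpc \
  --cidr-block 10.42.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Customer,Value=customer-a}]' \
  --query 'Vpc.VpcId' --output text)

SUBNET_ID=$(aws ec2 create-subnet \
  --vpc-id "$VPC_ID" \
  --cidr-block 10.42.1.0/24 \
  --query 'Subnet.SubnetId' --output text)

# The tenant's NAT gateway, EKS cluster, databases, and load balancer are
# then provisioned into this VPC in the same fashion.
echo "Created $VPC_ID with subnet $SUBNET_ID for customer-a"
```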

Multi-Tenant: Multi-tenancy involves sharing cloud resources and infrastructure among multiple customers. This approach enables cost efficiencies and resource optimization, since customers share the underlying infrastructure. It is suitable for customers who prioritize cost-effectiveness and do not require the same level of isolation as single-tenant usage.  

However, it's essential to ensure robust security measures and proper isolation mechanisms to protect customer data and maintain privacy.  

In each cloud provider, we have created Kubernetes clusters specifically designed for multi-tenant usage, allowing our customers to leverage the benefits of shared resources and infrastructure while maintaining the necessary isolation and security for their applications and data. 
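Within a shared cluster, tenant isolation is commonly enforced at the namespace level, for example with a ResourceQuota and a default-deny NetworkPolicy; a hedged sketch in which the names and quota figures are illustrative:

```shell
# Hedged sketch: namespace-level isolation for one tenant in a shared
# cluster. Namespace name and quota figures are illustrative.
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "8"          # cap aggregate CPU requests for the tenant
    requests.memory: 16Gi      # cap aggregate memory requests
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: tenant-a
spec:
  podSelector: {}              # applies to all pods in the namespace
  policyTypes: ["Ingress", "Egress"]
EOF
```

Tools from the list above, such as Kyverno, can then enforce that every tenant namespace carries such a quota and policy.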
