Backplane: Simplicity and security through reverse tunnels

How Backplane Agents phone home using HTTP/2

Backplane is designed to make routing, shaping, and securing network traffic easy and safe, for every application in any environment. One of the key aspects of Backplane’s design that makes this possible is an extension to the HTTP/2 protocol that we call h2s. In this post I’ll tell you a little bit about h2s, and describe three of the key benefits that it provides: automatic service discovery, zero ingress traffic, and security by default.


Figure: How Backplane Agents create tunnels using h2s

Extending HTTP/2 with h2s

When Backplane Agents come online, they make several outbound connections to distributed Backplane Edge servers using HTTP/2 over TLS. Through a novel extension to the HTTP/2 protocol that I call h2s, this outbound connection begins a series of handshakes which result in the Agent and the Edge switching roles: the Agent is now the server, and the Edge is the client. Data can now be transmitted from the Edges to the Agents, without creating additional ingress traffic.

After this process is complete, requests which reach the geographically distributed Edge servers can now securely transmit data to the Agents, which live alongside your applications inside your secure network. This role swap enables some pretty cool functionality that helps Backplane present a unified, simple interface to help you untangle your network.
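The role swap described above, reduced to plain HTTP/1.1 over a loopback TCP socket, as an added example that is not Backplane's code. The h2s handshake, HTTP/2 framing, TLS and Agent authentication are left out because the post gives no wire details, and the names `oneConnListener`, `agentHandler`, `runAgent`, `roleSwapDemo` and the `agent.invalid` host are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
)

type oneConnListener struct{ conn chan net.Conn } // feeds http.Serve the one dialed-out socket
func (l oneConnListener) Accept() (net.Conn, error) { return <-l.conn, nil }
func (l oneConnListener) Close() error { return nil }
func (l oneConnListener) Addr() net.Addr { return &net.TCPAddr{} }
func agentHandler(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "agent served %s", r.URL.Path) }

// runAgent makes the only connection (outbound), then acts as the HTTP server on it.
func runAgent(edgeAddr string) error {
	c, err := net.Dial("tcp", edgeAddr)
	if err != nil {
		return err
	}
	l := oneConnListener{make(chan net.Conn, 1)}
	l.conn <- c // the first Accept returns this socket; later Accepts block
	return http.Serve(l, http.HandlerFunc(agentHandler))
}

// roleSwapDemo plays the edge: accept the agent's dial-out, then send a request over it.
func roleSwapDemo(path string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // constructed loopback "edge"
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go runAgent(ln.Addr().String())
	c, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer c.Close()
	tr := &http.Transport{DialContext: func(context.Context, string, string) (net.Conn, error) { return c, nil }}
	resp, err := (&http.Client{Transport: tr}).Get("http://agent.invalid" + path)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
func main() { fmt.Println(roleSwapDemo("/health")) }
```

The only listening socket belongs to the edge; the agent never listens, which is why its side needs no inbound firewall rule. It also means that whatever terminates the agent's outbound connection can send requests to the application, so a real deployment relies on the TLS the post mentions to authenticate the Edge.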

Automatic Service Discovery

Service discovery is a necessary component of any infrastructure at moderate scale, but it is traditionally heavy to operate and requires a lot of buy-in: multiple data stores, multiple availability zones, and more. Because of h2s, applications which are running corresponding Backplane Agents are automatically registered with the globally distributed, fault-tolerant Backplane Edge servers. That means we get automatic service discovery, without any extra effort on the part of the user (including zero-ingress, more on that later).


Figure: Automatic service discovery with Backplane

Thanks to automatic service discovery, you can maintain consistent instance counts, ensure availability across geographical zones, and perform autoscaling, all based on the registration that automatically occurs when your Backplane Agents come online, without any extra configuration, and without having to think in regions and zones. Less configuration means less chance for error.

Zero Ingress Traffic

One of the coolest consequences of how Backplane works is the fact that because of h2s, you don’t need to allow ingress traffic into your private network to serve traffic to your applications. No poking special holes in firewalls. No fussing around with iptables. No configuration.

Sometimes it’s challenging for people to understand this point, both because it’s novel and because it’s counterintuitive: how does the data reach its destination without ingress traffic rules? The role swap enabled by h2s allows Agents and Edges to manage your traffic for you, which is one of the ways that Backplane encompasses all of the network operations you need to perform, and presents a unified interface to abstract over them.

Security by Default

Zero configuration and no ingress traffic by default are two of the ways that Backplane’s innovative h2s extension of HTTP/2 makes your network more secure. Network security relies heavily on reducing potential vectors for attack and minimizing surface area for misconfiguration. Poorly configured databases, firewalls, and other infrastructure can create potential problems. A network that is locked down by default can avoid a lot of these issues out of the box.

Along with providing a convenient and modern interface to network operations, Backplane’s architecture has helped us focus on what we care about the most: making sure our networks are flexible without sacrificing security.

Putting it all together

The idea to have Agents and Edges perform the h2s role swap was born out of the desire to allow network management and orchestration to occur without the heavyweight configuration management component that so many architectures rely on by default. Using Agents as servers and Edges as clients allows for automatic service discovery, eliminates the need for ingress network traffic, and makes your network more secure by default.

Where you used to have a fractured set of services with different configurations and control planes, you now have one interface to help you untangle your network: Backplane.

Instantly see h2s in action with Backplane: click here to sign up!

