To improve resource utilization, delivery efficiency, and business agility, enterprises are adopting cloud-native architectures and relying on the hybrid environment of VMs and containers for diverse application demands. However, the tight coupling between application components deployed across two environments necessitates a simple and efficient solution to ensure the secure interconnectivity between VMs and containers. Common approaches, such as gateways, controlled application registration addresses, and flat networks, each have advantages and disadvantages. Even the flat network, which is relatively superior to other approaches, presents security challenges, such as blurred network boundaries.
Facing these challenges, SmartX VM-Container Converged Infrastructure (VCCI) solution upgrades its capability and now supports the unified network security policy management of both VMs and containers. This enhanced feature ensures the efficient interoperability between virtualized and containerized applications while boosting the data security, visualization, and O&M simplicity of the entire SmartX Enterprise Cloud Platform (ECP).
Common Approaches for VM-Container Interconnection and Their Shortcomings
We deployed an application to simulate a typical business scenario. The frontend, gateway, Nacos, and backend components run in a Kubernetes cluster that uses the Calico network plugin in overlay mode. The rating service runs on a VM and calls the backend using the address it retrieves from Nacos. Because Pod addresses in an overlay network are encapsulated between nodes and are not routed on the physical network, the rating service on the VM (IP: 192.168.28.213) cannot reach the containerized backend service at its Pod IP (172.16.232.208), so cross-environment connectivity is limited.

In this case, enterprises need an effective solution to bridge the communication gap between VMs and containers. Common approaches include gateways, controlled application registration addresses, and flat networks.
Gateway
The gateway service in the Kubernetes cluster, built on Spring Cloud Gateway, serves as the unified entry point. It retrieves the addresses of the backend and rating services from Nacos and routes and forwards business traffic. The rating service, running on a VM, reaches the backend through the gateway as a proxy, enabling cross-environment communication:
- Expose the gateway service externally through NodePort or Ingress.
- Change the address the rating service uses to call the backend to the gateway's external address plus the corresponding path, so that the traffic is forwarded through the gateway.

Controlled application registration addresses
The rating service obtains backend addresses via Nacos for data transmission. However, the backend registers with its Pod IP (e.g., 172.16.232.208, from Pod CIDR 172.16.0.0/16), while rating runs on a VM at 192.168.28.213 in a /20 VM subnet; the Pod address is not routable from the VM network, so direct access fails.
In this case, users can expose the backend service via NodePort or Ingress and register that external endpoint in Nacos in place of the Pod IP. The rating service then retrieves a reachable backend address from Nacos, enabling service interaction.
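The following manifests show the controlled-registration approach concretely (the gateway approach exposes its Service the same way). This is an added example, not configuration from the original page or from SmartX: a NodePort Service for the backend, followed by the backend's Nacos discovery client configuration (Spring Cloud Alibaba's `spring.cloud.nacos.discovery.ip`/`port` overrides) so that the node address and NodePort, rather than the Pod IP, are what Nacos hands to the rating VM. The namespace, labels, ports, the Nacos address and the node IP 192.168.28.101 are assumptions for illustration.

```yaml
# Added example (not from the original page): expose the containerized backend
# through a NodePort Service and register that external endpoint in Nacos
# instead of the Pod IP. Names, labels, ports and addresses are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: backend-nodeport
  namespace: default            # assumed namespace
spec:
  type: NodePort
  selector:
    app: backend                # assumed Pod label
  ports:
    - name: http
      port: 8080                # assumed container port
      targetPort: 8080
      nodePort: 30080           # assumed; must lie in the cluster's NodePort range
---
# backend application.yaml (Spring Cloud Alibaba Nacos discovery client):
# register the node address and NodePort rather than the Pod IP, so the
# rating VM receives an endpoint it can actually reach from Nacos.
spring:
  application:
    name: backend
  cloud:
    nacos:
      discovery:
        server-addr: 192.168.28.200:8848   # assumed Nacos address reachable from VMs and Pods
        ip: 192.168.28.101                 # assumed Kubernetes node IP on the VM network
        port: 30080                        # the nodePort declared above
```

Two caveats a practitioner should weigh before adopting this. First, Nacos keys instances by ip:port, so every backend replica registers the same node:nodePort entry and per-replica health and client-side load balancing in the rating service collapse to that single entry, whose availability now depends on that one node. Second, a NodePort is reachable from the entire VM network on every node, so the backend is exposed far more widely than the single rating VM that needs it; without a network policy in front of it, this approach trades a routing problem for an exposure problem.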

Flat Network
By placing VMs and containers on a unified Layer 2 network, the flat network makes the addresses registered by the backend and rating services mutually reachable, so the two services communicate directly without any proxy or address rewriting.

Comparisons of the three approaches are listed below.

As can be seen, the flat network is the most effective solution for VM-container interconnectivity:
- Simplified architecture with easy deployment, minimal maintenance, and no need for business transformation.
- Direct service-to-service communication ensures the shortest call path, enabling rapid troubleshooting and optimal performance.
- Unified security management across VMs and containers enhances overall security governance.
However, the flat network approach still has a shortcoming. Because every Pod is now directly reachable at its Pod IP from any VM on the same network, and Pods have no network isolation of their own, security boundaries blur and the attack surface grows. The key challenge is to keep seamless VM-container integration while enforcing granular, zero-trust security policies at the workload level.
SmartX VCCI Enhanced Features for Unified Management of VM and Container Security Policies

Combining Zero Trust principles and micro-segmentation, SmartX VCCI enhances flat network security and enables unified security management for VMs and containers:
- SMTX Kubernetes Service (SKS): Provides Kubernetes clusters on a flat network (using the EIC plugin), ensuring seamless VM-container communication.
- Everoute, SmartX's software-defined networking and security software:
  - Distributed Firewall: Allows centralized management of security policies for VMs and containers, enhancing isolation and access control across instances.
  - Load Balancing (LB): Auto-detects container creation, update, and termination within the Kubernetes cluster and provides dynamic load balancing across an application's replicas.
  - Network Visualization: Provides all-around data-flow monitoring and behavior analysis with enhanced visualization, supporting threat detection and compliance auditing.
With these capabilities, SmartX VCCI solution enables seamless VM-container interconnection while providing an efficient, visible, and manageable network security mechanism.
Use Cases
#1 “East-West Traffic” Security (Pod/VM to Pod)
With Everoute, users can allow only specific VMs/Pods to access target containers while blocking data flows from all other VMs or containers. In the chart below, for example, access to backend is restricted to apigateway and the rating service.

#2 “East-West Traffic” Security (Pod/VM to VM)
With Everoute, users can allow only specific VMs/Pods to access target VMs while blocking data flows from all other VMs or containers. In the chart below, for example, only apigateway is allowed to access the rating VM.

#3 “North-South” Security
With Everoute, users can allow a Pod to reach only trusted endpoints and block it from reaching any other network, including the internet. In the chart below, for example, the frontend service is allowed to reach only apigateway and coredns.
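To make the intent of use cases #1 and #3 concrete, here is the same allowlist written as standard Kubernetes NetworkPolicy objects. This is an added example and is not Everoute's policy format or code from the original page; the namespace, the `app` labels, the `k8s-app: kube-dns` label on CoreDNS and the `kubernetes.io/metadata.name` namespace label are assumptions (the last two are the kubeadm defaults), and the rating VM can only be named by its IP from the page, 192.168.28.213.

```yaml
# Added example (not Everoute's format): default-deny ingress for the
# namespace, then explicit allowlists. Labels and namespace are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}                 # selects every Pod in the namespace
  policyTypes: [Ingress]          # no ingress rules listed -> nothing allowed in
---
# Use case #1: backend accepts traffic only from apigateway and the rating VM.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-ingress
  namespace: default
spec:
  podSelector:
    matchLabels: {app: backend}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app: apigateway}
        - ipBlock:
            cidr: 192.168.28.213/32   # the rating VM; a plain IP literal, see note below
---
# Use case #3: frontend may talk only to apigateway and to CoreDNS on port 53.
# Once an Egress policy selects a Pod, every destination not listed is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-egress
  namespace: default
spec:
  podSelector:
    matchLabels: {app: frontend}
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels: {app: apigateway}
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
          podSelector:
            matchLabels: {k8s-app: kube-dns}
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
```

Two things this standard form cannot do, which is precisely the gap a unified VM/container policy closes. Use case #2 (only apigateway may reach the rating VM) has no NetworkPolicy equivalent at all, because a VM is not a Pod and no Kubernetes policy object selects it. And in use case #1 the VM appears only as an IP literal: the policy silently stops matching if the VM is re-addressed, and it cannot distinguish the rating service from anything else that later receives that address, whereas the Pods are selected by label, i.e. by workload identity. A practitioner should also verify the policy by attempting the denied paths (for example from a Pod with no `app` label to backend, and from frontend to an internet address) rather than only the permitted ones, since a CNI that does not enforce NetworkPolicy accepts these objects without error and enforces nothing.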

Customer Story
Background
A leading securities institution was advancing its self-developed middle-end systems to a cloud-native architecture to support core online services like account opening and online business operations. During the digital transformation, the institution mainly faced two challenges.
- To transform an integrated IT stack into a cloud-native architecture requires a step-by-step upgrade of core systems. However, as some legacy components could not be easily containerized, the institution needed to manage both virtualized and containerized workloads while ensuring the compatibility between components and the unified management of the two environments.
- As user numbers and business volumes surged, certain systems suffered from insufficient responsiveness and limited scalability, making it hard to handle high concurrency and large-scale data processing. To overcome these performance bottlenecks, the user needed a more elastic and scalable infrastructure.
To tackle these challenges, the institution aimed to achieve unified management and secure interoperability between VMs and containers while minimizing overall investment and configuration difficulty. Particular requirements included:
- As containers and VMs were foreseen to coexist for a long period and would interact frequently, the user demanded a reliable solution for network interconnection and unified security management.
- Support both VMs and containers on existing hardware to avoid additional investment.
- Manage both virtualized and containerized environments in a unified way to reduce the learning and O&M burden of the new IT stack.
Using SmartX VCCI to Bridge VMs and Containers While Ensuring Network Security

By adopting SmartX VCCI solution, the user can create both VMs and Kubernetes clusters within a single SmartX ECP cluster. This enables the deployment of virtualization-based applications (such as trading systems) alongside containerized applications (like online services). A flat network architecture ensures seamless communication between the two environments, while Everoute provides unified security policy management for both VMs and containers.
Features
- Unified Resource Pool: Support both virtualized and containerized applications on a unified resource pool, eliminating the need to purchase new hardware devices while maximizing utilization of hardware resources such as CPU, GPU, memory, storage, and networking.
- Virtualization-Driven Reliability: As SKS clusters are deployed on VMs, they combine container agility with virtualization features such as DRS, VM HA, rapid scaling, automated node recovery, and smooth upgrades/rollbacks.
- Unified Management of Network Security: Establish flat network connectivity between containers and external systems via integrated network security components and EIC plugin, enforcing granular network access policies for workloads at VM/container levels.
- Simplified O&M: Monitor and manage VMs, Kubernetes clusters, and applications via a single GUI. The network visualization plane gives the user insight into service dependencies and traffic status, enabling faster issue diagnosis and response.
Benefits
#1 Unified Management of Hybrid Computing
Optimize VM-container resource management with intelligent orchestration to ensure business stability and innovation.
- Unified Resource Orchestration: Integrate VM/container resources with centralized scheduling, monitoring and orchestration—maximizing compute efficiency and simplifying operations.
- Multi-Scenario Support: Run traditional and cloud-native applications side by side, enabling flexible migration and adaptive compute capacity for diverse workloads.
- Agile Development & Delivery: Accelerate application development, testing, and deployment via containerization, enhancing responsiveness and scalability.
#2 Flat Network Visualization and Secure Access Control
Enhance network stability and security through visualization, rapid fault localization, risk detection, and unified management.
- Real-Time Monitoring: Visualize network topology and dynamically monitor traffic, bandwidth, and device status to optimize resource utilization and prevent performance bottlenecks.
- Rapid Fault Localization: Utilize traffic anomaly detection and bottleneck analysis to quickly identify root causes of failures, reducing resolution time and improving operational efficiency.
- Security Risk Detection: Employ intelligent traffic analysis to monitor unauthorized access and malicious traffic in real time, providing automatic alerts to enhance security defenses.
- Unified Management and Visualization: Integrate security management for both virtual machine and container networks, centralizing configuration and monitoring to simplify operations and reduce the complexity of managing multiple platforms.
#3 Cost Reduction and Efficiency Improvement in IT Operations
Real-time monitoring and dynamic adjustment of IT resources optimize resource usage and improve business efficiency.
- Resource Utilization: Dynamically adjust computing, storage, and network resources to reduce idle capacity and over-provisioning, minimizing resource wastage.
- Business Performance Optimization: Automatically scale services during peak periods to ensure response times, with load detection and auto-failover to minimize downtime.
- Reduce O&M Costs: Intelligent monitoring and automated scheduling simplify management, with a unified platform reducing configuration and maintenance complexity.
- Increase Business Agility: Rapidly adapt to business changes without additional deployment or scaling, accelerating product iteration and market responses.
For more information on SmartX ECP, please refer to SmartX ECP Product Portfolio Brief.