How VKS works?
Below are the current concepts being provided to you by VKS:
1. Public Cluster
When you create a Public Cluster with Public Node Group , the VKS system will:
Create a VM with Floating IP (ie Public IP). Now these VMs (Nodes) can directly join the K8S cluster through this Public IP. By using Public Cluster and Public Node Group, you can easily create Kubernetes clusters and expose services without using Load Balancer. This will contribute to cost savings for your cluster.
When you create a Public Cluster with a Private Node Group , the VKS system will:
Create VM without Floating IP (ie without Public IP). At this time, these VMs (Nodes) cannot join the K8S cluster directly. In order for these VMs to join the K8S cluster, you need to use a NAT Gateway ( NATGW ). NATGW acts as a relay station, allowing VMs to connect to the K8S cluster without needing a Public IP. With VNG Cloud, we recommend you use Pfsense or Palo Alto as a NATGW for your Cluster. Pfsense will help you manage incoming and outgoing network traffic (inbound and outbound traffic) effectively, ensuring network security and access management. Besides, using Private Node Group will help you control applications in the cluster more securely, specifically you can limit control plane access rights through the Whitelist IP feature.
2. Private Cluster
When you create a Public Cluster with Public/Private Node Group , the VKS system will:
To enhance the security of your cluster, we have introduced the private cluster model. The Private Cluster feature helps make your K8S cluster as secure as possible, all connections are completely private from the connection between nodes to the control plane, the connection from the client to the control plane, or the connection from nodes to products. Other services in VNG Cloud such as: vStorage, vCR, vMonitor, VNGCloud APIs,...Private Cluster is the ideal choice for services that require strict access control, ensuring compliance with security regulations and data privacy.
3. Comparison between using Public Cluster and Private Cluster
Below is a comparison table between creating and using Public Cluster and Private Cluster on the VKS system:
Criteria | Public Cluster | Private Cluster |
Connect | Use Public IP addresses to communicate between nodes and control plane, between clients and control plane, between nodes and other services in VNG Cloud. | Use Private IP addresses to communicate between nodes and control plane, between clients and control plane, between nodes and other services in VNG Cloud. |
Security | Medium security since connections use Public IP. | Higher security with all connections private and limited access. |
Access management | More difficult to control, access can be managed through the Whitelist feature | Strict access control, all connections are within VNG Cloud's private network, thereby minimizing the risk of external network attacks. |
Scalability (AutoScaling) | Easily scalable through Auto Scaling feature . | Easily scalable through Auto Scaling feature . |
AutoHealing | Automatically detect errors and restart the node ( Auto Healing ) | Automatically detect errors and restart the node ( Auto Healing ) |
Accessibility from outside | Easy access from anywhere with internet. | Access from outside must be through other security solutions. |
Configuration and deployment | Simpler because it does not require setting up an internal network. | More complex, requires private and secure network configuration. |
Cost | Usually lower because there is no need to set up a complex security infrastructure. | Higher cost due to additional security and management components required. Specifically, when using a private cluster, you need to pay for 4 automatically created private service endpoints to connect to services on VNG Cloud. |
Flexibility | High, easy to change and access services. | More flexible in applications that require security, but less flexible for applications that require external access. |
Therefore:
Public Cluster : Suitable for applications that do not require high security and need flexibility and access from multiple locations. Easy to deploy and manage but has higher security risks.
Private Cluster : Suitable for applications that require high security, strictly complying with security and privacy regulations. Provides stable and secure connectivity, but requires more complex configuration and management, as well as higher costs.
Last updated