1. Overview

Cloud Native Network Firewall (CNNF) is a Layer 4 network monitoring tool. CNNF automatically discovers how entities in your environment communicate, and shows the communication mesh on Radar. Radar has a container view, which shows the network topology for your containerized apps. Radar also has a host view, which shows the network topology for hosts.

2. Architecture

Defender monitors how your containers and hosts connect to each other in real-time.

Defender inspects connections before they’re set up. After a connection is established, traffic flows directly between source and destination without any further oversight from Defender.

Defender adds iptables rules to observe TCP’s three-way handshake. The three-way handshake sets up new connections using SYN messages. For each pod or container IP address, Defender adds an iptables rule with the target set to NFQUEUE. NFQUEUE is an iptables target which delegates the decision of how to handle a packet to a userspace program (in this case Defender). When SYN messages arrive, Defender evaluates them to track connections. From this vantage point, Defender can see all connections.

cnnf arch

The following screenshot shows the mesh Radar draws for a typical microservices app. Radar draws directed edges for each connection, and displays the associated port number. An instance count for each node shows how many copies of the image are running as containers. Black bubbles mean the runtime model is in enforcement mode. Blue bubbles mean the runtime model is in learning mode.

cnnf scenario1

3. Network objects

You might have resources that interact with external, non-containerized services. For example, a payment gateway might pass information to an external service to verify transactions.

Network objects represent sources and destinations. Network objects can represent container images, subnets, and hosts. You can create new network objects representing a range of IP addresses or a single IP. Radar shows any connections established to the network object:

cnnf scenario5

To create a network object, go to Defend > Firewalls > Cloud Native Network Firewall, click Add Network Object, and specify an IP address or subnet.

4. Enabling CNNF

CNNF runs in one of two modes: Disabled or Enabled.

Disabled

CNNF displays limited traffic flow data on Radar, including outbound connections to the Internet and connections local to the node iteself. By default, CNNF ships in the disabled state.

Enabled

CNNF monitors all connections, including connections across hosts and connections to any configured network objects.

  1. Open Console.

  2. Go to Defend > Firewalls > Cloud Native Network Firewall.

  3. Enable CNNF for hosts and containers.