Virtual container technology options for management, security
A comprehensive collection of articles, videos and more, hand-picked by our editors
As more organizations use container technology to deploy cloud applications, it seems containers and cloud will become joined at the hip. So it's no surprise that the three big cloud providers -- Amazon Web Services, Microsoft Azure and Google -- have their own container services on the market. However, these services are not created equal.
For the purposes of this article, Cloud Technology Partners, a cloud consulting firm based in Boston, performed an internal review of the Amazon Web Services (AWS), Google and Azure container services, polling consultants around the technology and examining use cases. The firm looked at several features that are important when evaluating or using cloud-based container services, including data management, scalability, performance, security, DevOps and integration with management and operations (results shown in Table 1). The uses cover development and operations -- in short, what you should experience if you build and deploy applications using each of these three technologies.
For the 1-5 scale, 1 is the lowest score and 5 is the highest. A designation of 1 means the technology does not provide support for the category at all, whereas 5 conveys that the technology meets most of the feature and function requirements for that category. One of the requirements we looked at for the DevOps category, is the ability for the container subsystem to support DevOps operations, or provide an integrated repository.
For enterprises evaluating Google, AWS or Azure container services, this article provides some of the basics. Individual application requirements should ultimately drive your final product decision.
Integration and data considerations
Azure Container Service (ACS) is based on Apache Mesos, an open source container orchestration system. That means you can make some good assumptions about the features and functions of ACS, considering the features and functions of Mesos, which pre-dates ACS. ACS, which is not generally available yet, is the newest of the three container services previously mentioned. Much will change as we obtain more data points around the Microsoft container offering going forward.
With the AWS EC2 Container Service (ECS), we're seeing a number of operational issues, such as the inability to monitor containers at a fine-grained level. When looking at ECS integration with management and ops, which should be as strong as any AWS offering, we had to knock it down to 4 points, relative to Google Container Engine (GKE)'s 5 points. ECS does, however, include CloudWatch integration, which could give it a leg up compared to ACS. Also, at this time, ACS supports Linux containers only. While Windows support is coming soon, as Microsoft ports Mesos over, .NET developers are left behind the curve for now.
On the data side of things, all of these services offer native data connections, without forcing the use of external APIs -- but there's room for improvement. One concern is they will bind containers with native data services and not provide open data access, which enhances portability. It's difficult to create portable containers if the data is tightly coupled to the containers. This is an emerging area that we're keeping an eye on for now.
AWS, Google and Azure container security
When considering security, we found Google's service, through its Kubernetes container orchestration system, has a "Secrets" functionality and some additional resource limitations that the other two services lack. As a result, GKE was given a higher ranking for security. Keep in mind that Microsoft also uses Kubernetes, but does so in different ways. Much of the technology itself is abstracted from the users.
However, when looking at the host platform -- or the public cloud platform where the container service resides -- it's interesting to note that the Google platform, when it comes to security, is less advanced in some ways than AWS or Azure. While Google can work with third-party identity access management (IAM) tools, it lacks native IAM support. Although this did not impact the rankings indicated in the table, it's something to consider as you move forward with any of these platforms.
DevOps and scalability
When it comes to DevOps, GKE and Amazon ECS have their own registries now, but Azure Container Service does not. Google and AWS provide better DevOps integration, when considering container services in their respective clouds.
Scalability is relative to the needs of your applications, so we made assumptions based upon the mechanisms they provide, such as Mesos, and some use cases that we see on projects. You can use the same approach when you look to these technologies to host and execute your containers. For instance, ACS, which uses Mesos, should provide fair scalability, but not as good as GKE, which provides better clustering capabilities.
Amazon ECS is known to provide quality scalability, driven largely by the highly scalable platform features that AWS brings to its container engine.
In summary, the Google offering is more advanced overall due largely to Google's tight integration with its own Kubernetes container cluster, and Google's development and operational support. However, Google is not so far ahead that AWS and Microsoft can't quickly catch up. Considering the hold that AWS has on the market, it will likely provide some better container tricks in the near future.
Note: Cloud Technology Partners' principal architects Mike Kavis, Sibu Kutty and Jonathan Baier contributed to this article.
An enterprise guide to Docker container technology
Would containers benefit my organization?
The top Docker container tips of 2015