
When would I choose IPTables over an Ambassador pattern for port forwarding?

Submitted by: @import:stackexchange-devops

Problem

In an environment of Secured Virtual Private Clouds, in a Cluster of Docker Containers, we have to set up some routes.

We can do that with the Ambassador pattern, which is simple and easy to maintain. (Docker does have some usage of IPTables under the hood, but from what I can see the Ambassador pattern uses socat, and not IPTables, to achieve its forwarding.)

We can set up NAT rules with IPTables to achieve a similar goal.

My question is: When would I choose IPTables over an Ambassador pattern for port forwarding?

Solution

iptables will probably scale better than socat because socat runs completely in user space. There's a common impression that iptables is hard to deal with, but I find it easier than most routers to fiddle with. There are a number of iptables wrappers available to make it easier to handle.

If you're willing to accept the performance hit of running in user space then consider haproxy over socat because it is intended to run over longer periods and provides statistics, failover, SSL termination, and lots of other conveniences.

Context

StackExchange DevOps Q#1253, answer score: 1
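
The two forwarding approaches compared in the answer, written out for one route as an added example that is not part of the original question or answer. The function names and the sample route (forwarder port 8080 to backend 10.0.1.20:80) are assumptions for illustration; the script only prints the commands and validates its inputs before they reach a rule.

```shell
#!/bin/sh
# Added example: prints (never executes) two ways to forward one TCP route.
# Addresses and ports are constructed sample values.

valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
  case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Reject anything that is not a plain port/IPv4 before it reaches a rule.
check_route() { valid_port "$1" && valid_ipv4 "$2" && valid_port "$3"; }

# User space (ambassador style): socat accepts each connection, forks, and
# copies bytes to the backend.
# usage: socat_forward LISTEN_PORT DEST_IP DEST_PORT
socat_forward() {
  check_route "$@" || return 2
  echo "socat TCP-LISTEN:$1,fork,reuseaddr TCP:$2:$3"
}

# Kernel space: the same route as netfilter NAT rules. PREROUTING only sees
# packets arriving from the network; MASQUERADE makes replies return through
# the forwarder, so the backend logs the forwarder's address (as with socat).
iptables_forward() {
  check_route "$@" || return 2
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport $1 -j DNAT --to-destination $2:$3
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d $2 --dport $3 -j MASQUERADE
EOF
}

# Constructed sample route: forwarder port 8080 -> backend 10.0.1.20:80
socat_forward 8080 10.0.1.20 80
iptables_forward 8080 10.0.1.20 80
```

Dropping the MASQUERADE rule preserves the client address at the backend, but then the backend's return route must pass through the forwarder.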
