Network isolation and security
Isolation with network namespaces
Each container endpoint is placed in its own network namespace. The management host vNIC and the host network stack are located in the default network namespace. To enforce network isolation between containers on the same host, a network namespace is created for each Windows Server container and for each container running under Hyper-V isolation, and the container's network adapter is installed into that namespace. Windows Server containers use a host vNIC to attach to the virtual switch. Hyper-V isolation uses a synthetic VM NIC (not exposed to the utility VM) to attach to the virtual switch.
Depending on which container and network driver is used, port ACLs are enforced by a combination of the Windows Firewall and VFP.
Windows Server containers
These use the Windows host's firewall (enlightened with network namespaces) as well as VFP:
- Default Outbound: ALLOW ALL
- Default Inbound: ALLOW ALL unsolicited network traffic for TCP, UDP, ICMP, and IGMP
- DENY ALL other network traffic not from these protocols
Prior to Windows Server, version 1709 and Windows 10 Fall Creators Update, the default inbound rule was DENY ALL. Users running these older releases can create inbound ALLOW rules with docker run -p (port forwarding).
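The following PowerShell script is an added example, not part of the original page or Microsoft's own tooling. It publishes a container port with docker run -p and then inspects the resulting HNS endpoint policies on the host, so that the port ACL actually applied can be checked rather than assumed. It assumes Docker with the Windows daemon on the host, the HostNetworkingService PowerShell module (Get-HnsEndpoint, shipped with Windows Server 2019 / Windows 10 1809 and later), and that the endpoint object follows the HNS V1 schema (ID and Policies properties, policy Type values NAT and ACL). The image name is a placeholder.

```powershell
# Added example (not from the original page): publish a container port and then
# inspect the HNS endpoint policies that implement the port ACL on the host.
# Assumptions: Docker running the Windows daemon, and the HostNetworkingService
# module (Get-HnsEndpoint) from Windows Server 2019 / Windows 10 1809 or later.
# Property names (ID, Policies, Type) follow the HNS V1 schema.
# Run from an elevated PowerShell session.

$image = 'example.invalid/windows-web:placeholder'   # placeholder: use your own image
$name  = 'web-demo'

# Publish host port 8080 -> container port 80 on the default NAT network.
# On releases before Windows Server, version 1709 / Windows 10 Fall Creators
# Update this mapping is also what creates the inbound ALLOW rule for the port.
docker run -d --name $name -p 8080:80 $image | Out-Null

# Docker's own record of the mapping.
docker inspect --format '{{json .NetworkSettings.Ports}}' $name

# On Windows, Docker's EndpointID is the HNS endpoint ID, so the two can be joined.
$endpointId = docker inspect --format '{{.NetworkSettings.Networks.nat.EndpointID}}' $name
$endpoint   = Get-HnsEndpoint | Where-Object { $_.ID -eq $endpointId }

if (-not $endpoint) {
    throw "No HNS endpoint found for container '$name' (endpoint id '$endpointId')."
}

# NAT policies carry the port mapping; ACL policies (if any) carry explicit
# allow/deny rules. An endpoint with no ACL policies is running with the
# defaults described above: ALLOW ALL outbound, ALLOW ALL unsolicited inbound
# TCP/UDP/ICMP/IGMP, DENY everything else.
$endpoint.Policies | Where-Object { $_.Type -in 'NAT', 'ACL' } | Format-List *

# Clean up the test container.
docker rm -f $name | Out-Null
```

The useful part is the join between Docker's EndpointID and Get-HnsEndpoint: docker port or docker inspect only show what Docker asked for, while the endpoint's Policies array shows what HNS and VFP are actually enforcing for that container, which is what to check when a port appears unexpectedly open or closed.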
Containers running in Hyper-V isolation have their own isolated kernel and therefore run their own instance of Windows Firewall with the following configuration:
- Default ALLOW ALL in both Windows Firewall (running in the utility VM) and VFP
In a Kubernetes pod, an infrastructure container is first created to which an endpoint is attached. Containers that belong to the same pod, including infrastructure and worker containers, share a common network namespace (same IP and port space).
Customizing default port ACLs
If you want to modify the default port ACLs, please read our Host Networking Service documentation first (link to be added soon). You'll need to update policies inside the following components:
For Hyper-V isolation in Transparent and NAT mode, you currently can't reprogram the default port ACLs. This is reflected by an "X" in the table.
| Network driver | Windows Server containers | Hyper-V isolation |