Container-as-a-Service – CaaS provider comparison

A container service is provided by a cloud-computing provider and allows users to develop, test, execute, or distribute software in so-called application containers across IT infrastructures. Application containers are a concept from the Linux realm. The technology allows for virtualization at operating system level. Individual applications, including all dependencies (libraries, configurations files etc.) are executed as encapsulated instances. This enables the parallel operation of several applications with different requirements on the same operating system as well as deployment across different systems.

CaaS typically refers to a complete container environment, including orchestration tools, an image catalog (also called the registry), cluster management software, and a set of developer tools and APIs (Application Programming Interfaces). Billing is usually the rental model.

When choosing a CaaS service for use in enterprise, users should take the following questions into consideration:

• Which orchestration tools are available?
• Which file formats do container applications support?
• Is it possible to operate multi-container applications?
• How are the clusters managed when operating a container?
• What networks and storage functions are supported?
• Does the provider issue a private registry for container images?
• How well is the container runtime environment integrated with other cloud services?
• Which billing models are available?

CLaaS is aimed at developers and IT operations and enables the provision, management, and scaling of container-based applications in Kubernetes clusters. The functional spectrum includes:

• Managed cloud nodes with dedicated server resources 

• Individual management of clusters
• Full access to application containers
• User-defined orchestration 
• Professional support when using and creating container clusters in the cloud panel via 1&1 IONOS first level support.
• If you have any questions about Kubernetes or the installed solutions, the 1&1 IONOS Cloud Community will help you.

Cluster nodes are managed via the 1&1 IONOS cloud panel. In order to orchestrate container applications, CLaaS relies on the orchestrator, Kubernetes. Users can manage Kubernetes using the command line tool kubectl, or the Kubernetes dashboard can be installed as a user interface. 1&1 IONOS support cover the provision and management of the container cluster. Direct support for kubectl or the Kubernetes dashboard is not offered.

Via the 1&1 IONOS cloud panel, users have access to various third-party applications as one-click solutions. The portfolio includes the following software solutions.

The DockerHub online service can be integrated as a registry for Docker images.

To set up a dedicated container cluster, users select at least 3 virtual machines from the 1&1 IONOS IaaS platform and use them as master or worker nodes if desired.

The master node is responsible for the control, load distribution, and coordination of the container cluster. Container applications are executed in so-called pods on the worker nodes. If required, containers can also be started directly on the master node.

Cluster nodes for container hosting are available in six price categories with different features: M, L, XL, XXL, 3XL, and 4XL. The range extends from small cluster nodes with a processor core, 2 GB RAM and 50 GB SSD memory to professional machines with 12 processor cores, 32 GB RAM, and 360 GB SSD memory. A Linux system runs on all nodes.

Users only pay for the resources that they use. The operation of the containers and the use of one-click solutions (with the exception of autoscalers) do not incur any further costs. The selected configuration is billed to the minute.

Amazon ECS provides users with various interfaces that enable isolated applications in the Amazon Elastic Compute Cloud (EC2) in Docker containers. The CaaS service is technically based on the following cloud resources:

• Amazon-EC2-Instances (Amazon Elastic Compute Cloud Instances): Amazon EC2 is the scalable computing capacity of the Amazon cloud computing service, which is leased in the form of so-called “Instances.”

• Amazon S3 (Amazon Simple Storage): Amazon S3 is a cloud-based object storage platform.

• Amazon EBS (Amazon Elastic Block Store): Amazon EBS provides high-availability block storage volumes for EC2 Instances.

• Amazon RDS (Amazon Relational Database Service): Amazon RDS is a database service for managing the relational database engines Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and Microsoft SQL Server.

ECS only supports containers in Docker format.

Container management is handled by ECS by default using a proprietary orchestrator, which acts as a master and communicates with an agent on each node of the cluster that needs managing. Alternatively, an open source module is offered with Blox, which makes it possible to connect self-developed schedulers, as well as third-party tools such as Mesos in ECS. 

One of the strengths of the Amazon EC2 Container Service is its integration with other Amazon services, such as:

• AWS Identity and Access Management (IAM): AWS Identity and Access Management allows you to define user roles and groups, and to manage access to AWS resources by means of authorizations.

• Elastic Load Balancing: Elastic Load Balancing is a cloud-load balancer that automatically distributes incoming application traffic across multiple EC2 instances.

• AWS CloudTrail: AWS CloudTrail is a service that records all user activity and API calls within a cluster. This allows users to understand and analyze their processes as part of resource management and security analysis.

• Amazon CloudWatch: CloudWatch is Amazon’s service for monitoring cloud resources and applications. It is also available to AWS users to operate application containers.

• AWS CloudFormation: CloudFormation provides Amazon AWS users with a service that can be used to define templates for deploying AWS resources. It can be described as a container service in the form of a reusable JSON template. This includes the blueprint of the application, including the instances and storage capacities required for execution, as well as their interactions with other AWS services.

Amazon provides AWS users with private Docker repositories as part of the EC2 Container Registry (ECR) to carry out a central administration of their container images. Access to the registry can be managed using AWS IAM at resource level.

One disadvantage of the Amazon EC2 container service is that it restricts EC2 instances. Amazon’s CaaS service does not provide support for IT infrastructures outside of AWS – neither physically, nor virtually. Hybrid cloud scenarios, whereby multiple container applications are sometimes operated on the premises, are therefore just as impossible to run as a combination of the IT resources of different public cloud providers (multi-cloud). This is probably due to Amazon’s business model for the CaaS service: it is essentially free of charge through AWS. Users only pay for the provision of the cloud infrastructure, like a cluster of EC2 instances, which form the basis for operating container applications.

The Amazon EC2 container service at a glance

The following video shows a 5-minute tutorial on Amazon EC2 Container Service.

GKE relies on Google Compute Engine (GCE) resources and allows users to run container-based applications on Google Cloud Platform (GCP) clusters. However, users who have GKE are not just limited to the Google Cloud infrastructure: Kubernetes’ cluster federation system makes it possible to combine different computer cluster resources into a logical computing federation and, if necessary, create hybrid, multi-cloud environments.

Every cluster created with the GKE consists of a Kubernetes master endpoint which the Kubernetes API server runs on, and any number of worker nodes that service REST requests to the API servers, which support Docker containers.

While the master node monitors how resources are used and the cluster’s status, the contained applications are run on the worker node. If a worker node fails, the master distributes the tasks required for the application’s operation to other nodes.

GKE also supports the widely used Docker container format. To provide Docker images, users have a private container registry. A JSON-based syntax offers the option to define container services as templates.

Integration Kubernetes into GKE provides users with the following functions for orchestrating container applications:

• Automatic binpacking: Kubernetes automatically situates containers based on resource requirements and constraints so that the cluster is always optimally loaded. This prevents the availability of container applications from being compromised.

• Health checks with auto-repair: Kubernetes ensures that all accounts and containers work properly by running automatic health checks. Nodes or containers that do not respond are terminated and replaced by new ones.  

• Horizontal scaling: With Kubernetes, applications can be scaled up or down as required, either manually or using the command line on the graphic user interface, or automatically on the basis of CPU utilization.

• Service discovery and load-balancing: Kubernetes offers two modes for service discovery: services can be detected using environment variables and DNS records. Load balancing between different containers can be done using the IP address and DNS names.

• Storage orchestration: Kubernetes permits automatic storage on various storage systems – whether it is local storage, public cloud storage (via GCP or AWS), or network storage systems such as NFS, iSCSI, Gluster, Ceph or Flocker.

Similar to ECS in AWS, GKE is directly integrated into the Google Cloud platform so that container users have access to various features of the public cloud, in addition to the orchestration function range:

• Identity and Access Management: GKE’s IAM is implemented using Google Accounts and supports other role-based authorities.

• Stackdriver Monitoring: Google’s monitoring tool informs users about the performance, operating time, and state of cloud operations. To do this, Stackdriver collects monitoring metrics, events, and metadata, and prepares them in the form of a clear dashboard. As a data source, the tool supports the Google Cloud Platform, Amazon Web Services, and various applications, such as Cassandra, Nginx, Apache HTTP Server, and Elasticsearch.

• Stackdriver Logging: Google‘s logging tool allows users to store, monitor, and analyze log data and events. Stackdriver Logging supports the Google Cloud Platform and Amazon Web Services. 

• Container Builder: Through Container Builder, Google provides a tool for creating Docker images directly in the cloud. The application source code must first be loaded into Google Cloud Storage.

Google and Amazon have different plans in terms of pricing their CaaS services. A container management for clusters with up to five computer engine instances (nodes) is available to users free of charge. There are only costs for providing cloud services (CPU, memory etc.). If users want to run containers on larger clusters (six or more instances), Google also charges a usage fee for the container engine: pricing is per hour for a cluster.

Google Container Engine at a glance

The core component of the CaaS service from Microsoft is the Azure Container Engine, whose source code is available under the Open Source License on Github. The Azure Container Engine acts as a template generator that creates templates for the Azure Resource Manager (ARM). These can be managed using an API with one of the following orchestration tools: Docker Swarm, DC / OS and Kubernetes (since February 2017).

The choice of orchestrator depends primarily on the features available to ACS users when operating containment applications in the Azure cloud.

Mesosphere’s DC/OS Cluster Manager is part of the Azure Container Service, and needs to be combined with the orchestration platform Marathon to be used. This kind of structure provides users with the following functional spectrum:

• Web-based user interface: Administrating container clusters is done using Marathon’s web-based user interface orchestration.

• High availability: Marathon is run as an active/passive cluster. For each active node, a fully redundant passive node is provided, which can take over the tasks of a failed node should one appear.

• Service discovery and load balancing: DC/OS uses Marathon LB to provide a HAproxy-based load balancer and uses Mesos DNS, a DSN service-based discovery tool.

• Health checks: The status of an application can be queried through Marathon via http or TCP. Monitoring functions are available through a REST API, the command line or the web-based user interface.

• Metrics: Marathon provides detailed JSON-based metrics through an API, which can be accessed using monitoring tools such as Graphitehttps://graphiteapp.org/, statsD, or Datadog.

• Notification service: Those using DC/OS with Marathon in the Azure cloud have the option to reserve an HTTP endpoint for event-related notifications.

• Application groups: On request, containers can be grouped into so-called “pods,” which can be managed as self-contained units.

• Rule-based deployment: Restrictions allow you to define precisely where and how applications are distributed into the cluster.

In the Docker-Swarm version, ACS relies on the Docker stack, using the same open source technologies as the Dockers Universal Control Place (a basic component of the Docker Datacenter). Implemented in the Azure Container Service, Docker Swarm provides the following functionality for scaling and orchestrating container applications:

• Docker Compose: Docker’s solution for multi-container applications allows multiple containers to be linked together and centrally managed with a single command. Any number of containers, including all dependencies, are outlined in a control file based on the award language YAML.

• Control via the command line: The Docker CLI (command line interface) and the multi-container tool Docker Compose enable the direct administration of container clusters via the command line.  

• REST API: The Docker Remote API provides access to various third-party Docker ecosystem tools.

• Rule-based Deployment: The distribution of Docker containers in the cluster can be managed using labels and restrictions.  

• Service Discovery: Docker Swarm offers users a diverse range of service discovery functions.

Since February 2017, ACS users have also been able to access the orchestrator Kubernetes to automate administrating container applications, as well as deploying and scaling Azure clusters. Thanks to an implementation by ACS, Kubernetes provides all basic functions listed in the Google Container Engine section.

ACS is also integrated directly into the Azure cloud service:

• Azure Portal and Azure CLI 2.0: Users configure container clusters using the Azure portal – the central user interface for the cloud platform – or the command line interface Azure CLI 2.0.

• Azure Container Registry: The Azure Container Registry also provides Microsoft users with a private repository to deploy Docker images.

• Operations Management Suite (OMS): Monitoring and logging options for container services are provided by Microsoft Operations Management Suite (OMS).

• Azure Stack: Azure Stack can be used to help create a container operation in hybrid cloud environments.

Additionally, Microsoft has extended the ACS to include CI/CD (continuous integration and deployment) capabilities for multi-container applications, designed with Visual Studio Team Services, or the open source tool Visual Studio Code.

Identity and access management are controlled by Active Directory, whose basic functions are available free of charge to users up to a limit of 500,000 directory objects. Similar to Amazon ECS, the Azure Container Service does not incur any costs for using the container tools. Fees are only charged for using the infrastructure.

An overview of the Microsoft Azure Container Service

The following video show how to operate Docker containers on the Azure platform:

To be able to compare the aforementioned CaaS providers, we have compared them in the following table with the usual selection criteria that users have:

As an alternative to CaaS, you can keep your container tools on-site, i.e. on the premises. Both options have advantages and disadvantages.

Those who are against cloud computing services usually cite security concerns. Indeed, companies with a container environment in their own data center have the greatest possible control over their information. This includes maximum flexibility when selecting hardware and software components (underlying servers, runtime environment, operating systems, and management tools), as well as the certainty that all data is processed and stored exclusively within the company.

However, having this decision-making freedom means you need far more employees and will incur greater costs in the provision and maintenance of the container environment. Costly installations in data centers often require high investments. Whether these will be profitable in the long run can be uncertain. A cloud-based container environment on the other hand, makes it possible to provide new applications and software functions quickly and cost-effectively. Within the framework of CaaS, users only pay for the services that they actually use. Advance payments are unnecessary. This is particularly true for smaller companies, startups, and the self-employed, who need to be able to achieve their projects with manageable budgets.

Like other cloud services, CaaS allows for outsourcing your IT infrastructure to specialized service providers, who ensure that the technical foundations are always up-to-date and work flawlessly. Together with the billing model based on use, CaaS is aimed at companies with a high development and innovation pace. Companies opting for an on-premises solution forgo the flexibility and scalability that cloud providers offer their customers.

In addition, it is not always the case that data in a data center is safer than data in the cloud. For small and medium-sized enterprises, it is usually impossible to provide an IT infrastructure that can compete with established public cloud providers’ data centers in terms of availability, data security, and compliance.

Advantages and disadvantages of the CaaS model

Advantages and disadvantages of self-hosted container platforms