Does Gatekeeper Really Supports Cloud and/or Virtualized Environment?

[hzc12321]

In the link below, I see multiple options for the environment setup, which includes AWS EC2 and KVM.

However, in the Hardware Requirements page, it has been mentioned that "...we have run into several issues with virtual machines, so at this point, we consider them unsupported". The “Cloud Deployment" milestone has also not been completed.

So, are these "Setup on EC2" and "Setup on Virtual Machine" guides reliable? I don't want to run into those several issues.

My wild guess trying to understand the underlying meaning is that dedicated hardware should be used for production environment, and it's okay to test in small-scale on Cloud or virtualized environment. Correct me if I'm wrong.

Can anyone give me more insights or clarifications on this please? Thank you.

[hzc12321]

Links mentioned are as follows :
"...which includes AWS EC2 and KVM" : https://github.com/AltraMayor/gatekeeper/wiki/Experimenting-with-Gatekeeper
Hardware Requirements page : https://github.com/AltraMayor/gatekeeper/wiki/Hardware-Requirements
“Cloud Deployment" milestone : https://github.com/AltraMayor/gatekeeper/milestone/5

[AltraMayor]

Short answer

You should deploy Gatekeeper on bare metal, no matter your deployment's size or purpose.

Long answer

Several challenges in virtual environments make these environments unsuitable for deploying Gatekeeper.

Virtual NICs. While Gatekeeper has software fallbacks for NICs lacking hardware support for some features, Gatekeeper requires NICs to support multiqueues and RSS over source and destination IP addresses. I'm not aware of a virtual NIC that meets this minimum requirement. If a virtual NIC supports multiqueues, a workaround is to have a single instance of the GK functional block. However, this solution comes with serious performance drawbacks when it works.

Network limitations. These limitations may not be documented and may be hard to identify. For some examples of these limitations, see section "2.4.2.2 AWS EC2" of Cody Doucette's PhD Thesis, which is available on our Publications page in our wiki.

Many cloud providers do not support BGP announcements. If one can overcome both challenges above, this hurdle limits one to select cloud providers.

Finally, the primary concern of Gatekeeper deployers is meeting peak attack capacity, so the current priority is higher performance enabled by hardware to reduce the cost of the infrastructure. Therefore, no one is currently working on supporting virtualization.

[hzc12321]

Understood, thanks for the detailed explanation.