Table of Contents
- Introduction
- Understanding the Virtual Application Network
- The Heart of the System: Skupper Router
- Communication Flows and Protocols
- Configuration Management and Control
- Security and Authentication
- Deployment Patterns and Topologies
- Service Discovery and Load Balancing
- Observability and Monitoring
- Architectural Evolution
- Deployment Considerations
- Conclusions
Introduction
In today’s technological landscape, organizations increasingly find themselves managing distributed applications across multiple cloud infrastructures, private data centers, and edge environments. This complexity has given rise to new challenges in ensuring secure and reliable communications between geographically distributed services. Skupper emerges as an innovative solution that redefines the concept of application networking through the Virtual Application Network paradigm.
One of Skupper’s key strengths lies in its simplicity and accessibility. Unlike traditional networking solutions that require complex administrative privileges and extensive infrastructure modifications, Skupper can be deployed with minimal overhead and standard user permissions. The platform demonstrates remarkable versatility by running seamlessly across diverse environments including Kubernetes clusters, Podman containers, and bare metal edge devices, making it an ideal choice for heterogeneous infrastructure deployments.
Skupper operates in the networking stack between Layer 4 (transport) and Layer 7 (application), providing intelligent application-aware routing while maintaining the reliability and performance characteristics of lower-level protocols. This positioning allows it to understand service semantics while abstracting the underlying network complexity, creating a unique value proposition in the modern networking landscape.
To facilitate understanding of this complex architecture, this article is accompanied by a series of detailed diagrams that illustrate different aspects of the system: from general architecture to communication flows, from security models to deployment patterns. These diagrams provide complementary visual representations to the technical descriptions, making advanced architectural concepts more accessible.
Understanding the Virtual Application Network
At the core of Skupper’s architecture lies the concept of Virtual Application Network, a virtual network that abstracts the complexity of the underlying infrastructure to provide direct and secure connectivity between applications. Unlike traditional VPN solutions that operate at the network level, Skupper works at the application level, creating an intelligent communication fabric that semantically understands services and their interactions.
The Virtual Application Network distinguishes itself from traditional TCP/IP-based solutions by eliminating the need for complex network configurations, firewall rule management, and exposed public endpoints. While traditional networking requires careful coordination of IP addressing, routing tables, and security policies across multiple environments, Skupper’s VAN creates a service-centric overlay that abstracts these concerns entirely.
The following diagram illustrates the general architecture of a Virtual Application Network extending across multiple cloud infrastructures, showing how different components collaborate to create a unified communication plane:
skupperv2alpha1.Site] RA[Skupper Router A
Interior Mode
AMQP 1.0] SCA[Service Controller A
skupper-service-controller] subgraph "Application Services A" APPA1[Frontend Service] APPA2[API Gateway] PODA1[Pod A1] PODA2[Pod A2] end subgraph "Configuration A" CMA[ConfigMap
Router Config JSON] SECA[Secrets
TLS Certificates] end SA --> RA SCA --> CMA SCA --> SECA CMA --> RA SECA --> RA RA <--> APPA1 RA <--> APPA2 APPA1 --> PODA1 APPA2 --> PODA2 end subgraph "Ingress/Gateway A" ING_A[LoadBalancer/Ingress
TLS Termination] GW_A[Gateway API
skupper-router-access] end RA --> ING_A ING_A --> GW_A end end subgraph "Cloud Provider B" subgraph "Kubernetes Cluster B" subgraph "Namespace B" SB[Site B
skupperv2alpha1.Site] RB[Skupper Router B
Interior Mode
AMQP 1.0] SCB[Service Controller B
skupper-service-controller] subgraph "Application Services B" APPB1[Database Service] APPB2[Analytics Service] PODB1[Pod B1] PODB2[Pod B2] end subgraph "Configuration B" CMB[ConfigMap
Router Config JSON] SECB[Secrets
TLS Certificates] end SB --> RB SCB --> CMB SCB --> SECB CMB --> RB SECB --> RB RB <--> APPB1 RB <--> APPB2 APPB1 --> PODB1 APPB2 --> PODB2 end subgraph "Ingress/Gateway B" ING_B[Route/Ingress
TLS Termination] GW_B[Gateway API
skupper-router-access] end RB --> ING_B ING_B --> GW_B end end subgraph "Edge Location" subgraph "Edge Cluster" subgraph "Namespace C" SC[Site C
skupperv2alpha1.Site] RC[Skupper Router C
Edge Mode
AMQP 1.0] SCC[Service Controller C
skupper-service-controller] subgraph "Application Services C" APPC1[IoT Service] APPC2[Edge Analytics] PODC1[Pod C1] PODC2[Pod C2] end subgraph "Configuration C" CMC[ConfigMap
Router Config JSON] SECC[Secrets
TLS Certificates] end SC --> RC SCC --> CMC SCC --> SECC CMC --> RC SECC --> RC RC <--> APPC1 RC <--> APPC2 APPC1 --> PODC1 APPC2 --> PODC2 end end end subgraph "Network Observer" NO[Network Observer
Telemetry Collection] CON[Skupper Console
Web UI] PROM[Prometheus Metrics
Port 9090] NO --> CON NO --> PROM end end %% Inter-Router Connections GW_A -.->|"Inter-Router Link
AMQP 1.0 over TLS
Mutual Authentication"| GW_B GW_B -.->|"Inter-Router Link
AMQP 1.0 over TLS
Mutual Authentication"| GW_A %% Edge Connections RC -.->|"Edge Connection
AMQP 1.0 over TLS
Outbound Only"| GW_A RC -.->|"Edge Connection
AMQP 1.0 over TLS
Outbound Only"| GW_B %% Monitoring Connections NO -.->|"Telemetry Collection
AMQP Management"| RA NO -.->|"Telemetry Collection
AMQP Management"| RB NO -.->|"Telemetry Collection
AMQP Management"| RC %% Service Communication Examples APPA1 -.->|"Service Call
via VAN"| APPB1 APPA2 -.->|"Service Call
via VAN"| APPB2 APPC1 -.->|"Service Call
via VAN"| APPA1 %% Styling classDef siteBox fill:#e3f2fd,stroke:#1565c0,stroke-width:2px classDef routerBox fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px classDef controllerBox fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px classDef appBox fill:#fff8e1,stroke:#f57c00,stroke-width:2px classDef configBox fill:#fce4ec,stroke:#c2185b,stroke-width:2px classDef infraBox fill:#f1f8e9,stroke:#558b2f,stroke-width:2px classDef observabilityBox fill:#ede7f6,stroke:#5e35b1,stroke-width:2px class SA,SB,SC siteBox class RA,RB,RC routerBox class SCA,SCB,SCC controllerBox class APPA1,APPA2,APPB1,APPB2,APPC1,APPC2 appBox class CMA,CMB,CMC,SECA,SECB,SECC configBox class ING_A,ING_B,GW_A,GW_B,PODA1,PODA2,PODB1,PODB2,PODC1,PODC2 infraBox class NO,CON,PROM observabilityBox
The Skupper Virtual Application Network distinguishes itself by its ability to operate without requiring modifications to existing applications or opening ports in the perimeter network. This approach eliminates many of the complexities associated with configuring traditional VPN tunnels and significantly reduces the attack surface for potential security threats.
The Heart of the System: Skupper Router
The fundamental element of Skupper’s architecture is the router, a high-performance software component based on the AMQP 1.0 protocol. This router represents a specialized fork of the qpid-dispatch project, optimized specifically for Skupper use cases and the needs of modern multi-cloud networking.
The Skupper router implements sophisticated routing logic that goes beyond simple packet forwarding. Each router maintains a complete view of the network topology and uses advanced algorithms to determine optimal paths for message delivery. This distributed intelligence enables the system to automatically adapt to changes in network topology, such as adding new sites or temporary loss of connectivity.
From an architectural perspective, Skupper routers can operate in different modes. Interior routers represent complete network nodes that actively participate in routing protocols and can serve as transit points for traffic destined for other nodes. Edge routers, on the other hand, are designed for lighter deployments and connect to interior routers to gain access to the wider network, without providing transit capabilities.
Communication Flows and Protocols
To fully understand the architecture’s operation, it’s essential to analyze communication flows between different system components. The following diagram illustrates the temporal sequence of interactions, from connection establishment phases to operational application communications:
(Frontend) participant RA as Router A
(Interior) participant TLS_A as TLS Gateway A
(LoadBalancer) participant TLS_B as TLS Gateway B
(Ingress) participant RB as Router B
(Interior) participant App2 as Application B
(Database) participant RC as Router C
(Edge) participant App3 as Application C
(IoT) participant NO as Network Observer Note over RA,RB: Inter-Router Link Establishment RA->>TLS_A: Bind Listener (Port 5671) TLS_A->>TLS_B: TLS Handshake + Client Cert TLS_B->>RB: AMQP Open (Inter-Router) RB->>TLS_B: AMQP Open Response TLS_B->>TLS_A: SASL EXTERNAL Auth TLS_A->>RA: Connection Established Note over RA,RB: Routing Protocol Exchange RA->>RB: Link State Update (LSU) RB->>RA: Mobile Address Update (MAU) RA->>RB: Router Advertisement (RA) Note over RC,RA: Edge Connection RC->>TLS_A: Outbound Connection (Edge Role) TLS_A->>RA: AMQP Open (Edge) RA->>TLS_A: AMQP Open Response Note over App1,App2: Service Discovery & Exposure App2->>RB: Service Registration RB->>RA: Address Propagation (MAU) RA->>RC: Address Propagation (MAU) Note over App1,App2: Application Communication App1->>RA: HTTP Request (to Database Service) RA->>TLS_A: AMQP Message (Transfer) TLS_A->>TLS_B: Encrypted AMQP over TLS TLS_B->>RB: AMQP Message (Transfer) RB->>App2: HTTP Request Delivery App2->>RB: HTTP Response RB->>TLS_B: AMQP Message (Settlement) TLS_B->>TLS_A: Encrypted AMQP over TLS TLS_A->>RA: AMQP Message (Settlement) RA->>App1: HTTP Response Delivery Note over App3,App1: Edge to Interior Communication App3->>RC: Service Request RC->>TLS_A: AMQP Message via Edge Link TLS_A->>RA: Message Processing RA->>App1: Service Request Delivery Note over NO,RA: Telemetry Collection NO->>RA: AMQP Management Query RA->>NO: Router Statistics NO->>RB: AMQP Management Query RB->>NO: Router Statistics NO->>RC: AMQP Management Query RC->>NO: Router Statistics Note over RA,RB: Health Monitoring loop Every 30 seconds RA->>RB: Link State Heartbeat RB->>RA: Link State Heartbeat end Note over RA,RB: Load Balancing App1->>RA: Service Request (Round Robin) RA->>RB: Route to Least Loaded Instance RB->>App2: Deliver to Available Endpoint
The diagram shows how the AMQP 1.0 protocol is used not only for transporting application messages but also for managing routing protocols, authentication, and monitoring. This protocol unification reduces operational complexity and improves system observability.
Configuration Management and Control
Skupper infrastructure management is handled by a controller component that implements the reconciliation pattern typical of the Kubernetes ecosystem. This controller continuously monitors the desired configuration state, specified through Custom Resource Definitions, and works to maintain alignment between desired and actual infrastructure state.
The controller manages dynamic router configuration through a ConfigMap-based mechanism containing configuration in JSON format. This configuration includes listener definitions, connectors, SSL profiles, and routing rules. The reconciliation process ensures that any configuration changes are automatically propagated to all interested components.
Certificate management represents a critical aspect of the architecture. Skupper implements a flexible Public Key Infrastructure that allows users to provide their own certificates when necessary, while maintaining the ability to automatically generate certificates for simpler scenarios. Certificates are managed through Kubernetes secrets and used to establish secure TLS connections between routers.
Security and Authentication
Skupper’s security architecture is designed around the zero-trust principle, where every communication must be authenticated and encrypted. The system uses the SASL EXTERNAL authentication mechanism for mutual TLS authentication, ensuring that every connection is bidirectionally authenticated using X.509 certificates.
The security model implements multiple layers of protection, from Certificate Authority management for each site to the use of dedicated SSL profiles for each connection type. The following diagram illustrates the complete PKI structure and access control mechanisms:
skupper-site-ca] SERVER_A[Server Cert A
skupper-site-server] CLIENT_A[Client Cert A
skupper-local-client] CA_A --> SERVER_A CA_A --> CLIENT_A end subgraph "Site B PKI" CA_B[Site CA B
skupper-site-ca] SERVER_B[Server Cert B
skupper-site-server] CLIENT_B[Client Cert B
skupper-local-client] CA_B --> SERVER_B CA_B --> CLIENT_B end subgraph "Cross-Site Trust" TRUST[Certificate Exchange
Inter-Site Trust] CA_A -.-> TRUST CA_B -.-> TRUST end end subgraph "Security Layers" subgraph "Transport Security (TLS)" TLS_MUTUAL[Mutual TLS Authentication
X.509 Certificate Validation] TLS_ENCRYPT[End-to-End Encryption
AES-256 / ChaCha20-Poly1305] TLS_MUTUAL --> TLS_ENCRYPT end subgraph "AMQP Security" SASL_EXT[SASL EXTERNAL
Certificate-based Auth] AMQP_AUTH[AMQP Authentication
Container Identity] SASL_EXT --> AMQP_AUTH end subgraph "Application Security" SVC_MESH[Service Mesh Layer
L7 Security Policies] RBAC_K8S[Kubernetes RBAC
Resource Access Control] SVC_MESH --> RBAC_K8S end end subgraph "Router A Security Context" RA_SEC[Router A Security] RA_LISTENER[Listener Security
Port 5671 AMQPS] RA_CONNECTOR[Connector Security
Outbound TLS] RA_PROFILE[SSL Profile
skupper-local-server] RA_SEC --> RA_LISTENER RA_SEC --> RA_CONNECTOR RA_SEC --> RA_PROFILE SERVER_A --> RA_PROFILE CLIENT_A --> RA_CONNECTOR end subgraph "Router B Security Context" RB_SEC[Router B Security] RB_LISTENER[Listener Security
Port 5671 AMQPS] RB_CONNECTOR[Connector Security
Outbound TLS] RB_PROFILE[SSL Profile
skupper-local-server] RB_SEC --> RB_LISTENER RB_SEC --> RB_CONNECTOR RB_SEC --> RB_PROFILE SERVER_B --> RB_PROFILE CLIENT_B --> RB_CONNECTOR end subgraph "Secure Communication Flow" HANDSHAKE[TLS Handshake
1. ClientHello
2. ServerHello + Cert
3. Client Cert
4. Key Exchange] VALIDATION[Certificate Validation
1. Chain Verification
2. Hostname Matching
3. Expiry Check
4. Revocation Check] SESSION[Secure Session
1. Symmetric Key Derivation
2. AMQP Channel Encryption
3. Message Authentication] HANDSHAKE --> VALIDATION VALIDATION --> SESSION end subgraph "Access Control" subgraph "Kubernetes RBAC" SA_ROUTER[ServiceAccount
skupper-router] ROLE_ROUTER[Role
skupper-router] BINDING[RoleBinding
Resource Access] SA_ROUTER --> BINDING ROLE_ROUTER --> BINDING end subgraph "Skupper Policies" LINK_ACCESS[LinkAccess Policy
Inter-Site Connectivity] SVC_EXPOSURE[Service Exposure
Allowed Services] NET_POLICY[Network Policy
Traffic Isolation] LINK_ACCESS --> SVC_EXPOSURE SVC_EXPOSURE --> NET_POLICY end end %% Security Flow Connections RA_CONNECTOR -.->|"Mutual TLS
Client Cert Auth"| RB_LISTENER RB_CONNECTOR -.->|"Mutual TLS
Client Cert Auth"| RA_LISTENER TLS_MUTUAL -.-> HANDSHAKE SASL_EXT -.-> VALIDATION %% Trust Relationships TRUST -.->|"Cross-Site
Certificate Trust"| TLS_MUTUAL BINDING -.->|"Resource
Authorization"| RA_SEC BINDING -.->|"Resource
Authorization"| RB_SEC %% Styling classDef caBox fill:#ffebee,stroke:#c62828,stroke-width:2px classDef securityBox fill:#e8eaf6,stroke:#3f51b5,stroke-width:2px classDef routerSecBox fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px classDef flowBox fill:#e0f2f1,stroke:#00796b,stroke-width:2px classDef accessBox fill:#fff3e0,stroke:#f57c00,stroke-width:2px classDef trustBox fill:#fce4ec,stroke:#ad1457,stroke-width:2px class CA_A,CA_B,SERVER_A,SERVER_B,CLIENT_A,CLIENT_B caBox class TLS_MUTUAL,TLS_ENCRYPT,SASL_EXT,AMQP_AUTH,SVC_MESH,RBAC_K8S securityBox class RA_SEC,RA_LISTENER,RA_CONNECTOR,RA_PROFILE,RB_SEC,RB_LISTENER,RB_CONNECTOR,RB_PROFILE routerSecBox class HANDSHAKE,VALIDATION,SESSION flowBox class SA_ROUTER,ROLE_ROUTER,BINDING,LINK_ACCESS,SVC_EXPOSURE,NET_POLICY accessBox class TRUST trustBox
Inter-router connections exclusively use encrypted TLS channels, with each router presenting its own certificate during the connection handshake. This architecture eliminates the need for pre-shared keys or other more fragile authentication mechanisms.
Regarding external cluster access, Skupper supports multiple service exposure strategies. It can integrate with LoadBalancers, OpenShift Routes, standard Kubernetes Ingress Controllers, and more recently with the Gateway API. This flexibility allows adaptation of deployments to specific security policies and underlying infrastructure capabilities.
Deployment Patterns and Topologies
Skupper supports various deployment topologies to adapt to different architectural scenarios. Supported topological patterns include full mesh configurations for high availability scenarios where every site needs direct connectivity with all others, hub-and-spoke topologies for centralized architectures with many edge sites, and multi-tier hierarchical deployments that reflect enterprise infrastructure organizational structure.
The following diagram illustrates these different approaches and their specific characteristics in detail:
Interior Mode
Full Routing Table] APPA1[Applications A] RA1 <--> APPA1 end subgraph "Site B1" RB1[Router B
Interior Mode
Full Routing Table] APPB1[Applications B] RB1 <--> APPB1 end subgraph "Site C1" RC1[Router C
Interior Mode
Full Routing Table] APPC1[Applications C] RC1 <--> APPC1 end subgraph "Site D1" RD1[Router D
Interior Mode
Full Routing Table] APPD1[Applications D] RD1 <--> APPD1 end %% Full mesh connections RA1 -.->|"Inter-Router Link
Direct Connection"| RB1 RA1 -.->|"Inter-Router Link
Direct Connection"| RC1 RA1 -.->|"Inter-Router Link
Direct Connection"| RD1 RB1 -.->|"Inter-Router Link
Direct Connection"| RC1 RB1 -.->|"Inter-Router Link
Direct Connection"| RD1 RC1 -.->|"Inter-Router Link
Direct Connection"| RD1 end subgraph "Topology Pattern 2: Hub and Spoke (Interior + Edge)" subgraph "Hub Sites" subgraph "Hub A" RA2[Router A
Interior Mode
Hub Router] APPA2[Core Applications A] RA2 <--> APPA2 end subgraph "Hub B" RB2[Router B
Interior Mode
Hub Router] APPB2[Core Applications B] RB2 <--> APPB2 end RA2 -.->|"Inter-Router Link
Hub-to-Hub"| RB2 end subgraph "Spoke Sites (Edge)" subgraph "Edge Site 1" RE1[Router E1
Edge Mode
Limited Routing] APPE1[Edge Applications 1] RE1 <--> APPE1 end subgraph "Edge Site 2" RE2[Router E2
Edge Mode
Limited Routing] APPE2[Edge Applications 2] RE2 <--> APPE2 end subgraph "Edge Site 3" RE3[Router E3
Edge Mode
Limited Routing] APPE3[Edge Applications 3] RE3 <--> APPE3 end subgraph "Edge Site 4" RE4[Router E4
Edge Mode
Limited Routing] APPE4[Edge Applications 4] RE4 <--> APPE4 end end %% Hub and spoke connections RE1 -.->|"Edge Connection
Outbound Only"| RA2 RE2 -.->|"Edge Connection
Outbound Only"| RA2 RE3 -.->|"Edge Connection
Outbound Only"| RB2 RE4 -.->|"Edge Connection
Outbound Only"| RB2 end subgraph "Topology Pattern 3: Hierarchical (Multi-Tier)" subgraph "Tier 1: Core Data Centers" subgraph "Core DC A" RAT1[Router A
Interior Mode
Core Tier] APPAT1[Core Services A] RAT1 <--> APPAT1 end subgraph "Core DC B" RBT1[Router B
Interior Mode
Core Tier] APPBT1[Core Services B] RBT1 <--> APPBT1 end RAT1 -.->|"High-Bandwidth Link
Core Interconnect"| RBT1 end subgraph "Tier 2: Regional Sites" subgraph "Region 1" RAT2[Router R1
Interior Mode
Regional Tier] APPAT2[Regional Apps 1] RAT2 <--> APPAT2 end subgraph "Region 2" RBT2[Router R2
Interior Mode
Regional Tier] APPBT2[Regional Apps 2] RBT2 <--> APPBT2 end end subgraph "Tier 3: Edge Locations" subgraph "Edge A" RAT3[Router E1
Edge Mode
Edge Tier] APPAT3[Edge Apps A] RAT3 <--> APPAT3 end subgraph "Edge B" RBT3[Router E2
Edge Mode
Edge Tier] APPBT3[Edge Apps B] RBT3 <--> APPBT3 end subgraph "Edge C" RCT3[Router E3
Edge Mode
Edge Tier] APPCT3[Edge Apps C] RCT3 <--> APPCT3 end end %% Hierarchical connections RAT2 -.->|"Regional Uplink"| RAT1 RBT2 -.->|"Regional Uplink"| RBT1 RAT3 -.->|"Edge Uplink"| RAT2 RBT3 -.->|"Edge Uplink"| RAT2 RCT3 -.->|"Edge Uplink"| RBT2 end subgraph "Deployment Characteristics" subgraph "Interior Router Features" INT_FEAT[Interior Router
━━━━━━━━━━━━━━
• Full routing protocol
• Transit capability
• Link state exchange
• Mobile address updates
• Network resilience
• Auto-discovery] end subgraph "Edge Router Features" EDGE_FEAT[Edge Router
━━━━━━━━━━━━━━
• Lightweight deployment
• Outbound connections only
• No transit capability
• Simplified configuration
• Resource efficient
• Firewall friendly] end subgraph "Connection Types" CONN_TYPES[Connection Types
━━━━━━━━━━━━━━
• Inter-Router: Full mesh
• Edge: Hub-spoke only
• Route-Container: App integration
• Normal: Client connections
• Inter-Edge: Limited scenarios] end end %% Styling classDef interiorBox fill:#e3f2fd,stroke:#1565c0,stroke-width:2px classDef edgeBox fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px classDef appBox fill:#e8f5e8,stroke:#388e3c,stroke-width:2px classDef coreBox fill:#ffebee,stroke:#d32f2f,stroke-width:2px classDef regionalBox fill:#fff3e0,stroke:#f57c00,stroke-width:2px classDef featureBox fill:#f1f8e9,stroke:#689f38,stroke-width:2px class RA1,RB1,RC1,RD1,RA2,RB2,RAT1,RBT1,RAT2,RBT2 interiorBox class RE1,RE2,RE3,RE4,RAT3,RBT3,RCT3 edgeBox class APPA1,APPB1,APPC1,APPD1,APPA2,APPB2,APPE1,APPE2,APPE3,APPE4 appBox class APPAT1,APPBT1 coreBox class APPAT2,APPBT2,APPAT3,APPBT3,APPCT3 regionalBox class INT_FEAT,EDGE_FEAT,CONN_TYPES featureBox
A distinctive feature of the architecture is its ability to operate through NAT and firewalls without requiring specific configurations. Routers can establish outbound connections to other routers, eliminating the need to open inbound ports in perimeter firewalls. This capability is particularly valuable in enterprise environments where security policies strictly limit inbound connectivity.
Resilience is built into the architecture through automatic failover mechanisms and routing reconvergence. When a router becomes unreachable, the routing protocol automatically adapts to route traffic through alternative paths. This self-healing occurs without manual intervention and with minimal service interruption.
Service Discovery and Load Balancing
Skupper’s service discovery system operates through automatic propagation of service information across the network. When a service is exposed at a site, this information is automatically propagated to all other sites in the Virtual Application Network, making the service immediately available for connection by remote clients.
Load balancing is implemented at the router level using various configurable strategies. Balancing can be based on round-robin, least connections, or other more sophisticated algorithms. The system maintains information about service endpoint health status and can automatically exclude unresponsive endpoints from the balancing pool.
An advanced feature of the system is its ability to understand application protocol semantics. For HTTP protocols, for example, the router can implement routing based on headers, paths, or other protocol elements, providing service mesh capabilities without the complexity of a traditional service mesh deployment.
Observability and Monitoring
The architecture includes dedicated components for network observability and monitoring. The network observer is a separate component that connects to the Virtual Application Network to collect operational telemetry from all sites. This data is exposed through standard APIs and Prometheus metrics, providing complete visibility into network status and performance.
The system collects detailed metrics on latency, throughput, error rate, and resource utilization. This information is crucial for troubleshooting, performance optimization, and capacity planning. The Skupper web console provides intuitive visualization of these metrics, including topological network maps and real-time performance dashboards.
Architectural Evolution
Skupper version 2 represents a significant architectural evolution from the previous version. The main focus has been on supporting a fully declarative model that facilitates automation and integration with CI/CD frameworks. The introduction of Custom Resource Definitions provides a more intuitive and flexible interface for Kubernetes users.
Architectural improvements in the main components have increased system modularity and maintainability. The new design clearly separates responsibilities between controller, router, and observability components, facilitating testing, debugging, and future system evolution.
Deployment Considerations
When designing a Skupper deployment, several architectural considerations influence design decisions. The choice between mesh and hub-and-spoke topologies depends on application traffic patterns and latency requirements. Deployments requiring low latency between all sites might benefit from direct connections, while architectures with predominantly centralized traffic might prefer a hub-and-spoke model.
Capacity planning must consider not only application traffic throughput but also routing protocol and telemetry overhead. Skupper routers are designed to be efficient, but in large deployments with many sites and services, resources dedicated to maintaining network state can become significant.
Security strategy must balance management ease with compliance requirements. While Skupper can operate with auto-generated certificates for simplicity, enterprise environments might require integration with existing Certificate Authorities and more rigorous certificate rotation processes.
Conclusions
Skupper’s architecture represents an innovative approach to modern multi-cloud networking challenges. Through its Virtual Application Network, it provides an elegant solution that abstracts infrastructure complexity while maintaining high performance and robust security. Its modular design and support for declarative deployments make it particularly suitable for cloud-native environments and modern DevOps practices.
The architectural diagrams presented in this article illustrate the sophistication of Skupper’s design: from orchestration of distributed components to granular security management, from advanced communication protocols to flexibility of topological patterns. This visual representation highlights how every aspect of the architecture has been designed to operate synergistically, creating a system that is greater than the sum of its parts.
The ability to operate without modifications to existing applications and without opening perimeter firewall ports makes it a pragmatic solution for organizations requiring multi-cloud connectivity without the operational complexity of traditional VPN solutions. As technology continues to evolve, Skupper positions itself as a fundamental component in the arsenal of architects designing modern distributed systems, offering an optimal balance between operational simplicity, robust security, and architectural flexibility.