Ambassadors

The ambassador pattern

Ambassadors are containers that "masquerade" or "proxy" for another service.

They abstract the connection details for this services, and can help with:

discovery (where is my service actually running?)
migration (what if my service has to be moved while I use it?)
fail over (how do I know to which instance of a replicated service I should connect?)
load balancing (how to I spread my requests across multiple instances of a service?)
authentication (what if my service requires credentials, certificates, or otherwise?)

The ambassador pattern:

Takes advantage of Docker's per-container naming system and abstracts connections between services.
Allows you to manage services without hard-coding connection information inside applications.

To do this, instead of directly connecting containers you insert ambassador containers.

The web container uses normal Docker networking to connect to the ambassador.
The database container also talks with an ambassador.
For both containers, the ambassador is totally transparent.
(There is no difference between normal operation and operation with an ambassador.)
If the database container is moved (or a failover happens), its new location will be tracked by the ambassador containers, and the web application container will still be able to connect, without reconfiguration.

Use case:

The ambassador will be:

Use case:

my application code still connects to redis,
my Redis service runs somewhere else,
my Redis service is moved to a different host+port,
the location of the Redis service is given to me via e.g. DNS SRV records,
I want to use an ambassador to automatically connect to the new location, with as little disruption as possible.

The ambassador will be:

Use case:

The ambassador will be:

a container using the name redis (or a link),
passed the credentials to use,
running a custom proxy that accepts connections on Redis default port,
performing authentication with the target Redis service before forwarding traffic.

Use case:

The ambassador will be:

There are many ways to implement the pattern.

Different deployments will use different underlying technologies.

On-premise deployments with a trusted network can track container locations in e.g. Zookeeper, and generate HAproxy configurations each time a location key changes.
Public cloud deployments or deployments across unsafe networks can add TLS encryption.
Ad-hoc deployments can use a master-less discovery protocol like avahi to register and discover services.
It is also possible to do one-shot reconfiguration of the ambassadors. It is slightly less dynamic but has much less requirements.
Ambassadors can be used in addition to, or instead of, overlay networks.

We've learned how to:

Understand the ambassador pattern and what it is used for (service portability).

For more information about the ambassador pattern, including demos on Swarm and ECS: