Skip to content

Quad-pod Fan-out-in Blueprint

This 4-app blueprint improves the speed and simplicity of deploying HTTP applications in a communications architecture that fans-out and then fans-in (in a single Kubernetes cluster). The app network is secure by design and secure by default. The four pods are deployed with Hopr's Workload Security Proxy (WoSP) - sidecars which provide Zero Trust identity verification and an Automated Moving Target Defense (AMTD).

The Quad-pod Blueprint with Fan-out and Fan-in Pattern
The Quad-pod Fan-out-in Bluepint

What the Blueprint Does

The quad-pod fan-out blueprint is a simple HTTP application network of four pods that are 'authrorized by design' to interconnect securely and communicate without the complexity of using PKI or TLS. Pod-1 is the intiator (sender) that sends messages to Pod-2 (receiver) and Pod-3(receiver) in a fan-out pattern. Pods -2 and -3 become senders after they receive the Pod-1 message, and separately send their outbound messages to Pod-4 (aggregator).

Blueprint Architecture

The blueprint deploys 4 pods in a single cluster. Each pod has 3 containers.

flowchart LR
    subgraph K8s["Kubernetes Cluster"]
        subgraph NS1["Namespace: web-app-1"]
            P1[("Pod-1<br/><b>Initiator</b><br/>━━━━━━━<br/>web-app:8000<br/>WoSP IN:18000<br/>WoSP OUT:18001,18002")]
        end

        subgraph NS2["Namespace: web-app-2"]
            P2[("Pod-2<br/><b>Middle-Tier</b><br/>━━━━━━━<br/>web-app:8000<br/>WoSP IN:18000<br/>WoSP OUT:18001")]
        end

        subgraph NS3["Namespace: web-app-3"]
            P3[("Pod-3<br/><b>Middle-Tier</b><br/>━━━━━━━<br/>web-app:8000<br/>WoSP IN:18000<br/>WoSP OUT:18001")]
        end

        subgraph NS4["Namespace: web-app-4"]
            P4[("Pod-4<br/><b>Aggregator</b><br/>━━━━━━━<br/>web-app:8000<br/>WoSP IN:18000<br/>WoSP OUT:18001")]
        end
    end

    P1 ==>|Egress:18001| P2
    P1 ==>|Egress:18002| P3
    P2 ==>|Egress:18001| P4
    P3 ==>|Egress:18001| P4
    P4 ==>|Egress:18001| P1

    style P1 fill:#4CAF50,stroke:#2E7D32,stroke-width:3px,color:#fff
    style P2 fill:#2196F3,stroke:#1565C0,stroke-width:3px,color:#fff
    style P3 fill:#2196F3,stroke:#1565C0,stroke-width:3px,color:#fff
    style P4 fill:#FF9800,stroke:#E65100,stroke-width:3px,color:#fff
    style K8s fill:#f5f5f5,stroke:#424242,stroke-width:2px
    style NS1 fill:#E8F5E9,stroke:#4CAF50,stroke-width:2px
    style NS2 fill:#E3F2FD,stroke:#2196F3,stroke-width:2px
    style NS3 fill:#E3F2FD,stroke:#2196F3,stroke-width:2px
    style NS4 fill:#FFF3E0,stroke:#FF9800,stroke-width:2px

Key Features:

  • Green (Pod-1): Initiator - starts the cycle
  • Blue (Pod-2 & Pod-3): Middle-Tier - receive from initiator, forward to aggregator
  • Orange (Pod-4): Aggregator - collects from both middle-tier pods, sends back to initiator
  • Complete Cycle: Shows the full fan-out (1→2,3), fan-in (2,3→4), and return (4→1) pattern

Services mapping:

  • Pod-1: NodePort 30011
  • Pod-2: NodePort 30012
  • Pod-3: NodePort 30013
  • Pod-4: NodePort 30014

Customization

Pod-1 initiates a new message cycle every 20 seconds in a repeating cycle. DevOps and Platform Engineers are able to modify the simple app business logic in any pod, replacing it with their own business logic, re-purposing the apps without altering the WoSP configuration or communications which proxy both networking (e.g., envoy proxy) and security (hence the name Workload Security Proxy)

In effect, this 4-app blueprint represents an expansion of other Lane7 Blueprints (tri-pod fan-out and tri-pod fan-in) and illustrates the flexibility of Lane7 in building Zero Trust application networks while preserving the Zero Trust and AMTD performance of the apps across the network. This simplifies and accelerates deployment of secure application (HTTP apps) networks without the complexity and friction of conventional PKI, TLS, and mTLS implementations.