High-level networking questions

Background: I’m a web2 sysadmin, devops engineer and CISO. Looking to both deploy and provide using Akash. I’ve got some questions about network security and usability at the network level.

  1. Is there a way for providers to protect deployments from DDOS attacks, assuming the deployer isn’t using Cloudflare or some other DDOS prevention themselves?
  2. If no, how do I as a provider protect my systems and other customers from being affected?
  3. Is a provider bound to continue hosting agreements that have been enacted, or can the mix of contracts be shifted around on some regular schedule? Is there an eject bad actor/under attack app process?
  4. Is there any recognition of uptime/reliability on the part of providers, such as an SLA? Any recourse for deployers to redeploy on an emergency basis if one fails?
  5. Is there any possibility (now or future) of deploying a distributed application? I.e., specify 3 deployments from geographically distributed providers for the same application (recognizing the deployer would have to take care of details such as db replication or file sync among the 3 deployment locations themselves).

Possible solution? Not sure if it’s been considered but if a private BGP cloud layer were enabled on Akash nodes, it would be possible for high availability, multinode deployment, automated redeployment, DDOS protection to be added.

Has this/is this being considered?

Thanks for the questions.

At this time deployments on Akash do not offer any form of DDOS or similar protection. In the future Akash intends to offer additional services around IP based networking & security. Each provider may choose to implement their own security measures.

A provider receives payment on network so long as a deployment is open and a lease is active. Providers may close their bid and discontinue providing services at any time. If a deployment owner has issues with a provider or the provider is unavailable, they may close the deployment at any time. Even if the provider is no longer reachable, the deployment can be closed.

If as a provider you wish to implement a custom bidding strategy, that can be done using the command line options --bid-price-strategy script and --bid-price-script-path /path/to/script.sh.

With regard to SLA, etc. of a provider, the network does not attempt to track this. Each provider may declare any number of key-value attributes. Those attributes do not have any specific meaning. Anyone on the network can then sign those attributes cryptographically. For example, providers hosted by Akash have the attribute host: akash. It is by this means that a network of trust may be built between deployment owners, providers, and 3rd party auditors.

If you want to deploy an application to multiple providers you can do that by declaring multiple placements in your SDL with different attributes, then accepting the preferred bid for each group created. You would then send the manifest to each provider so that the deployment can be created. Synchronization and communication between each deployment’s containers is at this time up to the deployment owners.

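The multi-provider layout and attribute signing described in the reply above, sketched as an SDL file. This is an added example, not from the thread or the Akash project; the service, the placement names, the `region` attribute and its values, the resource sizes, the prices and the auditor address are all placeholders or assumptions.

```yaml
---
version: "2.0"

services:
  web:
    image: nginx:1.25          # placeholder workload
    expose:
      - port: 80
        as: 80
        to:
          - global: true       # reachable from the internet via the provider

profiles:
  compute:
    web:
      resources:
        cpu:
          units: 0.5
        memory:
          size: 512Mi
        storage:
          size: 512Mi
  placement:
    west:                      # first placement group
      attributes:
        region: us-west        # assumed attribute; providers choose their own keys
      signedBy:
        anyOf:                 # only bid if this auditor signed the attributes
          - "akash1-AUDITOR-ADDRESS-PLACEHOLDER"
      pricing:
        web:
          denom: uakt
          amount: 1000
    east:                      # second group, matched by a different attribute
      attributes:
        region: us-east
      signedBy:
        anyOf:
          - "akash1-AUDITOR-ADDRESS-PLACEHOLDER"
      pricing:
        web:
          denom: uakt
          amount: 1000

deployment:
  web:
    west: { profile: web, count: 1 }
    east: { profile: web, count: 1 }
```

Each placement produces its own group and its own set of bids, so a lease is accepted and a manifest sent once per group; replication between the two copies remains the deployment owner's job.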

My questions too fall under “high level networking”. I am becoming familiar with the architecture of Akash. I am somewhat familiar with k8s and saw mention of ingress/edge in docs but didn’t yet stumble upon this particular point about internet exposure/publishing to the internet edge.

How are Akash server workloads exposed/published to clients? That is, do clients also need to be running Akash or could ordinary server workloads be hosted by Akash and reachable at some internet address? I expect that’s the case and am curious about how that rendezvous is brokered if the workloads themselves are typically deployed on the shared, distributed compute layer of Akash which is “physically” behind firewalls.

Is it the provider’s responsibility always to provide the internet edge, or is that a logically separate service a provider might host? If separate, how are discovery and routing accomplished, something like Istio?