eBPF-based Networking, Observability, and Security

Highly Scalable Kubernetes CNI
Cilium’s control and data plane has been built from the ground up for large-scale and highly dynamic cloud native environments where 100s and even 1000s of containers are created and destroyed within seconds. Cilium’s control plane is highly optimized, running in Kubernetes clusters of up to 5K nodes and 100K pods. Cilium’s data plane uses eBPF for efficient load-balancing and incremental updates, avoiding the pitfalls of large iptables rulesets. Cilium is fully IPv6-aware.

Kube-proxy Load Balancer Replacement
Service-based load-balancing is a core network function in Kubernetes, but using kube-proxy for load-balancing is hamstrung by well-known limitations in iptables. This has become more critical as users implement more and more load balancing between Kubernetes services, not just at the edge of the network. Implementing this load-balancing in eBPF instead enables significant improvements in latency and performance and eliminates the need for kube-proxy entirely.

Multi-cluster Connectivity
With standard Kubernetes networking each cluster is an island, requiring proxies to connect workloads across clusters for the purposes of migration, disaster-recovery, or geographic locality. Cilium Cluster Mesh creates a single zone of connectivity for load-balancing, observability and security between nodes across multiple clusters, enabling simple, high-performance cross-cluster connectivity.

Identity-aware Network Visibility
Production-grade networks require rich observability. However, the highly dynamic nature of Kubernetes reduces the value of traditional IP-based visibility tools. Because Cilium leverages eBPF for a native understanding of Kubernetes label identity (for pods) and DNS-aware identity (for external workloads), Cilium provides the right level of information to troubleshoot application and connectivity issues. Cilium’s Hubble framework exposes this via API, CLI, and a graphical UI.

Network Metrics + Troubleshooting
Building on rich network identity, Cilium provides Prometheus-compatible metrics for L3/L4 and L7 network flow data that simplify detecting and investigating network behavior and faults. Both flow and metrics data include rich information about what traffic has been allowed or denied by network policies, simplifying policy troubleshooting.

API-aware Network Observability
Traditional firewalls limit their inspection to the IP and TCP layers. Cilium uses eBPF to accelerate getting data in and out of L7 proxies such as Envoy, enabling efficient visibility into API protocols like HTTP, gRPC, and Kafka. This data is available via Cilium’s Hubble flow UI, CLI, a service map UI, and Prometheus-compatible flow metrics. TLS-interception enables visibility into HTTPS traffic.

Advanced Network Policy
Cilium implements basic Kubernetes Network Policy (e.g. label and CIDR matching) but also uses its identity-aware and API-aware visibility to enable both DNS-aware policies (e.g. allow egress to *) and API-aware policies (e.g. allow HTTP GET /foo). Cilium also supports cluster-wide network policy and host-layer firewalling.
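As an added illustration (not a policy from the Cilium page or project), the manifest below combines the three policy layers the paragraph lists in one CiliumNetworkPolicy: label-based endpoint selection, an L4 port rule with an HTTP method/path rule on top of it, and a DNS-aware egress rule. The namespace "shop", the labels app=orders and app=frontend, the port numbers and the domain pattern *.payments.example.com are assumed for the example; the resource kind, apiVersion and field names are those of the CiliumNetworkPolicy CRD.

```yaml
# Added example, not from the Cilium page. Names, labels, ports and the
# payments.example.com domain are assumptions chosen for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-api
  namespace: shop
spec:
  # Label matching: the policy applies to pods carrying app=orders.
  endpointSelector:
    matchLabels:
      app: orders
  ingress:
    # L3/L4 plus L7: only app=frontend pods may reach TCP/8080, and on that
    # port only HTTP GET requests whose path matches /orders/.* are allowed.
    # Other requests on 8080 are answered with 403 by the proxy; other ports
    # are dropped, because an ingress section makes ingress default-deny.
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/orders/.*"
  egress:
    # DNS must be allowed explicitly and observed by Cilium so that the
    # toFQDNs rule below can learn which IPs the allowed names resolve to.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
    # DNS-aware egress: HTTPS to any host under payments.example.com,
    # regardless of which IPs that name resolves to over time.
    - toFQDNs:
        - matchPattern: "*.payments.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Two points worth checking when applying a policy of this shape: once a CiliumNetworkPolicy selects an endpoint and contains an egress section, all egress not listed (including DNS) is denied, which is why the kube-dns rule is present; and the HTTP path is a regular expression, so `/orders/.*` matches `/orders/42` but a bare `/orders` would match only that exact path. Hubble flow logs show which rule allowed or denied each flow, which is the fastest way to confirm the policy does what was intended.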

Security Forensics + Audit
IPs and ports are nearly meaningless for network security forensics and audit, given that identity in a Kubernetes cluster is highly dynamic. The identity-aware flow logs from Cilium’s Hubble can be stored to enable long-term forensics of network connectivity, to identify attacks and subsequent lateral movement. Cilium’s API-awareness, optionally combined with TLS termination, enables security visibility even at the HTTP layer.

Transparent Encryption
Securing data in flight is an increasingly important requirement in security sensitive environments. Cilium’s transparent encryption capabilities use the highly efficient IPsec capabilities built into the Linux kernel to automatically encrypt communications between all workloads within, or between, Kubernetes clusters. This mechanism is simple: it requires only a single configuration setting in Cilium and no application changes. It is also efficient, with no side-car or other application layer proxying required.
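To make the "single configuration setting" concrete, here is an added example (not from the Cilium page) of the two pieces an IPsec-encrypted deployment consists of: the Helm values that switch transparent encryption on, and the Kubernetes Secret from which the Cilium agent reads the IPsec key. The Helm keys (`encryption.enabled`, `encryption.type`) and the secret name `cilium-ipsec-keys` in `kube-system` are the ones the Cilium Helm chart uses; the key material shown is a placeholder that must be replaced with random bytes generated on the operator's own machine.

```yaml
# Added example, not from the Cilium page.
# File 1: values.yaml passed to "helm install cilium cilium/cilium -f values.yaml".
# Turning this on makes the agents set up kernel IPsec tunnels between nodes;
# pod-to-pod traffic between nodes is then encrypted with no application change.
encryption:
  enabled: true
  type: ipsec
---
# File 2: the pre-shared key the agents read. The format of "keys" is
#   <key-id> <algorithm> <hex key material> <ICV length in bits>
# For rfc4106(gcm(aes)) the key material is 20 bytes: 16-byte AES key
# followed by a 4-byte salt. Generate it with, for example,
#   dd if=/dev/urandom count=20 bs=1 2>/dev/null | xxd -p -c 64
# and never reuse the placeholder below.
apiVersion: v1
kind: Secret
metadata:
  name: cilium-ipsec-keys
  namespace: kube-system
type: Opaque
stringData:
  keys: "3 rfc4106(gcm(aes)) REPLACE_WITH_40_HEX_CHARS_FROM_URANDOM 128"
```

The key id (the leading `3`) is what an operator increments when rotating: a Secret with a new id and new key material is applied, the agents install the new SA alongside the old one, and the old key is retired once all nodes have picked up the new one. Hubble flow output can confirm the result, since flows between nodes then show up as ESP rather than as plaintext TCP on the underlay.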

Cilium Open Source

Cilium Open Source provides eBPF-based networking, observability, and security with optimal scale and performance for platform teams operating Kubernetes environments across cloud and on-prem infrastructure.

Cilium Enterprise

Cilium Enterprise addresses the complex workflows related to security automation, forensics, compliance, role-based access control, and integration with legacy infrastructure that arise as platform teams engage with application and security teams within an enterprise organization.

Cilium Editions

Cilium Open Source: features that are part of the open source Cilium community codebase.

Cilium Enterprise: hardened and supported distribution of Cilium plus advanced observability and security workflows.

Core Secure & Scalable Connectivity
- Highly scalable IPv4 and IPv6 Kubernetes CNI
- Overlay, Direct, and Cloud Provider Routing Modes
- High-performance L3/L4 Pod Load-balancing (kube-proxy replacement)
- Kubernetes Label & CIDR Network Policies
- DNS-aware Network Policies
- Host Network Policies
- Deny Network Policies

Advanced Secure & Scalable Connectivity
- Transparent IPsec Encryption
- Multi-cluster Routing, Load-balancing & Security
- Advanced L3/L4 External Load-balancing (including XDP acceleration, Direct Server Return, Maglev)
- Advanced Bandwidth Management for Pods through the EDT (Earliest Departure Time) model
- L7-aware Network Policy & Visibility
- TLS termination for L7 Visibility
- Non-containerized VM / Bare-metal Workloads
- 3rd-party BGP integrations (MetalLB, BIRD, etc.)

Ops-Centric Connectivity Observability
- Hubble Cluster-wide Flow Visibility CLI / API
- Hubble Service Map + Flow Visibility UI
- Identity-aware Network Metrics (Prometheus)
- HTTP/gRPC-aware Connectivity Metrics
- Historical Flow Data and Analytics

Application Team Troubleshooting & Policy Workflows
- Multi-tenant RBAC for Flows, Metrics, and UI
- Historical Flow Data and Analytics
- Advanced Policy Troubleshooting UI
- Simplified Policy Creation Tools & APIs
- Automated Security Policy Approvals

SecOps Observability Workflows
- Integration with External SIEM (Splunk, ELK, etc.) for Incident Investigation, Forensics + Audit
- SIEM: Identity + DNS-aware Flow Data Export
- SIEM: Process/Syscall Data Export
- SIEM: TLS Handshake Compliance Monitoring
- SIEM: Network Policy Compliance Monitoring
- Identity-aware Tap/Mirror (IDS insertion)

Enterprise Distribution & Support
- Enterprise-hardened Cilium Versions and Testing
- 24x7 Enterprise Grade Support SLA
- Proactive Support Environment Reviews
- Cilium + Hubble Technical Training
- Dedicated Solutions Architect
- Directed Development / Custom Integrations