AWS picks Cilium for Networking & Security on EKS Anywhere
September 9, 2021
Author: Thomas Graf, CTO & Co-Founder Isovalent, Co-Creator Cilium
AWS has just announced the availability of EKS Anywhere to manage on-premises Kubernetes clusters. As part of this, AWS picked Cilium as the built-in default for networking and security. So, as you create your first EKS-A cluster, you will automatically have Cilium installed and benefit from the powers of eBPF.
AWS joins other cloud providers in picking Cilium as the networking and security layer. Managed Kubernetes offerings from Google Cloud, Alibaba, DigitalOcean, and several smaller platforms already leverage Cilium. With this latest announcement, three out of the big four cloud providers are now standardizing on Cilium for their cloud native networking and security needs.
The Unique Needs of Kubernetes On-Premises
The community has built Kubernetes with the assumption of scalable cloud infrastructure (compute, networking, storage, and security controls) running underneath it. Kubernetes has essentially standardized the use of such scalable infrastructure by building portable higher-level abstractions, creating a well-established experience for operators and application developers.
Up until recently, this scalable infrastructure has primarily been implemented using public clouds. Kubernetes is now finding its way into more and more on-premises environments, where there is a broader range of underlying networking and storage infrastructure and equipment. A need arises to preserve the established experience and guarantees of Kubernetes, while integrating natively with more traditional technologies found in on-premises environments.
What does this mean? Suddenly, the cloud native networking and security layer can no longer assume the presence of well-known cloud provider networks, elastic IP addresses, and scalable security group controls. Instead, it has to become capable of providing all of this functionality itself while integrating with established on-premises technologies.
This is where Cilium comes in. When running in the context of a public cloud provider, Cilium can natively integrate with the SDN of the cloud provider. In an on-premises environment, Cilium can speak BGP, route traffic on the network, and represent existing network endpoints with cloud native identities. To the application team using Kubernetes on a daily basis, the user experience will be the same regardless of whether the workload is running in a Kubernetes cluster backed by public or private cloud infrastructure. Entire application stacks or even entire clusters become portable across clouds.
Cilium is able to achieve this through its foundation in eBPF technology. The programmability of eBPF makes it possible to glue together traditional enterprise networking and security principles with modern cloud native concepts into a scalable and high-performing architecture, in public clouds but also in on-premises installations. This allows tight integration with existing enterprise networking and security solutions while providing a true cloud native user experience with all the guarantees and promises Kubernetes has established.
What is Cilium
Cilium is an open source project that provides networking, security, and observability for cloud native environments such as Kubernetes clusters and other modern compute infrastructure.
At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the dynamic insertion of powerful security, visibility, and networking control logic into the Linux kernel. eBPF is used to provide high-performance networking, multi-cluster routing, load balancing, transparent encryption, extensive network security capabilities, transparent observability, and much more.
Besides providing traditional network-level security, eBPF enables security with the context of application protocols, DNS requests/responses, and rich application and service identity. Cilium is tightly integrated with Envoy and provides an extension framework based on Go. Furthermore, because eBPF runs at the operating system level, all Cilium functionality can be applied without any changes to the application code or container configuration.
Isovalent is the company founded by the creators of Cilium and eBPF. Isovalent builds open-source software and enterprise solutions solving networking, security, and observability needs for modern cloud native infrastructure. The flagship technology Cilium is the choice of leading global organizations including Adobe, AWS, Capital One, Datadog, GitLab, Google, and many more. Isovalent is headquartered in Mountain View, CA and is backed by Andreessen Horowitz, Google and Cisco Investments. To learn more, visit isovalent.com or follow @isovalent.
- Amazon EKS Anywhere – Now Generally Available to Create and Manage Kubernetes Clusters on Premises
- Learn more about Cilium
- eBPF Community Resources
- Facebook, Google, Isovalent, Microsoft, and Netflix announce eBPF Foundation
- Google announces Cilium & eBPF as the new networking dataplane for GKE
- Cilium 1.10: WireGuard, BGP Support, Egress IP Gateway, New Cilium CLI, XDP Load Balancer, Alibaba Cloud Integration and more