Cloud-native has reached the edge. And Cilium is at its center.
In this blog post, we will examine cloud-native computing at the edge, its challenges, and how Isovalent Enterprise for Cilium can overcome them.
What is Edge IT?
Edge IT is still evolving quickly, and the definition of edge IT can vary from use case to use case. The Linux Foundation, for example, defines edge computing as a continuum in the white paper “Sharpening the Edge: Overview of the LF Edge Taxonomy and Framework”. It distinguishes the “User Edge” from the “Service Provider Edge”, with the former further divided into the “Constrained Device Edge” (sensors), the “Smart Device Edge” (IoT devices) and the “On-Prem Data Center Edge” (on-premises servers).
For our view of Isovalent Enterprise for Cilium at the edge, we focus on the “On-Prem Data Center Edge.” In these cases computing takes place on-site: at a factory, in warehouses, in retail stores, but also in remote locations of telecommunication providers. The defining factor is computing power: we look at use cases with enough computing power to run multiple IT workloads and, in particular, to run Kubernetes. Such systems can process data locally, do real-time analytics, run batch jobs, and control local IT such as a production line. Even AI training is already an option for on-prem data centers, for example in running and training models that process and analyze digital images.
There are several benefits companies are seeing in edge IT according to the CNCF white paper “Edge Native Applications Principles Whitepaper”:
- Reduced latency
- Bandwidth management
- Increased privacy for sensitive data
- Uninterrupted operations with unreliable networks
Of course, edge IT is not a silver bullet and can have its own challenges:
- Limited bandwidth to the central data center
- Faulty connectivity
- Insecure communication on-site or to the central data center
- Lack of standardization in hardware and software
- Lacking insights into on-site workloads and data flows
- Threat of local access
- Compliance requirements
This is where Kubernetes and Cilium come into the mix, offering enhanced security and compliance, improved observability, and resource efficiency.
What is the role of cloud native in Edge Computing?
A special case of edge IT is cloud native computing: when edge devices have enough computing power to run Kubernetes as the underlying platform to manage and run the workloads. This can range from small machines with a lightweight, specialized Kubernetes distribution to a rack of servers running a full-blown suite.
In all cases, businesses benefit from streamlined operations, using the same tools at the edge as in the data center, abstracting away differences in setups. As mentioned in the CNCF blog post “View From The Edge”, a successful edge architecture benefits from a common platform. Kubernetes can be that common platform for building edge IT architecture. It also simplifies typical operational tasks like application deployments and management. Scalability helps manage workloads on-site when resource demand changes significantly and when fault tolerance and high availability are paramount.
Given the right components, a Kubernetes setup can also significantly improve the security posture of an edge installation.
What are the challenges of cloud native at the edge?
Managing workloads on Kubernetes, especially in resource-constrained environments like edge IT, can become troublesome. The Kubernetes data plane usually relies on a flat network with little control and visibility. With IP addresses as the identifiers and iptables as the means to control network traffic, efficiency becomes a challenge:
- Dynamic Workload Management – Containers’ life cycles are volatile, requiring scalable solutions. Load balancing and access control mechanisms must constantly adapt, managing potentially thousands of rules. This can become a bottleneck for resource-constrained systems.
- Networking Complexity – Reliance on IP addresses and TCP/UDP ports as primary identifiers is inefficient due to the frequent change of IP addresses and the multiplicity of containers per IP. Managing and separating multi-tenant networking becomes increasingly difficult.
- Security Inefficiency – Securing connections between these dynamically changing services becomes increasingly difficult. Ensuring secure communication where IP addresses and ports can no longer reliably identify services is challenging.
- Visibility Reduction – Providing operators with meaningful insights into their systems is problematic. IP-based approaches fall short in offering visibility, and the use of common protocol ports across services complicates traffic differentiation and monitoring.
Cilium answers these challenges: its cloud native architecture gives Kubernetes an efficient and secure data plane.
How can Cilium solve edge IT challenges?
Isovalent Enterprise for Cilium offers a unified networking solution across existing Kubernetes installations in both Edge IT and data centers, standardizing operations in heterogeneous environments. Using extended network policies, Cilium enhances control over communications, ensuring that only authorized traffic flows between services or that all traffic goes through a central proxy only. These policies also govern access and service interactions, mitigating risks inherent in edge computing’s distributed nature and enabling a zero trust approach. Integrated with Tetragon, Cilium provides deep visibility into network traffic and processes, essential for monitoring and troubleshooting in complex edge scenarios.
Isovalent Enterprise for Cilium requires no additional hardware or application modifications. This ease of adoption enables rapid deployment, making it a practical solution for enhancing network management, security, and visibility in edge computing environments.
What are the key features of Cilium at the edge?
Isovalent Enterprise for Cilium’s comprehensive suite of features can greatly help address the unique challenges faced in distributed edge environments.
Enhanced security and compliance
- Secure remote and local access to the Kubernetes API, protecting sensitive data and operations.
- Implement granular access controls and policies for North-South and East-West traffic, ensuring compliance with strict regulatory standards.
- Leverage multi-tenancy in control and observability, enforcing clear separation of workloads.
- Control external connections via multi-tenant capable policies, supporting network segmentation and controlling what apps can connect to which “out of cluster” endpoints.
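As an added illustration of the East-West and “out of cluster” controls listed above (this is example configuration written for this post, not a policy shipped by Isovalent or Cilium), the following CiliumNetworkPolicy restricts one tenant workload to its own broker inside the cluster and to a single DNS-named external endpoint; the namespace, labels and hostname are assumed, while the `cilium.io/v2` fields are the upstream API.

```yaml
# Added example (not from the original post). Tenant namespace "line-a" and
# the label names are assumed; the CiliumNetworkPolicy fields are the
# upstream cilium.io/v2 API. Because an egress section is present, every
# egress flow not matched below is dropped for the selected pods.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: plc-gateway-egress
  namespace: line-a            # one tenant per namespace (assumed layout)
spec:
  endpointSelector:
    matchLabels:
      app: plc-gateway
  egress:
    # East-West: only the tenant's own broker, matched by identity labels,
    # not by pod IP, so rescheduled pods keep working without rule churn
    - toEndpoints:
        - matchLabels:
            app: mqtt-broker
            io.kubernetes.pod.namespace: line-a
      toPorts:
        - ports:
            - port: "8883"
              protocol: TCP
    # Allow kube-dns lookups and have Cilium observe the answers, which is
    # what makes the toFQDNs rule further down resolvable
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # North-South: the only out-of-cluster destination is the central
    # telemetry endpoint, named by DNS so a changing IP does not break it
    - toFQDNs:
        - matchName: telemetry.example.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

After applying it, dropped flows from `plc-gateway` pods (for example an attempt to reach any other external host) show up as policy-denied events in Hubble, which is the visibility the next section describes.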
Improved observability
- Monitor security events and changes to the host system, providing extensive insights at the system level, separated by tenants.
- Inspect network and application flows in real-time in a multi-tenant, self-service UI, supporting troubleshooting of workloads and enabling faster problem mitigation.
- Visualize traffic relations and policies, enhancing the understanding of complex setups.
- Integrate with existing, central data aggregation platforms by exporting data to SIEMs like Splunk and monitoring systems like Grafana.
Resource efficiency
- Facilitate cluster-internal communication such as efficient load balancing, significantly reducing the load on the affected systems.
- Observe system events at less than 2% overhead with the help of Tetragon, enabling broad observability in highly resource-constrained environments.
Existing customers
Roche, one of the largest global healthcare companies, has started to build a modern, cloud native edge computing platform that helps run applications on customer premises, such as laboratories or hospitals. They are leveraging Isovalent Enterprise for Cilium Service Mesh to bring “the firewall” closer to the workloads. This allows for more fine-grained traffic control, as well as simplified operations and configuration of network policies.
Conclusion
Cloud native is present in more and more edge IT use cases. Isovalent Enterprise for Cilium can bring standardization, control, and security, which are otherwise hard to obtain. It enables more secure, efficient, and scalable operations, contributing to operational efficiency and reducing overhead and therefore cost. At the same time, thanks to its rich network visibility and granular network control, Cilium provides a better security posture and crucially supports compliance efforts.
If your organization needs enhanced support, advanced features, and a tailored solution for its edge project, talk to us! The number one feature of Isovalent Enterprise for Cilium is our expertise. With the experience of successful edge projects and the enterprise-grade offering, Isovalent Enterprise for Cilium enables reliability, security, performance, and support for the edge IT running your business-critical applications at scale. Cloud native at the edge is still evolving – and Isovalent is the right partner at your side helping you to succeed in your platform goals.
If you want to learn more about Isovalent Enterprise for Cilium:
- Watch the short “What is Cilium” intro video by Thomas Graf, co-founder of Isovalent and Cilium.
- Discover the major technical capabilities firsthand by running our Cilium discovery labs for platform, security, and networking practitioners.
- Download our white paper about how you can master Kubernetes compliance with the help of Isovalent Enterprise for Cilium.
Read more about our support program and our Customer Testing Environments (CuTEs).
Roland Wolters is Head of Technical Marketing at Isovalent where he and his team are responsible for communicating the technical value of eBPF, Cilium, and Isovalent Cilium Enterprise to customers, prospects, and partners. His areas of expertise include security, automation, and open source. He is a keen driver of agile processes and would be lost without his Kanban boards. Outside of work, he is usually most remembered for trying to frantically keep up with his rambunctious young triplets.