7:[["$","$12",null,{"fallback":null,"children":["$","$L13",null,{"reason":"next/dynamic","children":["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org/\",\"@type\":\"Article\",\"headline\":\"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\",\"image\":\"https://cdn.sanity.io/images/xinsvxfu/production/f78cf3148219b467a59bdb635952240c9b9c5a9f-1400x805.png\",\"datePublished\":\"2024-02-16T08:46:50.000Z\",\"dateModified\":\"2023-10-23T12:25:51.000Z\",\"description\":\"Learn how you can connect Kubernetes Pods to multiple interfaces with Isovalent Enterprise for Cilium 1.14 multi-network!\",\"author\":[{\"@type\":\"Person\",\"name\":\"Nico Vibert\",\"url\":\"https://isovalent.com/\"}]}"}}]}]}],["$","main",null,{"id":"top","children":[["$","header",null,{"className":"restricted mt-10 mb-14","children":[["$","$L18",null,{"href":"/blog/","className":"flex items-center justify-items-center gap-1 mb-6 text-sm font-bold text-action max-w-max","children":[["$","isov-icon",null,{"class":"block rotate-90","name":"arrow-right","size":"small"}],["$","isov-content",null,{"children":["$","span",null,{"className":"ui-text","children":"Blog"}]}]]}],["$","h1",null,{"className":"text-4xl text-nightfall font-bold mb-5 max-w-3xl","children":"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network"}],["$","div",null,{"className":"article-details block sm:flex items-center justify-items-start sm:justify-items-center cursor-default","children":[[["$","isov-avatar","0ae51702-7dba-84ad-a28a-f771145d2ef7",{"size":"medium","name":"Nico Vibert","class":"mr-1","children":["$","$L19",null,{"src":"https://cdn.sanity.io/images/xinsvxfu/production/a8fa134c3d7583ee70832353c7ff0d8a2181ff16-200x200.jpg?auto=format&q=80&fit=clip&w=200","alt":"Nico Vibert Image","slot":"avatar","height":200,"width":200}]}]],["$","div",null,{"className":"text-charcoal","children":[["$","span",null,{"className":"hidden sm:inline","children":"| "}],["$","span",null,{"children":["Published:"," ",["$","strong",null,{"className":"font-bold","children":"October 23, 2023"}],[" ","| Updated:"," ",["$","strong",null,{"className":"font-bold","children":"February 16, 2024"}]]]}],false,"$undefined"]}]]}]]}],["$","section",null,{"id":"page-content","className":"mb-8","children":["$","$12",null,{"fallback":null,"children":["$","$L13",null,{"reason":"next/dynamic","children":["$","$L1a",null,{"content":[{"_key":"7f9dc07e-f87c-429d-994e-9fed9221bdad","_type":"block","children":[{"_key":"98b0f33e-5acf-4e75-a16c-f52ca44c2abd","_type":"span","marks":[],"text":"We are delighted to announce Isovalent Enterprise for Cilium 1.14, introducing Cilium Multi-Network! "}],"markDefs":[],"style":"normal"},{"_key":"611dd50a-8905-451a-86f8-2a0fbf742e61","_type":"block","children":[{"_key":"6bc00e75-d026-4bfb-8a24-7371e18ed5c7","_type":"span","marks":[],"text":"Isovalent Enterprise for Cilium is the hardened, enterprise-grade, and 24x7-supported version of the eBPF-based cloud networking platform Cilium. In addition to all features available in the open-source version of Cilium, the "},{"_key":"0bb410c4-bb0d-4a55-ad09-e4c5cfc38519","_type":"span","marks":["94f2e09a-3d68-4983-8ec7-177782201482"],"text":"enterprise edition"},{"_key":"c42f7cf8-1982-4d90-b311-ac26c00b5c6a","_type":"span","marks":[],"text":" includes advanced networking, security, and observability features popular with enterprises and telco providers. "}],"markDefs":[{"_key":"94f2e09a-3d68-4983-8ec7-177782201482","_type":"link","href":"/product/","openInNewTab":true}],"style":"normal"},{"_key":"20a6cdd9-e6f2-48ec-89bb-f277a061ff83","_type":"block","children":[{"_key":"04ddcbcd-db1b-4d71-a743-38bc2df6a475","_type":"span","marks":[],"text":"The highlight of this new enterprise release is undoubtedly "},{"_key":"4e806ce5-e534-416f-8a20-414f2b4d903b","_type":"span","marks":["strong"],"text":"native support for Multi-Network"},{"_key":"af2716c5-223b-450b-b793-3370b97354e9","_type":"span","marks":[],"text":": the ability to connect a Kubernetes Pod to multiple network interfaces. "}],"markDefs":[],"style":"normal"},{"_key":"553d1406-e8bd-4536-8114-904f65c6e050","_type":"block","children":[{"_key":"effb2e68-19a8-4c4d-8e26-3ef9d3cb2fe2","_type":"span","marks":[],"text":"This is tremendously useful for a variety of use cases:"}],"markDefs":[],"style":"normal"},{"_key":"0653179d18d9","_type":"block","children":[{"_key":"ff43f304446f","_type":"span","marks":["strong"],"text":"Network Segmentation: "},{"_key":"06305435bdc4","_type":"span","marks":[],"text":"Connecting Pods with multiple network interfaces can be used to segment network traffic. For example, you can have one interface for internal connectivity over a private network and another for external connectivity to the Internet."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"4a0912776d81","_type":"block","children":[{"_key":"ded534175e08","_type":"span","marks":["strong"],"text":"Multi-Tenancy:"},{"_key":"3b5648740950","_type":"span","marks":[],"text":" In a multi-tenant Kubernetes cluster, you can use Multi-Network alongside "},{"_key":"9352aa8e6998","_type":"span","marks":["5774c023140e"],"text":"Cilium Network Policies"},{"_key":"cbe50c10e8e7","_type":"span","marks":[],"text":" to isolate network traffic between tenants by assigning different interfaces to different tenants or namespaces."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"5774c023140e","_type":"link","href":"/features/advanced-network-policy/"}],"style":"normal"},{"_key":"a74ace449b78","_type":"block","children":[{"_key":"e36427b8a0aa","_type":"span","marks":["strong"],"text":"Service Chaining: "},{"_key":"28c651b35e82","_type":"span","marks":[],"text":"Service chaining is a network function virtualization (NFV) use case where multiple networking functions or services are applied to traffic as it flows to and from a Pod. Multi-Network can help set up the necessary network interfaces for these services."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"d3296e5a4e67","_type":"block","children":[{"_key":"610bbd810316","_type":"span","marks":["strong"],"text":"IoT (Internet of Things) and Edge Computing:"},{"_key":"55ff6157ccaa","_type":"span","marks":[],"text":" For IoT and edge computing scenarios, Multi-Network can be used alongside Cilium Network Policies to impose network isolation on multi-tenant edge devices."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"fb04d8dc-246e-4445-b9ef-60daa818bf60","_type":"block","children":[{"_key":"79fc4b9f-544c-43a1-b7f7-82787fa983c7","_type":"span","marks":[],"text":"Importantly, "},{"_key":"c90fcbe7-52f6-4e3d-a23d-3f029f3cb9d2","_type":"span","marks":["strong"],"text":"Multi-Network with Isovalent Enterprise for Cilium is totally compatible with Cilium Network Policies and Hubble"},{"_key":"00eacc2e-24e2-4c8e-961f-4c6598d30f67","_type":"span","marks":[],"text":" - meaning you don’t have to compromise on security and observability while using this feature!"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:30Z","_id":"639153a7-5292-00c4-ea70-e2cb6366d509","_key":"3069f99a-bf17-4a05-9935-21fb2009afd1","_ref":"639153a7-5292-00c4-ea70-e2cb6366d509","_rev":"9px8ir0NfLa6aydsXGyWMQ","_type":"bodyCta","_updatedAt":"2024-09-30T12:38:23Z","backgroundImage":null,"ctas":[{"_createdAt":"2024-09-30T12:07:02Z","_id":"a28cfa60-3978-9529-435c-e53795676809","_rev":"P5GVFsWfT1LlxauxU4aX2v","_type":"cta","_updatedAt":"2024-09-30T12:33:53Z","label":{"en":"Start Multi-Network Lab"},"languages":["en"],"title":"\"Start Multi-Network Lab\" - Primary (Multi-Network Lab)","url":"/labs/isovalent-enterprise-for-cilium-cilium-multi-networking/","variant":"primary"}],"headline":{"en":"Multi-Network Lab"},"languages":["en"],"logo":null,"logoReference":null,"logoWhite":null,"text":{"en":[{"_key":"99e1b97d-868a-4463-8f81-c8f52d09b10f","_type":"block","children":[{"_key":"eecfe673-f07f-4474-adf7-aca970da88ac","_type":"span","marks":[],"text":"In this lab, learn about the new Isovalent Enterprise for Cilium 1.14 feature - Multi-Network!"}],"markDefs":[],"style":"normal"}]},"tinted":true,"title":"Multi-Network Lab - \"In this lab, learn about the new Isovalent Enterprise for Cilium 1.14 feature - Multi-Network!\" Body CTA"},{"_key":"ee179118-d8bb-4fa8-9473-61a0af4adef8","_type":"block","children":[{"_key":"236551d8-7cba-4440-8140-aa4cf7e90f6a","_type":"span","marks":[],"text":"But there’s more! Isovalent Enterprise for Cilium also includes all the features introduced in "},{"_key":"d8f665dc-8619-4c28-a99b-3b01d1f2b42c","_type":"span","marks":["fce1b210-b5ff-4aeb-8ff8-2d114fe4f4ac"],"text":"Cilium 1.14"},{"_key":"95baac5d-b491-422b-a7ec-cf1ed6bb88e9","_type":"span","marks":[],"text":"."}],"markDefs":[{"_key":"fce1b210-b5ff-4aeb-8ff8-2d114fe4f4ac","_type":"link","href":"/blog/post/cilium-release-114/","openInNewTab":true}],"style":"normal"},{"_key":"8e535950-967c-423f-bc5a-5ef6d037f319","_type":"block","children":[{"_key":"5910d3d2-7f94-4af2-b8d0-f70c23ae6ffa","_type":"span","marks":[],"text":"Let's review some of the Cilium 1.14 highlights before diving into Multi-Network!"}],"markDefs":[],"style":"normal"},{"_key":"a2913e3e-7237-4a10-aa1c-dcbc0407f5a8","_type":"block","children":[{"_key":"fbf6da00-5d66-4590-a134-97fbf0a592cd","_type":"span","marks":[],"text":"What is new in Cilium & Isovalent Enterprise for Cilium 1.14 ?"}],"markDefs":[],"style":"h2"},{"_key":"2d1a205f3cc5","_type":"block","children":[{"_key":"b821d6c4e33d","_type":"span","marks":["strong"],"text":"Mutual Authentication"},{"_key":"1183fbca5ae6","_type":"span","marks":[],"text":": improve your security posture with zero effort ("},{"_key":"e6268c26cf5c","_type":"span","marks":["6641ef86d626"],"text":"more details"},{"_key":"15540c7cee51","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"6641ef86d626","_type":"link","href":"/blog/post/cilium-release-114/#mutual-authentication"}],"style":"normal"},{"_key":"326dd7fb0d74","_type":"block","children":[{"_key":"9be7320b802a","_type":"span","marks":["strong"],"text":"Envoy DaemonSet"},{"_key":"5038c0d7a2bf","_type":"span","marks":[],"text":": a new option to deploy Envoy as a DaemonSet instead of embedded inside the Cilium agent ("},{"_key":"a353308132e9","_type":"span","marks":["899f5e9daaac"],"text":"more details"},{"_key":"49e198884e9b","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"899f5e9daaac","_type":"link","href":"/blog/post/cilium-release-114/#envoy-daemonset"}],"style":"normal"},{"_key":"32f621d40f67","_type":"block","children":[{"_key":"73698e505409","_type":"span","marks":["strong"],"text":"WireGuard Improvements"},{"_key":"5fb2f4141073","_type":"span","marks":[],"text":": encryption with Cilium is getting better – you can now encrypt the traffic from node-to-node and also use Layer 7 policies alongside WireGuard ("},{"_key":"3a8f7adedb12","_type":"span","marks":["ed30adb20a8a"],"text":"more details"},{"_key":"3c3fd4f0a407","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"ed30adb20a8a","_type":"link","href":"/blog/post/cilium-release-114/#wireguard-node-to-node-encryption-and-layer-7-policies-support"}],"style":"normal"},{"_key":"588fd63dd767","_type":"block","children":[{"_key":"2fd37cf6a90c","_type":"span","marks":["strong"],"text":"Gateway API Update"},{"_key":"af8b3c0d68cc","_type":"span","marks":[],"text":": our leading Gateway API implementation is updated with support for the latest Gateway API version, additional route type support and multiple labs ("},{"_key":"7e0604f4e438","_type":"span","marks":["655d2d880061"],"text":"more details"},{"_key":"a3635bb885f8","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"655d2d880061","_type":"link","href":"/blog/post/cilium-release-114/#gateway-api-improvements"}],"style":"normal"},{"_key":"d30427d136ad","_type":"block","children":[{"_key":"da220429b64a","_type":"span","marks":["strong"],"text":"L2 Announcements"},{"_key":"1a71eeaee1bc","_type":"span","marks":[],"text":": Cilium can now natively advertise External IPs to local networks over Layer 2, reducing the need to install and manage tools such as MetalLB ("},{"_key":"cd807a06d678","_type":"span","marks":["12e613e60355"],"text":"more details"},{"_key":"da01065fbc08","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"12e613e60355","_type":"link","href":"/blog/post/cilium-release-114/#l2-announcements-beta"}],"style":"normal"},{"_key":"391c33b873df","_type":"block","children":[{"_key":"b35d1455a833","_type":"span","marks":["strong"],"text":"BGP Enhancements"},{"_key":"ab99820af91f","_type":"span","marks":[],"text":": introducing support for better operational tools and faster failover ("},{"_key":"721d76104806","_type":"span","marks":["cf16a5e08f71"],"text":"more details"},{"_key":"29d93954cfe5","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"cf16a5e08f71","_type":"link","href":"/blog/post/cilium-release-114/#bgp-enhancements"}],"style":"normal"},{"_key":"e0fd2cf9b949","_type":"block","children":[{"_key":"41e3b54be79d","_type":"span","marks":["strong"],"text":"Multi-Pool IPAM"},{"_key":"34a7e06888f4","_type":"span","marks":[],"text":": introducing support to allocate IPs to Pods from multiple IPAM pools. Multi-Pool IPAM is a requirement for the Multi-Network feature described below ("},{"_key":"83ef29704680","_type":"span","marks":["3c5ad0a7fd48"],"text":"more details"},{"_key":"284af858f4f4","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"3c5ad0a7fd48","_type":"link","href":"/blog/post/cilium-release-114/#multi-pool-ipam-beta"}],"style":"normal"},{"_key":"2365d4a9d911","_type":"block","children":[{"_key":"0603100be92e","_type":"span","marks":["strong"],"text":"BIG TCP for IPv4"},{"_key":"edae3da886bc","_type":"span","marks":[],"text":": after the introduction of BIG TCP support for IPv6 in Cilium 1.13, here comes IPv4 support. Ready for a 50% throughput improvement? ("},{"_key":"84f057706c5c","_type":"span","marks":["e3e4d18a0761"],"text":"more details"},{"_key":"0c64db392ed1","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"e3e4d18a0761","_type":"link","href":"/blog/post/cilium-release-114/#big-tcp-for-ipv4-beta"}],"style":"normal"},{"_key":"1e4fcea8-0eb9-4b26-88bb-4a8bee134c95","_type":"block","children":[{"_key":"6eb97ba2-592d-44e7-8037-cc978ea7414c","_type":"span","marks":[],"text":"What is Multi-Network (Beta) in Isovalent Enterprise for Cilium 1.14?"}],"markDefs":[],"style":"h2"},{"_createdAt":"2024-09-30T16:35:21Z","_id":"36792d85-6215-dcd2-3167-59964c61a746","_key":"8eddb577-63f2-4b87-9d7f-5a8fd704af0f","_ref":"36792d85-6215-dcd2-3167-59964c61a746","_rev":"ZjbMTKKCyoKeNu9aEvzOk2","_type":"mediaImage","_updatedAt":"2025-06-04T19:27:09Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-182a8443f7b566a40bc869c11bd811fc95e42320-864x848-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"W9jHwTSBC7ianTZxcZf3vs","size":"small","title":"W9jHwTSBC7ianTZxcZf3vs - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/182a8443f7b566a40bc869c11bd811fc95e42320-864x848.png"},{"_key":"90eeccba-a6c8-4d2c-8238-4f34f37be005","_type":"block","children":[{"_key":"637552e8-5133-4c32-a59e-7acdf2d2e860","_type":"span","marks":[],"text":"Kubernetes is built on the premise that a Pod should belong to a single network. While this approach may work for most use cases, enterprises and telcos often require a more sophisticated and flexible networking model for their advanced deployments. "}],"markDefs":[],"style":"normal"},{"_key":"ebc4c843-4f9e-45a1-bfbe-f20fe5f79acc","_type":"block","children":[{"_key":"77efc73d-6ee7-4885-a7b6-0db04ec544eb","_type":"span","marks":[],"text":"There are many use cases where a Pod may require attachments to multiple networks with different properties via different interfaces. This is what Multi-Network in Isovalent Enterprise for Cilium 1.14 delivers."}],"markDefs":[],"style":"normal"},{"_key":"ad8bd8f0-f3e0-4c78-8316-84f6e19884e7","_type":"block","children":[{"_key":"687f995c-f474-44a8-9512-4acefe1abf4e","_type":"span","marks":[],"text":"Network Segmentation"}],"markDefs":[],"style":"h3"},{"_key":"9931089e-7e49-46a1-bbd8-389fe85acd46","_type":"block","children":[{"_key":"0c032a1b-115c-45de-bd1d-1d72cb408654","_type":"span","marks":[],"text":"In a typical Kubernetes environment, Pods will be attached to a single flat network, often with direct outbound Internet access. Certain organisations that operate within regulatory requirements often require more granularity. For example, there are cases where platform operators want certain Pods to have a public-facing interface to access the Internet and an internal private one. This becomes possible with Cilium Multi-Network. "}],"markDefs":[],"style":"normal"},{"_key":"44751f01-079f-4777-88b4-f96400bd4df6","_type":"block","children":[{"_key":"2915eda6-e161-4d4c-9519-a644f3e48b44","_type":"span","marks":[],"text":"It enables operators to build networking zones within their cluster to provide different levels of access and another method to enforce micro-segmentation."}],"markDefs":[],"style":"normal"},{"_key":"0afe947b-88f7-466c-8aa6-b25c77cc9db5","_type":"block","children":[{"_key":"eb2c6527-6521-4c65-b383-316f879761ee","_type":"span","marks":[],"text":"Multi-Tenancy Isolation"}],"markDefs":[],"style":"h3"},{"_key":"afcded7e-3f2a-443d-a2e9-24431e3852fd","_type":"block","children":[{"_key":"9a85c906-1175-41eb-b0b6-2f05719e2acd","_type":"span","marks":[],"text":"Kubernetes environments are commonly shared by multiple organizations. Each tentant would share cluster resources and would be segregated using namespaces, resource quotas and limits, RBAC, and network policies."}],"markDefs":[],"style":"normal"},{"_key":"7eb438d7-9220-4c68-89a8-db68a4a1e6b7","_type":"block","children":[{"_key":"05c104e3-5098-489c-ad5a-24d7b7b40e63","_type":"span","marks":[],"text":"Sometimes though, there’s a regulatory need to address a compliance requirement that segmentation not only happens in software but also in hardware."}],"markDefs":[],"style":"normal"},{"_key":"309bf162-db64-49f8-bcc5-62781620726f","_type":"block","children":[{"_key":"79c56c10-459c-4b69-9c65-8549dd2009b5","_type":"span","marks":[],"text":"Using Multi-Network alongside Cilium Network Policies, you can isolate network traffic between tenants by assigning different interfaces to tenants or namespaces."}],"markDefs":[],"style":"normal"},{"_key":"0fcd5138-058e-4a2c-9f00-bb03362411cb","_type":"block","children":[{"_key":"8f84c215-b24e-4b44-915b-36cef85e0ff4","_type":"span","marks":[],"text":"Service Chaining"}],"markDefs":[],"style":"h3"},{"_key":"f856c0c4-1699-4255-90a1-d8ba5c6027ff","_type":"block","children":[{"_key":"b73b25a2-8666-4245-bff9-bafc627dc1e1","_type":"span","marks":[],"text":"Most Telcos are adopting a Container Network Function (CNF) model where network functions are no longer enforced in hardware appliances but as virtual functions. With Cilium Multi-Network, operators can direct traffic to and from Pod to networks for service chaining."}],"markDefs":[],"style":"normal"},{"_key":"64cc62cc-b968-451b-874f-3a28bb643c99","_type":"block","children":[{"_key":"b6b69041-2cd2-4d1f-884e-3fba1304666b","_type":"span","marks":[],"text":"Cilium Multi-Network Walkthrough"}],"markDefs":[],"style":"h2"},{"_key":"78329b4e-e94e-4814-a79c-df0924863edb","_type":"block","children":[{"_key":"745f3bea-7a2a-4a98-b280-b5531658b6aa","_type":"span","marks":[],"text":"A Multi-Network model, where Pods have multiple network interfaces, imply the following requirements:"}],"markDefs":[],"style":"normal"},{"_key":"8714d84489e5","_type":"block","children":[{"_key":"55764bc1c12b","_type":"span","marks":[],"text":"Multiple pools of IPs the network interfaces can get their IPs from"}],"level":1,"listItem":"number","markDefs":[],"style":"normal"},{"_key":"446fd91790f8","_type":"block","children":[{"_key":"26c7a0fa23a2","_type":"span","marks":[],"text":"Multiple networks to which the network interfaces can be attached to"}],"level":1,"listItem":"number","markDefs":[],"style":"normal"},{"_key":"02b941168b06","_type":"block","children":[{"_key":"f15054137535","_type":"span","marks":[],"text":"Being able to apply different security policies depending on which network interface is being used"}],"level":1,"listItem":"number","markDefs":[],"style":"normal"},{"_key":"f2253c7fbcf5","_type":"block","children":[{"_key":"85dc1e78e10b","_type":"span","marks":[],"text":"Being able to observe the traffic using Hubble and discern between which network interface the traffic is coming from."}],"level":1,"listItem":"number","markDefs":[],"style":"normal"},{"_key":"99cac235-b422-4830-a38d-ad0c3969f46c","_type":"block","children":[{"_key":"85b022d1-2078-4276-b671-72654619aed0","_type":"span","marks":[],"text":"Let's walk through an entire example on how Cilium Multi-Network addresses each requirement:"}],"markDefs":[],"style":"normal"},{"_key":"9034b1b5-77cb-4bd4-88a1-1d1a7ea5a81a","_type":"block","children":[{"_key":"dd95eeed-90e8-435c-bb63-d482f87eda22","_type":"span","marks":[],"text":"Multi-Pool IPAM and Multi-Network"}],"markDefs":[],"style":"h3"},{"_key":"7c128c75-5737-45d0-9fcb-60c89815ef72","_type":"block","children":[{"_key":"f95e260d-0f49-4c02-aaf4-2a6f11bec874","_type":"span","marks":[],"text":"Cilium 1.14 introduced the "},{"_key":"8dd9406e-7788-4ab1-91d8-2911abd48ce6","_type":"span","marks":["2bacc8f4-1d20-4beb-8b01-739b2d5518cd"],"text":"Multi-Pool IP Address Management (IPAM) mode"},{"_key":"60609dfa-a72f-49e0-829d-a231917f8014","_type":"span","marks":[],"text":", where multiple pools of IP ranges can be created."}],"markDefs":[{"_key":"2bacc8f4-1d20-4beb-8b01-739b2d5518cd","_type":"link","href":"/blog/post/cilium-release-114/#multi-pool-ipam-beta","openInNewTab":true}],"style":"normal"},{"_key":"d30da423-11a5-480b-ac5c-9e35c54087ba","_type":"block","children":[{"_key":"ecfddae8-ced3-4707-a1c4-ffa20b88a890","_type":"span","marks":[],"text":"With Multi-Pool IPAM, you can deploy a "},{"_key":"284945f2-5cce-4452-88e4-b9008a3d4455","_type":"span","marks":["code"],"text":"CiliumPodIPPool"},{"_key":"24e2a77c-0836-4491-8495-148f925c3220","_type":"span","marks":[],"text":" specifying the network range that will be allocated. The example below uses the "},{"_key":"1df02597-cf58-40bc-9e49-41edeb347b2f","_type":"span","marks":["code"],"text":"192.168.16.0/20"},{"_key":"3d7405e7-8e7a-4b9f-8390-8fc66748eaf7","_type":"span","marks":[],"text":" prefix."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:02Z","_id":"b9624621-99ab-4f65-2e06-0935be732a89","_key":"35fc8daf-92d5-483e-a28c-7d92537d59d1","_ref":"b9624621-99ab-4f65-2e06-0935be732a89","_rev":"be3C7ysj1QqQyrHso4eBKV","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:20Z","code":"apiVersion: cilium.io/v2alpha1\nkind: CiliumPodIPPool\nmetadata:\n name: jupiter-ip-pool\nspec:\n ipv4:\n cidrs:\n - 192.168.16.0/20\n maskSize: 27","language":"yaml","title":"yaml - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"27836f6d-7531-415b-85d4-1d85357dc349","_type":"block","children":[{"_key":"529b59a3-1f96-4224-9d3d-c6e908675989","_type":"span","marks":[],"text":"The pool can then be attached directly to a network by using the "},{"_key":"40e3cd68-9b87-4dc1-99f6-94a8ff2fe17b","_type":"span","marks":["code"],"text":"IsovalentPodNetwork"},{"_key":"a847e128-18e3-4d05-bde4-cd9bd9215e69","_type":"span","marks":[],"text":" CRD. This CRD describes a virtual network a Pod can attach to. "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:03Z","_id":"dacbf1f9-a641-d236-a857-7883d9b06f3a","_key":"feb76c00-4f4b-482d-bc3f-f9867d8c3401","_ref":"dacbf1f9-a641-d236-a857-7883d9b06f3a","_rev":"P5GVFsWfT1LlxauxUA6diO","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:21Z","code":"---\napiVersion: isovalent.com/v1alpha1\nkind: IsovalentPodNetwork\nmetadata:\n name: jupiter\nspec:\n ipam:\n mode: multi-pool\n pool:\n name: jupiter-ip-pool\n routes:\n - destination: 192.168.0.0/16\n gateway: 192.168.0.1","language":"yaml","title":"yaml - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"bf8a48e0-4a90-447d-8c08-3dad76fe63a1","_type":"block","children":[{"_key":"3b7bda63-d00c-4b53-9227-14b098f4b31f","_type":"span","marks":[],"text":"When using the Multi-Network feature, you can use the "},{"_key":"faa024b5-6b02-4e04-9632-3e78ce1ad76b","_type":"span","marks":["code"],"text":"network.v1alpha1.isovalent.com/pod-networks=secondary_network"},{"_key":"6412021c-74ad-49e7-b813-e3d5f4ad22a3","_type":"span","marks":[],"text":" annotation to attach your Pod to "},{"_key":"cbb6d1c7-54c4-47a7-8608-40b22d800895","_type":"span","marks":["code"],"text":"secondary_network"},{"_key":"6b98457e-f7cd-4a55-882f-4562e3afcedd","_type":"span","marks":[],"text":" and get an IP address from the pool attached to the network (you will see more details about it shortly)."}],"markDefs":[],"style":"normal"},{"_key":"3e9a304c-023a-4ee1-8356-7eaa7b4522ab","_type":"block","children":[{"_key":"e7adc587-66f8-483a-bab3-2e30013eb370","_type":"span","marks":[],"text":"Let's try:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:04Z","_id":"e04b0e9c-d336-884d-aa00-a10a6a44a8a1","_key":"feb3b584-0321-42e7-a0a7-d86aa3c32395","_ref":"e04b0e9c-d336-884d-aa00-a10a6a44a8a1","_rev":"P5GVFsWfT1LlxauxUA6do6","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:22Z","code":"$$ kubectl run nginx --image nginx --annotations network.v1alpha1.isovalent.com/pod-networks=jupiter\npod/nginx created\n$ kubectl get pod nginx -o wide\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\nnginx 1/1 Running 0 30s 192.168.16.48 kind-worker2 ","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"361f5f60-b341-487d-a331-f8ddcbb085f2","_type":"block","children":[{"_key":"805f3184-3466-4a12-af12-587462ba52e4","_type":"span","marks":[],"text":"The Pod has received an IP from the correct pool and network and as you can see below, the "},{"_key":"b98ea6ea-9d75-41b8-8310-3e9588da683f","_type":"span","marks":["code"],"text":"192.168.16.32/27"},{"_key":"9c1f9193-35e4-40c3-9af4-efbeb2a2a170","_type":"span","marks":[],"text":" network was carved out for the "},{"_key":"4a9310ad-fa9b-4181-9144-edcec6811255","_type":"span","marks":["code"],"text":"kind-worker2"},{"_key":"33a61017-0192-4d09-8412-693bd06f91db","_type":"span","marks":[],"text":" node."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:05Z","_id":"419608cf-9695-6275-1ed6-4302f5681cd3","_key":"01f779d2-97bc-4d4d-85a3-def4810bebe7","_ref":"419608cf-9695-6275-1ed6-4302f5681cd3","_rev":"9px8ir0NfLa6aydsXNSGYb","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:23Z","code":"$$ kubectl get ciliumnode kind-worker2 -o json | jq \".spec.ipam.pools\"\n{\n \"allocated\": [\n {\n \"cidrs\": [\n \"10.10.1.0/24\"\n ],\n \"pool\": \"default\"\n },\n {\n \"cidrs\": [\n \"192.168.16.32/27\"\n ],\n \"pool\": \"jupiter-ip-pool\"\n }\n ],\n \"requested\": [\n {\n \"needed\": {\n \"ipv4-addrs\": 16\n },\n \"pool\": \"default\"\n },\n {\n \"needed\": {\n \"ipv4-addrs\": 3\n },\n \"pool\": \"jupiter-ip-pool\"\n }\n ]\n}","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"86a5b406-122c-4f16-8c0c-a0589b24ab51","_type":"block","children":[{"_key":"0f645b4c-1e1d-405c-b328-23235050e43e","_type":"span","marks":[],"text":"One of the benefits of Multi-Pool is that it can dynamically allocate more CIDR blocks as demand for IPs grows."}],"markDefs":[],"style":"normal"},{"_key":"5cf1744a-3b10-480f-81ee-2600389273d4","_type":"block","children":[{"_key":"bd2fa3ac-152a-4466-ab98-ca685be80c2d","_type":"span","marks":[],"text":"Let’s verify this with a Deployment of 60 Pods attached to this network:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:06Z","_id":"5a76fefc-19a9-53d0-bf64-12d868f39e04","_key":"f393dac6-41f4-4b92-b41a-7e87e3f0e68f","_ref":"5a76fefc-19a9-53d0-bf64-12d868f39e04","_rev":"be3C7ysj1QqQyrHso4eERH","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:25Z","code":"---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: nginx-nico\nspec:\n selector:\n matchLabels:\n app: nginx-nico\n replicas: 60\n template:\n metadata:\n labels:\n app: nginx-nico\n annotations:\n network.v1alpha1.isovalent.com/pod-networks: jupiter\n spec:\n containers:\n - name: nginx\n image: nginx:1.25.1\n ports:\n - containerPort: 80","language":"yaml","title":"yaml - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"5804b738-18bf-4c56-8b2f-dafa8d6197ad","_type":"block","children":[{"_key":"f5ae9aa2-54b0-407b-85b7-a8b72de7ad59","_type":"span","marks":[],"text":"Once deployed, you will see that an additional IP block - "},{"_key":"3f00b27c-ebff-4a04-87e5-dfe5bb13de38","_type":"span","marks":["code"],"text":"192.168.16.64/27"},{"_key":"21180ca1-63e8-4bcb-a863-bb56869cbabb","_type":"span","marks":[],"text":" - has been added to support the demand:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:07Z","_id":"b35cd5be-230d-ad5e-2975-90173b41db7a","_key":"b547cb0a-022b-42c3-b716-d059d85592fa","_ref":"b35cd5be-230d-ad5e-2975-90173b41db7a","_rev":"be3C7ysj1QqQyrHso4eEdK","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:25Z","code":"$$ kubectl get ciliumnode kind-worker2 -o json | jq \".spec.ipam.pools\"\n{\n \"allocated\": [\n {\n \"cidrs\": [\n \"10.10.1.0/24\"\n ],\n \"pool\": \"default\"\n },\n {\n \"cidrs\": [\n \"192.168.16.32/27\",\n \"192.168.16.64/27\"\n ],\n \"pool\": \"jupiter-ip-pool\"\n }\n ],\n \"requested\": [\n {\n \"needed\": {\n \"ipv4-addrs\": 16\n },\n \"pool\": \"default\"\n },\n {\n \"needed\": {\n \"ipv4-addrs\": 31\n },\n \"pool\": \"jupiter-ip-pool\"\n }\n ]\n}","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"fc3fb8d2-49c8-40ad-be8b-33bcb4b38ba7","_type":"block","children":[{"_key":"f652eca8-448f-4c64-94ed-22343ccd2846","_type":"span","marks":[],"text":"Note the "},{"_key":"3493ce0c-e9cf-4448-894c-4906a665647f","_type":"span","marks":["code"],"text":"needed"},{"_key":"6759c80e-9684-4a5a-b55b-d5e6904bd2b9","_type":"span","marks":[],"text":" field above: as the number of required IPs has significantly increased, another "},{"_key":"507b7259-dc8d-4d31-9d4b-5db179809b8a","_type":"span","marks":["code"],"text":"/27"},{"_key":"a43ff042-95cb-4f4b-a300-a9a1d414704d","_type":"span","marks":[],"text":" CIDR was allocated to the Cilium Node."}],"markDefs":[],"style":"normal"},{"_key":"ab7d2cdc-7cd1-4219-ba5c-39ccb40016b8","_type":"block","children":[{"_key":"24d4b66b-f0e6-4bea-a9be-5b2bc06c1c83","_type":"span","marks":[],"text":"The other field in the IsovalentPodNetwork manifest to notice is the following:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:08Z","_id":"21b506ce-a8a4-8920-0d21-f93e4ec69cf4","_key":"76b51650-6007-453a-ac36-d5369b1890c3","_ref":"21b506ce-a8a4-8920-0d21-f93e4ec69cf4","_rev":"P5GVFsWfT1LlxauxUA6e85","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:26Z","code":"---\napiVersion: isovalent.com/v1alpha1\n[...]\nspec:\n [...]\n routes:\n - destination: 192.168.0.0/16\n gateway: 192.168.0.1","language":"yaml","title":"yaml - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"6251a788-3f1b-468a-b765-5858700425f9","_type":"block","children":[{"_key":"e2a6c221-c304-4179-b802-cd22fd2557e9","_type":"span","marks":[],"text":"This adds a route to steer traffic towards the secondary network. Here is an illustration of the routing table once Multi-Network is configured."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T16:35:22Z","_id":"4a4ec08d-52d3-987f-8bc2-6ec56e2e6561","_key":"594f76e5-edeb-4f72-9297-8f368aef4c69","_ref":"4a4ec08d-52d3-987f-8bc2-6ec56e2e6561","_rev":"9px8ir0NfLa6aydsXId2oC","_type":"mediaImage","_updatedAt":"2024-09-30T16:35:22Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-68930d8d0da31d6d50443640d5aabe1c7f489945-2018x664-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"9fkmDy3UamiZH541E54jii","size":"large","title":"9fkmDy3UamiZH541E54jii - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/68930d8d0da31d6d50443640d5aabe1c7f489945-2018x664.png"},{"_key":"399ac6a3-fdd2-4f01-a89f-5b77bfc7e035","_type":"block","children":[{"_key":"4eb98271-30cc-4b63-acb3-c739328f4525","_type":"span","marks":[],"text":"With the network and pool configured, our Pod is ready to be attached to multiple networks."}],"markDefs":[],"style":"normal"},{"_key":"e29d5937-1309-4546-b92c-119ccb63a90d","_type":"block","children":[{"_key":"9ec2c812-c5d1-426e-be1a-5c388a807c23","_type":"span","marks":[],"text":"Multi-Network Interfaces"}],"markDefs":[],"style":"h3"},{"_key":"7aab860f-858d-4f6e-99b1-0e077233a408","_type":"block","children":[{"_key":"88695c41-ed69-45fe-afe1-d580b3b14124","_type":"span","marks":[],"text":"To connect a Pod to multiple interfaces, we need to annotate them accordingly."}],"markDefs":[],"style":"normal"},{"_key":"090b7cc9-ec4f-4dbe-94f1-6650f6eebf27","_type":"block","children":[{"_key":"f6c63161-2a0f-4e66-bdc4-00f9c132a3c1","_type":"span","marks":[],"text":"As you saw above, when we want to attach a Pod to additional networks, we use the "},{"_key":"fa986f95-fc8c-4ce3-b0be-ae153532364c","_type":"span","marks":["code"],"text":"network.v1alpha1.isovalent.com/pod-networks"},{"_key":"ff13ae33-a419-4f92-9d0b-89f58d3e09f3","_type":"span","marks":[],"text":" annotation."}],"markDefs":[],"style":"normal"},{"_key":"84e771fa-f514-4991-9122-1f2accefdfb4","_type":"block","children":[{"_key":"0c059870-c894-4ace-add7-11a4b53f7535","_type":"span","marks":[],"text":"This annotation consists of a comma-delimited list of "},{"_key":"c6d03132-45c8-4710-b92e-fc79acd5d3fe","_type":"span","marks":["code"],"text":"IsovalentPodNetwork"},{"_key":"19b54fef-188d-4c53-accf-3d7597446e77","_type":"span","marks":[],"text":" names. For example, the annotation "},{"_key":"d1ff7c21-a114-4061-b815-086118276240","_type":"span","marks":["code"],"text":"network.v1alpha1.isovalent.com/pod-networks: default,jupiter"},{"_key":"5327e488-ca4e-4a09-a6dd-bd10ea4adb7f","_type":"span","marks":[],"text":" causes Cilium to attach the "},{"_key":"2f0c07cc-629b-43d0-8c73-aa22b3964622","_type":"span","marks":["code"],"text":"client"},{"_key":"ad642c0a-d621-4c2e-b110-b681156a525f","_type":"span","marks":[],"text":" Pod to the "},{"_key":"d7f2364d-9326-4a49-9593-a36a6e1ab5f5","_type":"span","marks":["code"],"text":"default"},{"_key":"43094990-0edf-47e5-92ed-277047771e99","_type":"span","marks":[],"text":" and "},{"_key":"b0f42095-0a4e-4cb3-8837-6c1acc5dfc17","_type":"span","marks":["code"],"text":"jupiter"},{"_key":"5f073d32-d492-43e3-9375-15c56b8128ce","_type":"span","marks":[],"text":" networks. "}],"markDefs":[],"style":"normal"},{"_key":"daba92b7-0b4d-4c8b-97d8-6b7b84591c5b","_type":"block","children":[{"_key":"7491d5ab-25d1-4cd0-880f-a2fff5dde2d4","_type":"span","marks":[],"text":"Let's deploy three Pods, with three different annotations:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:09Z","_id":"3e4fd596-f5b6-6151-9635-6cb7ca3d6463","_key":"2bd615a8-f27b-47fe-bbee-4045d8aaf225","_ref":"3e4fd596-f5b6-6151-9635-6cb7ca3d6463","_rev":"P5GVFsWfT1LlxauxUA6eDn","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:27Z","code":"---\napiVersion: v1\nkind: Pod\nmetadata:\n name: client\n labels:\n app: client\n annotations:\n network.v1alpha1.isovalent.com/pod-networks: default,jupiter\nspec:\n containers:\n - name: client-container\n image: quay.io/cilium/alpine-curl:v1.5.0\n command:\n - /bin/ash\n - -c\n - sleep 10000000\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: server-default\n labels:\n app: server-default\n annotations:\n network.v1alpha1.isovalent.com/pod-networks: default\nspec:\n containers:\n - name: server-jupiter-container\n image: quay.io/cilium/json-mock:v1.3.5\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: server-jupiter\n labels:\n app: server-jupiter\n annotations:\n network.v1alpha1.isovalent.com/pod-networks: jupiter\nspec:\n containers:\n - name: server-jupiter-container\n image: quay.io/cilium/json-mock:v1.3.5","language":"yaml","title":"yaml - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"ab16428e-d731-4f62-bcf9-da512a85fca1","_type":"block","children":[{"_key":"62adbe38-a2f4-4242-927d-cfb5497f1b71","_type":"span","marks":[],"text":"To summarize:"}],"markDefs":[],"style":"normal"},{"_key":"5cefd7c6ffb7","_type":"block","children":[{"_key":"88a479e9e529","_type":"span","marks":["code"],"text":"server-default"},{"_key":"eb22874da4f9","_type":"span","marks":[],"text":" will be connected to the "},{"_key":"7b92318ada11","_type":"span","marks":["code"],"text":"default"},{"_key":"5a10363478ba","_type":"span","marks":[],"text":" network"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"03983cd3837f","_type":"block","children":[{"_key":"a5f10a1b1d54","_type":"span","marks":["code"],"text":"server-jupiter"},{"_key":"a10a4ee49e60","_type":"span","marks":[],"text":" will be attached only to the "},{"_key":"1fe97f14bf35","_type":"span","marks":["code"],"text":"jupiter"},{"_key":"c99e10f0aac1","_type":"span","marks":[],"text":" network."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"97a7506c22dd","_type":"block","children":[{"_key":"68f635bb5821","_type":"span","marks":["code"],"text":"client"},{"_key":"9159014e16ee","_type":"span","marks":[],"text":" Pod will be attached to both."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"9afaa0e5-a49e-419f-9ae1-42cc5dab4a39","_type":"block","children":[{"_key":"c058a752-928f-474a-a1fe-3e477df8cd1f","_type":"span","marks":[],"text":"Let's verify that connectivity is working. First, let's check our Pods:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:10Z","_id":"eb3804ea-9acc-4684-48d7-f87957649b88","_key":"96719c25-c2c0-45b8-ab65-5153ddadb432","_ref":"eb3804ea-9acc-4684-48d7-f87957649b88","_rev":"be3C7ysj1QqQyrHso4eExP","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:28Z","code":"$$ kubectl get pods -o wide\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\nclient 1/1 Running 0 119s 10.10.2.159 kind-worker \nserver-default 1/1 Running 0 2m 10.10.2.105 kind-worker \nserver-jupiter 1/1 Running 0 119s 192.168.16.10 kind-worker ","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"5a45e78f-ea5f-4686-a09e-5cabd48b94b8","_type":"block","children":[{"_key":"7f109919-6c1c-4eff-851a-37ff02e8376b","_type":"span","marks":[],"text":"Note that, from this output, you can only see the primary IP address attached to "},{"_key":"edc21acc-3174-4690-8375-e514a10e7c4a","_type":"span","marks":["code"],"text":"client"},{"_key":"98e6f61f-325a-4e16-8023-991e63a3f45b","_type":"span","marks":[],"text":"."}],"markDefs":[],"style":"normal"},{"_key":"d29f106f-25dd-400b-9e44-760723fe99f8","_type":"block","children":[{"_key":"7c87e195-c839-4bd1-a27b-a23e8ef00432","_type":"span","marks":[],"text":"Next, let's have a look at the Cilium Endpoints. All application containers which share a common IP address are considered a single Cilium Endpoint. All endpoints are assigned a security identity."}],"markDefs":[],"style":"normal"},{"_key":"ae1e9459-e025-4fb6-84a3-72ea29deb1ea","_type":"block","children":[{"_key":"fea2e61c-ba36-4252-bda8-5344b4c8ee3d","_type":"span","marks":[],"text":"Let's now verify that a "},{"_key":"6dfbcd80-f756-4408-9f96-5b694f3729e8","_type":"span","marks":["code"],"text":"CiliumEndpoint"},{"_key":"9a308ef9-96f4-45a0-b041-07e91b8a294e","_type":"span","marks":[],"text":" resource is present for each server Pod, and two "},{"_key":"f08050af-b922-4641-8593-602da685736d","_type":"span","marks":["code"],"text":"CiliumEndpoint"},{"_key":"821861b6-d592-479b-9150-2c979e3602f5","_type":"span","marks":[],"text":" resources are present for the client Pod:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:11Z","_id":"eaf386e6-393e-293c-eae3-6a733c48f45d","_key":"1a582617-7301-458c-866d-5cb63c033cc8","_ref":"eaf386e6-393e-293c-eae3-6a733c48f45d","_rev":"9px8ir0NfLa6aydsXNSH0c","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:29Z","code":"$$ kubectl get ciliumendpoints.cilium.io\nNAME ENDPOINT ID IDENTITY ID INGRESS ENFORCEMENT EGRESS ENFORCEMENT VISIBILITY POLICY ENDPOINT STATE IPV4 IPV6\nclient 1173 39016 ready 10.10.2.159 \nclient-cil1 1569 29052 ready 192.168.16.7 \nserver-default 2224 3321 ready 10.10.2.105 \nserver-jupiter 3784 29478 ready 192.168.16.10 ","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"eb926285-cfae-4b6e-933b-0ccf46ea22b3","_type":"block","children":[{"_key":"a3abd48a-dc64-4253-8249-119c58b7b599","_type":"span","marks":[],"text":"The "},{"_key":"ceae0be3-af15-4ea5-a5cc-17b6e5147991","_type":"span","marks":["code"],"text":"client"},{"_key":"77b2d40b-9c0d-4cf4-9ced-0660b31bb50f","_type":"span","marks":[],"text":" endpoint represents the primary Pod interface and the "},{"_key":"01cc7b55-8a21-4c56-8606-1d73478fa94e","_type":"span","marks":["code"],"text":"client-cil1"},{"_key":"fe48ff52-a1a0-40cb-b397-95fdbdee9eee","_type":"span","marks":[],"text":" endpoint represents the secondary Pod interface of the "},{"_key":"bcf4c1b7-b974-4204-85de-4c0bd80dd846","_type":"span","marks":["code"],"text":"client"},{"_key":"d91f1487-06f7-454f-9cda-5b5a58f6c8bc","_type":"span","marks":[],"text":" Pod. Both server Pods only have a single endpoint because they are each only attached to a single network."}],"markDefs":[],"style":"normal"},{"_key":"f73b593c-2768-4868-91e0-4960ad86d65a","_type":"block","children":[{"_key":"8ac8acd0-c800-49a2-9b37-6335db3ec9cb","_type":"span","marks":[],"text":"Let's verify that a secondary network interface "},{"_key":"244aaf90-ae43-45ff-a79d-3e7d9ec39874","_type":"span","marks":["code"],"text":"cil1"},{"_key":"5ebadf12-d2ad-45e3-9adb-42a4a54a0f0c","_type":"span","marks":[],"text":" was created in the client Pod, connecting it to the "},{"_key":"ce79aed4-5983-4809-a7d6-e87ffd08218e","_type":"span","marks":["code"],"text":"jupiter"},{"_key":"f05ef9fa-1198-43cc-a3a8-2898bcaa9350","_type":"span","marks":[],"text":" network:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:12Z","_id":"4b6fde7b-81a9-e397-479b-d226756c1e8c","_key":"cc16a876-1c6d-4fd8-adbd-4815d054421b","_ref":"4b6fde7b-81a9-e397-479b-d226756c1e8c","_rev":"be3C7ysj1QqQyrHso4eF5R","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:30Z","code":"$$ kubectl exec -it client -- ip addr show\n1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1000\n link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n inet 127.0.0.1/8 scope host lo\n valid_lft forever preferred_lft forever\n inet6 ::1/128 scope host \n valid_lft forever preferred_lft forever\n15: eth0@if16: mtu 1500 qdisc noqueue state UP qlen 1000\n link/ether 7e:71:87:f9:ec:e1 brd ff:ff:ff:ff:ff:ff\n inet 10.10.2.159/32 scope global eth0\n valid_lft forever preferred_lft forever\n inet6 fe80::7c71:87ff:fef9:ece1/64 scope link \n valid_lft forever preferred_lft forever\n17: cil1@if18: mtu 1500 qdisc noqueue state UP qlen 1000\n link/ether 76:c2:81:95:6c:35 brd ff:ff:ff:ff:ff:ff\n inet 192.168.16.7/32 scope global cil1\n valid_lft forever preferred_lft forever\n inet6 fe80::74c2:81ff:fe95:6c35/64 scope link \n valid_lft forever preferred_lft forever","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"b60d6dc0-0ce8-470c-997f-c8494ca36f85","_type":"block","children":[{"_key":"d8af1caa-3d10-451d-ad56-21b5bfb16f2f","_type":"span","marks":[],"text":"Note the "},{"_key":"45ed01f8-c819-4206-900f-37ecef06d870","_type":"span","marks":["code"],"text":"cil1"},{"_key":"a389b467-99e8-4bfc-b308-c406b23851e0","_type":"span","marks":[],"text":" IP ("},{"_key":"28094f29-ed5d-4173-add9-74c50eb70783","_type":"span","marks":["code"],"text":"192.168.16.7"},{"_key":"771ce40e-e52f-496a-a451-c97754ba625e","_type":"span","marks":[],"text":" in the example above) matches the "},{"_key":"ebcd8973-1240-4c30-aa68-e901adc2bc62","_type":"span","marks":["code"],"text":"client-cil1"},{"_key":"e4e889a5-51cc-4a3d-b9b1-d92ce9608f38","_type":"span","marks":[],"text":" interface IP address in the Cilium endpoint list above."}],"markDefs":[],"style":"normal"},{"_key":"bacf36b0-c7fe-4dee-8ba5-195c172cd862","_type":"block","children":[{"_key":"5b22b173-5f6a-41fd-8b4a-a8ab9db5e509","_type":"span","marks":[],"text":"Next, let's validate that the server is reachable by sending an HTTP GET request to the server's "},{"_key":"5500757c-1454-4860-a372-aeb827b859a8","_type":"span","marks":["code"],"text":"/client-ip"},{"_key":"f46b8bd9-1069-4b1e-bfdf-24764d345e64","_type":"span","marks":[],"text":" endpoint. In its reply, it will report the client's IP address:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:14Z","_id":"7fb3b03e-cb39-a0f6-fc21-3fcd92af5784","_key":"2384b0c8-d70f-4e2a-91f1-f45ff06c3ba0","_ref":"7fb3b03e-cb39-a0f6-fc21-3fcd92af5784","_rev":"be3C7ysj1QqQyrHso4eFLV","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:32Z","code":"$$ kubectl exec -it client -- curl $SERVER_DEFAULT_IP/client-ip\n{\n \"client-ip\": \"::ffff:10.10.1.173\"\n}","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"b4727cfd-5cca-4063-a139-85212edd0c71","_type":"block","children":[{"_key":"1610c405-d643-48ee-add7-5755c1ecf25d","_type":"span","marks":[],"text":"Finally, let's validate connectivity in the "},{"_key":"607f2b5f-37f4-4346-b44f-5925e4d0497f","_type":"span","marks":["code"],"text":"jupiter"},{"_key":"674e7c30-5ffc-4071-8585-2940fc274100","_type":"span","marks":[],"text":" network (192.168.16.0/20) from the multi-networked "},{"_key":"35a5f4b1-5b83-4877-9bdf-d97cdf5c6a8d","_type":"span","marks":["code"],"text":"client"},{"_key":"fc8ff094-0459-489e-9dd9-8a7292f20c21","_type":"span","marks":[],"text":" pod to the "},{"_key":"49980729-9263-4622-88ed-c178adeecadb","_type":"span","marks":["code"],"text":"server-jupiter"},{"_key":"c3e1421b-3912-4b13-85dc-395dbf5b4d8f","_type":"span","marks":[],"text":" pod:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:15Z","_id":"517784d6-5cfa-491d-9856-c968ff2fc3ab","_key":"508155d9-66f1-46f3-83a5-b2540a7bb338","_ref":"517784d6-5cfa-491d-9856-c968ff2fc3ab","_rev":"be3C7ysj1QqQyrHso4eFXY","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:33Z","code":"$$ kubectl exec -it client -- curl $SERVER_JUPITER_IP/client-ip\n{\n \"client-ip\": \"::ffff:192.168.16.12\"\n}","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"a0827d59-9106-4f2d-8f4b-8ac9fd613d07","_type":"block","children":[{"_key":"009c5425-3bbf-4ee4-8ccc-137f98d8c9b0","_type":"span","marks":[],"text":"Connectivity was successful. The responses to the packets sent from "},{"_key":"c2fa685f-fd5e-414f-95e4-165c79278e1e","_type":"span","marks":["code"],"text":"client"},{"_key":"5ca1601e-eb54-4db7-a280-c556766ba4d1","_type":"span","marks":[],"text":" to both servers Pods show that the original packets were sent from a different IP. The source IP wasn't masqueraded and remained that of the original Pod and it originated from the Pod's correct network interface. HTTP traffic tests were both successful."}],"markDefs":[],"style":"normal"},{"_key":"e4891261-7e08-4dd0-af41-91cffa852bb7","_type":"block","children":[{"_key":"3117e0f3-f8b2-42b3-96e0-e028ac241516","_type":"span","marks":[],"text":"But can we apply different network policies to these different network interfaces?"}],"markDefs":[],"style":"normal"},{"_key":"28c92f2f-fb37-4aae-afa8-c1ecccc62bf1","_type":"block","children":[{"_key":"5aaf5cce-7422-4d5a-9d89-0d2b1a26a21d","_type":"span","marks":[],"text":"Let's find out."}],"markDefs":[],"style":"normal"},{"_key":"4098fb91-8b74-4e59-aa11-bff96d36d902","_type":"block","children":[{"_key":"da2230bd-92c2-4724-bbc8-019e6b4cae33","_type":"span","marks":[],"text":"Multi-Network with Network Policies"}],"markDefs":[],"style":"h3"},{"_key":"c582b318-5bd7-4d57-b037-246e5c4ea7df","_type":"block","children":[{"_key":"1e0471f2-d701-4125-b6b2-d24d11bd9762","_type":"span","marks":[],"text":"Security enforcement architectures have been traditionally based on IP address filters. Given the churn and scale of micro-services, it's largely irrelevant in the cloud-native world. To avoid these complications, which can limit scalability and flexibility, Cilium entirely separates security from network addressing. Instead, security is based on the identity of a pod, which is derived through labels."}],"markDefs":[],"style":"normal"},{"_key":"02322e5c-e351-41d1-8c4e-9b1c1ff21cef","_type":"block","children":[{"_key":"63615f1e-d6be-47c6-8350-26e6ce92bcb5","_type":"span","marks":[],"text":"Let's have a look at the identity of the "},{"_key":"f0e25faa-8475-4907-96a0-4d15bfaf39e6","_type":"span","marks":["code"],"text":"client"},{"_key":"90603e33-4708-41fa-88de-a91ccb2bfe84","_type":"span","marks":[],"text":" endpoint. Its ID is "},{"_key":"522d9101-484d-448d-b312-91ce750c2bce","_type":"span","marks":["code"],"text":"32716"},{"_key":"95ac7670-7062-47c3-96f1-07d149484ca1","_type":"span","marks":[],"text":":"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:16Z","_id":"f36dec9d-1636-e986-c6ad-0b2e10b41226","_key":"5d9bda89-639e-49b4-b4a1-bb0b4b3dfff7","_ref":"f36dec9d-1636-e986-c6ad-0b2e10b41226","_rev":"be3C7ysj1QqQyrHso4eFjb","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:33Z","code":"$$ kubectl get cep client -o json | jq .status.identity\n{\n \"id\": 32716,\n \"labels\": [\n \"k8s:app=client\",\n \"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default\",\n \"k8s:io.cilium.k8s.policy.cluster=default\",\n \"k8s:io.cilium.k8s.policy.serviceaccount=default\",\n \"k8s:io.kubernetes.pod.namespace=default\"\n ]\n}","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"f07caf83-2818-4f22-a65e-748032393b9c","_type":"block","children":[{"_key":"fe5323f6-d7cf-4c41-bbab-915298d7ae6f","_type":"span","marks":[],"text":"Let's now have a look at the identity of the "},{"_key":"135b3b29-8a81-4791-97d2-4363c84fca4a","_type":"span","marks":["code"],"text":"client-cil1"},{"_key":"67315007-c068-4019-802b-127b7a6374ff","_type":"span","marks":[],"text":" endpoint - in other words, the secondary interface on the same "},{"_key":"9015977c-dacf-4030-ba74-a33282c98029","_type":"span","marks":["code"],"text":"client"},{"_key":"e08018e8-794c-4efd-95ee-c1ea320f4bbd","_type":"span","marks":[],"text":" Pod. Its ID is "},{"_key":"9c97768f-bbcc-4ddb-b1d3-2fcfb74cd58f","_type":"span","marks":["code"],"text":"1640"},{"_key":"a5ef73a9-fb4e-4868-8e3d-e0d5cb2b901e","_type":"span","marks":[],"text":": "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:17Z","_id":"bc772a25-f3a5-0c00-b8dd-8aa746a9075a","_key":"ba35b697-c159-4c0c-a693-eb2a27344765","_ref":"bc772a25-f3a5-0c00-b8dd-8aa746a9075a","_rev":"9px8ir0NfLa6aydsXNSHPW","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:34Z","code":"$$ kubectl get cep client-cil1 -o json | jq .status.identity\n{\n \"id\": 1640,\n \"labels\": [\n \"cni:com.isovalent.v1alpha1.network.attachment=jupiter\",\n \"k8s:app=client\",\n \"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default\",\n \"k8s:io.cilium.k8s.policy.cluster=default\",\n \"k8s:io.cilium.k8s.policy.serviceaccount=default\",\n \"k8s:io.kubernetes.pod.namespace=default\"\n ]\n}","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"7d6c7098-f381-48b0-875d-5431ad141825","_type":"block","children":[{"_key":"59f96f3d-e0ed-4883-bcb1-afb308da8de9","_type":"span","marks":[],"text":"Both IDs are different, and there different network policies can be applied to each network interface."}],"markDefs":[],"style":"normal"},{"_key":"b044f04f-002b-424f-ad34-5bcf3ff99d5d","_type":"block","children":[{"_key":"f4222897-2195-43f8-94e0-fccae97db18c","_type":"span","marks":[],"text":"Every Cilium Endpoint associated with a secondary pod interface has one additional label of the form "},{"_key":"6b24239c-0400-4f60-98b5-f620f1a04d71","_type":"span","marks":["code"],"text":"cni:com.isovalent.v1alpha1.network.attachment="},{"_key":"0ad38cd4-e01a-4b09-b824-4388028b3461","_type":"span","marks":[],"text":" added by the Cilium CNI plugin."}],"markDefs":[],"style":"normal"},{"_key":"73eedcb4-aac8-4349-81a9-05e3a42f1dac","_type":"block","children":[{"_key":"7a4996fa-6b51-449c-97b7-4bd97b7d6a9d","_type":"span","marks":[],"text":"This is how each network interface will have its own Cilium security identity, allowing us to write policies that only apply to a specific network by selecting this extra label."}],"markDefs":[],"style":"normal"},{"_key":"e5cb7d55-f60a-4507-90ec-92c6f1d7bb25","_type":"block","children":[{"_key":"57895064-8dce-4c12-9382-e48b78f5ca0a","_type":"span","marks":[],"text":"Let's review a couple of Cilium Network Policies:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:18Z","_id":"6c7f2e6f-701f-32c2-3204-ac8e7da7cb49","_key":"4593d4f5-6905-4a99-9202-95acb47b4e9a","_ref":"6c7f2e6f-701f-32c2-3204-ac8e7da7cb49","_rev":"P5GVFsWfT1LlxauxUA6gL7","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:35Z","code":"---\napiVersion: cilium.io/v2\nkind: CiliumNetworkPolicy\nmetadata:\n name: server-jupiter-policy\n namespace: default\nspec:\n endpointSelector:\n matchLabels:\n app: server-jupiter\n ingress:\n - fromEndpoints:\n - matchLabels:\n cni:com.isovalent.v1alpha1.network.attachment: jupiter\n toPorts:\n - ports:\n - port: \"80\"\n protocol: TCP\n rules:\n http:\n - method: \"GET\"\n path: \"/public\"\n---\napiVersion: cilium.io/v2\nkind: CiliumNetworkPolicy\nmetadata:\n name: server-default-policy\n namespace: default\nspec:\n endpointSelector:\n matchLabels:\n app: server-default\n ingress:\n - fromEndpoints:\n - matchLabels:\n app: client\n toPorts:\n - ports:\n - port: \"80\"\n protocol: TCP\n rules:\n http:\n - method: \"GET\"\n path: \"/client-ip\"","language":"yaml","title":"yaml - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"5ef056b2-b011-4371-b783-ce2971d65a63","_type":"block","children":[{"_key":"029cb323-f441-43aa-a4fc-91c07fc41506","_type":"span","marks":[],"text":"The "},{"_key":"15fecc16-a353-4377-9fac-a4606c87d3e1","_type":"span","marks":["code"],"text":"server-default-policy"},{"_key":"4b030619-bff6-4da9-a301-268254e08d4a","_type":"span","marks":[],"text":" network policy allows traffic from the "},{"_key":"3b2da056-ac82-4eb3-838a-470bdb33b65e","_type":"span","marks":["code"],"text":"client"},{"_key":"fa73ba27-fe7a-457b-bbf4-32e64dbf39d1","_type":"span","marks":[],"text":" Pod to "},{"_key":"42758d49-802e-44ba-8c66-60918c73bb9d","_type":"span","marks":["code"],"text":"server-default"},{"_key":"805295f4-0bf2-4cb9-816e-3dd1c640337e","_type":"span","marks":[],"text":" and only HTTP traffic of the method "},{"_key":"16cecf5b-d1e2-4f3c-ba71-3be7b183d93c","_type":"span","marks":["code"],"text":"GET"},{"_key":"529aad05-3ef0-498c-88c2-fda3d309453c","_type":"span","marks":[],"text":" and to "},{"_key":"2d4ec1f5-1b4d-4639-912e-5218ffe09a03","_type":"span","marks":["code"],"text":"\"/client-ip\""},{"_key":"a3e34e53-f42d-478c-9b45-2cb131f584a2","_type":"span","marks":[],"text":" path."}],"markDefs":[],"style":"normal"},{"_key":"c6cad144-f831-4ba4-8487-165a8130a1b7","_type":"block","children":[{"_key":"d482d352-94d0-4272-90ea-0eeaaa485d5c","_type":"span","marks":[],"text":"The "},{"_key":"eaee6039-5167-4757-a3a2-f8697e219e12","_type":"span","marks":["code"],"text":"server-jupiter-policy"},{"_key":"1b0d4445-3806-4ee3-81a8-6b8f7ed3a360","_type":"span","marks":[],"text":" network policy allows traffic from endpoints in the "},{"_key":"4396d7b1-f847-424a-b9a2-80db154b585a","_type":"span","marks":["code"],"text":"jupiter"},{"_key":"de5da26b-2d9a-49e2-90b1-eb214f952b67","_type":"span","marks":[],"text":" network to "},{"_key":"b173641c-f0ae-45cf-95e0-09377b2d9546","_type":"span","marks":["code"],"text":"server-jupiter"},{"_key":"53e3ccaf-2334-4755-afcd-9f3fd1d43a74","_type":"span","marks":[],"text":" and only HTTP traffic of the method "},{"_key":"a7fb98f4-0cbf-4b72-b484-c0b3c8de8973","_type":"span","marks":["code"],"text":"GET"},{"_key":"14eab8fa-0dcd-40cb-b3d4-4f1d99f8e779","_type":"span","marks":[],"text":" and to "},{"_key":"25e3cef0-0d35-4834-99b0-550883cc1599","_type":"span","marks":["code"],"text":"\"/public\""},{"_key":"f84abef2-2725-4752-b0a8-f1c5736d7dda","_type":"span","marks":[],"text":" path."}],"markDefs":[],"style":"normal"},{"_key":"f7d70d39-eb61-4d11-a5ba-c30b69c44c77","_type":"block","children":[{"_key":"fc610368-74c2-41cb-9cd6-ec7b3c380ef3","_type":"span","marks":[],"text":"Therefore, doing a curl test from client to the servers would result in the following results:"}],"markDefs":[],"style":"normal"},{"_key":"736159c7-aca9-4288-a3ed-c81c9b335ff9","_type":"table","hasHLines":true,"hasLeftHeader":false,"hasTopHeader":true,"hasVLines":true,"rows":[{"_key":"1480105a-dad0-45de-8bbc-0f6999c4660a","_type":"tableRow","cells":["From `client`","`/client-ip`","`/public`"]},{"_key":"4f303319-d3d1-43dd-b603-0c397db60400","_type":"tableRow","cells":["To `server-default`","Forwarded","Denied"]},{"_key":"04ed8c14-c801-4bbc-a73d-4e758d347c2b","_type":"tableRow","cells":["To `server-jupiter`","Denied","Forwarded"]}]},{"_key":"5b87477e-94df-4eaa-82f5-d5dde8ce6cde","_type":"block","children":[{"_key":"80fe4039-1134-4906-96f8-04c0b151c81a","_type":"span","marks":[],"text":"Let's verify:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:19Z","_id":"a226e77a-10b8-e7e3-6ec0-2d9ae8f8a84d","_key":"13c96320-3363-45b3-af44-79683b7c1a5e","_ref":"a226e77a-10b8-e7e3-6ec0-2d9ae8f8a84d","_rev":"be3C7ysj1QqQyrHso4eFrd","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:36Z","code":"$$ kubectl exec -it client -- curl $SERVER_DEFAULT_IP/public\nAccess denied\n$ kubectl exec -it client -- curl $SERVER_DEFAULT_IP/client-ip\n{\n \"client-ip\": \"::ffff:172.18.0.3\"\n}\n$ kubectl exec -it client -- curl $SERVER_JUPITER_IP/public\n[\n {\n \"id\": 1,\n \"body\": \"public information\"\n }\n]\n$ kubectl exec -it client -- curl $SERVER_JUPITER_IP/client-ip\nAccess denied","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"79147d7b-30e5-40b4-bb0a-78c8c9223424","_type":"block","children":[{"_key":"6ffcfd7b-a922-4e42-9094-b1509d2272c0","_type":"span","marks":[],"text":"What this simple example highlights is that you can apply different network policies to your network interfaces! "}],"markDefs":[],"style":"normal"},{"_key":"c429fe0e-c2c7-42f7-83db-ed851aca7cb1","_type":"block","children":[{"_key":"2b9defe0-c6ba-4abf-b4a6-b038ec03ebc6","_type":"span","marks":[],"text":"Multi-Network with Isovalent Enterprise for Cilium 1.14 can be secured with granular network policies. But how can you observe the resulting traffic and quickly identify whether traffic was dropped or forwarded by a specific policy? By using Hubble, of course!"}],"markDefs":[],"style":"normal"},{"_key":"fef03e33-07cf-47c1-8437-b898d1b51851","_type":"block","children":[{"_key":"829a3a8c-bf3a-41fd-8b29-77cea6f086eb","_type":"span","marks":[],"text":"Multi-Network Observability with Hubble"}],"markDefs":[],"style":"h3"},{"_key":"f78a42e9-a384-47d4-8a63-f496f3e9e52b","_type":"block","children":[{"_key":"9c558070-7631-498d-9e56-3d4df1aee1d2","_type":"span","marks":[],"text":"If you are not familiar with the Hubble observability tool, check out the "},{"_key":"f5d8efde-7e86-46fd-9600-72866dffb2f4","_type":"span","marks":["caece8c0-4311-4b54-8e20-83423b3ef656"],"text":"Hubble Series"},{"_key":"72e3fed3-f372-4bfa-941b-e47096cf22c1","_type":"span","marks":[],"text":" and download the "},{"_key":"72970dfb-2503-4472-acf2-df84a637b226","_type":"span","marks":["14eb0eb0-bd3c-4970-abed-24eba74ecb5e"],"text":"Hubble Cheatsheet"},{"_key":"7d7e2e81-7512-407d-94aa-60d2210c9928","_type":"span","marks":[],"text":"."}],"markDefs":[{"_key":"caece8c0-4311-4b54-8e20-83423b3ef656","_type":"link","href":"/blog/post/hubble-series-re-introducing-hubble/","openInNewTab":true},{"_key":"14eb0eb0-bd3c-4970-abed-24eba74ecb5e","_type":"link","href":"/blog/post/cilium-hubble-cheat-sheet-observability/","openInNewTab":true}],"style":"normal"},{"_key":"a4f1d343-0928-4bea-9862-27151d8a63aa","_type":"block","children":[{"_key":"ca239cd8-f697-4fee-a237-5185620142a3","_type":"span","marks":[],"text":"Using the "},{"_key":"9ad7f5d0-67fc-4265-a7bc-7ab129e11732","_type":"span","marks":["code"],"text":"hubble"},{"_key":"4fd61616-d751-42e1-9d77-3dae3ce6ee5b","_type":"span","marks":[],"text":" CLI, you can see all the requests from the "},{"_key":"9a3710af-49dd-449b-945a-6d0344494a46","_type":"span","marks":["code"],"text":"client"},{"_key":"31458952-ba21-4ebd-b2cb-e7590892815e","_type":"span","marks":[],"text":" Pod - across both network interfaces it's connected to:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:20Z","_id":"e5e1248e-f8c2-3870-48f6-160b23a3681a","_key":"56e7b67d-105e-4ef9-96c1-ab11e360fc67","_ref":"e5e1248e-f8c2-3870-48f6-160b23a3681a","_rev":"P5GVFsWfT1LlxauxUA6gTg","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:37Z","code":"$1b","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"6adf11ff-62fe-440c-acbf-17ec196d0c01","_type":"block","children":[{"_key":"bbed888f-d5c5-49f9-96b5-4652e1baf51d","_type":"span","marks":[],"text":"You can filter on this criteria with the "},{"_key":"d5d1961a-1fa2-4f66-b43f-847cb288d2ca","_type":"span","marks":["code"],"text":"--verdict"},{"_key":"014ce7af-b21a-430c-9274-2d298684073f","_type":"span","marks":[],"text":" flag, for example, executing:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:21Z","_id":"3889bd62-ac21-1880-6548-d2205d058c25","_key":"639868ce-d725-41e7-8010-de7b127a4cfe","_ref":"3889bd62-ac21-1880-6548-d2205d058c25","_rev":"9px8ir0NfLa6aydsXNSHoQ","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:39Z","code":"$$ hubble observe --pod client --protocol icmp --last 50 --verdict=DROPPED\nOct 20 10:13:49.431: default/client (ID:28437) <> default/server-default (ID:22670) policy-verdict:none INGRESS DENIED (ICMPv4 EchoRequest)\nOct 20 10:13:49.431: default/client (ID:28437) <> default/server-default (ID:22670) Policy denied DROPPED (ICMPv4 EchoRequest)\nOct 20 10:13:55.652: default/client (ID:1613) <> default/server-jupiter (ID:12215) policy-verdict:none INGRESS DENIED (ICMPv4 EchoRequest)\nOct 20 10:13:55.652: default/client (ID:1613) <> default/server-jupiter (ID:12215) Policy denied DROPPED (ICMPv4 EchoRequest)","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"82260afc-84eb-455b-89a3-4b6a8825e8bf","_type":"block","children":[{"_key":"b626a80c-df47-4c6e-a9e8-6fe901e6cff8","_type":"span","marks":[],"text":"If you want to see traffic coming from a particular interface, you can use the identity assigned to the endpoint of the interface. In the example above, "},{"_key":"8aaac844-7fb9-4f9d-9f94-635466dd088a","_type":"span","marks":["code"],"text":"28437"},{"_key":"2cbd6dbc-0d26-4fe3-9d6d-3dfe40a27154","_type":"span","marks":[],"text":" is the ID of the "},{"_key":"bdc9c523-d3b3-406d-b8f2-e057ed7e2570","_type":"span","marks":["code"],"text":"client"},{"_key":"8c1bb523-eae5-47e2-b807-dced81b22601","_type":"span","marks":[],"text":" and "},{"_key":"03141dc9-58bd-4f84-87e7-4c85d265aac5","_type":"span","marks":["code"],"text":"1613"},{"_key":"738eb141-7fff-4186-96cf-83f88e4561ea","_type":"span","marks":[],"text":" is the ID of the secondary interface ("},{"_key":"bbd081ef-d29c-401c-a9f8-28a9c65995cf","_type":"span","marks":["code"],"text":"client-cil1"},{"_key":"37086faa-c585-4787-a436-56139ed832d5","_type":"span","marks":[],"text":")."}],"markDefs":[],"style":"normal"},{"_key":"a3e7bcde-cdda-4a28-a200-a5162c9213e5","_type":"block","children":[{"_key":"873c64f4-f815-4868-84d7-032cb1f8bc5b","_type":"span","marks":[],"text":"Let's extract the identity of the "},{"_key":"94d10711-c2d7-4ba8-8bf2-b8d1041d9ef2","_type":"span","marks":["code"],"text":"client"},{"_key":"fa9e4979-1802-451e-a8a5-eb0f10a158a5","_type":"span","marks":[],"text":" and "},{"_key":"34166b31-f29c-464e-b073-159b633c4772","_type":"span","marks":["code"],"text":"client-cli1"},{"_key":"613a1749-3196-4f9e-9c65-15233a476a41","_type":"span","marks":[],"text":" endpoints and assign them to environment variables:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:22Z","_id":"09a1d41e-7516-5fed-62b2-27d0d2bcc800","_key":"32fa9571-6fad-4957-ba98-97bffaaf0cd4","_ref":"09a1d41e-7516-5fed-62b2-27d0d2bcc800","_rev":"9px8ir0NfLa6aydsXNSHxl","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:39Z","code":"$$ CLIENT_ID=$(kubectl get cep client -o jsonpath='{.status.identity.id}')\n$ CLIENT_CIL1_ID=$(kubectl get cep client-cil1 -o jsonpath='{.status.identity.id}')\n$ echo $CLIENT_ID\n28437\n$ echo $CLIENT_CIL1_ID\n1613","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"1a09a4dc-6995-4167-9b3f-52e1ab2acfb1","_type":"block","children":[{"_key":"23107aec-fd0d-4435-a0f4-0c145285d301","_type":"span","marks":[],"text":"Filter to the interface of your choice with:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:23Z","_id":"7717263a-2ca6-d219-09a7-7ab8752f5b22","_key":"8d715e00-1dcb-472d-ae20-5a8dd34963a1","_ref":"7717263a-2ca6-d219-09a7-7ab8752f5b22","_rev":"P5GVFsWfT1LlxauxUA6gqW","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:40Z","code":"$$ hubble observe --pod client --protocol icmp --last 50 --verdict=DROPPED --identity $CLIENT_ID\nOct 20 10:13:49.431: default/client (ID:28437) <> default/server-default (ID:22670) policy-verdict:none INGRESS DENIED (ICMPv4 EchoRequest)\nOct 20 10:13:49.431: default/client (ID:28437) <> default/server-default (ID:22670) Policy denied DROPPED (ICMPv4 EchoRequest)","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"24bb14a2-6c8c-4ea8-b76b-784e790a8725","_type":"block","children":[{"_key":"2a6d354c-9f6f-41e1-ab4d-0d598dfce273","_type":"span","marks":[],"text":"You can also filter based on HTTP attributes, like the HTTP status code. For example, you can find all successful responses with this command:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:24Z","_id":"a87db2bd-893b-0089-1465-c0e9e9570592","_key":"b7d465a4-9286-4bf4-ab2d-d76ce384142c","_ref":"a87db2bd-893b-0089-1465-c0e9e9570592","_rev":"P5GVFsWfT1LlxauxUA6gwE","_type":"codeBlock","_updatedAt":"2024-10-01T10:57:41Z","code":"$$ hubble observe --http-status 200\nOct 20 10:13:46.284: default/client:35584 (ID:28437) <- default/server-default:80 (ID:22670) http-response FORWARDED (HTTP/1.1 200 3ms (GET http://10.10.2.192/client-ip))\nOct 20 10:14:02.526: default/client-cil1:42362 (ID:1613) <- default/server-jupiter:80 (ID:12215) http-response FORWARDED (HTTP/1.1 200 6ms (GET http://192.168.16.17/public))","language":"bash","title":"bash - \"Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network\" Code Block"},{"_key":"80db9bb6-f3a2-4f65-bac5-84dc585ac401","_type":"block","children":[{"_key":"2a2838b3-4d94-48ca-8e85-450b4ccbbde8","_type":"span","marks":[],"text":"As you see, Multi-Network with Isovalent Enterprise for Cilium 1.14 works seamlessly with other Cilium features such as security and observability!"}],"markDefs":[],"style":"normal"},{"_key":"ff06cadd-e49e-44d5-b604-4b8ad29f1e51","_type":"block","children":[{"_key":"6f1a5ba3-d9a8-4fb5-b96e-50f7cf7f41f1","_type":"span","marks":[],"text":"Multi-Network Status and Roadmap"}],"markDefs":[],"style":"h2"},{"_key":"f99e9b54-6e1f-4b21-a208-8e73324c36d1","_type":"block","children":[{"_key":"69bf94f4-0310-4ca8-bf1b-863d33a6844f","_type":"span","marks":[],"text":"While we are excited about the Multi-Network feature in Isovalent Enterprise for Cilium 1.14 - and I hope you are too! - it is a beta release and we plan to support more use cases in the future. We look forward to hearing from users on use cases it can unlock for you!"}],"markDefs":[],"style":"normal"},{"_key":"83d86829-35bc-4a9f-92c3-50cf9ff9a07d","_type":"block","children":[{"_key":"8db29dcf-31a6-40b9-9a27-2de8a3c17d8b","_type":"span","marks":[],"text":"In future releases, we will be including IPv6 support for Multi-Network, integration with Segment Routing version 6 (SRv6 support was added in the previous "},{"_key":"03b88c25-3b0d-4794-b674-eb8422244f83","_type":"span","marks":["80989354-172f-4f81-920e-b3dcce8d1954"],"text":"Isovalent Enterprise for Cilium"},{"_key":"9448f56d-f1c9-4ecd-8ef4-9188435e7943","_type":"span","marks":[],"text":" release), and much more! "}],"markDefs":[{"_key":"80989354-172f-4f81-920e-b3dcce8d1954","_type":"link","href":"/blog/post/isovalent-enterprise-1-13/#h-srv6-l3vpn-support","openInNewTab":true}],"style":"normal"},{"_key":"e862014c-d452-4b2c-9221-669b757cb35b","_type":"block","children":[{"_key":"34246d25-9d80-4818-9f27-1134295d89da","_type":"span","marks":[],"text":"We will also keep a close eye on the "},{"_key":"6d65d553-2856-4213-90e8-eac471e47fb9","_type":"span","marks":["e4d50a7c-6502-496b-9512-895078ce5a65"],"text":"Multi-Network Kubernetes Enhancement Proposal"},{"_key":"b8c6f1c4-7eb2-41cd-8965-ed74eabb2c79","_type":"span","marks":[],"text":" (KEP) as it matures."}],"markDefs":[{"_key":"e4d50a7c-6502-496b-9512-895078ce5a65","_type":"link","href":"https://docs.google.com/document/d/17LhyXsEgjNQ0NWtvqvtgJwVqdJWreizsgAZHWflgP-A/edit?usp=sharing","openInNewTab":false}],"style":"normal"},{"_key":"2a6d16fe-5951-4088-97ed-1b6bceb8c97d","_type":"block","children":[{"_key":"cddea7c7-5740-470e-ac76-006395e6cc29","_type":"span","marks":[],"text":"Core Isovalent Enterprise for Cilium features"}],"markDefs":[],"style":"h2"},{"_key":"a27ffca4-6fa0-49ea-932c-f7507c384194","_type":"block","children":[{"_key":"ce2a7420-05b2-4720-998c-63058458ba9b","_type":"span","marks":[],"text":"Advanced Networking Capabilities"}],"markDefs":[],"style":"h3"},{"_key":"e164322c-6582-412f-a8b6-762a40afa9e0","_type":"block","children":[{"_key":"eae23d3a-a897-4508-b25f-5c7962da78ec","_type":"span","marks":["c821a4e3-62c1-4e7d-944f-febd6742f6f9"],"text":"Isovalent Enterprise for Cilium 1.13"},{"_key":"239b69a8-5e07-45e4-80c8-fc4d7d7a6d72","_type":"span","marks":[],"text":" introduced a set of advanced routing and connectivity features popular with large enterprises and telco, including "},{"_key":"246f3f0a-fcee-42fe-a95f-d883ba1f8793","_type":"span","marks":["f4de4aca-29e6-4de4-82ad-29abe70be31b"],"text":"SRv6 L3 VPN"},{"_key":"7b33c1dd-5747-4d4b-8857-8ff77fea35f4","_type":"span","marks":[],"text":" support, "},{"_key":"f2591254-4165-4583-9a39-4b3106bd589f","_type":"span","marks":["2a9af8b1-3654-406a-abec-10fd9c1c2636"],"text":"Overlapping PodCIDR support for Cluster Mesh"},{"_key":"608f9802-91d0-4e03-add8-bc2291f69d46","_type":"span","marks":[],"text":", "},{"_key":"9bf903eb-c088-4c50-a96f-560d921cf2ef","_type":"span","marks":["20cfad80-1269-4730-8f0e-de160003f431"],"text":"Phantom Services for Cluster Mesh"},{"_key":"03d1793f-2637-49e1-9e36-aba474ce2aaf","_type":"span","marks":[],"text":" and much more. "}],"markDefs":[{"_key":"c821a4e3-62c1-4e7d-944f-febd6742f6f9","_type":"link","href":"/blog/post/isovalent-enterprise-1-13/","openInNewTab":true},{"_key":"f4de4aca-29e6-4de4-82ad-29abe70be31b","_type":"link","href":"/blog/post/isovalent-enterprise-1-13/#h-srv6-l3vpn-support","openInNewTab":false},{"_key":"2a9af8b1-3654-406a-abec-10fd9c1c2636","_type":"link","href":"/blog/post/isovalent-enterprise-1-13/#h-overlapping-podcidr-support-for-cluster-mesh","openInNewTab":false},{"_key":"20cfad80-1269-4730-8f0e-de160003f431","_type":"link","href":"/blog/post/isovalent-enterprise-1-13/#h-phantom-services-for-cluster-mesh","openInNewTab":false}],"style":"normal"},{"_key":"6972d68c-1cc0-4feb-b7ed-17c69ae7dcfb","_type":"block","children":[{"_key":"a8aff005-172b-40e9-ac8e-1d2502dffecc","_type":"span","marks":[],"text":"Platform Observability"}],"markDefs":[],"style":"h3"},{"_key":"d9f27d3e-b42f-4ca4-b595-0b9d9cc08c35","_type":"block","children":[{"_key":"f349771d-e7c9-4059-8164-5b340f6bec9d","_type":"span","marks":[],"text":"Isovalent Enterprise for Cilium includes Role-Based Access Control (RBAC) for platform teams to let users access dashboards relevant to their namespaces, applications, and environments."}],"markDefs":[],"style":"normal"},{"_key":"c257c325-bba3-4d80-b2ac-d0f6dbc5865d","_type":"block","children":[{"_key":"1a03cf77-a905-4214-9b4b-7a69ecc65a68","_type":"span","marks":[],"text":"This enables application teams to have self-service access to their Hubble UI Enterprise interface and troubleshoot application connectivity issues without involving SREs in the process."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:29Z","_id":"ed4acf58-f9f2-138b-2d3e-9118e2248224","_key":"eac40ba1-ba18-4e62-bd91-d01808799a85","_ref":"ed4acf58-f9f2-138b-2d3e-9118e2248224","_rev":"be3C7ysj1QqQyrHsnwHwU3","_type":"bodyCta","_updatedAt":"2024-09-30T12:38:22Z","backgroundImage":null,"ctas":[{"_createdAt":"2024-09-30T12:07:02Z","_id":"0b37ba9d-5853-6b56-9afa-0269cfc978f6","_rev":"be3C7ysj1QqQyrHsnwHcn9","_type":"cta","_updatedAt":"2024-09-30T12:33:53Z","label":{"en":"Start Zero Trust Visibility Lab"},"languages":["en"],"title":"\"Start Zero Trust Visibility Lab\" - Primary (Zero Trust Visibility Lab)","url":"/labs/cilium-enterprise-zero-trust-visibility/","variant":"primary"}],"headline":{"en":"Zero Trust Visibility Lab"},"languages":["en"],"logo":null,"logoReference":null,"logoWhite":null,"text":{"en":[{"_key":"aa2503e2-9057-4031-872f-c8ae07a5cc2a","_type":"block","children":[{"_key":"f51d8bb1-31e7-4453-ae72-b0b23aaea4bb","_type":"span","marks":[],"text":"Creating the right Network Policies can be difficult. In this lab, you will use Hubble metrics to build a Network Policy Verdict dashboard in Grafana showing which flows need to be allowed in your policy approach."}],"markDefs":[],"style":"normal"}]},"tinted":true,"title":"Zero Trust Visibility Lab - \"Creating the right Network Policies can be difficult. In this lab, you will use Hubble metrics to build a Network Policy Verdict dashboard in Grafana showing which flows need to be allowed in your policy approach.\" Body CTA"},{"_key":"75fe63ce-9ef3-4223-902a-31cb12682c25","_type":"block","children":[{"_key":"fbff62d1-aee5-474c-99d4-9403cf3251f7","_type":"span","marks":[],"text":"Forensics and Auditing"}],"markDefs":[],"style":"h3"},{"_key":"d45f9cd3-39b7-452b-94e1-e16d7578e34f","_type":"block","children":[{"_key":"6f85bffd-dd56-4f2e-9de3-5f9ba73d7feb","_type":"span","marks":[],"text":"From the Hubble UI Enterprise, operators have the ability to create network policies based on actual cluster traffic. "}],"markDefs":[],"style":"normal"},{"_key":"75898529-1ead-4598-9d9d-72588c67e0d7","_type":"block","children":[{"_key":"857cb460-dd4e-4865-a21d-5fe5ad68c119","_type":"span","marks":[],"text":"Isovalent Enterprise for Cilium also includes "},{"_key":"15d8aa3e-5607-401b-8fac-4ae694d8309a","_type":"span","marks":["4fd252ca-054b-4b91-a7ea-9c91fcc8161e"],"text":"Hubble Timescape"},{"_key":"15060ba4-4b79-431c-bb88-bf8e4d537501","_type":"span","marks":[],"text":" – a time machine for observability data with powerful analytics capabilities."}],"markDefs":[{"_key":"4fd252ca-054b-4b91-a7ea-9c91fcc8161e","_type":"link","href":"/features/hubble-timescape/","openInNewTab":true}],"style":"normal"},{"_key":"8ed05c8d-230c-4232-b714-3bdd5fc7bc03","_type":"block","children":[{"_key":"101ee775-c19a-497b-a231-e872da73d771","_type":"span","marks":[],"text":"While Hubble only includes real-time info, Hubble Timescape is an observability and analytics platform capable of storing & querying observability data that Cilium and Hubble collect. "}],"markDefs":[],"style":"normal"},{"_key":"4f2bf827-df51-4a82-80d2-9791aeb8dd1a","_type":"block","children":[{"_key":"8fd64c3f-13f3-4091-86fd-db4b856cf4cc","_type":"span","marks":[],"text":"Isovalent Enterprise for Cilium also includes the ability to "},{"_key":"e7f8a4de-867f-47fa-869b-dedb817d6e0c","_type":"span","marks":["444e78f6-f190-4ad2-96e3-4ac63fb777f0"],"text":"export logs to SIEM"},{"_key":"97cd2769-65a6-4c66-8c36-b3637331aa2f","_type":"span","marks":[],"text":" (Security Information and Event Management) platforms such as Splunk or an ELK (Elasticsearch, Logstash, and Kibana) stack."}],"markDefs":[{"_key":"444e78f6-f190-4ad2-96e3-4ac63fb777f0","_type":"link","href":"/features/siem-export/","openInNewTab":true}],"style":"normal"},{"_key":"b4dc8e88-4709-40af-835a-523079420b21","_type":"block","children":[{"_key":"0f65be4e-8425-47ee-a77b-fda0380c710d","_type":"span","marks":[],"text":"To explore some of these enterprise features, check out some of the labs:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:26Z","_id":"65d407a0-9009-3651-b31d-2d7edd6b689a","_key":"f2544cf3-74bf-407d-9e61-b5262159cc82","_ref":"65d407a0-9009-3651-b31d-2d7edd6b689a","_rev":"P5GVFsWfT1LlxauxU4atW5","_type":"bodyCta","_updatedAt":"2024-09-30T12:38:24Z","backgroundImage":null,"ctas":[{"_createdAt":"2024-09-30T12:07:02Z","_id":"c80e2c17-8c51-d4cf-f416-cac65106efcf","_rev":"HrHvJpegt4pRwn8pM3lVOZ","_type":"cta","_updatedAt":"2024-09-30T12:33:53Z","label":{"en":"Start Network Policies Lab"},"languages":["en"],"title":"\"Start Network Policies Lab\" - Primary (Network Policies Lab)","url":"/labs/isovalent-cilium-enterprise-network-policies/","variant":"primary"}],"headline":{"en":"Network Policies Lab"},"languages":["en"],"logo":null,"logoReference":null,"logoWhite":null,"text":{"en":[{"_key":"f4c73bc4-c498-4a9b-a0bb-9725373ccd5f","_type":"block","children":[{"_key":"26b3d359-51e2-4c3b-89bd-28f63ddde132","_type":"span","marks":[],"text":"Create Network Policies based on actual cluster traffic!"}],"markDefs":[],"style":"normal"}]},"tinted":true,"title":"Network Policies Lab - \"Create Network Policies based on actual cluster traffic!\" Body CTA"},{"_createdAt":"2024-09-30T12:07:25Z","_id":"3bcce780-9bf4-a700-6227-49e88055ef5a","_key":"8fbc9db2-9734-4423-a4cd-ec9790735604","_ref":"3bcce780-9bf4-a700-6227-49e88055ef5a","_rev":"P5GVFsWfT1LlxauxU4asxp","_type":"bodyCta","_updatedAt":"2024-09-30T12:38:21Z","backgroundImage":null,"ctas":[{"_createdAt":"2024-09-30T12:07:02Z","_id":"2a422553-52a2-0ed1-78d7-755b649cc8ea","_rev":"P5GVFsWfT1LlxauxU4aX04","_type":"cta","_updatedAt":"2024-09-30T12:33:53Z","label":{"en":"Start Connectivity Visibility with Hubble Lab"},"languages":["en"],"title":"\"Start Connectivity Visibility with Hubble Lab\" - Primary (Connectivity Visibility with Hubble Lab)","url":"/labs/isovalent-cilium-enterprise-connectivity-visibility/","variant":"primary"}],"headline":{"en":"Connectivity Visibility with Hubble Lab"},"languages":["en"],"logo":null,"logoReference":null,"logoWhite":null,"text":{"en":[{"_key":"403cb8c8-a6fc-4ff5-b2e8-e7cfe15c71bc","_type":"block","children":[{"_key":"5ba90572-9cd3-48a4-9301-5e6a032d341e","_type":"span","marks":[],"text":"Visualize label-aware, DNS-aware, and API-aware network connectivity within a Kubernetes environment!"}],"markDefs":[],"style":"normal"}]},"tinted":true,"title":"Connectivity Visibility with Hubble Lab - \"Visualize label-aware, DNS-aware, and API-aware network connectivity within a Kubernetes environment!\" Body CTA"},{"_key":"95dd6be8-1bcd-46b4-b349-139cd8a2c290","_type":"block","children":[{"_key":"8a7ce6f4-4e2d-498f-a0d1-0c00fc7ee487","_type":"span","marks":["strong"],"text":"Advanced Security Capabilities via Tetragon "}],"markDefs":[],"style":"h3"},{"_key":"135bb8cf-9c00-4d5a-8c0d-7bec9f08b656","_type":"block","children":[{"_key":"c70f85f0-a901-4c42-971f-ed4be8fe16ff","_type":"span","marks":[],"text":"Tetragon provides advanced security capabilities such as protocol enforcement, IP and port whitelisting, and automatic application-aware policy generation to protect against the most sophisticated threats."}],"markDefs":[],"style":"normal"},{"_key":"715b6503-5d7c-4c9b-8277-67bf806a8275","_type":"block","children":[{"_key":"5b186dee-c2d1-4082-a40d-59498a3297c8","_type":"span","marks":[],"text":"To explore some of the Tetragon enterprise features, check out some of the labs:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T12:07:29Z","_id":"95d8ef72-d43f-f00d-f68a-5c9778359d48","_key":"94367d31-2e5f-4393-a173-ceeba1ed9fda","_ref":"95d8ef72-d43f-f00d-f68a-5c9778359d48","_rev":"be3C7ysj1QqQyrHsnwHyEU","_type":"bodyCta","_updatedAt":"2024-09-30T12:38:25Z","backgroundImage":null,"ctas":[{"_createdAt":"2024-09-30T12:07:02Z","_id":"3a16e556-4137-172e-1975-a621136990b8","_rev":"P5GVFsWfT1LlxauxU4aWxD","_type":"cta","_updatedAt":"2024-09-30T12:33:53Z","label":{"en":"Start Security Visibility Lab"},"languages":["en"],"title":"\"Start Security Visibility Lab\" - Primary (Security Visibility Lab)","url":"/labs/isovalent-cilium-enterprise-security-visibility/","variant":"primary"}],"headline":{"en":"Security Visibility Lab"},"languages":["en"],"logo":null,"logoReference":null,"logoWhite":null,"text":{"en":[{"_key":"8710e666-736c-41e0-928c-83a80921f0ad","_type":"block","children":[{"_key":"88f02044-a105-4669-9275-f79a9fc9a9db","_type":"span","marks":[],"text":"In this lab, you will simulate the exploitation of a nodejs application, with the attacker spawning a reverse shell inside of a container and moving laterally within the Kubernetes environment.\n\nIn the lab, learn how Tetragon Enterprise can trace the Lateral Movement and Data Exfiltration of the attacker post-exploit."}],"markDefs":[],"style":"normal"}]},"tinted":true,"title":"Security Visibility Lab - \"In this lab, you will simulate the exploitation of a nodejs application, with the attacker spawning a reverse shell inside of a container and moving laterally within the Kubernetes environment.\n\nIn the lab, learn how Tetragon Enterprise can trace the Lateral Movement and Data Exfiltration of the attacker post-exploit.\" Body CTA"},{"_createdAt":"2024-09-30T12:07:27Z","_id":"8909bb05-f6b9-d6b2-16c4-4310601f890d","_key":"13af18aa-eb7d-4077-b126-795e6089c2c5","_ref":"8909bb05-f6b9-d6b2-16c4-4310601f890d","_rev":"9px8ir0NfLa6aydsXGyVuP","_type":"bodyCta","_updatedAt":"2024-09-30T12:38:20Z","backgroundImage":null,"ctas":[{"_createdAt":"2024-09-30T12:07:02Z","_id":"f32a3f49-aeb5-c9f0-483d-1b66ecec33d4","_rev":"P5GVFsWfT1LlxauxU4aWuM","_type":"cta","_updatedAt":"2024-09-30T12:33:53Z","label":{"en":"Start TLS Visibility Lab"},"languages":["en"],"title":"\"Start TLS Visibility Lab\" - Primary (TLS Visibility Lab)","url":"/labs/isovalent-cilium-enterprise-tls-visibility/","variant":"primary"}],"headline":{"en":"TLS Visibility Lab"},"languages":["en"],"logo":null,"logoReference":null,"logoWhite":null,"text":{"en":[{"_key":"d3499a41-8b64-4472-ab94-c6b7c5e3e07a","_type":"block","children":[{"_key":"8e331673-6807-4657-9d32-62b80def19d6","_type":"span","marks":[],"text":"In this lab, learn how you can use Isovalent Enterprise for Cilium to inspect TLS traffic and identify the version of TLS being used. You will also learn how to report to export events in JSON format to SIEM."}],"markDefs":[],"style":"normal"}]},"tinted":true,"title":"TLS Visibility Lab - \"In this lab, learn how you can use Isovalent Enterprise for Cilium to inspect TLS traffic and identify the version of TLS being used. You will also learn how to report to export events in JSON format to SIEM.\" Body CTA"},{"_key":"993a9454-ab96-4243-8369-15d7f05e6217","_type":"block","children":[{"_key":"2496a1e7-6787-4562-b464-c30b959a501f","_type":"span","marks":[],"text":"Enterprise-grade Resilience"}],"markDefs":[],"style":"h3"},{"_key":"8fc16e0b-4a75-4f49-bed1-0b124140868b","_type":"block","children":[{"_key":"0d39e1b4-2134-4ae7-816e-f31ccb106764","_type":"span","marks":[],"text":"Isovalent Enterprise for Cilium includes capabilities for organizations that require the highest level of availability. This includes features such as High Availability for DNS-aware network policy "},{"_key":"85b28569-ee61-4d2b-b784-9d18f6070f37","_type":"span","marks":["a6c5758d-f53a-4a0f-85ba-d3533e703960"],"text":"(video)"},{"_key":"eb7dc7a8-f87b-4467-8cfb-b8aa0065c91f","_type":"span","marks":[],"text":" and High Availability for the Cilium Egress Gateway "},{"_key":"97597753-92c1-4a4c-985e-2bbe5b910995","_type":"span","marks":["2d665a4b-f6f8-4d41-8c1a-f7b6bb85fbcb"],"text":"(video)"},{"_key":"92b7ddab-650f-499d-9976-a57905cbdeb1","_type":"span","marks":[],"text":"."}],"markDefs":[{"_key":"a6c5758d-f53a-4a0f-85ba-d3533e703960","_type":"link","href":"https://youtu.be/Am-xRnXb2d0","openInNewTab":false},{"_key":"2d665a4b-f6f8-4d41-8c1a-f7b6bb85fbcb","_type":"link","href":"https://youtu.be/Js-uqErsp0c","openInNewTab":true}],"style":"normal"},{"_key":"934ad3ab-0351-4110-a365-b604f9b09204","_type":"block","children":[{"_key":"59813002-42df-44bf-a8d7-9090f5073ac3","_type":"span","marks":[],"text":"Enterprise-grade Support"}],"markDefs":[],"style":"h3"},{"_key":"b755223a-b58d-4665-974d-7129ccda6647","_type":"block","children":[{"_key":"6de372c5-1462-415a-be30-8df41ced47f6","_type":"span","marks":[],"text":"Last but certainly not least, "},{"_key":"2b302e2e-54c7-45df-9913-6128e374febd","_type":"span","marks":["bb336cc3-d2c8-471e-bb9b-bfa5a5b2f6e1"],"text":"Isovalent Enterprise for Cilium"},{"_key":"369e4bab-fb68-4406-8483-2e48b5e2b9fb","_type":"span","marks":[],"text":" includes enterprise-grade support from Isovalent’s experienced team of experts, ensuring that any issues are resolved promptly and efficiently. Customers also benefit from the help and training from professional services to deploy and manage Cilium in production environments."}],"markDefs":[{"_key":"bb336cc3-d2c8-471e-bb9b-bfa5a5b2f6e1","_type":"link","href":"/product/","openInNewTab":true}],"style":"normal"},{"_key":"992bbbc1-00e5-42bf-9f4b-28708d0e9e69","_type":"block","children":[{"_key":"1068d5a5-8fb2-4c2e-9471-1e7944ee70ed","_type":"span","marks":[],"text":"Learn More"}],"markDefs":[],"style":"h2"},{"_key":"b2352592-8a0b-4c4e-a9d8-a2ef9cb23be8","_type":"block","children":[{"_key":"fd61787b-2286-4a63-b161-392a32244ba1","_type":"span","marks":[],"text":"If you’d like to learn more about Isovalent Enterprise for Cilium 1.14 and related topics, check out the following links:"}],"markDefs":[],"style":"normal"},{"_key":"65153ca44fa9","_type":"block","children":[{"_key":"7a885db754cc","_type":"span","marks":[],"text":"Join the "},{"_key":"08b1cf99b5ae","_type":"span","marks":["1ab688b283c9"],"text":"1.14 release webinar"},{"_key":"f05d260664c0","_type":"span","marks":[],"text":" – with Thomas Graf, Co-Creator of Cilium, CTO, and Co-Founder of Isovalent, to learn more about the latest and greatest open source and enterprise features of Isovalent Enterprise for Cilium and Cilium 1.14."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"1ab688b283c9","_type":"link","href":"/events/2023-11-30-cilium-114-webinar/"}],"style":"normal"},{"_key":"0587a8364b98","_type":"block","children":[{"_key":"b94eaed1ea0c","_type":"span","marks":["e884af17c393"],"text":"Request a Demo"},{"_key":"e6fbba1ce9ed","_type":"span","marks":[],"text":" – Schedule a demo session with an Isovalent Solution Architect."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"e884af17c393","_type":"link","href":"/request-demo/"}],"style":"normal"},{"_key":"f940faf0893a","_type":"block","children":[{"_key":"728fae872a3d","_type":"span","marks":[],"text":"Read more about the "},{"_key":"b9563a4a8cad","_type":"span","marks":["2e3fb2da7d38"],"text":"Cilium 1.14 release"},{"_key":"8b6482b3b789","_type":"span","marks":[],"text":" – Effortless Mutual Authentication, Service Mesh, Networking Beyond Kubernetes, High-Scale Multi-Cluster, and Much More."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"2e3fb2da7d38","_type":"link","href":"/blog/post/cilium-release-114/"}],"style":"normal"},{"_key":"86e2ca50d699","_type":"block","children":[{"_key":"5b537f425310","_type":"span","marks":["2168b0d104e5"],"text":"Learn more about Isovalent & Cilium at our resource library"},{"_key":"625382a8a942","_type":"span","marks":[],"text":" – It lists guides, tutorials, and interactive labs."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"2168b0d104e5","_type":"link","href":"/resource-library/"}],"style":"normal"},{"_key":"6a9127cc-87e9-4ed5-ab87-6b22b07606fd","_type":"block","children":[{"_key":"3974bbe4-401f-48aa-b850-5ddd0ab87fb9","_type":"span","marks":[],"text":"Feature Status"}],"markDefs":[],"style":"h2"},{"_key":"84bd1f91-4e02-472d-beb8-c63cc96a5d0d","_type":"block","children":[{"_key":"4d3fb16c-2e0e-44c3-af3d-31adc0b20e74","_type":"span","marks":[],"text":"Here is a brief definition of the feature maturity levels used in this blog post:"}],"markDefs":[],"style":"normal"},{"_key":"6151dad09492","_type":"block","children":[{"_key":"bd8e8ee84285","_type":"span","marks":["strong"],"text":"Stable"},{"_key":"b898f69e8949","_type":"span","marks":[],"text":": A feature that is appropriate for production use in a variety of supported configurations due to significant hardening from testing and use."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"7572e2bba392","_type":"block","children":[{"_key":"d4ba91b21611","_type":"span","marks":["strong"],"text":"Limited"},{"_key":"4ad0f429b88c","_type":"span","marks":[],"text":": A feature that is appropriate for production use only in specific scenarios and in close consultation with the Isovalent team."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"005fb2d2d1a5","_type":"block","children":[{"_key":"e903b7e4e987","_type":"span","marks":["strong"],"text":"Beta"},{"_key":"6a362520f845","_type":"span","marks":[],"text":": A feature that is not appropriate for production use, but where user testing and feedback is requested. Customers should contact Isovalent support before considering Beta features."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"}],"featuredImage":["$","$L19",null,{"src":"https://cdn.sanity.io/images/xinsvxfu/production/f78cf3148219b467a59bdb635952240c9b9c5a9f-1400x805.png?auto=format&q=80&fit=clip&w=1080","alt":"2-1.png","className":"mx-auto mb-10 w-full max-w-[72.75]","placeholder":"blur","blurDataURL":"data:image/svg+xml;base64,CiAgICA8c3ZnIHdpZHRoPSIxMDgwIiBoZWlnaHQ9IjEwODAiIHZlcnNpb249IjEuMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KICAgICAgICA8ZGVmcz4KICAgICAgICAgICAgPGxpbmVhckdyYWRpZW50IGlkPSJnIj4KICAgICAgICAgICAgPHN0b3Agc3RvcC1jb2xvcj0iI0Y2RjhGRSIgb2Zmc2V0PSIyMCUiIC8+CiAgICAgICAgICAgIDxzdG9wIHN0b3AtY29sb3I9IiNFRkY1RkYiIG9mZnNldD0iNTAlIiAvPgogICAgICAgICAgICA8c3RvcCBzdG9wLWNvbG9yPSIjRjZGOEZFIiBvZmZzZXQ9IjcwJSIgLz4KICAgICAgICAgICAgPC9saW5lYXJHcmFkaWVudD4KICAgICAgICA8L2RlZnM+CiAgICAgICAgPHJlY3Qgd2lkdGg9IjEwODAiIGhlaWdodD0iMTA4MCIgZmlsbD0iI0Y2RjhGRSIgLz4KICAgICAgICA8cmVjdCBpZD0iciIgd2lkdGg9IjEwODAiIGhlaWdodD0iMTA4MCIgZmlsbD0idXJsKCNnKSIgLz4KICAgICAgICA8YW5pbWF0ZSBocmVmPSIjciIgYXR0cmlidXRlTmFtZT0ieCIgZnJvbT0iLTEwODAiIHRvPSIxMDgwIiBkdXI9IjFzIiByZXBlYXRDb3VudD0iaW5kZWZpbml0ZSIgIC8+CiAgICA8L3N2Zz4=","width":1080,"height":1080,"priority":true}],"articleData":{"title":"Isovalent Cilium Enterprise 1.14: Multi-Network","description":"Learn how you can connect Kubernetes Pods to multiple interfaces with Isovalent Enterprise for Cilium 1.14 multi-network!","url":"https://isovalent.com/blog/post/isovalent-enterprise-for-cilium-1-14-multi-network","download":"$undefined","authors":[{"_createdAt":"2024-09-27T10:02:38Z","_id":"0ae51702-7dba-84ad-a28a-f771145d2ef7","_rev":"6LVvD8xfzQrGEZvFexsj7u","_type":"person","_updatedAt":"2025-03-25T23:54:43Z","bio":{"en":[{"_key":"be6d1ddb-c534-48aa-9920-df188816a37a","_type":"block","children":[{"_key":"bb5153ab-f237-44b0-9510-a169a1950ad0","_type":"span","marks":[],"text":"Nico Vibert is a Senior Staff Technical Marketing Engineer at Isovalent, the company behind the open-source cloud-native solution Cilium. Prior to joining Isovalent, Nico worked in many different roles—operations and support, design and architecture, and technical pre-sales—at companies such as HashiCorp, VMware, and Cisco. In his current role, Nico focuses primarily on creating content to make networking a more approachable field and regularly speaks at events like KubeCon, VMworld, and Cisco Live. Nico has held over 15 networking certifications, including the Cisco Certified Internetwork Expert CCIE (# 22990). Nico is now the Lead Subject Matter Expert on the Cilium Certified Associate (CCA) certification."}],"markDefs":[],"style":"normal"},{"_key":"74d4f41ab634","_type":"block","children":[{"_key":"d11957993c26","_type":"span","marks":[],"text":"Outside of Isovalent, Nico is passionate about intentional diversity & inclusion initiatives and is Chief DEI Officer at the Open Technology organization OpenUK. You can find out more about him on his blog."}],"markDefs":[],"style":"normal"}]},"company":{"_ref":"35073912-4894-4a13-89f6-caa5d58ff52d","_type":"reference"},"firstName":{"en":"Nico"},"fullName":{"en":"Nico Vibert"},"headshot":{"_type":"image","asset":{"_ref":"image-a8fa134c3d7583ee70832353c7ff0d8a2181ff16-200x200-jpg","_type":"reference"}},"image":"https://cdn.sanity.io/images/xinsvxfu/production/a8fa134c3d7583ee70832353c7ff0d8a2181ff16-200x200.jpg","languages":["en"],"lastName":{"en":"Vibert"},"title":{"en":"Senior Staff Technical Marketing Engineer"}}]}}]}]}]}],"$undefined"]}]]