Microsoft and Isovalent bring eBPF-based Networking and Security to Azure

Dec 05, 2022, Isovalent

Today, we are excited to announce a strategic partnership with Microsoft. The partnership brings the extensive eBPF-based capabilities of Cilium and Isovalent Cilium Enterprise to Azure and AKS. We have been hard at work together with Microsoft integrating Cilium, Hubble, and Tetragon with the Azure ecosystem. As a first milestone, we have announced Azure CNI powered by Cilium at KubeCon Detroit 2022. Azure CNI powered by Cilium combines Cilium’s advanced networking, security, and scalability & performance with the extensive IPAM capabilities of the existing Azure CNI.

In this blog, we dive deeper into the integrations that the partnership will unlock for Azure and Cilium customers in the coming months.

Cilium for Azure

With Azure CNI Powered by Cilium, AKS is now natively powered by Cilium. This integration is the result of a collaboration between Microsoft and Isovalent engineering. It combines the powerful eBPF-based Cilium datapath with the advanced IPAM capabilities of Azure CNI.

Azure Kubernetes Service clusters can now be deployed with the open-source Cilium data plane, natively integrated with Azure CNI.

Microsoft will handle first-line support and collaborate with Isovalent on specific support issues due to their deep knowledge of the technology. We are thrilled to be expanding our relationship with Isovalent and continuing our collaboration with the Cilium open-source community.

Deepak Bansal, CVP and Technical Fellow, Microsoft Azure

As this integration becomes generally available, it will become the preferred choice for Cilium users on Azure. Existing Cilium users benefit from the rich Azure IPAM implementation, which unlocks both the new Azure Overlay mode and a highly scalable VNet with direct routing. AKS users benefit from the full set of advanced Cilium features, including the high-performance eBPF datapath, a scalable network policy and Kubernetes Services implementation, and rich observability and troubleshooting capabilities.

One-Click Isovalent Cilium Enterprise Upgrade

AKS customers will also benefit from a seamless one-click upgrade experience from Azure CNI Powered by Cilium to the full Isovalent Cilium Enterprise platform. The enterprise platform will be available in the Azure Container Marketplace and makes the full set of advanced Cilium features including security and governance controls, extended network capabilities, Timescape, and the full set of Isovalent Tetragon Enterprise features available to Azure customers.

The tight integration into the Azure platform simplifies operations by enabling auto-upgrades and natively integrating into the Azure ecosystem for SIEM export, monitoring, and governance control. The unified billing experience will eliminate management overhead. Finally, the support collaboration will maximize the reliability and customer experience of the platform.

Microsoft Sentinel SIEM Integration

Export of networking-related security observability data into an external SIEM (Security Information and Event Management) platform is a core feature of the Isovalent Cilium Enterprise platform. By integrating with Microsoft Sentinel, security teams gain extensive visibility into AKS clusters including rich connectivity data, TLS visibility, network security violations, encryption status, and compliance monitoring events.

Hubble for Azure

Hubble is the observability layer of Cilium. It processes observability input from Cilium and Tetragon and makes the observability data available to platform and application teams to assist with monitoring, troubleshooting, and incident resolution.

Hubble RBAC with Azure Identity

Access to Hubble UI and Prometheus metrics can be governed with Role-Based Access Control (RBAC) rules. This lets platform teams create self-service dashboards for application teams while limiting the scope of the observability data to what each team is responsible for. Using the Azure Identity integration, Azure user roles can be mapped to Hubble's RBAC roles for a seamless experience.


Azure Metadata Support

Hubble offers rich integration with external metadata providers to annotate observability data with identity and other metadata, so that endpoints are identified accurately instead of by volatile network identifiers such as IP addresses. The Azure integration of Hubble natively understands Azure identity and metadata such as the names and labels of nodes, virtual networks (VNets), network security groups, and so on.

This makes it trivial to understand HTTP tracing data between a Kubernetes pod and an Azure node out of an existing node pool:

az-nodepool1-3344:53410    sw/deathstar-695:80   HTTP/1.1 GET http://deathstar/
sw/deathstar-695:80        az-nodepool1-3344     HTTP/1.1 200 1ms (GET http://deathstar/)

The metadata is also used to enrich events such as network policy drops and other security-relevant information:

sw/enterprise-5775b:37800   aks-nodepool1-3402:53410:80(http)   Policy denied (L3)   TCP Flags: SYN
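To show what a consumer of these enriched flows can do with them, here is an added example (not Hubble's own code or output format) that parses flow lines in the three-column shape shown above, separates forwarded HTTP traffic from policy drops, aggregates drops per source workload and flattens each event into the key/value record a SIEM connector such as the Sentinel export would ingest. The column layout is assumed from the sample lines on this page (real `hubble observe` output carries more fields), and the sample flows are constructed, not captured from a cluster.

```python
"""Parse Hubble-style flow lines into structured, SIEM-ready events.

Assumed layout (from the page's sample lines): source, destination and a
summary, separated by runs of two or more spaces. Endpoints look like
name[:port][(proto)], with Kubernetes workloads rendered as namespace/pod and
Azure nodes by their node-pool name.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample flows (not captured from a real cluster).
SAMPLE_FLOWS = """
az-nodepool1-3344:53410    sw/deathstar-695:80   HTTP/1.1 GET http://deathstar/
sw/deathstar-695:80        az-nodepool1-3344     HTTP/1.1 200 1ms (GET http://deathstar/)
sw/enterprise-5775b:37800   az-nodepool1-3402:80(http)   Policy denied (L3)   TCP Flags: SYN
sw/enterprise-5775b:37802   az-nodepool1-3402:80(http)   Policy denied (L3)   TCP Flags: SYN
sw/tiefighter-7c8d:41000    sw/deathstar-695:80   Policy denied (L7)   HTTP/1.1 PUT http://deathstar/v1/exhaust-port
"""

# name[:port][(proto)], e.g. "sw/deathstar-695:80" or "az-nodepool1-3402:80(http)"
ENDPOINT_RE = re.compile(r"^(?P<name>[^:(]+)(?::(?P<port>\d+))?(?:\((?P<proto>[^)]+)\))?$")
DROP_RE = re.compile(r"Policy denied \((L\d)\)")


@dataclass
class Endpoint:
    name: str             # "namespace/pod" for workloads, node name otherwise
    port: Optional[int]
    proto: Optional[str]
    kind: str             # "pod" or "node"


@dataclass
class FlowEvent:
    src: Endpoint
    dst: Endpoint
    verdict: str          # "forwarded" or "dropped"
    layer: Optional[str]  # "L3", "L4" or "L7" for policy drops, else None
    summary: str


def parse_endpoint(token: str) -> Endpoint:
    m = ENDPOINT_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised endpoint: {token!r}")
    name = m.group("name")
    port = int(m.group("port")) if m.group("port") else None
    # Workloads carry a namespace/ prefix; anything else is treated as a node
    # identified by its Azure node-pool metadata.
    kind = "pod" if "/" in name else "node"
    return Endpoint(name, port, m.group("proto"), kind)


def parse_flow(line: str) -> FlowEvent:
    parts = re.split(r"\s{2,}", line.strip())
    if len(parts) < 3:
        raise ValueError(f"expected source, destination, summary: {line!r}")
    src, dst = parse_endpoint(parts[0]), parse_endpoint(parts[1])
    summary = "  ".join(parts[2:])
    drop = DROP_RE.search(summary)
    if drop:
        return FlowEvent(src, dst, "dropped", drop.group(1), summary)
    return FlowEvent(src, dst, "forwarded", None, summary)


def parse_flows(text: str) -> List[FlowEvent]:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def policy_drops_by_source(events: List[FlowEvent]) -> Counter:
    """Dropped flows per source workload: the aggregation a SIEM rule would
    threshold on to spot a pod probing beyond what policy allows it."""
    return Counter(e.src.name for e in events if e.verdict == "dropped")


def to_siem_record(event: FlowEvent) -> Dict[str, object]:
    """Flatten one event into the key/value shape a SIEM connector ingests."""
    return {
        "src": event.src.name,
        "src_kind": event.src.kind,
        "dst": event.dst.name,
        "dst_kind": event.dst.kind,
        "dst_port": event.dst.port,
        "verdict": event.verdict,
        "policy_layer": event.layer,
        "summary": event.summary,
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for name, count in policy_drops_by_source(flows).items():
        print(f"{name}: {count} policy drop(s)")
    for ev in flows:
        if ev.verdict == "dropped":
            print(to_siem_record(ev))
```

The point of keeping the enriched names (node pool, namespace/pod) rather than IP addresses in the exported record is that pod IPs are recycled constantly in AKS, so a rule keyed on an IP stops matching the same workload after a restart while a rule keyed on `sw/enterprise-5775b` keeps working.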

Azure Monitor with Native Prometheus & Grafana Integration

Prometheus metrics and Grafana dashboards form the core of Hubble’s observability experience. By integrating Hubble into Azure Monitor and Azure Managed Grafana, all Prometheus metrics covering use cases such as day-2 operations, incident troubleshooting, and security monitoring become easily available side-by-side to existing dashboards.

Tetragon for Azure

Tetragon is a quickly evolving security observability and runtime enforcement platform using eBPF. It defines a new generation of security visibility and enforcement for cloud native environments. Tetragon helps security teams understand security threats by providing a comprehensive data source for incident investigations. After achieving visibility, Tetragon offers enforcement policies to establish preventive security measures.

As part of the partnership, Tetragon is deeply integrated with the Azure ecosystem. This includes:

Microsoft Sentinel SIEM Integration

Tetragon’s SIEM export to Microsoft Sentinel enables groundbreaking security observability for cloud native environments. Tetragon expands the networking-focused view offered by Cilium to cover the runtime and system layers as well. It addresses use cases such as file access, file integrity monitoring, syscall activity logs, privilege and capabilities escalation alerting, and much more.

Learn More

We are excited about what is yet to come and are looking forward to continuing the collaboration with the Microsoft team to bring eBPF’s superpowers to the Azure ecosystem. If you want to learn more, get in touch with us by requesting a demo. A member of Isovalent’s Cilium team will reach out to schedule a demo or Q&A session.

Author: Thomas Graf, CTO & Co-Founder Isovalent, Co-Creator Cilium, Chair eBPF Governing Board