Cilium is a powerful solution for networking, observability, and security. Thanks to its flexibility and extensive feature set, it is used in a wide range of use cases. I had a look at publications and presentations about how people use Cilium and identified my personal top 20 Cilium use cases – including Tetragon and Hubble, of course! The list is unordered; I cannot tell which are the most important ones.
Run a highly performant Kubernetes platform
A quite obvious use case for Cilium: running Kubernetes, and running it well. The larger the Kubernetes platform grows, the more important performance becomes – networking performance, but also observability and security. When throughput and request response time become crucial, the limits of other CNIs quickly become visible. Cilium outperforms the competition regularly, making it the ideal choice for high-performance Kubernetes platforms.
We’d like to highlight two users of Cilium for high performance here: e-commerce provider Trendyol, and data center operator Hetzner Online. You might also be interested in our Cilium CNI benchmark by Isovalent.
Performance Testing Cilium Ingress at Hetzner Cloud
Cilium was the best option for Hetzner's requirements to upgrade the company's ingress architecture. Read the blog on cilium.io
“Cilium has proven to be a game changer for Trendyol’s Kubernetes clusters. With its advanced capabilities in networking, observability, and security, Cilium has met our expectations, outperforming previous CNIs.” (Emin Aktaş, specialist in Kubernetes)
Unleashing the Power of Cilium CNI to Propel Trendyol’s Performance Up to 40%!
Trendyol implemented Cilium as the default CNI for the Kubernetes Cluster starting from version 1.26. Discover our journey. Read the blog on medium.com
Improve security stance with Zero Trust
Another obvious top use case is based on the advanced network policy capabilities of Cilium: Zero Trust Security. Zero Trust Security is a model that assumes that all network traffic is potentially dangerous and should not be trusted by default, even if it originates from within the network perimeter. There are multiple ways to work towards zero trust, and Tetragon and Cilium have a range of features to implement them. For a telecommunication industry company, FQDN-based network policy rulesets were crucial for their security-sensitive solution:
Cilium User Story: Zero Trust Networking at Scale
A telecommunications company used Cilium to implement a zero trust networking model. Read the blog on cilium.io
Reduce Tool Sprawl
Kubernetes is never installed on its own. It is there to run workloads – and as part of that, multiple tools and add-ons are usually added over time. This can lead to tool sprawl, increasing the number of tools to a state that becomes hard to maintain.
With the use cases listed here that Cilium can cover, quite a few tools can be replaced, reducing tool sprawl and bringing the complexity of the IT infrastructure back down to a more maintainable set. Examples of Cilium reducing tool sprawl are seen through use cases in observability tools, additional service meshes, and security components. Isovalent’s customer, the IT software and service company Tietoevry, is a good example of this:
“Cilium can be crucial for platform maintainers: since it already is so powerful, there are fewer different pieces of a puzzle you have to install into the cluster. You don’t need an extra Ingress or Service Mesh.” (Endre Karlson, SRE Tietoevry Industries)
Better policies, less tool sprawl: Tietoevry uses Cilium and Hubble
Tietoevry uses Cilium with Hubble to have advanced network policies (DNS!) and reduce tool sprawl. Read the blog on isovalent.com
Avoid vendor lock-in
Almost everyone is using public cloud vendors. But how do you keep the flexibility and agility of the public cloud, without sacrificing your independence? The answer is Kubernetes – with the crucial ingredient Cilium. Cilium abstracts away the vendor-specific bits of the clusters, and simplifies cross-cloud networking and maintenance. Isovalent’s customer Form3, a payment technology provider for banks and other financial institutions, is doing just that:
“As a platform team it was key to pick a common CNI running on any cloud.” (Kevin Holditch, VP of Engineering at Form3)
Avoiding cloud vendor lock-in with Kubernetes and Cilium – Form3
Form3 is building out a multi-cloud strategy and avoids cloud vendor lock-in by using Kubernetes and Cilium. Read the blog post on isovalent.com
Modernize your own IT towards a cloud-like experience
When your business is not a fresh start-up, you have legacy IT. You have IT that is not yet as modern as you want it to be. It often is a big challenge to start the journey of modernization. Cilium can help on your cloud-native journey, though. Be it that you want to move to the public cloud, to a microservices architecture, or that your teams want to become more agile.
Hear it from a large Cilium user from the retail industry who presented their modernization journey at CiliumCon Europe:
Some Assembly Required: Private Cloud, Cloud Native Networking
Hear the modernization journey experience and how Kubernetes with Cilium helped there. Watch the video on YouTube
Reduce support burden
Introducing Kubernetes into a new environment is exciting – but sometimes people forget the less exciting part: day 2 operations. In larger and more complex setups maintenance and support can be a challenging business, often consuming large shares of the IT team’s time. This directly translates into operational costs.
Cilium can help here: By leveraging Cilium’s observability component Hubble and its user-friendly self-service access, internal and/or external customers can have direct data insights into their application service connectivity, reducing the support burden and thus reducing operational costs.
Isovalent’s partner VSHN, an IT service provider, is doing just that:
“It lowers our support burden. We can give users access to the Hubble interface.” (Tobias Brunner, CTO of VSHN)
Reducing the Kubernetes support burden with Cilium - VSHN
VSHN required an intuitive user interface to visualize connectivity, down to the API request. Cilium provided just that. Read about the use case on isovalent.com
Troubleshoot Kubernetes Networking
Speaking of day 2 operations, network troubleshooting is a frequent task when running Kubernetes environments. What is going wrong where? How can we even look into this? And even if it is again a DNS problem – how do we find and solve it?
Watch Isovalent’s own Thomas Graf answer these troubleshooting questions quickly using Cilium during a session at CiliumCon during KubeCon 2023. Additionally, the media company Meltwater recently discussed how Hubble helped them swiftly identify and debug Kubernetes networking issues.
“All aspects of Cilium are being done using a technology called eBPF, and that’s actually what’s enabling a lot of the observability in Cilium.” (Thomas Graf, CTO & Co-Founder Isovalent)
Surviving Day 2 - How to Troubleshoot Kubernetes Networking
Learn how to troubleshoot Kubernetes networking with Cilium and how to monitor to prevent incidents. Watch the video on YouTube
“Besides just the UI, Hubble is an easier way to debug network issues and see network traffic. I don’t need to use tcpdump anymore. We understand better what is going on between all the different components and workloads in our system.” (Federico Hernandez, Principal Engineer, Meltwater)
Meltwater's Live Migration to Cilium for Richer Features
Meltwater turned to Cilium as their preferred networking and observability solution to take advantage of its performance, a rich set of features, and maturity in the cloud native ecosystem. Read the case study post at cncf.io
Create a multi-tenant architecture
Larger enterprises tend to use more than one Kubernetes cluster. Often, they have multiple teams, setting up their own infrastructure and workloads. Missing standardization and lack of insight across all clusters can impact the team’s cooperation and make support hard.
The answer is to create multi-tenant Kubernetes architecture: guaranteed isolation between tenants ensures different teams can safely run on the same platform. Self-service observability, clear separation of duties, and the corresponding workload isolation help establish the platform and get buy-in from related teams. Cilium supercharges Kubernetes in this use case with enhanced network policies and deep, RBAC-backed observability with Hubble. Two users of this popular Cilium use case are a well-known publishing company, and Adobe, the well-known software company home to all creative workers and a customer of Isovalent.
“Guaranteed isolation between tenants was needed to ensure different teams could safely run on the same platform.” (Staff Software Engineer, publishing industry)
Cilium User Story: Securing 100,000+ RPS in a Multi-Tenant Environment
Learn how to troubleshoot Kubernetes networking with Cilium and how to monitor to prevent incidents. Read the blog on cilium.io
“For network policies, we rely on Cilium CNI.” (Victor Varza, Adobe)
Lightning Talk: What Makes a Good Multi-tenant Kubernetes Solution? - Victor Varza, Adobe
Kubernetes does not support running workloads in a multi-tenant architecture. Learn how Open Source technologies can help. Watch the presentation on YouTube
Build isolated environments
When your Kubernetes workloads process client data, you had better have clearly separated, isolated data sandboxes. Bloomberg – a financial, software, data, and media company – builds those sandboxes with Cilium’s policies, which restrict cluster network access to specific ports and host names and thereby restrict data egress.
“When we were evaluating different options, we found Cilium was the least disruptive to implement in our tech stack.” (Anne Zepecki, Team Lead for the BQuant Enterprise Identity Management team, Bloomberg)
Using Network Policy to Build Data Sandboxes at Bloomberg
Bloomberg built data sandboxes with Cilium. Read the blog at cncf.io
Scale the Kubernetes Platform
When a business develops well, infrastructure often grows accordingly. While Kubernetes is built to scale, not all components support it in the same way. Especially iptables-based CNIs can become a serious bottleneck.
In the case of Cilium user PostFinance, the financial services unit of Swiss Post, gaining networking insights with traditional, iptables-based CNI plugins became difficult. Moving to Cilium helped them build out a scalable Kubernetes platform.
“Cilium and Isovalent helped our team to build a scalable Kubernetes platform which meets our demanding requirements to run mission-critical banking software in production!” (Thomas Gosteli, Linux Systems Specialist PostFinance)
PostFinance picks Cilium for Cloud Native Networking
By replacing their previously used CNI with Cilium, PostFinance was able to solve their scale challenges. Read the use case
High-churn on Kubernetes
High-churn is a typical use case in data processing when pods have only a short lifetime, similar to functions-as-a-service. The Kubernetes network must be able to host a high pod density without quickly running out of IPs.
Backed by eBPF, Robinhood, an American financial services company, and Ascend, a data pipeline automation company, were both able to use Cilium to run their high-churn Kubernetes use cases.
“When we looked closer at Cilium, we saw a few things like network policy, Hubble, and little things like the network policy editor. It’s delightful. It’s really easy to use and it’s the only one I’ve seen.” (Joe Stevens, Member of the Technical Staff, Ascend)
How Ascend leverages Cilium as a networking layer
Ascend turned to Cilium as their CNI which simplified integrating into customer networks, eliminated their IP churn and density issues, and provided them with reliable encryption and network policies. Read the blog on cncf.io
“We were able to pack at least 2x more pods than we were able to pack in the flat networking model.” (Madhu C.S., Robinhood)
More Churn No Problem: Lessons Learned Running Cilium in Production
Robinhood’s war stories from running Cilium in a high-churn near-production environment. Watch the presentation on YouTube
Segment Telco networks
Telco is special. Everyone who has ever worked in this field will probably agree. The networks often grow through mergers and acquisitions that take years, they have a lot of legacy technologies, are bound by regulations, and have diversified offerings, but at the same time have constantly evolved due to new technologies like 5G.
Help can come in the form of IPv6-based routing, SRv6. It greatly simplifies network routing – and Cilium supports it, as Isovalent’s customer Bell Canada, a Canadian telecommunications company, shows:
“eBPF is changing the telco networking space” (Daniel Bernier, Technical Director Bell Canada)
Leveraging Cilium and SRv6 for Telco Networking
Cilium and its eBPF data plane were extended to support telco networking requirements in a cloud-native way. Watch the recording on YouTube
Deploy to multi-cluster, multi-cloud
Enterprises are using more and more public clouds and in general more and more clusters. As shown above, one way is to consolidate those into single clusters, with multi-tenancy. Another way is to connect those clusters: install Cilium on all of them, and connect them manually or via cluster mesh.
Form3, a payment technology provider for banks and other financial institutions, used this approach, where they installed Cilium as the default networking layer, and connected them all with each other via Cilium’s cluster mesh.
“The data centers are clustered using Cilium Cluster Mesh, allowing us to easily load balance and share information between data centers.” (Adelina Simion, Technology Evangelist, Form3)
Multi-cluster networking with Cilium at Form3 - Adelina Simion
Form3 uses Cilium cluster mesh to connect our FPS Gateway, which is 3 Kubernetes clusters, 2 in our data centres and one in AWS EKS. Watch the recording on YouTube
Scale massively
Kubernetes is made for scale. And some users push it to its boundaries – like Datadog, which runs 10s of clusters with 10k+ nodes and 100k+ pods. Iptables, like in other use cases, becomes a bottleneck at scale. And even cloud-specific CNIs are not built for that scale.
Datadog, the well-known observability service for cloud-scale applications, uses Cilium to overcome these CNI performance challenges and has spoken a lot about their use of Cilium, like at CiliumCon at KubeCon 2023 in Amsterdam speaking about a Murder Mystery, or with their eBPF journey at Datadog two years ago at eBPF Summit. But nothing shows their scale challenges better than the case study done with the CNCF, showing the advantages of Cilium as a CNI at massive scale.
“When you scale, and you have a large number of services and endpoints, iptables becomes challenging. We can use iptables for load balancing, but it was not designed for it.” (Laurent Bernaille, Staff Engineer, Datadog)
How Datadog uses Cilium & eBPF to power their data plane
Datadog turned to Cilium as their CNI and kube-proxy replacement to take advantage of the power of eBPF. Read the case study at cncf.io
Improve compliance with Zero Trust networking for SOC 2 Type II and ISO 27001
We already talked about Zero Trust further above. An enhanced use case of that is to focus on compliance, to fulfill the requirements of frameworks like SOC 2 Type II and ISO 27001. In compliance use cases, Cilium network policies block all traffic by default, and with Hubble’s observability platform and Tetragon’s runtime insights, engineers and/or application developers can allow only the traffic that is really needed.
Utmost is a provider of insurance-based wealth solutions and handles sensitive personal data. In working towards specific SOC 2 Type II and ISO 27001 use cases, they used Cilium and Hubble to implement zero-trust networking.
“Cilium ticked all the boxes for us in terms of maturity, stability, performance, visibility, debugging, monitoring and the list goes on.” (Andrew Holt, Senior Systems Engineer)
Zero Trust Networking with Cilium
Utmost implemented Cilium as their CNI for network policies to default deny all traffic and created automated pipelines for their developers to create new policies. Read the use case at cncf.io
Migrate applications to Kubernetes
Kubernetes is perfect for cloud-native applications. But what about monolithic, legacy apps? Those need to be migrated. But that is easier said than done. Even if you manage to slice them into components, how do you troubleshoot components? How do you secure network communication?
Isovalent’s customer Tietoevry, an IT software and service company, uses Cilium for, among other things, just this: Cilium’s self-service monitoring helps to understand the communication and fine-tune policies – and of course during troubleshooting.
“Using Cilium on the legacy app saved us most likely a whole year.” (David Haugli, SRE Tietoevry Industries)
Tietoevry: More than just a CNI - Cilium and Hubble as the cloud native network stack
In this video, learn how Cilium and Hubble can help IT service providers with many teams and clusters to standardize on a powerful, fully cloud-native network stack. Watch the webinar
Eliminate team silos
Team silos can be painful. This is especially true in the cloud-native world, where networking is sometimes expected to just happen. In reality, networking needs to be planned and executed correctly, even in Kubernetes-based ecosystems.
Cilium helped S&P Global, a financial information and analytics company, to bring together network engineers and developer teams, combine their knowledge to make the cloud-native network invisible to the developer teams, and enable rapid application deployment by boosting developer efficiency.
“We started to use Cilium CNI to standardize the delivery of multi-cloud Kubernetes network services.” (Guru Ramamoorthy)
eBPF, a road to invisible network: S&P Global's Network Transformation Journey
S&P Global’s network engineers leveraged eBPF-based networking with Cilium to power their application journey into Kubernetes. Watch the video on YouTube
Improve Kubernetes with Better Network Policies
Probably the most fundamental use case for Cilium is having a good network policy engine in Kubernetes: to isolate customer processes, to separate customers, and to enhance security.
The database software company ClickHouse uses Cilium to create dedicated CiliumNetworkPolicies for each customer’s Kubernetes namespace. This secures the environment, even if a malicious user breaks into a pod.
“We checked a few performance comparisons and I just like [Cilium’s] eBPF approach a lot more. It worked out of the box, and the documentation was really nice. We also trust in Cilium because it has really broad adoption.” (Marcel Birkner, Cloud Software Engineer, ClickHouse)
How ClickHouse is Using Cilium to Implement Efficient Network Policies
ClickHouse turned to Cilium as their preferred networking solution to take advantage of eBPF performance. Read the case study at cncf.io
Enhance scale and efficiency – BGP style
The last use case is a bit special to me: before I joined Isovalent, I always thought that BGP is only interesting for the large ISPs. I quickly realized this assumption was wrong – BGP peering with external routers can quickly be a game changer! Reduced broadcast traffic, seamless integration, and scaling are becoming much easier with a CNI that supports BGP on-premises integration.
A Cilium user on LinkedIn recently described his experience in migrating from Flannel to Cilium and described the difference the BGP support makes.
“With Cilium’s BGP-based networking mode, I experienced enhanced scalability and more efficient handling of routes and network segments.” (Greg A.)
Kubernetes - Migrating from Flannel and Friends to Cilium
Kubernetes Fine Tuning - Migrating from Flannel, Nginx Ingress, MetalLB, and kube-proxy to Cilium with BGP Routing for Enhanced Scalability. Read the use case on LinkedIn
Go global
Global IT is often associated with the big cloud vendors. But there is more to it: if you create content that offers close interaction with customers, you need to be close to them. Everywhere.
The Brazilian gaming company Wildlife serves users in over 150 countries. In 20218 they started to rethink their infrastructure, and with the help of Cilium went global.
“I’ve been working as a Site Reliability Engineer at Wildlife Studios, using and building infrastructure tools on top of Kubernetes in order to support millions of users around the world.” (Luan Guimarães)
How Wildlife Studios built a Global Multi Cluster Gaming Infrastructure with Cilium
Rethinking a networking infrastructure for Kubernetes to support better integration between different regions. Read the use case on cilium.io
Summary of my top 20 Cilium use cases
As you can see, Cilium is used extensively, and for many different use cases. At the same time, this is just the tip of the iceberg. There are many more ways in which Cilium can help solve daily (Kubernetes) problems. Even if you check out each individual Cilium user above, you will often encounter more than just one use case!
If you are using Cilium, feel free to submit your use case in the GitHub USERS file. In addition, we are always happy to discuss use cases in our regular Cilium AMA. Last but not least, I would be happy if you would share your favorite use case directly with me on LinkedIn or Twitter/X!