A Bold Leap Forward: AWS and Isovalent bring eBPF-based Networking and Security to AWS
Cilium is installed by default in every EKS Anywhere (EKS-A) Kubernetes cluster. Through the partnership between Isovalent and AWS, an enhanced version of the Cilium build shipped with EKS-A is available. Discover the advanced security, networking, and observability features of Isovalent Enterprise for Cilium, designed for EKS-A clusters of any size and complexity.
Cilium on AWS
Cilium, an open-source project by Isovalent, provides networking and security capabilities using eBPF. Integrating Cilium with AWS offers users the following benefits:
An eBPF-based Cilium datapath, which enables the dynamic insertion of programming logic into the Linux kernel. Cilium is available as a commercially supported Kubernetes CNI plugin that can be used on an Amazon EKS-A cluster.
Enhanced Cilium Features
Amazon Elastic Kubernetes Service (EKS) users can leverage the high-performance eBPF datapath, scalable network policy, Kubernetes services implementation, and rich observability & troubleshooting capabilities of Cilium.
Upgrade to Isovalent Enterprise for Cilium
EKS customers can upgrade from the Cilium embedded in EKS to the full Isovalent Enterprise for Cilium platform, unlocking advanced security, governance controls, extended network capabilities, Timescape, and Isovalent Tetragon Enterprise features.
The tight integration with AWS enables auto-upgrades, native integration into the AWS ecosystem for SIEM export, monitoring, governance control, and a unified billing experience, reducing management overhead.
Uncover the full potential with Isovalent Enterprise for Cilium
- Network Routing (CNI)
- Identity-based Network Policy (Labels, CIDR)
- Load-Balancing (L3/L4)
- Advanced Networking (Multi-Homing, SRv6, Bandwidth Management, ...)
- Advanced Network Policy (DNS, L7, TLS/SNI, ...)
- Multi-Cluster (Routing, Load-Balancing, Service Discovery, Policy)
- 3rd Party BGP Implementation Support
- Built-in BGP Support
- Transparent Encryption
- Egress Gateway
- Ingress via 3rd-party Ingress Controller
- Built-in Ingress & Gateway API Support
- Non-Kubernetes Workloads
Cilium Service Mesh
- Service Mesh (eBPF & Envoy, sidecar-free)
- Canary Rollouts, Retries, Rate Limiting
- L7 Load-Balancing
- OpenTelemetry, Prometheus, Grafana Support
Hubble (Network Observability)
- Hubble Network Observability (TCP, UDP, SCTP, DNS, HTTP, gRPC, TLS, ...)
- Prometheus, Grafana, OpenTelemetry, Fluentd export
- Service & Tracing Map
- SIEM Integration
- Timescape - Historic Flow/Tracing Data & Analytics
- Multi-Tenancy / RBAC
Tetragon (Security Visibility and Enforcement)
- Security Observability (Process, Syscall, File, Network, ...)
- File Integrity Monitoring (FIM)
- Combined Network & Runtime Visibility
- Real-Time Enforcement
- SIEM Integration
- Timescape - Historic Security Visibility & Analytics
Enterprise Distribution & Support
- Collaborative Support Agreement
- Enterprise-hardened Cilium Versions and Testing
- 24x7 Enterprise Grade Support SLA
- Proactive Support Environment Reviews
Hubble on AWS
Hubble, the network observability platform, is an integral part of the Cilium project. Integrating Hubble with AWS provides users with:
Hubble RBAC with AWS Identity
Hubble UI and Prometheus metrics can be governed using Role-Based Access Control (RBAC) rules, allowing platform teams to create self-service dashboards for application teams. By integrating with AWS Identity, AWS user roles can be mapped to Hubble's RBAC roles for a seamless experience.
AWS Metadata Support
Hubble's integration with AWS allows it to natively understand AWS identity and metadata, such as names and labels of nodes, VPCs, network security groups, and more. This enriches observability data and provides more accurate identification, simplifying the understanding of HTTP tracing data and other security-relevant information.
AWS Monitor with Native Prometheus & Grafana Integration
Hubble's integration with AWS Monitor and AWS Managed Grafana brings its Prometheus metrics and Grafana dashboards into the AWS ecosystem. This allows users to access all metrics covering day-2 operations, incident troubleshooting, and security monitoring alongside their existing dashboards.
Tetragon on AWS
Tetragon, an eBPF-based security observability and runtime enforcement platform, is transforming cloud-native security by providing comprehensive data for incident investigations and preventive security measures.
Tetragon's SIEM export enables groundbreaking security observability for cloud-native environments. This integration expands the networking-focused view offered by Cilium and additionally covers runtime and system spectrums.
Comprehensive Security Insights
Tetragon addresses use cases such as file access monitoring, file integrity monitoring, syscall activity logs, privilege and capability escalation alerting, and much more. By providing a comprehensive data source for incident investigations, Tetragon enables security teams to better understand and respond to security threats.
Preventive Security Measures
After achieving visibility into potential security threats, Tetragon offers enforcement policies that allow users to establish preventive security measures within their AWS environment. This helps to protect cloud-native applications and infrastructure from vulnerabilities and attacks.
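The enforcement policies described above (and the Tetragon Runtime Security bullet further down) are expressed as Tetragon TracingPolicy objects. The following is an added example, not a policy shipped by Isovalent or AWS, written against the open-source Tetragon CRD (`cilium.io/v1alpha1`); the policy name and the protected path are assumed. It hooks the kernel's `fd_install` function (called whenever a process obtains a file descriptor), matches opens of `/etc/shadow`, and terminates the offending process with SIGKILL, so visibility and prevention come from one policy:

```yaml
# Added example of a Tetragon TracingPolicy (not from the original page).
# Assumptions: open-source Tetragon CRD schema; policy name and path are illustrative.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-shadow-access   # assumed name
spec:
  kprobes:
  # fd_install is the kernel function that installs a new file descriptor
  # into a process's fd table; hooking it observes every successful open().
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"        # the new file descriptor number
    - index: 1
      type: "file"       # struct file *, resolved by Tetragon to its path
    selectors:
    - matchArgs:
      # Only fire when the opened file is the shadow password database.
      - index: 1
        operator: "Equal"
        values:
        - "/etc/shadow"
      # Enforcement: kill the process. Drop matchActions to run in
      # observe-only mode and just emit the event to Hubble/SIEM export.
      matchActions:
      - action: Sigkill
```

Apply it with `kubectl apply -f` once the Tetragon agent is running; each match produces a `process_kprobe` event that carries the process tree, container and namespace context, which is the data a SIEM export would ingest. A practical rollout keeps `matchActions` removed for a soak period to confirm no legitimate workload (for example, a PAM-based login sidecar) reads the file before switching on `Sigkill`.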
Capabilities of Isovalent Enterprise for Cilium
Isovalent Enterprise for Cilium is a powerful networking and security solution for Kubernetes environments that goes beyond the capabilities of the open-source Cilium project. With Isovalent Enterprise for Cilium, you can benefit from:
Comprehensive cloud-native connectivity
Isovalent Cilium Enterprise provides advanced network policy capabilities, including DNS-aware policy, L7 policy, and deny policy, enabling fine-grained control over network traffic for micro-segmentation and improved security.
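The three policy types named here (DNS-aware, L7, and deny; the same ones listed under Advanced Network Policy in the FAQ below) can all be combined in one CiliumNetworkPolicy. The following is an added example, not a policy from the original page or from Isovalent; it uses the open-source `cilium.io/v2` CRD, and the namespace, workload labels, hostname and ports are assumed. The `egress` section allows DNS to kube-dns with DNS inspection (required for FQDN rules to work), restricts external egress to one FQDN over HTTPS, and limits calls to the in-cluster catalog service to `GET /api/v1/products`; the `egressDeny` section blocks the cloud instance-metadata address and takes precedence over every allow rule:

```yaml
# Added example of a CiliumNetworkPolicy (not from the original page).
# Assumptions: namespace "shop", labels app=frontend / app=catalog,
# hostname api.example.com and port 8080 are illustrative.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress        # assumed name
  namespace: shop              # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: frontend
  egress:
  # 1. Allow DNS to kube-dns and have Cilium parse the responses; the
  #    dns rule is what lets the toFQDNs rule below learn the IPs.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # 2. DNS-aware policy: external traffic only to this FQDN, HTTPS only.
  - toFQDNs:
    - matchName: "api.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  # 3. L7 policy: the catalog service may only be called with
  #    GET /api/v1/products... ; other methods/paths get an HTTP 403.
  - toEndpoints:
    - matchLabels:
        app: catalog
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/v1/products.*"
  # 4. Deny policy: never reach the instance-metadata endpoint, even if a
  #    broader allow rule is added later (deny always wins in Cilium).
  egressDeny:
  - toCIDR:
    - 169.254.169.254/32
```

Because the policy has an `egress` section, everything not listed is dropped for `app=frontend` pods; `hubble observe --verdict DROPPED --from-label app=frontend` (Hubble CLI) shows exactly which flows the policy rejected, which is the quickest way to validate it before enforcing it on a busy namespace.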
Scalable, multi-tenant design
Built to scale, Isovalent Cilium Enterprise provides a powerful connectivity layer with built-in security functionality for Kubernetes that allows you to isolate and secure traffic between applications and other cloud-native infrastructure.
Achieve deep visibility into network traffic with detailed flow logs and packet captures for real-time monitoring and troubleshooting.
Protect against sophisticated threats with robust and scalable security features like micro-segmentation, encryption, and authentication.
Integrating Isovalent Enterprise for Cilium with a SIEM brings extensive visibility into EKS clusters for security teams. This integration offers:
- Rich Connectivity Data: Gain insights into the communication patterns and performance of your EKS cluster.
- TLS Visibility: Monitor the encryption status of your network traffic for enhanced security.
- Network Security Violations: Identify and respond to network security breaches in real-time.
- Compliance Monitoring Events: Keep track of compliance-related events and ensure adherence to security regulations.
Isovalent Enterprise for Cilium on AWS Marketplace
By integrating Isovalent's Cilium, Hubble, and Tetragon on AWS, users benefit from all advanced Cilium features, including a high-performance eBPF datapath, a scalable network policy and Kubernetes services implementation, and rich observability & troubleshooting capabilities.
Who is this for?
Advanced use cases that enterprises may look at when using this solution:
Cilium provides application-aware networking that enables microservices architectures to be easily deployed and managed in a secure and scalable way.
Large-scale Kubernetes deployments
Enterprises that have large-scale Kubernetes deployments with hundreds or thousands of nodes can benefit from the high-performance networking and observability features provided by Cilium.
Compliance and regulatory requirements
Cilium provides advanced network policy enforcement, making it easier for enterprises to comply with regulatory requirements such as HIPAA and GDPR.
Cilium provides advanced network security at the kernel level, making it an ideal solution for enterprises that require a cloud-native security approach.
Multi-cluster and hybrid-cloud environments
Cilium supports multi-cluster environments, allowing enterprises to easily connect and secure Kubernetes workloads across multiple EKS clusters. This solution also supports hybrid-cloud environments, where Kubernetes workloads are deployed across both on-premises and cloud infrastructure.
Frequently Asked Questions
- For new customers getting started with EKS-A using small clusters without any requirements beyond what “EKS-Anywhere” provides, the default Cilium image on EKS-A clusters is recommended. Once clusters and requirements develop, customers can upgrade to Isovalent Enterprise for Cilium seamlessly.
- For more advanced enterprise customers requiring support and/or usage of more advanced Networking, Security and Observability features, the preferred option is “Isovalent Enterprise for Cilium through the AWS Marketplace”.
- Customers with EKS-A clusters that have Cilium as the default CNI are provided a seamless migration to Isovalent Enterprise for Cilium.
- IPv4 and IPv6 CNI capabilities.
- Overlay routing using GENEVE encapsulation (default)
- Direct routing for directly connected L2 networks
- Kubernetes Network Policy for network segmentation
- Prometheus metrics for monitoring the health of the Cilium deployment.
- Support will be provided by AWS
- EKS Anywhere users with a need for advanced networking & security capabilities can easily upgrade to Isovalent Cilium Enterprise through the AWS Marketplace. These features can be added to any EKS Anywhere cluster and include:
- Hubble Observability and Hubble Timescape: eBPF-powered L3/L4/L7 network observability traces and metrics, made available via Hubble UI, CLI, and API. Long-term storage & querying is available via Hubble Timescape leveraging AWS S3 object storage.
- Advanced Network Policy: more powerful network segmentation capabilities, including DNS-aware network policy, HTTP-aware policies, deny policies, and hierarchical policies, as well as tools to simplify network policy creation and troubleshooting.
- Transparent Encryption: automatically encrypt all communication between workloads without requiring any changes to applications.
- Tetragon Runtime Security: eBPF-powered runtime security observability and enforcement with visibility into process execution, file access, capabilities changes, and more happening inside a container.
- BGP Routing, Load-Balancing, Egress Gateway: more advanced integration with external physical networking hardware for connections entering/leaving the Kubernetes cluster.
- Cilium Ingress & Service Mesh: a sidecar-free service mesh capable of cross-cluster connectivity and HTTP & gRPC-layer routing and retries.
- Support will be provided by Isovalent
- 24x7 Enterprise Support by Isovalent
- Enterprise-hardened and tested releases
- Proactive Support and Environment Reviews
- Hubble Enterprise
- Export Flows to SIEM platforms
- Advanced Metrics