Microsoft and Isovalent bring eBPF-based Networking and Security to Azure
Elevate Your AKS Clusters with Isovalent Enterprise for Cilium. Azure Kubernetes Services will now be deployed with Cilium open sourced data plane and natively integrated with Azure CNI. Discover the advantages of advanced security and observability features in Isovalent Enterprise for Cilium, designed for AKS clusters of any size and complexity. Try it now on Azure Marketplace and experience the benefits first-hand.
Azure Kubernetes Service will now be deployed with Cilium open sourced data plane and natively integrated with Azure CNI. Microsoft will handle first-line support and collaborate with Isovalent on specific support issues to their deep knowledge of the technology.
Isovalent Enterprise for Cilium on Microsoft Azure Marketplace
By integrating Isovalent's Cilium, Hubble, and Tetragon on Microsoft Azure, users will benefit from all advanced Cilium features including a high-performance eBPF datapath, a scalable network policy and Kubernetes services implementation, and rich observability & troubleshooting capabilities.
Contact usUncover the full potential with Isovalent Enterprise for Cilium
- Network Routing (CNI)
- Identity-based Network Policy (Labels, CIDR)
- Load-Balancing (L3/L4)
- Advanced Networking (BGP, Multi-Homing, SRv6, Bandwidth Management, ...)
- Advanced Network Policy (DNS, L7, TLS/SNI, ...)
- Multi-Cluster (Routing, Load-Balancing, Service Discovery, Policy)
- Transparent Encryption
- Egress Gateway
- Ingress & Gateway API Support
- Non-Kubernetes Workloads
Cilium
- Service Mesh (eBPF & Envoy, sidecar-free)
- Canary Rollouts, Retries, Rate Limiting
- L7 Load-Balancing
- OpenTelemetry, Prometheus, Grafana Support
Cilium Service Mesh
- Hubble Network Observability (TCP, UDP, SCTP, DNS, HTTP, gRPC, TLS, ...)
- Prometheus, Grafana, OpenTelemetry, Fluentd export
- Service & Tracing Map
- SIEM Integration
- Timescape - Historic Flow/Tracing Data & Analytics
- Multi-Tenancy / RBAC
Hubble - (Network Observability)
- Security Observability (Process, Syscall, File, Network, ...)
- File Integrity Monitoring (FIM)
- Combined Network & Runtime Visibility
- Real-Time Enforcement
- SIEM Integration
- Timescape - Historic Security Visibility & Analytics
Tetragon - (Security Visibility and Enforcement)
- Collaborative Support Agreement
- Enterprise-hardened Cilium Versions and Testing
- 24x7 Enterprise Grade Support SLA
- Proactive Support Environment Reviews
Enterprise Distribution & Support
Cilium on Azure
Cilium, an open-source project by Isovalent, provides networking and security capabilities using eBPF. Integrating Cilium with Azure offers the following benefits:
Powerful Integration
Combines the eBPF-based Cilium datapath with the advanced IPAM capabilities of Azure CNI, resulting in a highly scalable VNET for direct routing and the selection of the new Azure Overlay feature.
Enhanced Cilium Features
Azure Kubernetes Service (AKS) users can leverage the high-performance eBPF datapath, scalable network policy, Kubernetes services implementation, and rich observability & troubleshooting capabilities of Cilium.
One-Click Upgrade to Isovalent Enterprise for Cilium
AKS customers can seamlessly upgrade from Azure CNI Powered by Cilium to the full Isovalent Enterprise for Cilium platform with a single click, unlocking advanced security, governance controls, extended network capabilities, Timescape, and Isovalent Tetragon Enterprise features.
Simplified Operations
The tight integration with Azure enables auto-upgrades, native integration into the Azure ecosystem for SIEM export, monitoring, governance control, and a unified billing experience, reducing management overhead.
Microsoft Sentinel SIEM Integration:
Integrating Isovalent Enterprise for Cilium with Microsoft Sentinel brings extensive visibility into AKS clusters for security teams. This integration offers:
- Rich Connectivity Data: Gain insights into the communication patterns and performance of your AKS cluster.
- TLS Visibility: Monitor the encryption status of your network traffic for enhanced security.
- Network Security Violations: Identify and respond to network security breaches in real-time.
- Compliance Monitoring Events: Keep track of compliance-related events and ensure adherence to security regulations.
Hubble on Azure
Hubble, the network observability platform, is an integral part of the Cilium project. Integrating Hubble with Azure provides users with:
Hubble RBAC with Azure Identity
Hubble UI and Prometheus metrics can be governed using Role-Based Access (RBAC) rules, allowing platform teams to create self-service dashboards for application teams. By integrating with Azure Identity, Azure user roles can be easily mapped to Hubble's RBAC roles for a seamless experience.
Azure Metadata Support
Hubble's integration with Azure allows it to natively understand Azure identity and metadata, such as names and labels of nodes, VPCs, network security groups, and more. This enriches observability data and provides more accurate identification, simplifying the understanding of HTTP tracing data and other security-relevant information.
Azure Monitor with Native Prometheus & Grafana Integration
Hubble's integration with Azure Monitor and Azure Managed Grafana brings its Prometheus metrics and Grafana dashboards into the Azure ecosystem. This allows users to access all metrics covering day-2 operations, incident troubleshooting, and security monitoring alongside their existing dashboards.
Adobe has used Isovalent Enterprise for Cilium in production for many years, and we were excited to learn of the enterprise features and support provided on Microsoft Azure Kubernetes Service by the Isovalent team.
Tetragon on Azure
Tetragon, an eBPF-based security observability and runtime enforcement platform, is transforming cloud-native security by providing comprehensive data for incident investigations and preventive security measures. The integration of Tetragon with Azure brings several advantages to users.
Get started
Microsoft Sentinel SIEM Integration
Tetragon's SIEM export to Microsoft Sentinel enables groundbreaking security observability for cloud-native environments. This integration expands the networking-focused view offered by Cilium and additionally covers runtime and system spectrums.
Comprehensive Security Insights
Tetragon addresses various use cases such as file access, file integrity monitoring, syscall activity logs, privilege and capabilities escalation alerting, and much more. By providing a comprehensive data source for incident investigations, Tetragon empowers security teams to better understand and respond to security threats.
Preventive Security Measures
After achieving visibility into potential security threats, Tetragon offers enforcement policies that allow users to establish preventive security measures within their Azure environment. This helps to protect cloud-native applications and infrastructure from vulnerabilities and attacks.
Capabilities of Isovalent Enterprise for Cilium
Isovalent Enterprise for Cilium is a powerful networking and security solution for Kubernetes environments that goes beyond the capabilities of the open-source Cilium project. With Isovalent Enterprise for Cilium, you can benefit from:
Comprehensive cloud-native connectivity
Isovalent Cilium Enterprise provides advanced network policy capabilities, including DNS-aware policy, L7 policy, and deny policy, enabling fine-grained control over network traffic for micro-segmentation and improved security.
Scalable, multi-tenant design
Built to scale, Isovalent Cilium Enterprise provides a powerful connectivity layer with built-in security functionality for Kubernetes that allows you to isolate and secure traffic between applications and other cloud-native infrastructure.
Deep observability
Achieve deep visibility into network traffic with detailed flow logs and packet captures for real-time monitoring and troubleshooting.
Robust security
Protect against sophisticated threats with robust and scalable security features like micro-segmentation, encryption, and authentication.
Who is this for?
Advanced use cases that enterprises may look at when using this solution:
Microservices architectures
Azure CNI powered by Cilium provides application-aware networking that enables microservices architectures to be easily deployed and managed in a secure and scalable way.
Large-scale Kubernetes deployments
Enterprises that have large-scale Kubernetes deployments with hundreds or thousands of nodes can benefit from the high-performance networking and observability features provided by Azure CNI powered by Cilium.
Compliance and regulatory requirements
Azure CNI powered by Cilium provides advanced network policy enforcement, making it easier for enterprises to comply with regulatory requirements such as HIPAA and GDPR.
Cloud-native security
Azure CNI powered by Cilium provides advanced network security at the kernel level, making it an ideal solution for enterprises that require a cloud-native security approach.
Multi-cluster and hybrid-cloud environments
Isovalent Enterprise for Cilium supports multi-cluster environments, allowing enterprises to easily connect and secure Kubernetes workloads across multiple AKS clusters. This solution also supports hybrid-cloud environments, where Kubernetes workloads are deployed across both on-premises and cloud infrastructure.
We needed a very quick networking solution that would form the backbone of our entire multi-cloud architecture. We choose Cilium as it supports Network Policies at Layer 3/4/7, Cloud agnostic & easy deploy everywhere.
Frequently Asked Questions
- Azure CNI powered by Cilium
- Isovalent Cilium Enterprise through Microsoft Azure Marketplace
- AKS BYOCNI with either Cilium OSS or Isovalent Cilium Enterprise
- AKS with Cilium & Azure IPAM ("legacy Azure IPAM")
- AKS with Azure CNI & Cilium via CNI Chaining
- For new customers getting started with AKS using small clusters without any requirements beyond what “Azure CNI powered by Cilium” provides, the Azure CNI powered by Cilium is recommended. Once clusters and requirements develop, customers can upgrade to Isovalent Enterprise for Cilium seamlessly.
- For more advanced enterprise customers requiring support and/or usage of more advanced Networking, Security and Observability features, the preferred option is “Isovalent Enterprise for Cilium through the Microsoft Microsoft Azure Marketplace”. Microsoft Azure Marketplace Cilium Enterprise offering brings full flexibility in terms of access to Cilium features to the delegated IPAM solution, while retaining the advantageous ease of use and integration with Azure.
- Optionally “AKS BYOCNI” is also an option for advanced customers wanting to be in control of their configuration, who need usage of all advanced capabilities or those which are not ready to invest in Isovalent Enterprise for Cilium. Cilium OSS on BYOCNI is then a good option.
- Customers on “Azure CNI powered by Cilium” are provided a seamless migration to Isovalent Enterprise for Cilium.
- Customers on “AKS BYOCNI with Cilium OSS” can upgrade to Isovalent Enterprise for Cilium. However, this is a manual migration process.
- Azure CNI powered by Cilium provides native support for the next generation Cilium eBPF dataplane in AKS clusters running Azure CNI. It offers Pod networking, basic Kubernetes Network Policies, and high-performance service load balancing. The eBPF dataplane is available in both VNet mode and Overlay mode of Azure CNI.
- The key advantages can be categorized as:
- Simple deployment: Azure CNI powered by Cilium is easy to deploy and manage, making it a good choice for customers who want a simple solution for their AKS clusters.
- High-performance networking: The eBPF dataplane used by Azure CNI powered by Cilium provides high-performance networking, enabling fast and reliable communication between pods and services.
- Kubernetes Network Policies: Azure CNI powered by Cilium provides basic support for Kubernetes Network Policies, allowing customers to define fine-grained network access controls for their pods.
- High-performance load balancing: Azure CNI powered by Cilium offers high-performance load balancing for services within AKS clusters, providing reliable service access to customers.
- Overall, Azure CNI powered by Cilium is a good choice for customers who want a simple, high-performance networking solution for their smaller AKS clusters, with basic support for Kubernetes Network Policies and load balancing.
- Support will be provided by Microsoft
- Isovalent Enterprise for Cilium through Microsoft Azure Marketplace offers a wide range of advanced networking, security, and observability features to enterprises.
- Here are some key advantages of Isovalent Enterprise for Cilium on Microsoft Microsoft Azure Marketplace:
- Advanced Networking Features: Isovalent Enterprise for Cilium provides advanced networking features such as Layer 7 load balancing, Network Policies, DNS-based service discovery, and secure service-to-service communication using mTLS.
- Enhanced Security: With advanced security features like Application Layer Encryption, Network Security Policies, and DDoS protection, Isovalent Enterprise for Cilium provides better protection to enterprise workloads in Azure.
- Observability and Monitoring: Isovalent Enterprise for Cilium offers enhanced visibility with real-time network telemetry and fine-grained observability using tools like Prometheus and Grafana.
Integration with Azure Services: Isovalent Enterprise for Cilium integrates seamlessly with other Azure services like
- Azure Policy, Azure Monitor, and Azure Security Center, providing a unified management experience.
Enterprises with complex networking requirements, high-security standards, and larger workloads can benefit from the advanced features offered by Isovalent Enterprise for Cilium through Microsoft Microsoft Azure Marketplace - Support will be provided by Isovalent
- Customers who require more control can configure AKS BYOCNI and install Cilium manually. Important to note that Direct Routing and Azure IPAM integration is not supported.
- Customers can also seamlessly upgrade from Azure CNI powered by Cilium to Isovalent Enterprise for Cilium using the Microsoft Azure Marketplace.
- In case customers would like to enable more features, they can make use of ARM templates and Azure CLI to customize the Cilium configuration for the respective features. More details will be covered in an upcoming blog.
- AKS BYOCNI has support implications - Microsoft will not support CNI-related issues in clusters deployed with BYOCNI. In the case of Cilium OSS customers rely on community support. In the case of Isovalent Enterprise for Cilium, Isovalent provides support.
- Partnership with Microsoft
- Yes, Isovalent Cilium Enterprise is now on Microsoft Azure Marketplace
- Isovalent Enterprise for Cilium is available in the following regions:
- East US, EastUS2EUAP, West US, Central US, West Central US, South Central US, East US2, West US2, West Europe, North Europe, Canada Central, South East Asia, Australia East, Central India, Japan East, Korea Central, UK South, UK West, Germany West Central, France Central, East Asia, West US3, Norway East, South African North, North Central US, Australia South East, Switzerland North, Japan West, South India
- Get started with Isovalent Cilium Enterprise on the Azure Marketplace- General Availability
- Isovalent Enterprise for Cilium in Azure Marketplace by Azure
- Isovalent Enterprise for Cilium is available in Azure Marketplace by Isovalent
- Announcing Azure CNI Powered by Cilium
- Azure CNI Powered by Cilium for Azure Kubernetes (AKS)
- 24x7 Enterprise Support by Isovalent.
- Enterprise-hardened and tested releases
- Proactive Support and Environment Reviews
- Hubble Enterprise
- Export Flows to SIEM platforms
- Advanced Metrics
- Azure CNI powered by Cilium documentation
- Azure AKS BYOCNI documentation
- Cilium documentation for AKS BYOCNI
- AKS with Cilium & Azure IPAM ("legacy Azure IPAM")
- AKS with Azure CNI & Cilium via CNI chaining