APPUiO Managed Add-On: Cilium

Cilium is an open source software for providing, securing and observing network connectivity between container workloads - cloud native, and fueled by the revolutionary Kernel technology eBPF.

— cilium.io Website


To learn more, check out "What is Cilium?".

We offer the commercial version of Cilium from Isovalent, Isovalent Cilium Enterprise, as an add-on to APPUiO Managed. Isovalent Cilium Enterprise provides additional features as well as 24/7 support from the creators of Cilium.

Isovalent Cilium Enterprise addresses the complex workflows related to security automation, forensics, compliance, role-based access control, and integration with legacy infrastructure that arise as platform teams engage with application and security teams within an enterprise organization.

— Isovalent Website


Why use Cilium?

Security

Cilium offers advanced security features that aren’t available from any other Kubernetes networking add-on. Thanks to eBPF, these features go far beyond plain networking.

Advanced Networking

By leveraging eBPF, Cilium enables many advanced networking use cases that aren’t possible with traditional, iptables-based network plugins. It outperforms them in speed, flexibility and security.

Observability

Cilium works directly in the kernel and therefore provides insight into what’s actually going on, far beyond what traditional observability tooling can offer.

VSHN Supported Features and Configuration

Supported by default

These features and configurations are available out of the box and are installed and configured by default.

Core Secure & Scalable Connectivity
  • Highly scalable IPv4 and IPv6 Kubernetes CNI

  • Kubernetes Label & CIDR Network Policies

  • DNS-aware Network Policies

  • Host Network Policies

  • Deny Network Policies

Advanced Secure & Scalable Connectivity
  • L7-Aware Network Policy & Visibility

  • TLS-termination for L7 Visibility

Ops-Centric Connectivity Observability
  • Hubble Cluster-wide Flow Visibility CLI / API

  • Hubble Service Map + Flow Visibility UI

  • Identity-aware Network Metrics (Prometheus)

  • HTTP/gRPC-aware Connectivity Metrics

Application Team Troubleshooting & Policy Workflows
  • Multi-tenant RBAC for Flows, Metrics, and UI

  • Advanced Policy Troubleshooting UI

  • Simplified Policy Creation Tools & APIs

Enterprise Distribution & Support
  • Enterprise-hardened Cilium Versions and Testing

Supported on request

These features or configuration adjustments must be specifically requested, and some restrictions apply. Activating and configuring these features incurs additional engineering costs, and operating them may incur further engineering costs (although no fixed additional recurring costs apply).

Core Secure & Scalable Connectivity
  • Overlay, Direct, and Cloud Provider Routing Modes

  • High-performance L3/L4 Pod Load-balancing (kube-proxy replacement)

Advanced Secure & Scalable Connectivity
  • Transparent IPsec Encryption

  • Multi-cluster Routing, Load-balancing & Security

  • Advanced L3/L4 External Load-balancing (including XDP-acceleration, Direct Server Return, Maglev)

  • Advanced Bandwidth Management for Pods through EDT (Earliest Departure Time) model

  • Non-containerized VM / Bare-metal Workloads

  • 3rd-party BGP integrations (MetalLB, BIRD, etc.)

Ops-Centric Connectivity Observability
  • Historical Flow Data and Analytics

Application Team Troubleshooting & Policy Workflows
  • Historical Flow Data and Analytics

  • Automated Security Policy Approvals

SecOps Observability Workflows
  • Integration with External SIEM (Splunk, ELK, etc.) for Incident Investigation, Forensics + Audit

  • SIEM - Identity + DNS-aware Flow Data Export

  • SIEM - Process/Syscall Data Export

  • SIEM - TLS Handshake Compliance Monitoring

  • SIEM - Network Policy Compliance Monitoring

  • Identity-aware Tap/Mirror (IDS insertion)

Unsupported

These features or configuration adjustments are not supported by VSHN. They can still be activated or changed, but they are neither monitored, backed up nor maintained. No guarantees are given; use them at your own risk.

Beta Features

All features marked as "Beta" by Isovalent.

Pricing

Pricing is per vCPU.

Default Configuration

  • Latest supported Isovalent Cilium Enterprise version

  • Default Kubernetes CNI plugin (replacing the distribution’s default plugin, if any)