May 2, 2025
Azure Container Networking Interface (CNI) continues to evolve, now bolstered by the capabilities of Cilium. Azure CNI Powered by Cilium (ACPC) uses Cilium’s extended Berkeley Packet Filter (eBPF) dataplane to enable features such as network policy enforcement, deep observability, and improved service routing. Here’s a deeper look into the latest features that make management of Azure Kubernetes Service (AKS) clusters more efficient, scalable, and secure.
Improved Performance: Cilium Endpoint Slices
One of the standout features in the recent updates is the introduction of CiliumEndpointSlice (CES). It significantly improves the scalability of Cilium’s control plane in AKS clusters, which in turn speeds up the dataplane’s reaction to pod churn.
Previously, Cilium tracked every pod with its own CiliumEndpoint (CEP) custom resource, which records the pod’s identity, addresses and status. Every pod creation, deletion or label change therefore became a separate write to the Kubernetes API server, and in larger clusters that placed significant stress on the control plane.
To alleviate this load, CiliumEndpointSlice batches CiliumEndpoints and their updates into slices, reducing the number of objects and update events the API server has to process and propagate. Our performance testing has shown remarkable improvements:
- Average API server responsiveness: up to 50% lower latency, meaning faster processing of queries.
- Pod startup latency: up to 60% reduction, allowing for faster deployment and scaling.
- In-cluster network latency: up to 80% decrease, translating to better application performance.
Note that this feature is Generally Available and enabled by default on AKS clusters running Cilium 1.17 and above; it does not require any additional configuration changes. Learn more about the improvements unlocked by CiliumEndpointSlices with Azure CNI by Cilium – High-Scale Kubernetes Networking with Azure CNI Powered by Cilium | Microsoft Community Hub.
Deployment Flexibility: Dual Stack for Cilium Network Policies
Kubernetes clusters operating on an IPv4/IPv6 dual-stack network let workloads natively reach both IPv4 and IPv6 endpoints without additional complexity or performance drawbacks. Previously, dual-stack networking on AKS clusters (starting with AKS 1.29) running Azure CNI Powered by Cilium was available in preview. Now we are happy to announce that the feature is Generally Available! By enabling both IPv4 and IPv6 addressing, you can run production AKS clusters in mixed environments and accommodate a variety of network configurations. More importantly, dual-stack support in Azure CNI’s Cilium network policies extends the same security controls to both address families: a policy that selects a pod is enforced on its IPv6 traffic as well as its IPv4 traffic, so allow-lists must name both families. Dual-stack with the Cilium dataplane runs in overlay mode, so the cluster is created with --network-plugin-mode overlay. For instance, you can create a dual-stack AKS cluster with the eBPF dataplane as follows:
az aks create --location <location> --resource-group <resource-group> --name <cluster-name> --network-plugin azure --network-plugin-mode overlay --network-dataplane cilium --ip-families ipv4,ipv6 --generate-ssh-keys
Learn more about Azure CNI’s Network Policies – Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS) – Azure Kubernetes Service | Microsoft Learn
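As an added example (not from the original post or the AKS documentation), the following CiliumNetworkPolicy shows what the dual-stack point means in practice for an egress allow-list. The namespace, workload labels and CIDR ranges are hypothetical placeholders. Once a pod is selected by an egress policy, Cilium drops every egress flow the policy does not allow, regardless of address family, so the IPv6 prefix has to be listed alongside the IPv4 one or connections that resolve to AAAA records silently fail.

```yaml
# Added example, not from the original post. Egress allow-list for a
# hypothetical "frontend" deployment on a dual-stack AKS cluster.
# Namespace, labels and CIDRs are placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: frontend
  egress:
  # Name resolution via CoreDNS in kube-system, UDP and TCP on port 53.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
  # HTTPS to an external API range. Both the IPv4 and the IPv6 prefix of
  # that range are listed: with only 10.100.0.0/16 here, a client that
  # picks the AAAA record would be dropped by this same policy.
  - toCIDR:
    - 10.100.0.0/16
    - fd00:10:100::/48
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Apply it with kubectl apply -f and confirm the effect from a frontend pod by connecting to a host in each prefix; dropped flows, including IPv6 ones, show up in Hubble with hubble observe --verdict DROPPED when ACNS observability is enabled.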
Ease of Use: Node Subnet Mode with Cilium
Azure CNI now supports Node Subnet IPAM mode with the Cilium dataplane. In Node Subnet mode, pods are assigned IP addresses from the same virtual network subnet as the nodes, which simplifies routing and policy management because pod IPs are directly routable in the VNet. This mode is particularly beneficial for smaller clusters where managing multiple subnets is cumbersome; because every pod consumes a VNet address, size the subnet for the maximum number of pods per node times the node count. AKS clusters using this mode also gain improved network observability, Cilium Network Policies, FQDN filtering and the other capabilities unlocked by Advanced Container Networking Services (ACNS). More notably, with this feature we now support all IPAM configuration options with the eBPF dataplane on AKS clusters. Omitting --network-plugin-mode selects Node Subnet mode, so you can create an AKS cluster with Node Subnet IPAM and the eBPF dataplane as follows:
az aks create --name <cluster-name> --resource-group <resource-group> --location <location> --network-plugin azure --network-dataplane cilium --generate-ssh-keys
Learn more about Node Subnet – Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS) – Azure Kubernetes Service | Microsoft Learn.
Defense-in-depth: Cilium Layer 7 Policies
Azure CNI by Cilium extends its Layer 4 network policy capabilities to Layer 7, offering granular control over application traffic. This lets you define security policies based on application-level protocols and metadata rather than only on IPs, identities and ports, adding a powerful layer of security and compliance management: a caller may be allowed to reach a service on port 8080 but only for specific methods and paths.
Layer 7 policies are implemented using Envoy, an open-source service proxy that ships as part of the ACNS security agent and operates in conjunction with the Cilium agent. For the ports that carry Layer 7 rules, Cilium redirects traffic through Envoy, which provides the necessary visibility and control at the application layer and rejects requests that no rule allows (for HTTP, with a 403 response). Policies can be enforced based on HTTP and gRPC methods, paths, headers, and other application-specific attributes. Additionally, Cilium Network Policies support Kafka-aware rules (produce or consume on named topics), enhancing security and traffic management. Note that Envoy can only inspect what it sees in the clear: a connection that is TLS-encrypted end to end can still be restricted at Layer 4, but not by method or path.
This feature is currently in public preview mode and you can learn more about the getting started experience here – Introducing Layer 7 Network Policies with Advanced Container Networking Services for AKS Clusters! | Microsoft Community Hub.
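The following two policies are an added example, not code from the original post or from the ACNS getting-started guide; the namespace, labels, ports, paths and topic name are hypothetical. The first restricts a frontend to specific HTTP methods and paths on an orders API; the second restricts a producer to one Kafka topic on a broker. Both use the CiliumNetworkPolicy rule types the post describes.

```yaml
# Added example, not from the original post. HTTP-aware ingress policy for a
# hypothetical "orders-api" deployment. Labels, ports and paths are placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-api-l7
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: orders-api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # Adding "rules" turns this L4 allow into an L7 allow-list: port 8080
      # from frontend is proxied through Envoy and only these requests pass.
      rules:
        http:
        # Read the collection or a single order by numeric id.
        - method: "GET"
          path: "/api/v1/orders(/[0-9]+)?"
        # Create orders only with an explicit JSON content type. Anything else
        # (DELETE, PUT, /api/v1/admin, ...) from frontend gets HTTP 403.
        - method: "POST"
          path: "/api/v1/orders"
          headers:
          - "Content-Type: application/json"
---
# Added example, not from the original post. Kafka-aware ingress policy on a
# hypothetical broker: the order-events service may only produce to "orders".
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: kafka-broker-l7
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: kafka-broker
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: order-events
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        - role: "produce"
          topic: "orders"
```

Other workloads in the namespace that are not listed under fromEndpoints are denied at Layer 4 as soon as the policy selects the pod, so the Layer 7 rules only narrow what the allowed callers may do. Verify the HTTP policy by issuing an allowed GET and a disallowed DELETE from a frontend pod: the first succeeds, the second returns 403 from Envoy rather than a connection failure, and both are visible as L7 flows in Hubble.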
Coming Soon: Transparent Encryption with WireGuard
By using Cilium’s WireGuard integration, customers can help meet regulatory requirements by ensuring that network traffic between pods on different nodes, whether HTTP-based or not, is encrypted in transit without any change to the applications. When WireGuard is enabled, the Cilium agent on each cluster node establishes a WireGuard tunnel with every other known node in the cluster and routes traffic between Cilium endpoints over those tunnels; traffic between pods on the same node never leaves the host and does not traverse a tunnel. This feature will soon be in public preview and will be enabled as part of ACNS. Stay tuned for more details on this.
Conclusion
These new features in Azure CNI Powered by Cilium underscore our commitment to enhancing default network performance and security in your AKS environments, all while collaborating with the open-source community. From the performance boost of CiliumEndpointSlice to the adaptability of dual-stack support and the advanced security of Layer 7 policies and WireGuard-based encryption, these innovations ensure your AKS clusters are not just ready for today but are primed for the future. Also, don’t forget to dive into the world of eBPF-based observability in multi-cloud environments! Check out our latest post – Retina: Bridging Kubernetes Observability and eBPF Across the Clouds.
Why wait, try these out now!
Stay tuned to the AKS public roadmap for more exciting developments! For additional information, visit the following resources:
- For more info about Azure CNI Powered by Cilium visit – Configure Azure CNI Powered by Cilium in AKS.
- For more info about ACNS visit Advanced Container Networking Services (ACNS) for AKS | Microsoft Learn.