Securing the Networking Stack with Cilium
ilionx is an IT consultancy firm with several offices in the Netherlands. ilionx supports its clients in the fields of digital strategy, cloud applications, data & AI, hyper-automation & integration, and managed services. They do this with expertise ranging from architecture, application development, security, and data to organizational and change processes. ilionx has a Kubernetes platform called ACP (Application Centric Platform) which was built with high security, automation, and self-service in mind, so that developers do not need deep Kubernetes knowledge to use it.
Initially, when ilionx set up their Kubernetes platform, they opted for a simple CNI and used a private network security appliance for L3 firewalling and, at L7, as a WAF. It didn't take long for them to realize that this setup was a roadblock to self-service and automation, making things overly complex for the team. They also lacked the network security policies they needed for multi-tenant clusters, and the firewall required manual setup for every customer. Faced with these challenges, they started searching for a solution that would provide enforceable network policies and allow them to express L3 and L7 firewall configuration as code, so that onboarding could be automated through APIs.
ilionx turned to Cilium as their preferred networking, observability and security solution after a series of positive referrals and extensive research. Cilium’s integration in their platform presented a two-fold solution; firstly, serving as the automatable network engine managing traffic direction within the Kubernetes cluster, and secondly, enforcing security through network policies and firewalling, ensuring a robust multi-tenant environment where clients’ data remains secure and isolated.
Integrating Cilium into their Kubernetes platform has made automation and administration tasks easier, allowing for a more self-service approach for their development teams. The use of Cilium’s network policies improved security and provided better insights into network traffic. Cilium also allowed them to replace their current network security solution and its manual configuration in their networking stack. Overall, Cilium enhanced the team’s ability to provide a secure and self-service Kubernetes platform for their customers.
ilionx is a well-known IT consultancy firm with a wide range of clients, including those in healthcare, business intelligence, application development, IT support, and general consultancy. They’re also the go-to for customers needing tight security, especially those with microservice architectures or web applications, with a strong focus on cloud solutions and automation.
The ilionx platform team consists of six engineers working on automation and open source, specifically focusing on their Kubernetes platform: Application Centric Platform. They originally built out their Kubernetes platform with Calico but ran into problems.
“We were running Calico and the network policies from Calico were not doing what we needed them to do. I wouldn’t say they were bad, but they weren’t really trustworthy. We couldn’t get someone to explain to us how they worked and not a lot of documentation was up and running back then,” explained Remy Simons, Managing Consultant – Cloud/Platform Engineer at ilionx.
“And then the fun part started because the Azure networking stack had issues with parts of the Calico networking. After two or three weeks of troubleshooting, we knew we needed to look for another solution.”
ilionx conducted evaluations of various popular CNI plugins and Cilium emerged as their preferred choice after a series of positive referrals and extensive research.
“After doing research on the best networking engines for Kubernetes, Cilium consistently emerged on top. We shared our findings with other Kubernetes platform leaders and discovered there was a common understanding for Cilium. The innovation of Kubernetes is still strong and there are a lot of options to choose from. The choice for Cilium, however, is one of the best choices we made. With Cilium we can properly secure clusters with network policies and get a lot of insight into network flows with Hubble. We also haven’t had any network, HA, or connectivity issues in the last two years.”
Remy Simons, Managing Consultant – Cloud/Platform Engineer, ilionx
After making their decision, they replaced Calico with Cilium by setting up new clusters and migrating the workloads over. Cilium provides two key capabilities to their clusters. First, it is the network engine responsible for routing traffic to pods and between pods within the cluster. Second, they use Cilium network policies to microsegment the network. They run multi-tenant clusters and must not let customers reach each other's data. With Cilium network policies in place, traffic can no longer cross from one customer's namespace into another's unless a policy explicitly allows it.
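The namespace isolation described above, written as a CiliumNetworkPolicy. This is an added example, not ilionx's own policy; the namespace name `tenant-a`, the ingress controller namespace `ingress-nginx`, and port 8080 are assumptions. In a namespaced CiliumNetworkPolicy an empty selector means "every endpoint in this namespace", both in `endpointSelector` and inside `fromEndpoints`/`toEndpoints`, which is what makes the same-namespace rule exclude other tenants:

```yaml
# Added example (not ilionx's policy): per-tenant isolation for the namespace
# tenant-a (hypothetical name). Once a policy selects an endpoint, any traffic
# in that direction that no rule allows is dropped, so this policy is both the
# default deny and the allowlist for every pod in tenant-a.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: tenant-isolation
  namespace: tenant-a
spec:
  description: "Only traffic inside tenant-a, plus DNS and the platform ingress controller"
  endpointSelector: {}            # every endpoint in tenant-a
  ingress:
  # Pods in tenant-a may talk to each other. The empty selector under
  # fromEndpoints is scoped to this namespace, so other tenants are excluded.
  - fromEndpoints:
    - {}
  # The platform's ingress controller (assumed to run in the hypothetical
  # namespace ingress-nginx) may reach the tenant's HTTP port only.
  - fromEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": ingress-nginx
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
  egress:
  # Intra-namespace egress, mirroring the ingress rule above.
  - toEndpoints:
    - {}
  # DNS to CoreDNS in kube-system. Without this rule name resolution fails as
  # soon as egress enforcement starts, which is the most common onboarding bug.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      - port: "53"
        protocol: TCP
```

Because the policy is a namespaced Kubernetes object, the platform team can have onboarding automation apply one copy per customer namespace, and a development team can add further, narrower policies for its own applications without being able to widen the tenant boundary. After applying it, check with Hubble that the flows you expect are forwarded and that cross-namespace attempts are dropped, rather than assuming the selectors match what you intended.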
Simplifying and Automating the Networking Stack with Cilium
With Cilium up and running in their clusters, ilionx looked for further ways they could leverage it to simplify and automate their networking and security stack. At the time, they were using a network security stack for L3 and L7 firewalling and a private WAF. However, it was not built for the cloud native world and was consuming too much of their team’s time.
“Maintaining layer three and layer seven security on the current stack is a hassle. We want a self-service platform, but it takes us two to four hours to onboard each customer. If I have to tell a development team that, hey, you’re going to make use of our Kubernetes platform, but you also need to have all this networking knowledge. That’s never going to lift off.”
Remy Simons, Managing Consultant – Cloud/Platform Engineer, ilionx
The developers were already editing their own deployment files, replica sets, and storage through code, but the networking stack was not yet automatable and needed to be handled by the platform team. Cilium allows developers to manage the networking stack through the YAML that they were already used to.
“There’s no planet at the moment where we can easily automate against the current stack, where we have to talk to several API endpoints. It’s not always working and doesn’t support setting all the configurations using the API. On the other hand, if I use Cilium network policies and the API from Kubernetes I can automate everything easier. I can educate the development teams on how to use their own network policies and how to make a fence around their own application making it almost completely self-service. Everything that we can do with Cilium network policies makes automation better. It’s really easy. The self-service makes it a lot more sellable and usable to our development teams,” said Simons.
Replacing the network security stack with Cilium helped simplify and automate their networking stack for network policies and firewalling. They currently use Cilium for L3 firewalling but are also looking to use it to replace their L7 WAF.
“If Cilium can do 80% of the WAF functionality, we are going to put three or four people on a whole migration and just move it to Cilium completely. Because then we can use Cilium for more than just setting boundaries at the edge and in between namespaces. We can also use it for our L7 firewalling. Sometime next year, we want to use Cilium for everything.”
Remy Simons, Managing Consultant – Cloud/Platform Engineer, ilionx
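What "L7 firewalling" with Cilium looks like in practice, as an added example rather than anything ilionx has published. The tenant namespace `tenant-a`, the `app=frontend` and `app=api` labels, port 8080 and the `/api/v1/orders` paths are all assumptions. When a `toPorts` rule carries an `http` section, Cilium redirects that traffic through its per-node Envoy proxy and only requests matching one of the listed rules are passed on; the rest are answered with an HTTP 403:

```yaml
# Added example (not ilionx's policy): an HTTP method/path allowlist in front
# of the hypothetical tenant-a API pods. Only the frontend may call the API,
# and only with the requests enumerated below.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-allowlist
  namespace: tenant-a
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        # Read a single order: GET /api/v1/orders/<digits>. The path is a
        # regular expression, so anchor it; an unanchored "/api/v1/orders"
        # would also admit /api/v1/orders/../admin style paths.
        - method: "GET"
          path: "^/api/v1/orders/[0-9]+$"
        # Create an order: POST /api/v1/orders, and only with a JSON body.
        - method: "POST"
          path: "^/api/v1/orders$"
          headers:
          - "Content-Type: application/json"
        # Anything else on port 8080 (PUT, DELETE, other paths) is rejected
        # by the proxy with 403 before it reaches the application.
```

Two caveats a practitioner should weigh against the "80% of the WAF" target in the quote above. First, the proxy can only parse what it can see: HTTP rules apply to cleartext traffic between endpoints, so TLS has to be terminated before the policy point (for example at the ingress controller) or inspected explicitly. Second, these rules are a positive allowlist of method, path, host and headers; they do not inspect request bodies or carry the signature-based detection of a classic WAF, so the remaining gap has to be covered elsewhere or accepted knowingly.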
Cilium is a significant success for the Kubernetes platform team at ilionx, effectively catering to their networking, security, and observability requirements and allowing them to simplify and automate their developer’s networking needs.
Future Plans: Multi Cluster Networking and Security Observability
Since Cilium has addressed many of their networking and security concerns, ilionx plans to leverage other parts of the Cilium feature set and its suite of tools. To increase reliability, they plan to run clusters across multiple regions, with Cilium Cluster Mesh providing a stable multi-cluster networking foundation. The aim is to keep downtime to a minimum while enforcing the same L3/L7 policies in every cluster.
Besides Cilium, Simons explained they are also looking into Tetragon for security observability. “We are currently using an EDR solution to scan every process in their cluster and undergo several pen tests a year. Just trialling Tetragon, we already noticed that eBPF can do a lot more for security observability and are excited to dive into it more in the future.”