Isovalent Enterprise for Cilium

Cilium is an open source, cloud native solution for providing, securing, and observing network connectivity between workloads, fueled by the revolutionary Kernel technology eBPF

— cilium.io Website

isovalent cilium

APPUiO Managed provides Cilium by default in its enterprise version Isovalent Enterprise for Cilium. To learn more about Cilium, check out "What is Cilium?".

Isovalent Enterprise for Cilium addresses the complex workflows related to security automation, forensics, compliance, role-based access control, and integration with legacy infrastructure that arise as platform teams engage with application and security teams within an enterprise organization.

— Isovalent Website

Resources:

Supercharge OpenShift with Isovalent Cilium Enterprise (PDF by Isovalent)
Secure & scalable connectivity for open hybrid cloud with eBPF superpowers.
Accelerating the Journey to Cloud Native Microservices (PDF by Isovalent)
Overcoming the Networking, Observability and Security challenges that slow down adoption of production Kubernetes platforms.
Isovalent Cilium Enterprise - Security Сompliance & Forensics (PDF by Isovalent)
Leverage the power of eBPF to secure your Kubernetes platform.
Multi-Cluster Kubernetes Networking with Cilium (PDF by Isovalent)
APPUiO announcement: Partnership with Isovalent

cilium enterprise marketecture

Why using Cilium?

Using Cilium as the default Container Network Interface (CNI) in APPUiO Managed provides several compelling advantages:

Enhanced Security: Cilium leverages eBPF to provide highly efficient network security policies. This means stronger protection at both the network and application layers, safeguarding your Kubernetes environment against a wide range of security threats.
Improved Performance: By implementing a direct datapath, Cilium reduces latency and increases throughput, delivering superior performance compared to traditional CNIs. This is particularly beneficial for high-load applications and services.
Advanced Network Visibility: Cilium offers deep visibility into network traffic, enabling real-time monitoring and troubleshooting. This feature is invaluable for maintaining the health and performance of your Kubernetes clusters.
Multi-Cluster Networking: It supports seamless multi-cluster networking, making it easier to connect and manage multiple Kubernetes clusters, regardless of their location. This is essential for large-scale, distributed deployments.
Extensive Compatibility: Cilium is designed to be fully compatible with existing Kubernetes environments. It integrates smoothly with various cloud-native technologies, ensuring a hassle-free adoption in your Kubernetes ecosystem.

Features

Basic

The following features are part of the basic feature set which is included by default:

Networking

Cilium as default Container Network Interface (CNI) plugin
Cilium L3/L4 network policy, including both standard Kubernetes Network Policies and CiliumNetworkPolicies
BGP Service Announcement
Static Egress Gateway with High-Availability

Observability

Hubble flow observability events
Hubble flow metrics for consumption via external platforms like Prometheus
Multi-node Hubble querying for cluster-wide visibility via CLI + API (Hubble Relay)
L7 visibility

Advanced Networking and Observability

These features or configuration adjustments must be specifically requested. Activation and configuration of these features will imply additional engineering costs and recurring costs per vCPU, see Pricing.

Advanced Hubble features

Visualization of network connectivity ("service map") and network policies ("network policy editor")
Visualization of runtime behavior ("process ancestry tree")
Single-sign-on (SSO) and Role-based Access Control capabilities
Export of Hubble event data to SIEM via standard mechanism
TLS compliance monitoring

Advanced Networking

Cilium Cluster Mesh for multi-cluster routing, load-balancing, observability, and network policy.
Cilium transparent encryption using IPsec or Wireguard.
Cilium Gateway
Bandwidth Manager
Cilium L7 Service Mesh and East/West Gateway API
External VM Support

Tetragon

eBPF-based Security Observability and Runtime Enforcement.

Tetragon is a flexible Kubernetes-aware security observability and runtime enforcement tool that applies policy and filtering directly with eBPF, allowing for reduced observation overhead, tracking of any process, and real-time enforcement of policies.

— tetragon.io Website

Tetragon implementation and configuration must be specifically requested. Activation and configuration of this feature will imply additional engineering costs and recurring costs per vCPU, see Pricing.

Unsupported

All features marked as "Beta" by Isovalent or non-standard configuration adjustments are not supported by VSHN, but can still be activated or changed, although are neither monitored, backed up nor maintained. No guarantees are given, use them at your own risk.

Default Configuration

Latest supported Isovalent Enterprise for Cilium version
Default Kubernetes CNI plugin (Replacing potential default plugin of distribution)

Pricing

When using Cilium advanced feature sets, the following costs per Worker-vCPU are added:

Feature Set	Best Effort	Guaranteed Availability
Networking and Observability	CHF 5.00 per 30d CHF 0.0069 per hour	CHF 12.00 per 30d CHF 0.0167 per hour
Tetragon	CHF 12.00 per 30d CHF 0.0167 per hour	CHF 30.00 per 30d CHF 0.0417 per hour

Feature Set

Best Effort

Guaranteed Availability

Networking and Observability

CHF 5.00 per 30d
CHF 0.0069 per hour

CHF 12.00 per 30d
CHF 0.0167 per hour

Tetragon

CHF 12.00 per 30d
CHF 0.0167 per hour

CHF 30.00 per 30d
CHF 0.0417 per hour

Please note that the same Service Level applies like the underlying cluster.