Isovalent Enterprise Platform

VSHN Managed OpenShift uses Cilium as the default Container Network Interface (CNI). Isovalent Enterprise Platform builds on that foundation with deeper networking, observability, and runtime security capabilities for production environments.

Overview

Isovalent Enterprise Platform is designed for teams that need to:

  • enforce network security policies with more precision

  • improve visibility into service-to-service traffic and runtime behavior

  • scale multi-cluster networking patterns with less operational friction

  • apply runtime-level observability and enforcement with Tetragon

Platform Components

Depending on the ordered scope, Isovalent Enterprise Platform can include:

  • Isovalent Networking for Kubernetes

  • Isovalent Runtime Security

  • Isovalent Load Balancer

Why Enterprise Platform

Compared with OSS-only operation, the Enterprise Platform model emphasizes:

  • enterprise-grade support for purchased features

  • extended lifecycle coverage with tested releases and critical fixes

  • production-focused capabilities for scale, security, and compliance

When This Is a Fit

This model is typically a strong fit when you need:

  • stronger segmentation and policy control beyond baseline defaults

  • faster incident analysis with deeper flow and protocol visibility

  • transparent encryption and multi-cluster connectivity patterns

  • runtime security telemetry and enforcement for critical workloads

Strategic Use Cases

Future-proof infrastructure

Use eBPF-based networking and security capabilities that align with modern cloud-native platform patterns.

Reduce tool sprawl

Consolidate networking, observability, and runtime security capabilities into a more unified operating model.

Accelerate platform and compliance

Use policy, observability, and integration capabilities to shorten the path to production readiness and compliance operations.

Features

Networking

Key networking capabilities include:

  • eBPF-based load balancing at kernel level

  • Cluster Mesh for cross-cluster connectivity and service discovery

  • network policy enforcement across L3/L4/L7

  • identity-based policy and micro-segmentation

  • transparent encryption with IPsec and WireGuard

  • kube-proxy replacement with eBPF data-plane handling

  • Gateway API support for advanced routing and traffic management

  • BGP support for LoadBalancer and egress routing use cases

  • static egress gateway and broader hybrid connectivity patterns

Observability

Key observability capabilities include:

  • eBPF-based metrics and tracing with integration patterns for platforms such as Prometheus and Grafana

  • service maps for service-to-service dependency visibility

  • identity-aware flow logs with policy verdict context

  • protocol-level visibility for traffic such as HTTP, gRPC, and Kafka

  • cluster-wide visibility via Hubble components

  • Golden Signals-oriented operational visibility

  • historical event exploration via Hubble Timescape

  • SIEM export and integration patterns

Runtime Security (Tetragon)

Tetragon provides:

  • Kubernetes-aware, eBPF-based runtime security

  • real-time runtime observability and policy enforcement

  • monitoring of process execution, syscalls, network activity, and file access

  • kernel-level policy enforcement

  • forensic analysis support by correlating runtime and network events

Common Use Cases

Common use cases include:

  • service mesh patterns

  • kube-proxy replacement

  • high-performance CNI requirements

  • protocol-level visibility and troubleshooting

  • transparent encryption requirements

  • zero-trust-oriented policy enforcement

Load Balancer Options

Two load-balancer-related options exist in the commercial model:

  • Load Balancer for Kubernetes as a networking add-on

  • Load Balancer (Essentials) as a separate Isovalent product line

Commercial Model and Defaults

The commercial defaults for Isovalent Enterprise Platform selections are:

  • Networking enabled (Essentials)

  • Runtime Security disabled

  • Load Balancer disabled

  • Networking add-ons disabled by default

| Capability | Default | Optional | Billable | Notes |
|---|---|---|---|---|
| Base Cilium networking and observability | Yes | No | No | Included in the base Managed OpenShift scope. |
| Networking tier | Essentials | Advantage | Yes | Tier selection contributes to unit consumption. |
| Runtime Security (Tetragon) tier | No | Essentials / Advantage | Yes | Can be enabled for runtime-level observability and enforcement. |
| Networking add-ons | No | Yes | Yes | VSHN commercial catalog add-ons. Requires Networking enabled. |
| Runtime Security add-on | No | Yes | Yes | VSHN commercial catalog add-on. Requires Runtime Security Tier enabled. |
| Load Balancer (Essentials) product | No | Yes | Yes | Separate Isovalent product line, distinct from the Load Balancer for Kubernetes networking add-on. |

How Licensing Is Calculated

Isovalent Enterprise Platform licensing is calculated using Isovalent Units. Unit requirements are derived from worker topology, environment characteristics, and selected products/features. The Standard Node Equivalent (SNE) model uses up to 16 cores / 64 GiB RAM per SNE. SNE per worker is calculated as max(ceil(cores/16), ceil(RAM_GiB/64)); larger workers count as multiple SNEs.

  1. Worker and environment topology is evaluated over the billing period.

  2. Selected tiers and add-ons determine required unit quantities.

  3. Unit consumption is aggregated for the billing period.

  4. Licensing charges are calculated from total consumed units multiplied by the applicable unit rate.

Monthly totals can increase or decrease with worker-topology changes over time.

Support Scope

Supported features are delivered and operated according to the agreed managed scope. Activation of optional capabilities is handled by request and may involve additional engineering work. Technical support scope follows purchased features and contracted service terms.

Unsupported and Beta Features

Features marked as beta by Isovalent, or non-standard configuration adjustments, are not supported by VSHN by default. They can be activated on request but are not monitored, backed up, or maintained unless explicitly agreed.

Pricing

When enabling Isovalent Enterprise Platform feature sets, the following additional reference rates apply. Values are shown in CHF per Standard Node Equivalent (SNE) per 30 days. One SNE corresponds to up to 16 cores and 64 GiB RAM. Larger workers count as multiple SNEs (for example, 32 cores / 128 GiB = 2 SNEs).

| Feature Set | Essentials (CHF / SNE / 30 days) | Advantage (CHF / SNE / 30 days) |
|---|---|---|
| Networking and Observability | CHF 47.84 | CHF 95.68 |
| Runtime Security (Tetragon) | CHF 24.00 | CHF 47.84 |
| Load Balancer (Essentials) | CHF 12.00 | CHF 12.00 |
| Egress Gateway | CHF 16.00 | CHF 16.00 |
| Encryption | CHF 16.00 | CHF 16.00 |
| Load Balancer for Kubernetes | CHF 12.00 | CHF 12.00 |
| SIEM Export | CHF 8.00 | CHF 8.00 |
| Multi Cluster | CHF 24.00 | CHF 24.00 |
| Runtime Aware Network Policy | CHF 16.00 | CHF 16.00 |

How to use this table:

  • Add the rates for the features you enable.

  • Determine the average number of SNEs active during the month.

  • SNE per worker is max(ceil(cores/16), ceil(RAM_GiB/64)).

  • Treat the result as a directional estimate.

Example (directional): If your cluster averages 3 SNEs during a month and you enable Networking and Observability (Essentials) plus Egress Gateway, the estimated add-on charge is (47.84 + 16.00) x 3 = CHF 191.52 / month.

Final billing is based on actual Isovalent Unit consumption for your worker topology during the billing period. Rows without tier variants intentionally show identical values in both columns.