External Traffic Engineering with Cilium
2024-03-18, Arena

Have you ever had a need to steer the incoming traffic to a subset of Kubernetes nodes? What about translating the source IP of traffic leaving the cluster to a fixed set of pre-defined addresses, all while maintaining high reliability and achieving sub-second failover times?

In this session we will walk you through a series of scenarios covering various aspects of ingress and egress Kubernetes traffic engineering using Cilium. We will demonstrate deployment scenarios and best practices that will help guide you through the most common design patterns. Along the way we will use industry-standard protocols, such as BGP, to achieve high availability, and open source solutions, such as Egress Gateway, to implement functionality that Kubernetes does not provide natively.
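As an added illustration that is not part of the session material, this is the shape of the Cilium Egress Gateway policy behind the "fixed set of pre-defined addresses" mentioned above: traffic from selected pods toward a legacy network is routed through a gateway node and SNATed to one stable IP that a perimeter firewall or IDS can key on. The namespace, labels, CIDRs and addresses are constructed placeholders.

```yaml
# Added example, not from the session: pin the source IP of egress traffic
# from one workload so perimeter firewalls can match a single, stable address.
# Namespace, labels, CIDRs and addresses are constructed placeholders.
apiVersion: cilium.io/v2
kind: CiliumEgressGatewayPolicy
metadata:
  name: payments-to-legacy-db
spec:
  # Which pods this policy applies to; the namespace is matched through the
  # reserved io.kubernetes.pod.namespace label.
  selectors:
    - podSelector:
        matchLabels:
          io.kubernetes.pod.namespace: payments
          app: payments-api
  # Only traffic to the legacy network is redirected through the gateway;
  # everything else keeps the normal egress path.
  destinationCIDRs:
    - "10.200.0.0/24"
  egressGateway:
    # The node that performs the SNAT, pinned by a label to a dedicated node.
    nodeSelector:
      matchLabels:
        egress-gateway: "true"
    # The fixed source IP to SNAT to; it must be configured on the gateway node.
    egressIP: "192.0.2.10"
```

Hosts in 10.200.0.0/24 then see every connection from payments-api arriving from 192.0.2.10, so a stateful firewall rule can allow that one address instead of the whole pod CIDR.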
Integrating cloud-native applications into existing, non-Kubernetes environments brings a lot of new challenges for infrastructure professionals. These legacy environments often dictate the need for fine-grained control of traffic going over a security perimeter with stateful inspection on firewalls and intrusion detection systems. Whether you’re doing it to stay compliant with industry regulations or to improve your security posture, the problems still need to be addressed and the burden lies on the team managing the Kubernetes cluster.

Very few talks and tutorials about Kubernetes networking focus on external traffic, and they often gloss over the details of integration with the wider IT ecosystem. This session gives the audience a chance to get a deeper understanding of typical patterns for ingress and egress traffic engineering. The provided examples and design patterns can be reused in any Kubernetes cluster.

We don’t assume much networking knowledge, but the tutorial is a mix of intermediate and more advanced topics. Whether you’re deploying in cloud, hybrid or multi-site environments, this tutorial will have something to address your needs. If you bring your laptop, you can also follow along with our hands-on labs, designed to demonstrate the concepts explained.

Piotr is an architect in the field of security, networking and clouds. He has designed and implemented Cloud Native and Data Center solutions in global-scale projects, and has developed features in MPLS, Adaptive Code Modulation and Autonomic Networking solutions. He is a presenter and author of sessions at KCD events, Cisco Live and VMworld, and is multi-cloud certified. In his free time he solves puzzles.

Michael is a network and security product manager at Isovalent. He has a diverse background spanning pre-sales, software development, network design and architecture. He enjoys writing code and technical blogs, exploring uncharted territories where cloud intersects with networking and security. An OSS contributor, author of books and blogs, and a KubeCon reject.