The world of cloud-native networking is rapidly evolving, and one technology that is causing a stir is eBPF (extended Berkeley Packet Filter). Today, we’ll take a closer look at the roots of eBPF-based networking, its rise in popularity, and why it’s such an ideal match for the cloud-native world. We’ll also explore the key features and capabilities of Cilium, an open-source project built on top of eBPF to address networking, observability, and security challenges in container workloads.

The Roots of Programmability: Software Defined Networking

Before diving into the world of eBPF and its impact on networking, let’s take a trip down memory lane and explore the history of networking. In the 90s, networking was primarily physical, with cables, dial-up modems, and Layer 2 protocols dominating the scene. However, the late 90s saw the emergence of software-based firewalling solutions like iptables for Linux and PF for BSD. These projects laid the foundation for a larger movement towards software-defined networking (SDN).

SDN gained momentum in 2009 with the release of Open vSwitch, which brought programmability to the Linux kernel and paved the way for more flexible and dynamic networking solutions. This programmability aspect is still a cornerstone of eBPF-based networking today, as it removes the device-centric model from the equation, enabling greater control and adaptability.

The Rise of Containers and Kubernetes

Fast forward to 2013, when Docker burst onto the scene, revolutionizing the way applications were packaged and deployed. Containers became the new norm, and the rise of container orchestration platforms like Kubernetes followed suit. While the early networking solutions for containers were inherited from the virtualization era, Kubernetes took a different approach by making fewer assumptions about networking and security.

However, the desire to rapidly evolve Kubernetes led to a heavy reliance on iptables, a packet filter in the Linux kernel that was not perfect for the task at hand. This reliance on iptables provided the groundwork for the eBPF revolution that was about to unfold.

The eBPF Revolution Begins

In 2014, eBPF was first merged into the Linux kernel as an extended version of the long-standing packet filter BPF (Berkeley Packet Filter). This marked the beginning of a new era in networking programmability. With eBPF, developers gained the ability to write programs that could run directly in the Linux kernel and interact with the network stack. This breakthrough opened up a world of possibilities for networking, tracing, security, profiling, and observability.

One of the key milestones in the eBPF journey was the merging of the eBPF backend into the LLVM compiler suite, allowing LLVM to emit eBPF bytecode. This integration, combined with eBPF’s integration into the kernel’s traffic control layer, made Linux networking programmable with eBPF.

The year 2016 witnessed another significant development with the merging of XDP (eXpress Data Path) into the Linux kernel. XDP allowed eBPF programs to run directly in the driver of a network device, enabling high-performance packet processing and paving the way for eBPF-based load balancers.

Since then, eBPF has continued to evolve and grow in power and popularity. Its general-purpose nature has attracted a diverse community of developers, resulting in innovations across various domains, including networking, tracing, security, and observability.

Cilium & eBPF – An Ideal Match for the Cloud-Native World

With a brief history of eBPF and its revolutionary impact on networking, let’s dive into why eBPF, and specifically Cilium, is a perfect fit for the cloud-native world.


The programmability of eBPF is a game-changer in the rapidly evolving cloud-native landscape. Its flexibility allows developers to adapt to the dynamic requirements of cloud-native environments and easily scale their networking solutions. Google, for example, adopted Cilium as its new networking dataplane for Google Kubernetes Engine (GKE) because of the programmability offered by eBPF.

eBPF’s generic nature is another key advantage. Unlike networking-specific solutions like iptables or Open vSwitch, eBPF’s versatility attracts a larger community of innovators and avoids making premature assumptions about future networking challenges. This adaptability is crucial in a world where microservices and higher-level protocols take center stage.

Embedded in the Linux Kernel

One might argue that programmability already existed in the form of user-space networking. However, eBPF’s unique value proposition lies in its seamless integration into the Linux kernel. Unlike user-space frameworks, eBPF programs remain within the kernel, eliminating the need to traverse the socket layer and ensuring a more streamlined and efficient networking experience.

This integration is particularly important in the age of containers, where networking happens within the same kernel, without the natural boundary created by hypervisors in virtual machine environments.

Safety and Efficiency

While loading a Linux kernel module might provide arbitrary programmability, it comes with potential downsides. Kernel modules can be buggy and may crash the system. eBPF changed the game by bringing safety to kernel programming. Before execution, eBPF programs undergo a verification process, making them significantly more secure than loading a kernel module.

Efficiency is another area where eBPF shines. Thanks to its Just in Time (JIT) compiler, eBPF bytecode is executed natively, ensuring optimal performance without sacrificing speed.

Cilium – eBPF-based Networking, Observability, and Security

Now that we understand the power of eBPF, let’s explore Cilium, an open-source project that harnesses the capabilities of eBPF to address networking, observability, and security challenges in container workloads.


At its core, Cilium provides network connectivity for Kubernetes workloads as a Container Network Interface (CNI). It supports both IPv4 and IPv6, with the ability to handle direct-routing, encapsulation/overlay topologies, and integration with cloud-specific networking layers. Cilium can also act as a 100% kube-proxy replacement, providing efficient and scalable service load-balancing within a Kubernetes cluster.

But Cilium’s networking capabilities go beyond the cluster. With its XDP-based edge load-balancing feature, Cilium can steer traffic into Kubernetes clusters or operate independently. It supports consistent hashing with Maglev and provides implementations for Kubernetes service types like NodePort, LoadBalancer, and services with externalIPs.

Cilium also enables multi-cluster connectivity without the need for additional gateways or proxies. Global services in Cilium allow for routing service traffic across clusters seamlessly. Additionally, Cilium seamlessly integrates virtual and metal machines with Kubernetes workloads, eliminating the need for proxies or gateways.


Cilium’s security features are another major highlight. It offers full support for Kubernetes Network Policy, providing a modern, identity-based implementation built entirely on eBPF. This allows for fine-grained control over network traffic and enhances compliance monitoring and troubleshooting capabilities.

Cilium also integrates transparently with DNS-based service discovery, enabling network policies based on DNS names rather than IP addresses. This is particularly useful in dynamic service environments where IP addresses are constantly changing. The built-in DNS authorization further enhances the security model.

API awareness is another crucial aspect of Cilium’s security capabilities. It seamlessly injects proxies like Envoy on-demand, enabling policy enforcement at the API level for protocols like HTTP, Kafka, gRPC, Cassandra, and more.

Cilium also offers policy-driven SSL termination and injection, allowing for secure SSL connections without sharing secrets directly with workloads. Additionally, Cilium’s simulation and audit features enable users to inspect the effects of network policy changes before implementing them, ensuring a more secure and controlled environment.


Cilium provides extensive observability features to gain deep insights into networking, application behavior, and security. Flow logging at various levels provides visibility into forwarding and policy decisions. A cluster-wide flow query API allows for quick inspection of network behavior during incidents.

Programmable metrics in Cilium enable users to monitor network, application, and security behavior effectively. These metrics can be customized and configured to monitor specific aspects of the environment, ensuring the correctness and performance of the system.

Cilium’s service map feature simplifies the understanding of application topologies and dependencies with a graphical representation. Troubleshooting is made easier with Cilium’s built-in tracing system, which allows for tracking every forwarding decision. Packet drops can be monitored and analyzed in detail, aiding in problem diagnosis and resolution.


The evolution of eBPF has revolutionized cloud-native networking, offering unparalleled programmability, safety, and efficiency. Cilium, as an open-source project built on top of eBPF, takes full advantage of these capabilities to address networking, observability, and security challenges in container workloads.

As the cloud-native landscape continues to evolve, eBPF and Cilium will play a crucial role in enabling organizations to build scalable, secure, and observable networking solutions. With their versatility and adaptability, they are well-positioned to meet the demands of the cloud-native world.

So, whether you’re looking to enhance your networking capabilities, strengthen security, or gain deeper observability into your cloud-native environment, eBPF and Cilium are the technologies to watch out for.

Further Reading