Cilium v1.6 Documentation
availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet following, which will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement NAT64 IPVLAN with tunneling Note The ipvlan-based datapath in L3 mode requires v4.12 or more recent Linux kernel’s socket is actually connected to the backend address and therefore no additional lower layer NAT is required. Deploy Cilium: kubectl create -f cilium.yaml kubectl -n kube-system get pods -l k8s-app=cilium
0 码力 | 734 pages | 11.45 MB | 1 year ago
Cilium v1.5 Documentation
availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet following, which will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement NAT64 IPVLAN with tunneling Note The ipvlan-based datapath in L3 mode requires v4.12 or more recent containers). This ensures simplicity in architecture, avoids unnecessary network address translation (NAT) and provides each individual container with a full range of port numbers to use. The logical consequence
0 码力 | 740 pages | 12.52 MB | 1 year ago
Cilium v1.8 Documentation
availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement FQDN Policies NAT64 IPVLAN with tunneling BPF-based masquerading Note The ipvlan-based datapath in L3 mode requires kernel’s socket is actually connected to the backend address and therefore no additional lower layer NAT is required. Verify that it has come up correctly: kubectl -n kube-system get pods -l k8s-app=cilium
0 码力 | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.10 Documentation
translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Cilium implements bandwidth availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement FQDN Policies NAT64 IPVLAN with tunneling eBPF-based masquerading Note The ipvlan-based datapath in L3 mode requires
0 码力 | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.9 Documentation
translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Cilium implements bandwidth availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement FQDN Policies NAT64 IPVLAN with tunneling eBPF-based masquerading Note The ipvlan-based datapath in L3 mode requires
0 码力 | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.7 Documentation
availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement FQDN Policies NAT64 IPVLAN with tunneling Note The ipvlan-based datapath in L3 mode requires v4.12 or more recent Linux kernel’s socket is actually connected to the backend address and therefore no additional lower layer NAT is required. Verify that it has come up correctly: kubectl -n kube-system get pods -l k8s-app=cilium
0 码力 | 885 pages | 12.41 MB | 1 year ago
Cilium v1.11 Documentation
translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Cilium implements bandwidth added by VPC CNI iptables -t nat -F AWS-SNAT-CHAIN-0 \\ && iptables -t nat -F AWS-SNAT-CHAIN-1 \\ && iptables -t nat -F AWS-CONNMARK-CHAIN-0 \\ && iptables -t nat -F AWS-CONNMARK-CHAIN-1 Some availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet
0 码力 | 1373 pages | 19.37 MB | 1 year ago
The Secrets of Cilium's Network Acceleration
kernel network stack raw PREROUTING mangle PREROUTING nat PREROUTING tc ingress conntrack filter FORWARD mangle POSTROUTING nat POSTROUTING tc egress veth XDP's performance ceiling is extremely high, possibly around 10 times that of TC raw PREROUTING mangle PREROUTING nat PREROUTING tc ingress conntrack filter FORWARD mangle POSTROUTING nat POSTROUTING tc egress routing XDP kernel ethernet driver kube-proxy DNAT kube-proxy SNAT worker node nodePort request backend endpoint tc eBPF NAT XDP eBPF NAT DSR accelerates north-south nodePort access. Traditional nodePort forwarding is accompanied by SNAT. Cilium, however, provides native and IPIP for nodePort
0 码力 | 14 pages | 11.97 MB | 1 year ago
North-South Load Balancing of Kubernetes Services with eBPF/XDP
ingress raw PREROUTING conntrack mangle PREROUTING nat PREROUTING FIB lookup mangle FORWARD filter FORWARD mangle POSTROUTING nat POSTROUTING TC egress host httpd pod lxc0 eth0 XDP
0 码力 | 11 pages | 444.46 KB | 1 year ago
eBPF at LINE's Private Cloud
global MAU • 3Tbps+ network traffic in total LINE Verda: LINE’s Private Cloud Service IaaS LB NAT … PaaS FaaS … Verda and XDP Based L4 Load Balancer Service • Part of our private cloud service
0 码力 | 12 pages | 1.05 MB | 1 year ago