In Kubernetes, pods often need to securely communicate with external resources, such as internet services or APIs. Traditional Kubernetes network policies use IP addresses to identify these external resources. However, managing policies with IP addresses can be challenging because IPs often change, especially when dealing with dynamic websites or APIs.
Calico Enterprise addresses this challenge by extending Kubernetes network policies to support Fully Qualified Domain Names (FQDNs). This allows users to define policies using domain names instead of IP addresses, making it easier to manage and secure egress traffic. By dynamically mapping domain names to IPs, Calico ensures that policies remain up-to-date, enabling seamless and secure connectivity to external resources.
While this approach is conceptually simple, practical implementation is tricky. DNS mappings are dynamic: domain names often resolve to different IPs with each query, and wildcard support (e.g., *.example.com
) adds complexity. To address this, Calico monitors DNS traffic to create and manage domain-to-IP mappings dynamically, translating high-level DNS-based rules into efficient low-level constructs like iptables
, nftables
, or eBPF.
The DNS policy implementation significantly impacts performance and reliability. Currently, Calico offers three different modes to operate the DNS Continue reading
This is the second blog post in a series exploring how Kubernetes, despite its inherent complexity, provides features that simplify security efforts.
Kubernetes presents an interesting paradox: while it is complex, it simplifies many aspects of deploying and managing containerized applications, including configuration security. Once you navigate its learning curve, Kubernetes unlocks powerful capabilities and tool support that make managing configuration security significantly easier.
In this blog post, we’ll dive into how Kubernetes enhances configuration security and outline its key advantages.
Despite its complexity, Kubernetes offers a range of features that simplify configuration security. These include enhanced visibility, streamlined access to log data, robust RBAC (Role-Based Access Control) capabilities, security policy as code, a layered network policy model, and more. Many of these capabilities also improve the efficiency and effectiveness of mitigation and remediation workflows for configuration security. Below, we highlight key features that should be considered when developing a configuration security strategy.
Maintaining a complete inventory of workloads can be challenging in non-Kubernetes environments. However, Kubernetes provides complete visibility into every containerized workload running in the system. This eliminates concerns about shadow systems or overlooked resources that could Continue reading
Cloudflare Radar celebrated its fourth birthday in September 2024. As we’ve expanded Radar’s scope over the last four years, the value that it provides as a resource for the global Internet has grown over time, and with Radar data and graphs often appearing in publications and social media around the world, we knew that we needed to make it available in languages beyond English.
Localization is important because most Internet users do not speak English as a first language. According to W3Techs, English usage on the Internet has dropped 8.3 points (57.7% to 49.4%) since January 2023, whereas usage of other languages like Spanish, German, Japanese, Italian, Portuguese and Dutch is steadily increasing. Furthermore, a CSA Research study determined that 65% of Internet users prefer content in their language.
To successfully (and painlessly) localize any product, it must be internationalized first. Internationalization is the process of making a product ready to be translated and adapted into multiple languages and cultures, and it sets the foundation to enable your product to be localized later on at a much faster pace (and at a lower cost, both in time and budget). Below, we review how Cloudflare’s Radar Continue reading
Another year is almost gone, and it’s time for my traditional “I will disappear until mid-January” retreat (also, don’t expect me to read my email until I’m back).
I hope you’ll also be able to disconnect from the crazy pace of the networking world, forget the “AI will make networking engineers obsolete” shenanigans (hint: SDN did not), and focus on your loved ones. I would also like to wish you all the best in 2025!
I will probably get bored sometime in late December, so expect a few new netlab features in early January.
So far, this book has introduced two neural network architectures. The first one, the Feed-Forward Neural Network (FNN), works well for simple tasks, such as recognizing handwritten digits in small-sized images. The second one, the Convolutional Neural Network (CNN), is designed for processing larger images. CNNs can identify objects in images even when the location or orientation of the object changes.
This chapter introduces the Recurrent Neural Network (RNN). Unlike FNNs and CNNs, an RNN’s inputs include not only the current data but also all the inputs it has processed previously. In other words, an RNN preserves and uses historical data. This is achieved by feeding the output of the previous time step back into the hidden layer along with the current input vector.
Although RNNs can be used for predicting sequential data of variable lengths, such as sales figures or a patient’s historical health records, this chapter focuses on how RNNs can perform character-based text autocompletion. The upcoming chapters will explore word-based text prediction.
For training the RNN model, we typically use text datasets like IMDB Reviews or the Wikipedia Text Corpus. However, in this chapter, we simplify the process by using a tailored dataset containing Continue reading
Hello my friend,
Today we are going to talk about the last data type, which in generally exists in Python and Go (Golang), and which we need dearly for all meaningful applications including network and IT infrastructure automation. We are talking about structured, typed data, which is represented in Python in form of objects and classes and in Go (Golang) in form of structs. These structures are truly powerful and once you figure out how to use them, I’m quite confident you will be using it everywhere, where you can.
This question I’ve been asked rather frequently recently. Indeed, why do we in each blog post talk about Network Automation Trainings, which gravitate around Python/Ansible duet. The answer is straightforward: whilst Go (Golang) is very powerful as we showing it in these blogs, its usage in many cases is justified only in very high-scale environment. For majority of networks and IT systems, Python is great. It is suffice to say that entire OpenStack is built in Python. And ourselves we use it extensively in many customers’ systems. Go (Golang) is useful as extension of automation skills, Continue reading
Addy Osmani published an excellent overview of the challenges of AI-assisted coding. They apply equally well to the “AI will generate device configurations for me” or “AI will troubleshoot my network” ideas (ignoring for the moment the impact of the orders-of-magnitude smaller training set), so it’s definitely worth reading.
I particularly liked the “AI is like having a very eager junior developer on your team” take, as well as the description of the “70% problem” (AI will get you 70% there, but the last 30% will be frustrating) – a phenomenon perfectly illustrated by the following diagram by Forrest Brazeal:
In this episode of the Hedge, Eyvonne, Tom, and Russ talk about whether Intel will survive, centralization and industrial spying, and why you need to go touch grass and read a book.
As much as I love explaining how to use BGP in an optimal way, sometimes we have to do what we know is bad to get the job done. For example, if you have to deal with clueless ISPs who cannot figure out how to use BGP communities, you might be forced to use the Big Hammer of disaggregated prefixes. You can practice how that works in the next BGP lab exercise.
Click here to start the lab in your browser using GitHub Codespaces (or set up your own lab infrastructure). After starting the lab environment, change the directory to policy/b-disaggregate
and execute netlab up.