NetworkingNexus.net

Calico Whisker & Staged Network Policies: Secure Kubernetes Workloads Without Downtime

Rolling out network policies in a live Kubernetes cluster can feel like swapping wings mid-flight—one typo or overly broad rule and critical traffic is grounded. Calico’s Staged Network Policies remove the turbulence by letting you deploy policies in staged mode, so you can observe their impact before enforcing anything. Add Whisker, the open-source policy enforcement and testing tool (introduced as part of Calico Open Source 3.30) that captures every flow and tags it with a policy verdict, and you’ve got a safety harness that proves your change is sound long before you flip the switch. In this post, we’ll walk you through how you can leverage these capabilities to tighten security, validate intent, and ship changes confidently—without a single packet of downtime.

Deploying a Kubernetes Cluster

Calico for Policy is a CNI agnostic tool. Refer to the Calico Open Source docs for a list of supported CNIs. The git repository for this blog post can be found here.

For this post, let’s deploy a simple AKS cluster with Azure CNI.

## Configure 
az group create --name calicooss --location eastus2

## Create a 3 node AKS cluster with Azure CNI
az aks create \
  --resource-group calicooss \
  --name  Continue reading

Silicon One: Many Cisco Chips With One Architecture Chasing Many AI Workloads

With AI being the biggest change in IT infrastructure since the Dot Com boom, it was no surprise that at the annual Cisco Live event last month in San Diego, the focus was on AI – and particularly agentic AI – and how the networking giant differentiates itself from other infrastructure vendors when it comes to the emerging technology. …

Silicon One: Many Cisco Chips With One Architecture Chasing Many AI Workloads was written by Jeffrey Burt at The Next Platform.

Introducing simple and secure egress policies by hostname in Cloudflare’s SASE platform

Cloudflare’s SASE platform is on a mission to strengthen our platform-wide support for hostname- and domain-based policies. This mission is being driven by enthusiastic demands from our customers, and boosted along the way by several interesting engineering challenges. Today, we’re taking a deep dive into the first milestone of this mission, which we recently released in open beta: egress policies by hostname, domain, content category, and application. Let’s dive right in!

Egress policies and IP ACLs

Customers use our egress policies to control how their organization's Internet traffic connects to external services. An egress policy allows a customer to control the source IP address their traffic uses, as well as the geographic location that their traffic uses to egress onto the public Internet. Control of the source IP address is especially useful when accessing external services that apply policies to traffic based on source IPs, using IP Access Control Lists (ACLs). Some services use IP ACLs because they improve security, while others use them because they are explicitly required by regulation or compliance frameworks.

(That said, it's important to clarify that we do not recommend relying on IP ACLs as the only security mechanism used to gate Continue reading

Ultra Ethernet

Introduction

Remote Direct Memory Access over Converged Ethernet (RoCE) is a transport model that extends InfiniBand semantics over Ethernet networks. It enables direct memory access between hosts by encapsulating InfiniBand transport headers—such as the InfiniBand Transport Header (IBTH) and the RDMA Extended Transport Header (RETH)—within Ethernet, IP, and UDP packets. In by book "Deep Learning for Network Engineers" Chapter 9, describes how RDMA NICs process application work requests, known as InfiniBand verbs, and how these are encoded into IBTH and RETH headers for delivery to remote targets using RoCEv2.

This post shifts focus to the Ultra Ethernet Transport (UET) model, developed by the Ultra Ethernet Consortium (UEC). UET defines an alternative RDMA transport architecture that operates over standard Ethernet networks, without relying on InfiniBand message formats or semantics. While both RoCEv2 and UET enable remote memory access between nodes, UET is not based on InfiniBand transport headers, and the term RoCE is not used in UET systems.

Instead, UET introduces a new Ultra Ethernet (UE) layer composed of several sublayers, including the Semantic Sublayer (SES) and the Packet Delivery Sublayer (PDS). These sublayers are responsible for encoding and transmitting RDMA operations—such as memory addresses, remote keys (RKEYs), operation codes, and Continue reading

Expanding a Running Netlab Topology

One of the happy netlab users sent me an interesting challenge:

He’s built a large lab and added tons of extra configuration to the lab devices.
Afterwards, he realized he’d like to add a few more devices to the lab and was worried about losing all the changes he had made.

Unfortunately, you cannot add new devices to an already-running lab. You must shut down the lab, change the topology description, and start a new lab. However, there are things you can do to preserve the extra work you already did:

AWS Transit Gateway Introduction (VI)

In the previous post, we covered VPC Peering, which is a quick and easy way to create a connection between two VPCs. We also discussed its limitations, primarily that it is non-transitive. This means if VPC 'A' is peered with VPC 'B', and VPC 'B' is peered with VPC 'C', VPC 'A' cannot communicate with VPC 'C' through VPC 'B'. Because of this, to connect multiple VPCs together, you need to create a full mesh, where every VPC has a direct peering connection to every other VPC.

This complexity (when you have many VPCs) is why, in this post, we will look at AWS Transit Gateway (TGW). A Transit Gateway is an incredibly important networking resource in AWS that solves these scaling challenges. You will see the TGW featured in many modern AWS architecture diagrams because of the flexibility and simplicity it provides.

As always, if you find this post helpful, press the ‘clap’ button. It means a lot to me and helps me know you enjoy Continue reading

AWS VPC Peering (V)

Welcome back to the AWS Networking series. So far, we have covered a wide range of foundational topics. We started with the basics of building a VPC, creating subnets, configuring route tables, and providing Internet access with an Internet Gateway and a NAT Gateway. We then looked at the difference between stateful Security Groups attached to an instance's ENI and stateless Network ACLs applied at the subnet level. Most recently, we covered how to build a hybrid network using a Site-to-Site VPN.

In this post, we will continue to expand on VPC connectivity by looking at what AWS VPC Peering is and how to configure one.

If you are completely new to AWS networking, I highly recommend checking out our introductory posts linked below. However, if you are already familiar with the basics, you can carry on with this post.

As always, if you find this post helpful, press the ‘clap’ button. Continue reading

Build Your Own Private Cloud at Home With Docker

If you’re like me, you depend on a lot of systems and services, even within your home LAN. Because I work from home, that’s amplified to the point where I need certain applications available to me that aren’t hosted by a third party, for flexibility, ease of use, reliability and security. Thankfully, Docker is there to make deploying those apps and services considerably easier; otherwise, I’d wind up having to first deploy a collection of virtual machines (VMs), keep them running and worry about upgrading/managing them efficiently. Yeah, Docker makes this entire process easier. Even better, I can spin up those apps and services in seconds, instead of having to go the traditional route, which can often take quite a bit longer to deploy. But what are the apps and services that I depend on for my LAN to keep me productive? Surprise, surprise: I have a list, and here it is. Nextcloud

Worth Reading 070325

Ossification is still a major issue in today’s networking environment, and while it’s not a theme in the architecture of the transmission platform, we see it in the Internet Protocol itself, in our transport protocols, in our routing protocols, and in various applications.

The Federal Bureau of Investigation (FBI) is issuing this Public Service Announcement to warn the public about cyber criminals exploiting Internet of Things (IoT)1 devices connected to home networks to conduct criminal activity using the BADBOX 2.0 botnet2.

hile the architecture of the 900 series had no support for partitioning memory (requiring cooperation for multi-user activity), and many ran without any operating system at all, there was an optional NPL interface.

Most protocols do not have the equivalent of an X-Forwarded-For header. To solve this, HAProxy came up with the PROXY protocol, which is a Layer 4 protocol that allows a proxy server to communicate client information to a backend server.

If you built a proper technology strategy in the first place, driven by the business strategy, then no matter what is happening don’t ignore it, and don’t throw it out—update it and stick to it!

AWS Site-to-Site VPN (IV)

So far in the AWS Networking series, we have covered VPCs, subnets, route tables, Internet Gateways, NAT Gateways, EC2 instances, Security Groups, Network ACLs, and Elastic Network Interfaces. In this post, we will look at using a Site-to-Site VPN in AWS so you can securely connect your on-premise workloads to and from your AWS environment. This is a very important aspect of AWS networking, and this is a service you will use almost always.

If you have been following the series, you can easily follow along with this post. If you just stumbled upon this post, you can still continue, assuming you are already familiar with AWS networking basics. However, if you are completely new to AWS, I highly recommend checking out the previous posts linked below.

Why Do We Need a VPN to AWS?

When we launch an instance in a public subnet with a public IP address, we have seen that we can connect to Continue reading

How Multi-Agent Systems Revolutionize Data Workflows

The biggest challenge to AI initiatives is the data they rely on. …

How Multi-Agent Systems Revolutionize Data Workflows was written by Timothy Prickett Morgan at The Next Platform.

Best of the Hedge: Episode 1

Are you stressed? Everyone in IT seems to be continuously stressed–but what can we do about it? Sonia Cuff joins the Hedge to talk about stress.

download

From time to time we like to repost episodes of significance–this week we’re reposting episode 1.

Minding the Gap: SDS That Carries You Through Last Mile

Data center modernization is inevitable to keep pace with today’s performance-intensive workloads, which are growing especially rapidly in the financial services and e-commerce sectors. Software-defined storage (SDS) offers the promise of greater agility, scalability and reduced costs, making it a compelling part of the platform architect’s vision of a streamlined, software-driven infrastructure. A common priority for modernization is retiring traditional Fibre Channel (FC) SANs, which are perceived as legacy and complex. While still adequate for many application workloads, performance gaps exist in SDS block storage solutions that are engineered into legacy FC SANs, which cannot support the organization’s mission-critical application workloads. Once reserved as the primary storage tier for traditional workloads,

Palo Alto Upgrade from 10.2 to 11.2 (PA-440)

I have PA-440 in my home lab and was happily running PAN-OS 10.2.10-h9. But with the recent announcement that PAN-OS 10.2 will enter limited support from 26th August 2025, I decided it was time to upgrade. I was deciding between 11.1 and 11.2 for a while, but after reading through a few forums and discussions, I ended up choosing 11.2, specifically PAN-OS 11.2.4-h7.

Since I was already on 10.2, I could upgrade directly to 11.2 without going through any intermediate versions. As per the upgrade guide, all I had to do was download the 11.2.0 base image, then download and install 11.2.4-h7.

💡

Just to clarify, you only need to download the 11.2.0 base image, there’s no need to install it.

After downloading both the base image and the target image, just click 'Install' on the target image. As usual, make sure to take a backup before starting. If you’re running in HA, you can upgrade the firewalls one at a time without any downtime.

The whole process took about 10 to 15 minutes, and now I'm running 11.2.4-h7. If I come across any issues, I'll be sure to update this post.

Worth Reading: Expert Generalists

Martin Fowler published an interesting article about Expert Generalists. Straight from the abstract:

As computer systems get more sophisticated we’ve seen a growing trend to value deep specialists. But we’ve found that our most effective colleagues have a skill in spanning many specialties.

Also:

There are two sides to real expertise. The first is the familiar depth: a detailed command of one domain’s inner workings. The second, crucial in our fast-moving field is the ability to learn quickly, spot the fundamentals that run beneath shifting tools and trends, and apply them wherever we land.

Remember how I told you to focus on the fundamentals? 😎

Keep reading

A Detailed Look at Calico Cloud Free Tier

Why Calico Cloud Free Tier?

As Kubernetes environments grow in scale and complexity, platform teams face increasing pressure to secure workloads without slowing down application delivery. But managing and enforcing network policies in Kubernetes is notoriously difficult—especially when visibility into pod-to-pod communication is limited or nonexistent. Teams are often forced to rely on manual traffic inspection, standalone logs, or trial-and-error policy changes, increasing the risk of misconfiguration and service disruption. Safe policy management and microsegmentation becomes a daunting task without clear knowledge or insight into which services should communicate with each other.

In this detailed look, we’ll explore how Calico Cloud Free Tier builds upon Calico Open Source, and helps platform teams visualize traffic with a dynamic service graph, simplifies policy management, and even analyzes actual traffic to recommend policies.

What is Calico Cloud Free Tier?

Calico Cloud Free Tier is a managed SaaS, no-cost offering that extends the capabilities of Calico Open Source 3.30 and higher to help Kubernetes teams improve network visibility, simplify policy management, and improve security by simplifying microsegmentation. Designed for single-cluster environments, it provides platform engineers and operators with powerful observability and policy management tools. With a seamless onboarding experience for users already Continue reading

How Will Juniper Change HPE’s Datacenter Networking Strategy?

It has taken the better part of a year and a half and some wrangling with the US Department of Justice to get it done, but Hewlett Packard Enterprise has finally completed its $14 billion acquisition of Juniper Networks. …

How Will Juniper Change HPE’s Datacenter Networking Strategy? was written by Timothy Prickett Morgan at The Next Platform.

Site-to-site VPN between AWS and Palo Alto (Static & BGP)

In this blog post, we'll look at how to create a site-to-site VPN between AWS and a Palo Alto firewall. We'll go through both static routing and BGP options. This post assumes you're already somewhat familiar with AWS and Palo Alto, so we won't cover the basics like creating a VPC in AWS or setting up zones and policies on the firewall.

Overview

To create a VPN connection, you first need a compatible IPsec VPN device, like a firewall or router, at your on-premise location. In AWS, the resource you create to represent this device is called a Customer Gateway. In our example, the customer gateway is the Palo Alto firewall.

To send traffic from your VPC to your on-premise network, you route it to a Virtual Private Gateway (VGW). The VGW is a logical, redundant resource on the AWS side of the connection that you attach to your VPC. It serves as the target in your Continue reading

NAN095: Certification Deep Dive – The New Cisco Automation Track

Cisco recently announced a major evolution to its certification roadmap: starting February 2026, the popular DevNet certifications will transition to a brand-new Automation track. Joining us today is Francois Caen, Product Manager at Cisco, also an expert in network automation and a recognized voice in the Cisco Learning and Certification Community. We talk with Francois... Read more »

Molly-Guard: a Lifesaver on a Ubuntu Server

Have you ever managed to type reload in the wrong terminal window and brought down a core switch (I probably did)? I managed to do the Ubuntu equivalent of that stupidity: I told my main Ubuntu server to sudo poweroff instead of doing that to a Vagrant VM.

Fortunately, the open-source world doesn’t have to rely on the roadmaps created by networking vendors’ product managers; if there’s a big enough pain, someone will solve it.