Do You Need a Service Mesh? Understanding the Role of CNI vs. Service Mesh

The world of Kubernetes networking can sometimes be confusing. What’s a CNI? A service mesh? Do I need one? Both? And how do they interact in my cluster? The questions can go on and on.

Even for seasoned platform engineers, making sense of where these two components overlap and where the boundaries of responsibility end can be challenging. Seemingly bewildering obstacles can stand in the way of getting the most out of their complementary features.

One way to cut through the confusion is to start by defining what each of them is, then look at their respective capabilities, and finally clarify where they intersect and how they can work together.

This post will clarify:

  • What a CNI is responsible for
  • What a service mesh adds on top
  • When you need one, the other, or both

What a CNI Actually Does

Container Network Interface (CNI) is a standard way to connect and manage networking for containers in Kubernetes. It is a set of standards defined by Kubernetes for configuring container network interfaces and maintaining connectivity between pods in a dynamic environment where network peers are constantly being created and destroyed.

Those standards are implemented by CNI plugins. A CNI plugin is Continue reading

Arista Radius Administrator Login with Cisco ISE

Arista Radius Administrator Login with Cisco ISE

Let’s assume a simple scenario. You have two different teams managing your Arista devices. One team is made up of network administrators who need full access to the devices. The other team only needs limited access and should not be able to make any configuration changes.

A common way to handle this is by using role-based access with Radius. You can assign different privilege levels based on who is logging in, without creating local users on every device. In this post, we will look at how to achieve this using Cisco ISE and Radius. You do not have to use Cisco ISE, any Radius server can do the job, but this post focuses on Cisco ISE since it is commonly used in enterprise environments.

Configuring AAA on Arista EOS Devices Using TACACS+ and ISE
In this blog post, let’s look at how to configure TACACS+ authentication on Arista EOS devices using Cisco ISE. When someone tries to log in to the device
Arista Radius Administrator Login with Cisco ISEPacketswitchSuresh Vinasiththamby
Arista Radius Administrator Login with Cisco ISE

Overview

For this example, we will have two users, each belonging to a different group with different access requirements.

  • bob is part of the network-admin group and needs full access
  • brad is part of the Continue reading

Merry Christmas And Happy New 2026 Year

Dear friends,

Thank you so much for reading our blog, for all your questions and interesting discussions. You are amazing audience, thanks for being with us.

It is absolute pleasure to wish each and every of you Merry Christmas! Let the coming year be successful, healthy and prosperous for you and your beloved ones. And for now, have a wonderful Christmas time.

Yours sincerely,

Team Karneliuk

How Workers powers our internal maintenance scheduling pipeline

Cloudflare has data centers in over 330 cities globally, so you might think we could easily disrupt a few at any time without users noticing when we plan data center operations. However, the reality is that disruptive maintenance requires careful planning, and as Cloudflare grew, managing these complexities through manual coordination between our infrastructure and network operations specialists became nearly impossible.

It is no longer feasible for a human to track every overlapping maintenance request or account for every customer-specific routing rule in real time. We reached a point where manual oversight alone couldn't guarantee that a routine hardware update in one part of the world wouldn't inadvertently conflict with a critical path in another.

We realized we needed a centralized, automated "brain" to act as a safeguard — a system that could see the entire state of our network at once. By building this scheduler on Cloudflare Workers, we created a way to programmatically enforce safety constraints, ensuring that no matter how fast we move, we never sacrifice the reliability of the services on which our customers depend.

In this blog post, we’ll explain how we built it, and share the results we’re seeing now.

Building a Continue reading

Yayoi Kusama: Seniman Polkadot yang Mengubah Dunia Seni Modern

Perjalanan Hidup Awal yang Penuh Imajinasi

Kisah hidup Yayoi Kusama selalu menarik perhatian banyak pencinta seni. Ia lahir di Matsumoto, Jepang, dan tumbuh dalam lingkungan yang penuh tekanan keluarga. Meski demikian, ia justru menemukan pelarian melalui seni. Imajinasi visualnya berkembang sejak kecil. Ia sering melihat pola berulang yang memenuhi ruang di sekitarnya. Fenomena itu kemudian membentuk identitas artistiknya di masa depan.

Selain itu, Kusama mulai menggambar polkadot sejak usia belia. Pola tersebut muncul dari pengalaman visual yang terus menyertainya. Walau hidupnya tak mudah, Kusama berhasil mengubah kesulitan itu menjadi kekuatan kreatif. Gaya avant-garde miliknya terbentuk dari keberaniannya menolak batas. Karena itu, banyak kritikus menilai konsistensi gagasannya berbeda dibanding seniman lain pada zamannya.

Namun perjalanan menuju panggung dunia tidak terjadi secara instan. Kusama harus menghadapi banyak penolakan. Tetapi tekadnya kuat. Ia terus berkarya dan mencari tempat yang bisa menerima suaranya. Sikap tersebut kemudian menjadi pondasi kesuksesannya.

Era New York dan Lahirnya Seni Eksperimental

Pada tahun 1950-an, Yayoi Kusama mengambil keputusan besar. Ia pindah ke New York untuk mengejar mimpi besar di dunia seni internasional. Kota Continue reading

Worth Reading 121925


In my earlier article on Technitium and Wazuh, I described DNS as both a behavioral signal and an enforcement point. DNS queries appear early in the attack chain, often long before C2 traffic stabilizes.


Cloudflare’s network suffered a brief but widespread outage Friday, after an update to its Web Application Firewall to mitigate a vulnerability in React Server Components went wrong.


You’d think that by now, networks were well enough understood that people would stop making assumptions that we have known, almost since the dawn of networking, to be untrue. Yet as users, developers, and network administrators, we still seem curiously unable to let go of long-held beliefs.


As well as the Mac clones, there were PC-style PowerPC machines – and a version of classic MacOS for them has just been rediscovered, enabling previously unimagined combinations.


Have you ever experienced that moment of panic when you can’t recall a familiar phone number or navigate without a map app? This growing reliance on external memory—known as the “Google Effect”—is a real-world example of how we’ve outsourced core cognitive functions to our devices.

Code Orange: Fail Small — our resilience plan following recent incidents

On November 18, 2025, Cloudflare’s network experienced significant failures to deliver network traffic for approximately two hours and ten minutes. Nearly three weeks later, on December 5, 2025, our network again failed to serve traffic for 28% of applications behind our network for about 25 minutes.

We published detailed post-mortem blog posts following both incidents, but we know that we have more to do to earn back your trust. Today we are sharing details about the work underway at Cloudflare to prevent outages like these from happening again.

We are calling the plan “Code Orange: Fail Small”, which reflects our goal of making our network more resilient to errors or mistakes that could lead to a major outage. A “Code Orange” means the work on this project is prioritized above all else. For context, we declared a “Code Orange” at Cloudflare once before, following another major incident that required top priority from everyone across the company. We feel the recent events require the same focus.  Code Orange is our way to enable that to happen, allowing teams to work cross-functionally as necessary to get the job done while pausing any other work.

The Code Continue reading

Innovating to address streaming abuse — and our latest transparency report

Cloudflare's latest transparency report — covering the first half of 2025 — is now live. As part of our commitment to transparency, Cloudflare publishes such reports twice a year, describing how we handle legal requests for customer information and reports of abuse of our services. Although we’ve been publishing these reports for over 10 years, we’ve continued to adapt our transparency reporting and our commitments to reflect Cloudflare’s growth and changes as a company. Most recently, we made changes to the format of our reports to make them even more comprehensive and understandable.

In general, we try to provide updates on our approach or the requests that we receive in the transparency report itself. To that end, we have some notable updates for the first half of 2025. But our transparency report can only go so far in explaining the numbers. 

In this blog post, we’ll do a deeper dive on one topic: Cloudflare’s approach to streaming and claims of copyright violations. Given increased access to AI tools and other systems for abuse, bad actors have become increasingly sophisticated in the way they attempt to abuse systems to stream copyrighted content, often incorporating steps to hide their behavior. We’ve Continue reading

Happy Holidays and All the Best in 2026!

They say time goes faster as you get older, and it seems to be true. Another year has (almost) gone by.

Try to disconnect from the crazy pace of the networking world, forget the “vibe coding with AI will make engineers obsolete” stupidities (hint: Fifth Generation Languages and Natural Language Programming were all the rage in the 1980s and 1990s), and focus on your loved ones. I would also like to wish you all the best in 2026!

In the meantime, I’m working on weaning netlab off of a particular automation tool (you can always track the progress on GitHub). Expect the first results in the January netlab release.

How Istio Ambient Mode Delivers Real World Solutions

For years, platform teams have known what a service mesh can provide: strong workload identity, authorization, mutual TLS authentication and encryption, fine-grained traffic control, and deep observability across distributed systems. In theory, Istio checked all the boxes. In practice though, many teams hit a wall.

Across industries like financial services, media, retail, and SaaS, organizations told a similar story. They wanted mTLS between services to meet regulatory or security requirements. They needed safer deployment capabilities like canary rollouts and traffic splitting. They wanted visibility that went beyond IP addresses.

However, traditional sidecar based meshes came with real costs:

  • High operational complexity
  • Thousands of sidecars to manage
  • Fragile upgrade paths
  • Hard to debug failure modes

In several cases, teams started down the Istio service mesh path, only to pause or roll back entirely because the ongoing operational complexity was too high. The value of a service mesh was clear, but the service mesh architecture based on sidecars was not sustainable for many production environments.

The Reality Platform Teams Have Been Living With

In many cases, organizations evaluated service meshes with clear goals in mind. They wanted mTLS between services, better control over traffic during deployments, and observability that could keep up. Continue reading

IPB190: IPv6 in Kubernetes Deployments

Kubernetes is a popular container orchestration platform. Today’s IPv6 Buzz episode explores the benefits of using IPv6 in Kubernetes, and how Kubernetes uses IP addresses in both the control plane and data plane.We also address why the adoption rate is estimated to be so low, from default configurations to issues with non-IPv6-aware applications inside containers.... Read more »

Announcing support for GROUP BY, SUM, and other aggregation queries in R2 SQL

When you’re dealing with large amounts of data, it’s helpful to get a quick overview — which is exactly what aggregations provide in SQL. Aggregations, known as “GROUP BY queries”, provide a bird’s eye view, so you can quickly gain insights from vast volumes of data.

That’s why we are excited to announce support for aggregations in R2 SQL, Cloudflare's serverless, distributed, analytics query engine, which is capable of running SQL queries over data stored in R2 Data Catalog. Aggregations will allow users of R2 SQL to spot important trends and changes in the data, generate reports and find anomalies in logs.

This release builds on the already supported filter queries, which are foundational for analytical workloads, and allow users to find needles in haystacks of Apache Parquet files.

In this post, we’ll unpack the utility and quirks of aggregations, and then dive into how we extended R2 SQL to support running such queries over vast amounts of data stored in R2 Data Catalog.

The importance of aggregations in analytics

Aggregations, or “GROUP BY queries”, generate a short summary of the underlying data.

A common use case for aggregations is generating reports. Consider a table called “sales”, which contains Continue reading

D2DO290: AI’s Impact on Developer Productivity Vs. Development Productivity

Ned Bellavance and Kyler Middleton are joined by Rachel Stephens, Research Director at RedMonk, to discuss the state of DevOps and the impact of AI. They explore the distinction between developer productivity and development productivity, underlined by a DORA report finding that while AI dramatically boosts individual developer productivity, it often fails to improve overall... Read more »
1 7 8 9 10 11 3,841