Introduction
Kubernetes has become the cornerstone of cloud-native infrastructure. While its orchestration capabilities are widely recognized, Kubernetes networking remains one of its most complex yet crucial pillars — especially in enterprise-grade deployments.
If you're running production workloads in Azure Kubernetes Service (AKS), the choice of networking plugin significantly impacts scalability, security posture, observability, and compliance. Enter Azure CNI and Cilium, a pairing that combines Azure-native networking integration with cutting-edge, eBPF-powered security and visibility.
Azure CNI: High-Performance VNet Integration
Azure CNI is not just a network plugin—it’s the bridge between AKS and Azure’s virtual networking fabric.
How It Works:
- Each pod gets an IP address from the Azure VNet subnet (no NAT).
- This allows direct, routable access between pods and other Azure services (e.g., Azure SQL, Private Endpoints, etc.).
- Network Security Groups (NSGs), Route Tables, and firewalls apply natively.
Benefits:
- Predictable IP Addressing (no overlay needed)
- Hybrid connectivity ready
- Works seamlessly with Azure Firewall, Azure Application Gateway, and Private Link
However, Azure CNI alone lacks advanced features like application-layer security, identity-based policies, and deep observability. This is where Cilium steps in.
Cilium: eBPF-Powered Networking & Security
Cilium is a revolutionary Kubernetes networking and security project built on eBPF (extended Berkeley Packet Filter)—a Linux kernel technology that allows programmable, high-performance packet processing.
What Cilium Brings to AKS:
| Feature | Description |
|---|---|
| eBPF Networking | Replace iptables with eBPF for faster, more scalable packet filtering |
| L3/L4/L7 Network Policies | Apply granular access rules down to the API call level |
| FQDN-based Egress Control | Block/allow traffic to domains like *.github.com |
| Hubble Observability | Real-time network flow monitoring and service dependency visualization |
| Transparent Encryption | Encrypt pod-to-pod traffic with WireGuard, no app changes required |
Note: FQDN filtering, L7 network policies, and container network observability on AKS require enabling Advanced Container Networking Services on the cluster.
Why Azure CNI + Cilium Together?
- Azure CNI provides robust, native VNet integration
- Cilium enhances security and observability via eBPF
This duo creates a hybrid setup that’s ideal for regulated, performance-sensitive, production workloads.
Architecture Overview
Here’s what this combination looks like in practice:
Pods receive IP addresses directly from the Azure VNet subnet (Azure CNI), while Cilium runs as a DaemonSet on every node, enforcing network policies in the kernel via eBPF and exporting observability data (Hubble flows and metrics).
Zero Trust Security in AKS Using Cilium
The traditional perimeter firewall model is ineffective in Kubernetes. What you need is workload-level security — and that’s what Cilium delivers.
Security Capabilities:
- Identity-Aware Policies: Define rules like "Allow frontend pods to call backend pods only if they use service account X."
- FQDN Policies: Prevent data exfiltration by whitelisting external domains (e.g., allow only microsoft.com and github.com).
- Protocol-Aware Filtering: Enforce that service X only allows HTTP GET to /api/* from certain pods, not just any TCP traffic.
- Transparent Encryption: Secure east-west traffic inside your cluster using WireGuard-based encryption, with zero impact on apps.
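The feature table above and the four security capabilities just listed map onto concrete Cilium policy objects. The manifest below is an added example written for this post, not code from the Cilium project or from the original article; it assumes a namespace `shop`, pods labelled `app: frontend` and `app: backend`, a service account `frontend-sa`, a backend listening on TCP 8080, and the CoreDNS pods in `kube-system` carrying the `k8s-app: kube-dns` label. The FQDN and HTTP rules need Advanced Container Networking Services enabled on the AKS cluster.

```yaml
# Added example (not from the original post): two CiliumNetworkPolicy objects
# implementing identity-aware, protocol-aware ingress and FQDN-based egress.
# Assumed names: namespace "shop", labels app=frontend / app=backend,
# service account "frontend-sa", backend port 8080.
---
# 1) Identity-aware + protocol-aware ingress: the backend accepts only
#    HTTP GET on /api/* over TCP 8080, and only from frontend pods that run
#    as the frontend-sa service account. Any other pod, method or path is dropped.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-frontend-api-get
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
        # Cilium derives this label from the pod's ServiceAccount, so the rule
        # follows workload identity rather than a pod IP.
        io.cilium.k8s.policy.serviceaccount: frontend-sa
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/.*"   # extended regex: only /api/... paths are allowed
---
# 2) FQDN-based egress allow-list: frontend pods may reach microsoft.com and
#    *.github.com on TCP 443, plus cluster DNS. Once an egress policy selects
#    a pod, every destination not listed here is denied by default.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress-fqdn-allowlist
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: frontend
  egress:
  # DNS must be allowed explicitly AND passed through Cilium's DNS proxy
  # (the "dns" rule) so that the toFQDNs rule below can learn resolved IPs.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  - toFQDNs:
    - matchName: "microsoft.com"
    - matchPattern: "*.github.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Apply it with `kubectl apply -f` and check the outcome with Hubble rather than by guessing: `hubble observe --namespace shop --verdict DROPPED` lists every flow the two policies reject, which is the quickest way to discover a dependency (an internal service, a package mirror) that was not on the allow-list. Two points are easy to miss: the DNS rule is not optional, because without the `dns` L7 rule Cilium never sees the resolutions that back `toFQDNs`, and the HTTP rule is enforced by Cilium's Envoy proxy, so it applies only to plaintext HTTP on the port you name, not to TLS-encrypted traffic.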
Observability with Hubble: No More Blind Spots
Understanding how services communicate in Kubernetes is vital for debugging, auditing, and performance tuning. Cilium ships with Hubble, a distributed observability layer that runs natively on top of eBPF.
Features of Hubble:
- Service Dependency Graphs
- DNS Query Visibility
- L3–L7 Traffic Flows (who’s talking to whom)
- Dropped Packet Analysis
- Built-in Grafana/Prometheus Dashboards
Conclusion: Modernize Your Cluster Networking the Smart Way
The future of cloud-native networking is kernel-level, programmable, secure by default, and deeply observable.
By adopting Azure CNI with Cilium in AKS, you're not just provisioning connectivity — you're enabling:
- Zero-trust network enforcement
- Real-time application flow insights
- High-performance packet processing
- Resilience in a hybrid/multi-cloud environment