
eCHO news is your bi-weekly wrap up of all things eBPF and Cilium. If you want to keep up on the latest in cloud native networking, observability, and security, this is your quelle.

29th July 2025

 

Virtual machines are entering the cloud native world and it is time to shed their baggage. With eBPF and AF_XDP, Cilium is removing the layers of emulated devices, bridges, and namespaces that have long weighed down VM networking.

 

By combining AF_XDP with netkit, Cilium collapses the network path for VMs. Instead of traversing veth pairs and tap devices, traffic flows directly from the NIC to the guest kernel via QEMU’s AF_XDP backend. The result is lower latency, reduced CPU overhead, and a cleaner architecture.

 

More importantly, it unifies the datapath for containers and VMs, enabling a shared policy engine, consistent observability, and a common performance model. You can see some of the early work in this lwn.net article and there will be more coming out around KubeCon. I've got to finalize the schedule for CiliumCon so let’s 🐝 -gin.

The Technical

Is Cilium a Good Option for Kubernetes on Bare Metal?

"Cilium has emerged as a critical CNI plugin for bare metal"

 

Lets understand Kprobes & Kretprobes

Learn how to attach eBPF programs at entry or return points

 

Introducing TCP-in-UDP solution

Make sure packets are not being modified by the network with eBPF

 

How Cycode Optimized CI/MON eBPF Agent to Handle Thousands of Events/sec

Filter data, choose maps and programs wisely, monitor programs, and more

 

Unlocking Kernel Power: How eBPF Transforms Linux’s Capabilities

"eBPF exemplifies how programmability can empower scalable, secure systems"

 

BeePL: Correct-by-compilation kernel extensions

A domain-specific language for eBPF with a formally verified type system

 

Secure Deployment of eBPF Programs Made Manifest

Adding a manifest and proof of logging in a transparency log for eBPF programs

 

Shared Socket: Enhancing Kubernetes Pod Communication with eBPF

60% increase in throughput and 38% reduction in latency

 

Ant Group's Cloud Workload Protection Platform (Ant CWPP) Built with Kata Containers and eBPF

"eBPF has changed the implementation of security solutions" becoming a standard?

 

Using eBPF to debug eBPF

Diving into compilation errors

 

CNI Migration Post-mortem: Flannel to Cilium on Talos

"Six hours into what should have been a 30-minute CNI migration" this will be good

 

Debugging eBPF verifier: Best Practices for High-Performance Kernel Programming

Overcome complexity limits with tail calls, maps, helpers, and more

 

eBPF Observability: The Universal Encapsulation Principle

See how different applications track data with eBPF

 

eBPF: Handling events in Userspace

See how different projects do it

 

isovalent/cilium-up-and-running

Manifests, scripts, and configurations from the O'Reilly book Cilium Up and Running

 

kakao/kubectl-cilium

A kubectl plugin to monitor Cilium BPF map pressure and detect eviction risks

 

d-e-s-o/bpflint

Linting functionality for BPF C programs

 

madhavan-21/kernalKoala

L4 network monitor that uses tc to trace ingress and egress traffic in real time

 

alex-ilgayev/MCPSpy

MCP Monitoring with eBPF

 

Internet-Architecture-and-Security/PacketScope

A general-purpose protocol stack analysis and debugging tool based on eBPF

 

eunomia-bpf/MCPtrace

An MCP server using eBPF to trace your kernel with bpftrace

 

multikernel/kernelscript

A modern, type-safe, domain-specific programming language for eBPF development

 

markopetrovi/eBPFLuanti

Protect Luanti servers from packet-based abuse with eBPF/XDP
 
capelabs/eBPF-for-DFIR

Collect real-time system events on Windows for Digital Forensics and Response

🐝

 

The Ecosystem

Case Study: SuperNetflow – Reinventing Network Observability with eBPF

“eBPF gave us the ability to process network traffic with the same principles as P4 programmable switches – but entirely in software, with better flexibility, cost efficiency, and scalability.”

 

Help Us Map The State of Kubernetes Networking

Help out Nico by filling out a census for Kubernetes networking

 

Unleashing the Power of eBPF Capabilities for Linux Endpoint Security

"....makes eBPF a key component of modern endpoint protection"

 

Goodbye to iptables: A Quick Dive into GKE's Dataplane V2

Yes, GKE Dataplane V2 is just Cilium in a trench coat 

 

🔍 Unlocking Cloud-Native Power with Cilium and eBPF

Map Cilium features to personas

 

From kube-proxy to eBPF (Cilium)

"it’s pretty clear: Cilium powered by eBPF outperforms kube-proxy"

 

Kernel-Level Defense: How Radware Uses eBPF to Stop Volumetric Web DDoS Attacks

Taking L7 context and embedding it in the kernel

 

How Upwind Uses eBPF to Bring Real-Time Security to Cloud-Native Environments

"eBPF isn’t just a feature – it’s foundational"

🐝

 

The How To

Kubernetes - Installing Cilium CNI

in a k3s cluster

 

Certified Kubernetes Security Specialist Study Guide for Cilium

Implement pod-to-pod encryption with Cilium for the CKS

 

Restrict access to the IMDS endpoint on Azure Kubernetes Service with Cilium

Find problems with Hubble, fix them with Cilium network policies

 

Your First eBPF Program

Trace sys_enter_execve to see process execution on the system

 

Uncovering Pod to Pod Traffic in Kubernetes Using Cilium and Hubble

See the service map go live in minikube

🐝

 

The Video

High Security Cluster Operations with Cilium and Kyverno

From Cloud Native Zurich

 

Cisco Live Protect - Tetragon Powered CVE Mitigation for Nexus Switches

See Tetragon on a 9000 series switch with Splunk

 

Emerging Kubernetes tools and learning strategies

"I really like Cilium and Isovalent. A tool I'm keeping an eye on is Tetragon"

🐝

 

The Events

CiliumCon

November 10th in Atlanta

 

SIGCOMM 2025 eBPF Workshop

September 8-11th in Coimbra

 

Cilium in Action: Kubernetes Security & Insight

New virtual training from LF Training on September 15th

🐝 

The Livestreams

eCHO Episode 188: OOM and eBPF

 


  

eCHO Episode 189: Cilium Cluster Mesh with Cluster API and KubeVirt


Upcoming Stream

eCHO Episode 190: André’s Enigma Machine

The Post of the Week

You embark on a quest to tightly lock down Kubernetes namespaces & tighten egress and ingress with Cilium Network Policies … blah blah best practices. Then reality hits. Nothing talks to anything. Half your pods are crying in silence. So, you fire up Hubble. Suddenly, you see it all.. flows, drops, who’s yelling at whom. Every denied connection laid bare. You tweak, test, watch the drops disappear. By the end, it’s quiet. The cluster hums, policies are perfect, nothing unwanted gets in or out. You close your laptop. You sleep. Happy. Cilium and its little #eBPF 🐝 keep everything in line.

As always, if you’ve seen a blog post, a tool, or anything else eBPF or Cilium related that you think the rest of the community should hear about, send them my way. You can either hit reply or join the #echo-news channel on Cilium Slack. You can also find all of the past episodes on the website.

🐝


Written and sent by Bill Mulligan. Any feedback is welcome!


I work for Isovalent at Cisco which is leading the eBPF-Powered Revolution in Cloud Native Networking, Observability, and Security with Cilium and Tetragon
