AKS Network Policy Manager vs Azure Cilium Network Policies


I am trying to implement network policies in an Azure AKS cluster. Upon reading the docs, I see Azure supports 3 policy engines.

Ref: https://learn.microsoft.com/en-us/azure/aks/use-network-policies#network-policy-options-in-aks

It also mentions that Cilium uses BPF vs Azure NPM using Linux iptables, where Cilium is more efficient.

I am wondering how Cilium is better for network policies, and when? My cluster is pretty small.

Can anyone tell me how I should verify what kind of performance issues I can face with Azure NPM vs Cilium?


Solution

  • Cilium can be more effective than Azure Network Policy Manager (NPM) for network policies due to its eBPF-based architecture, which allows it to operate within the Linux kernel.

    Why is Cilium better for network policies?

    Cilium uses eBPF, which enables network policy enforcement directly in the kernel, making it highly efficient for packet processing. As a result, it scales more effectively. Unlike Azure NPM, which relies on iptables and can slow down with a high number of rules, Cilium's performance remains consistent even in clusters with complex policies, even if the network policies grow in complexity or the cluster size increases. Even MS backs Cilium.

    What are the limitations of NPM vs Cilium?

    Azure NPM supports clusters up to 250 nodes. Performance may degrade with many policies or heavy traffic.

    vs

    Cilium has slightly higher complexity during initial setup and requires familiarity with eBPF-based observability tools.

    How should you verify what kind of performance issues you can face with Azure NPM vs Cilium?

    You can run latency and throughput tests by monitoring network configurations with Azure NPM, or by monitoring metrics with Cilium. A few other tools are there, like wrk or iperf, to measure network latency, or even Azure Monitor.
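The iperf-based check from the answer above, carried through as an added example (not part of the original post or the answerer's own code): run `iperf3 -J` between two pods once with no NetworkPolicy objects and again with your full policy set under each engine, then compare the receiver-side throughput against the baseline. The JSON reports below are constructed to mimic the `-J` output shape; the `kubectl exec` command in the docstring and the 10% loss threshold are assumptions, not values from the post.

```python
"""Compare pod-to-pod iperf3 throughput before and after applying network policies.

Assumed collection step (run from a client pod, once per scenario):
    kubectl exec <client-pod> -- iperf3 -c <server-pod-ip> -J > run.json
The JSON strings below are constructed samples in iperf3's -J shape.
"""
import json

# Constructed sample reports (only the fields this script reads).
BASELINE_JSON = json.dumps({"end": {"sum_received": {"bits_per_second": 9.8e9}}})
NPM_JSON = json.dumps({"end": {"sum_received": {"bits_per_second": 7.1e9}}})
CILIUM_JSON = json.dumps({"end": {"sum_received": {"bits_per_second": 9.6e9}}})


def throughput_mbps(iperf_json: str) -> float:
    """Receiver-side throughput in Mbit/s from an iperf3 -J report."""
    report = json.loads(iperf_json)
    # iperf3 emits {"error": "..."} instead of "end" when the connection fails,
    # e.g. when a policy silently drops the server port: surface that, don't KeyError.
    if "error" in report:
        raise RuntimeError(f"iperf3 failed: {report['error']}")
    return report["end"]["sum_received"]["bits_per_second"] / 1e6


def degradation_pct(baseline_mbps: float, policy_mbps: float) -> float:
    """Percentage of throughput lost relative to the no-policy baseline."""
    return round((baseline_mbps - policy_mbps) / baseline_mbps * 100, 1)


def compare(baseline_json: str, runs: dict, max_loss_pct: float = 10.0) -> dict:
    """Score each engine's run against the baseline; ok == loss within max_loss_pct."""
    base = throughput_mbps(baseline_json)
    results = {}
    for engine, report in runs.items():
        mbps = throughput_mbps(report)
        loss = degradation_pct(base, mbps)
        results[engine] = {"mbps": round(mbps, 1), "loss_pct": loss, "ok": loss <= max_loss_pct}
    return results


if __name__ == "__main__":
    for engine, r in compare(BASELINE_JSON, {"npm": NPM_JSON, "cilium": CILIUM_JSON}).items():
        state = "OK" if r["ok"] else "DEGRADED"
        print(f"{engine:7s} {r['mbps']:9.1f} Mbit/s  loss {r['loss_pct']:5.1f}%  {state}")
```

Repeat the runs after adding policies in batches (for example 10, 50, 200 rules) so that the loss curve, not a single point, tells you where each engine starts to degrade on your cluster.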