
Cilium ENI Mode + Gateway API Deep-dive Configuration

info

This document is a deep-dive companion to the Gateway API Adoption Guide: a practical guide to combining Cilium ENI mode with Gateway API for high-performance networking on EKS.

Cilium ENI mode is a high-performance networking solution that directly utilizes AWS Elastic Network Interfaces to assign VPC IP addresses to pods. Combined with Gateway API, it achieves both standardized L7 routing and eBPF-based ultra-low latency processing.

1. What is Cilium ENI Mode?

Cilium ENI mode directly uses AWS ENI to assign VPC IP addresses to pods. Key features:

  • AWS ENI direct use: each pod receives a real VPC IP, so pod traffic is subject to the same AWS controls as any other VPC traffic (Security Groups, NACLs, VPC Flow Logs)
  • eBPF-based networking: service load balancing and policy enforcement run in the eBPF datapath instead of iptables chains (10x+ improvement over iptables-based kube-proxy at minimal CPU overhead)
  • Native routing: no overlay encapsulation (VXLAN/Geneve); pod-to-pod traffic follows the VPC routing tables directly

2. Architecture Overview

NLB (L4) → eBPF TPROXY (transparent proxy) → Cilium Envoy (L7 Gateway) → Backend Pods (ENI IPs)

Key Components

  1. NLB: managed L4 load balancer, microsecond-level forwarding latency; forwards to the Gateway's LoadBalancer Service on the nodes
  2. eBPF TPROXY: the tc-ingress eBPF datapath transparently redirects traffic destined for the Gateway to the local Envoy listener (socket assignment), so no iptables TPROXY rules or per-packet locking are involved
  3. Cilium Envoy: L7 processing; implements HTTPRoute, GRPCRoute and TLSRoute
  4. Cilium Operator: ENI lifecycle management (create/attach/detach), IP pool management per node
  5. Cilium Agent (DaemonSet): loads and manages the eBPF programs, acts as the CNI plugin
  6. Hubble: real-time network flow observability, L7 protocol visibility

3. Prerequisites

⚙️ EKS cluster requirements
Required environment for a Gateway API deployment

| Item | Requirement | Note |
|---|---|---|
| EKS version | 1.28 or later (recommended: 1.32) | Gateway API v1.4 compatibility |
| Control plane | kube-proxy disabled | Cilium's kube-proxy replacement takes over service handling |
| Node OS | Amazon Linux 2023 or Ubuntu 22.04 | kernel with eBPF support required (5.10+) |
| Container runtime | containerd 1.6+ | CRI compatibility |
| VPC CNI | Removal required | Cilium performs the CNI role |

4. Installation Flow

For new clusters: disable VPC CNI (aws-node) and kube-proxy → install the Gateway API CRDs → install Cilium via Helm with ENI mode, kube-proxy replacement and the Gateway API controller enabled → create Gateway and HTTPRoute resources. The CRD step must come before the Cilium install: the Cilium operator only starts its Gateway API controller when it finds the CRDs at startup.

For existing clusters: plan 5-10 minutes of downtime for VPC CNI removal and Cilium installation. Pods started under the VPC CNI keep working, but they are not managed by Cilium (no eBPF policy enforcement, no Hubble visibility) until they are re-created, so roll the node group or restart workloads after the install and confirm with `cilium status` that no unmanaged pods remain.
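The installation flow above as one concrete Helm values file, with the surrounding kubectl/helm steps as comments. This is an added example, not the page's or the Cilium project's own file: the file name, the API server endpoint placeholder and the Gateway API release tag are assumptions, and the Cilium operator additionally needs EC2 permissions (via IRSA) for ENI and IP management, which is outside this file.

```yaml
# values-eni-gateway.yaml  (added example; file name assumed)
#
# Install order on EKS:
#   1. Keep aws-node (VPC CNI) off the nodes Cilium will manage:
#      kubectl -n kube-system patch daemonset aws-node --type='strategic' \
#        -p='{"spec":{"template":{"spec":{"nodeSelector":{"io.cilium/aws-node-enabled":"true"}}}}}'
#   2. Do the same for kube-proxy; Cilium's kube-proxy replacement takes over:
#      kubectl -n kube-system patch daemonset kube-proxy --type='json' \
#        -p='[{"op":"add","path":"/spec/template/spec/nodeSelector/non-existing","value":"true"}]'
#   3. Install the Gateway API CRDs BEFORE Cilium (release tag assumed; TLSRoute is
#      still in the experimental channel and needs its CRD installed separately):
#      kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
#   4. helm repo add cilium https://helm.cilium.io
#      helm install cilium cilium/cilium -n kube-system -f values-eni-gateway.yaml
#   5. Roll the node group so every pod is re-created under Cilium, then: cilium status

# --- ENI mode: pods get VPC IPs straight from ENIs, no overlay ---
eni:
  enabled: true
  updateEC2AdapterLimitViaAPI: true     # read ENI/IP-per-ENI limits from EC2 instead of a static table
ipam:
  mode: eni
routingMode: native                     # VPC routing tables carry pod traffic; no VXLAN/Geneve
egressMasqueradeInterfaces: eth+        # primary interface pattern: eth+ on AL2, ens+ on AL2023
bpf:
  masquerade: true                      # masquerade in eBPF rather than iptables

# --- kube-proxy replacement: the agent must reach the API server without a kube-proxy ---
kubeProxyReplacement: true
k8sServiceHost: <EKS-API-ENDPOINT-HOSTNAME>   # assumed placeholder: the cluster's API endpoint without https://
k8sServicePort: 443

# --- Gateway API controller and the Envoy DaemonSet that implements it ---
gatewayAPI:
  enabled: true                         # silently ignored if step 3 (CRDs) was skipped
envoy:
  enabled: true                         # run Envoy as its own DaemonSet, separate from the agent

# --- Observability ---
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
```

After the install, `cilium status` should report kube-proxy replacement enabled and every cluster pod managed by Cilium; `kubectl get gatewayclass cilium` confirms the controller registered its GatewayClass.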

5. Gateway API Resource Configuration

Standard HTTPRoute, traffic splitting (canary), header-based routing, URL rewrite, and role separation (Gateway owned by the platform team, HTTPRoutes owned by application teams, with the Gateway's allowedRoutes deciding which namespaces may attach) are all supported identically to other Gateway API implementations; the GatewayClass name is `cilium`.
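The patterns listed above combined in one manifest, as an added example (not from the page or the Cilium project): a platform-owned Gateway that terminates TLS and only admits routes from labelled namespaces, and an application-owned HTTPRoute that does header-based canary selection, a prefix rewrite and a 90/10 split. Names, namespaces, hostnames and Service names are assumed; the NLB annotations assume the AWS Load Balancer Controller is installed and a Cilium release that copies `spec.infrastructure.annotations` onto the Service it creates for the Gateway.

```yaml
# Added example; all names are assumptions.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gw
  namespace: gateway-system           # owned by the platform team
spec:
  gatewayClassName: cilium            # GatewayClass registered by Cilium when gatewayAPI.enabled=true
  infrastructure:
    annotations:                      # copied onto the LoadBalancer Service so the AWS LB Controller builds an NLB
      service.beta.kubernetes.io/aws-load-balancer-type: external
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance   # NodePort path handled by Cilium's kube-proxy replacement
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: "*.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: example-com-tls         # lives in gateway-system; Cilium syncs it into its own secrets namespace for Envoy
    allowedRoutes:
      namespaces:
        from: Selector                # role separation: only namespaces the platform team labels may attach
        selector:
          matchLabels:
            gateway-access: shared
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api
  namespace: shop                     # must carry the label gateway-access=shared
spec:
  parentRefs:
  - name: shared-gw
    namespace: gateway-system
    sectionName: https                # attach to the TLS listener only
  hostnames:
  - api.example.com
  rules:
  # Header-based routing: a client that sends x-canary: true is pinned to v2.
  # Gateway API precedence puts a path+header match ahead of a bare path match regardless of rule order.
  - matches:
    - path:
        type: PathPrefix
        value: /
      headers:
      - name: x-canary
        value: "true"
    backendRefs:
    - name: api-v2
      port: 8080
  # URL rewrite: /legacy/orders is forwarded to api-v1 as /orders.
  - matches:
    - path:
        type: PathPrefix
        value: /legacy
    filters:
    - type: URLRewrite
      urlRewrite:
        path:
          type: ReplacePrefixMatch
          replacePrefixMatch: /
    backendRefs:
    - name: api-v1
      port: 8080
  # Traffic split: everyone else gets a 90/10 canary.
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: api-v1
      port: 8080
      weight: 90
    - name: api-v2
      port: 8080
      weight: 10
```

Check attachment with `kubectl -n shop get httproute api -o jsonpath='{.status.parents[*].conditions}'`: an `Accepted=False` with reason `NotAllowedByListeners` means the `shop` namespace is missing the `gateway-access=shared` label, which is the intended failure mode of the role-separation pattern.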

6. Performance Optimization

  • NLB + Cilium Envoy: ~3.5ms total latency vs ~15ms with ALB + NGINX (breakdown below)
  • Prefix delegation: the operator assigns /28 prefixes (16 addresses) to an ENI instead of single addresses, so roughly 16x fewer EC2 IP-assignment operations and a higher pod-density ceiling per ENI
  • BPF tuning: pre-allocated BPF maps (no memory allocation on the packet path) and Maglev consistent-hash load balancing
  • XDP acceleration: NodePort/LoadBalancer handling in the ENA driver's XDP hook, cited as 10x packet-filtering throughput and ~80% CPU reduction under DDoS-style floods
⚡ Latency comparison
ALB + NGINX vs NLB + Cilium

| Component | ALB + NGINX | NLB + Cilium | Improvement |
|---|---|---|---|
| L4 load balancer | ALB: 10ms | NLB: 0.4ms | 96% |
| L7 proxy | NGINX: 5ms | eBPF + Envoy: 3.1ms | 38% |
| Total latency | 15ms | 3.5ms | 77% |
🔄 Load-balancing algorithm comparison
Characteristics of Cilium's random vs maglev algorithms

| Algorithm | Connection affinity | On backend add | On backend remove | CPU overhead |
|---|---|---|---|---|
| random | none | no impact | no impact | minimal |
| maglev (recommended) | up to 90% of flows preserved | ~10% of flows relocated | only the removed backend's traffic relocated | low |

Maglev hashing is identical on every node, which matters behind an NLB: when the NLB moves a client's flow to a different node, that node selects the same backend, so the connection is not reset.
💻 Instance type recommendations
Instance selection optimised for the Gateway API node group

| Instance type | vCPU | Memory | Network bandwidth | ENIs | IPs per ENI | Recommended use |
|---|---|---|---|---|---|---|
| m7g.xlarge | 4 | 16GB | up to 12.5Gbps | 4 | 15 | general purpose, cost-effective |
| c7gn.xlarge | 4 | 8GB | up to 30Gbps | 4 | 15 | high-performance gateway |
| m7g.2xlarge | 8 | 32GB | up to 15Gbps | 4 | 15 | mid-size workloads |
| c7gn.4xlarge | 16 | 32GB | up to 50Gbps | 8 | 30 | large traffic volumes |
| m7g.8xlarge | 32 | 128GB | 25Gbps | 8 | 30 | high pod density |
| c7gn.12xlarge | 48 | 96GB | 100Gbps | 15 | 50 | very high performance |

In ENI mode the ENI count and IPs-per-ENI limit set the hard ceiling on pods per node (minus the primary IP of each ENI), so verify these two columns against the current AWS documentation for the exact instance type before sizing a node group; with prefix delegation each ENI slot holds a /28 prefix instead of one address, which raises the ceiling substantially.

7. Operations & Observability

Hubble provides real-time flow observation, service maps, L7 protocol visibility (HTTP, gRPC, Kafka, DNS) and Prometheus metric export. Because Envoy handles Gateway traffic, Hubble sees each request as an L7 flow with its HTTP method, path and status, and policy drops appear as explicit drop flows rather than silent packet loss.
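The tuning knobs from section 6 (prefix delegation, Maglev, pre-allocated maps, XDP) together with the Hubble metrics export described above, as a Helm values overlay. This is an added example, not the page's or the Cilium project's own file: the file name is assumed, and the numeric settings are the defaults or the documented sizing rule, not measurements from this page.

```yaml
# values-tuning.yaml  (added example; file name assumed)
# Apply on top of an existing install:
#   helm upgrade cilium cilium/cilium -n kube-system --reuse-values -f values-tuning.yaml
# Prefix delegation and XDP only take effect on nodes created after the change, so roll the node group.

eni:
  awsEnablePrefixDelegation: true   # /28 prefixes per ENI slot: ~16x fewer IP-assignment calls and more pods per node.
                                    # Needs Nitro instances and free, aligned /28 blocks in the subnet.
  awsReleaseExcessIPs: true         # hand unused addresses back so other nodes/services can use the subnet space

loadBalancer:
  algorithm: maglev                 # consistent hashing, identical on every node, so NLB flow moves keep their backend
  acceleration: best-effort         # XDP where the driver supports it (ENA does), tc fallback elsewhere.
                                    # Use "native" to fail loudly instead of silently falling back.
maglev:
  tableSize: 16381                  # must be prime; Cilium's guidance is roughly 100x the largest backend count per service

bpf:
  preallocateMaps: true             # allocate BPF map memory at load time, not on the packet path

hubble:
  enabled: true
  relay:
    enabled: true
  metrics:
    enableOpenMetrics: true         # OpenMetrics format so exemplars can be attached to the httpV2 series
    enabled:
    - dns
    - drop                          # policy and datapath drops as Prometheus series; alert on unexpected growth
    - tcp
    - flow
    - port-distribution
    - icmp
    - "httpV2:exemplars=true;labelsContext=source_namespace,source_workload,destination_namespace,destination_workload,traffic_direction"

envoy:
  prometheus:
    enabled: true                   # expose Envoy's own request metrics from the cilium-envoy DaemonSet
```

After the upgrade, `cilium status --verbose` shows whether XDP actually attached ("XDP Acceleration") and which load-balancer algorithm is active; if it reports `Disabled` for XDP with `best-effort`, the interface or its MTU is not XDP-capable and the node is running on the tc path.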

8. BGP Control Plane v2

For hybrid environments needing on-premises to EKS traffic routing via BGP. Not required when using NLB in pure AWS environments.

9. Hybrid Nodes Architecture and AI/ML Workloads

For EKS Hybrid Nodes combining cloud and on-premises GPU nodes, Cilium serves as a unified CNI. Recommended architecture: Cilium CNI + Cilium Gateway API + llm-d for minimized component count with optimal performance.