Kubernetes networking admins attending KubeCon+CloudNativeCon EU in London next week will need to visit booth S653. There, cloud networking service provider Aviatrix will be demonstrating its new Kubernetes firewall.
“One of the things which we didn’t have in the Kubernetes space is a really good Kubernetes-aware networking and security solution,” said Anirban Sengupta, Aviatrix CTO, in an interview with TNS. “Hardcore networking isn’t really integrated into Kubernetes.”
Prior to Aviatrix, Sengupta was at Google, where he was part of the team behind Anthos, the company's commercial Kubernetes service, focusing on the service mesh side of things. So he has been right at the intersection of Kubernetes, networking and the enterprise.
The Aviatrix Kubernetes Firewall brings enterprise-level control to Kubernetes deployments in cloud, multicloud and hybrid cloud environments. Built on intent-based policies, it addresses a number of common problems that arise when bringing K8s into the enterprise, such as managing IP addresses and integrating with non-Kubernetes, VM-based workloads.
Networking Complexities with Kubernetes
To date, Kubernetes security has focused largely on securing east-west traffic within the cluster itself, through Container Network Interface (CNI) plugins and service meshes.
This has led to operational silos across environments, according to Aviatrix, and has limited interoperability with non-Kubernetes resources such as traditional virtual machine (VM) workloads.
The result is duplicated diagnostic toolsets and fragmented policies for each environment. It also gives attackers more surface area to operate in: once inside a Kubernetes environment, an attacker can move laterally fairly easily.
IP Exhaustion
One particular pain point is the exhaustion of an organization's IP address space. Aviatrix estimates that Kubernetes consumes roughly 10 times as many IP addresses as a comparable VM-based deployment.
Large-scale deployments can exhaust an organization’s allotment of IP addresses, even when using cloud native tools that attempt to abstract away IP address management.
“We have customers who have hundreds of pods, and even a customer who has 1000 pods, which are all overlapping IP addresses,” Sengupta said. Companies are stingy with their IP addresses, given that they want to save them for external use.
Typically, this isn't an issue until the organization starts to network multiple clusters together, at which point the overlapping ranges collide: two pods in different clusters can hold the same address, so traffic between them cannot be routed unambiguously without NAT.
The problem is exacerbated by the way Kubernetes consumes address space in whole classless inter-domain routing (CIDR) blocks: each cluster is allocated pod and service CIDRs up front, and each node is carved a fixed slice of the pod range, so those addresses are reserved whether or not any pod ever uses them, depleting the organization's allotment even faster.
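The two addressing problems above, blocks reserved whether or not they are used and cloned clusters whose ranges collide once they are networked together, can be checked before clusters are peered. The following Python is an added example and is not Aviatrix's product code or anything from Kubernetes itself; the cluster names and CIDRs are constructed sample data, and the /24 per-node mask is assumed from kube-controller-manager's IPv4 default.

```python
# Added example (not Aviatrix's or Kubernetes' own code): audit a set of
# clusters for overlapping pod/service CIDRs and estimate how much of a
# corporate private allotment they reserve. Cluster names and CIDRs below
# are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


@dataclass(frozen=True)
class Cluster:
    name: str
    pod_cidr: str
    service_cidr: str
    # Prefix length carved out of pod_cidr for each node; /24 is the
    # kube-controller-manager default for IPv4 (--node-cidr-mask-size).
    node_mask: int = 24


def ranges(cluster: Cluster):
    """Yield (kind, network) for every block the cluster reserves."""
    yield "pod", ip_network(cluster.pod_cidr)
    yield "service", ip_network(cluster.service_cidr)


def reserved_addresses(cluster: Cluster) -> int:
    """Addresses the cluster claims up front, whether or not pods exist."""
    return sum(net.num_addresses for _, net in ranges(cluster))


def max_nodes(cluster: Cluster) -> int:
    """Nodes that fit before the pod CIDR is exhausted: each node takes a
    whole /node_mask block even if it runs only a handful of pods."""
    pod_net = ip_network(cluster.pod_cidr)
    return 2 ** (cluster.node_mask - pod_net.prefixlen)


def find_overlaps(clusters):
    """Every pair of reserved blocks that collide, across clusters and
    within one cluster (pod and service ranges must not overlap either)."""
    labelled = [(c.name, kind, net) for c in clusters for kind, net in ranges(c)]
    return [
        (n1, k1, n2, k2)
        for (n1, k1, r1), (n2, k2, r2) in combinations(labelled, 2)
        if r1.overlaps(r2)
    ]


def allotment_fraction(clusters, allotment: str) -> float:
    """Share of a private allotment consumed if every cluster must be
    uniquely addressed, which is what stitching clusters together requires."""
    demand = sum(reserved_addresses(c) for c in clusters)
    return demand / ip_network(allotment).num_addresses


def next_free_block(clusters, allotment: str, prefixlen: int) -> str:
    """First /prefixlen inside the allotment that collides with nothing,
    e.g. to re-address a cloned cluster before peering it."""
    taken = [net for c in clusters for _, net in ranges(c)]
    for candidate in ip_network(allotment).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    raise ValueError(f"no free /{prefixlen} left in {allotment}")


# Constructed sample: two clusters stood up from the same template
# (kubeadm's default 10.96.0.0/12 service range and the 10.244.0.0/16 pod
# range its guides commonly use) plus one with custom ranges.
CLUSTERS = [
    Cluster("prod-eu", "10.244.0.0/16", "10.96.0.0/12"),
    Cluster("prod-us", "10.244.0.0/16", "10.96.0.0/12"),
    Cluster("dev", "10.200.0.0/16", "10.201.0.0/16"),
]

if __name__ == "__main__":
    for n1, k1, n2, k2 in find_overlaps(CLUSTERS):
        print(f"OVERLAP: {n1}/{k1} collides with {n2}/{k2}")
    for c in CLUSTERS:
        print(f"{c.name}: reserves {reserved_addresses(c):,} addresses, "
              f"room for {max_nodes(c)} nodes")
    print(f"share of 10.0.0.0/8 needed: {allotment_fraction(CLUSTERS, '10.0.0.0/8'):.1%}")
    print("re-address prod-us pods to", next_free_block(CLUSTERS, "10.0.0.0/8", 16))
```

Run as a script it lists the colliding ranges (the two cloned production clusters) and shows that three modest clusters already need about 14% of a 10.0.0.0/8 allotment if each must be uniquely addressed. The same check belongs in a CI gate for cluster templates, because the collisions only surface once a second cluster is built from the same defaults and someone tries to connect the two.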
An Enterprise Firewall for Kubernetes
The Aviatrix Kubernetes Firewall is designed to streamline operations across Kubernetes and non-Kubernetes resources, unifying governance and security under a zero-trust architecture.
The firewall speaks Kubernetes' own vocabulary. Concepts such as namespaces, pods, nodes, labels and services can all be used by developers to describe where policy is enforced.
“All these policies can be implemented right as declarative, intent-based policy management,” Sengupta said. “There’s no IP addresses involved.”
The service provides dynamic network policy enforcement, dynamic IP allocation, real-time CIDR conflict resolution and identity-based enforcement, for both VM workloads and Kubernetes.
As a result, it can reconcile overlapping IP address ranges between clusters and the wider network through NAT, so organizations can give each cluster an ample IP allocation without those ranges having to be unique across the estate.
According to the company, key features include:
- Granular Identity-Based Security: Policy enforcement based on Kubernetes-native identities provides dynamic, workload-aware security.
- Unified Hybrid and Multicloud Visibility: Enterprises gain real-time visibility into Kubernetes traffic across all environments, enhancing observability and anomaly detection.
- Integrated Security for VMs and Kubernetes: A single security model unifies security policies across containerized and legacy applications, simplifying management and enforcement.
- Egress Traffic Control and Compliance: Enforced policy-based egress filtering maintains compliance with standards such as PCI-DSS, HIPAA and SOC 2.
- Automated Policy Management: A centralized control plane streamlines the definition and enforcement of security policies across multicloud and multicluster environments.
The service works with Amazon Web Services, Azure, Google Cloud, and on-prem environments.
In April, Aviatrix will host a webinar on integrating Kubernetes networking with enterprise infrastructure. KubeCon is managed by the Cloud Native Computing Foundation.
The post KubeCon EU 2025: Aviatrix’s Enterprise Firewall for Kubernetes appeared first on The New Stack.