Cilium NetworkPolicy with AWS Security Group rules
Cilium is a powerful network policy and security enforcement solution that is designed to work with Kubernetes and other container orchestration platforms.
Cilium network policy lets you define rules that control how traffic flows between Kubernetes pods and services, and between the cluster and the outside world. These rules enforce security policy and prevent unauthorized access to your cluster. Policies can be defined on a range of criteria, including IP addresses, ports, and protocols.
When Cilium runs on an AWS EKS cluster, it supports network policy rules based on AWS security groups: toGroups. This is not the same thing as Security Groups for Pods in the AWS VPC CNI: a Cilium toGroups rule whitelists communication between Pods inside the Kubernetes cluster and the set of EC2 instances that have the specified AWS security groups attached.
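As an added illustration that is not part of the original post, the manifest below is a CiliumNetworkPolicy that allows pods labelled app=demo-client to reach TCP/5432 only on EC2 instances carrying a given security group. The pod labels, the port and the sg- ID are assumptions; replace the placeholder ID with the real security group of the target instance. Because an egress section turns egress into an allow-list for the selected pods, a second rule keeps cluster DNS reachable.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: demo-client-to-ec2-sg        # name is an assumption for this example
  namespace: default
spec:
  # Pods this policy applies to (label is assumed)
  endpointSelector:
    matchLabels:
      app: demo-client
  egress:
    # Rule 1: allow TCP/5432 only to EC2 instances that carry the given
    # security group. The cilium-operator resolves the group to the
    # instances' IPs, so it needs AWS API access for this to work.
    - toGroups:
        - aws:
            securityGroupsIds:
              - sg-PLACEHOLDER_REPLACE_ME   # placeholder, not a real ID
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
    # Rule 2: once an egress section exists, everything not listed is
    # dropped, including DNS. Allow kube-dns so the pod still resolves names.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
```

Verify the resolved peers with `cilium policy get` on the node running the selected pod; if the toGroups rule shows no IPs, check the operator logs for AWS API errors before suspecting the policy itself.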
Prerequisites
This post demonstrates how to use toGroups rules in a Cilium NetworkPolicy to control traffic between the Kubernetes cluster and an EC2 VM.
For that, the Kubernetes Pods must be able to send traffic to the target EC2 VM. In my case, the EC2 instance is launched in the same VPC as the EKS cluster, and a security group is added to allow traffic coming in from Pods in…

