The Futuriom Q&A: Inside the Benefits of Isovalent with Nico Vibert


By: R. Scott Raynovich


In April of 2024, Cisco closed the acquisition of Isovalent, an important startup that developed secure networking technology for cloud-native and containerized environments. Futuriom saw this as a major strategic acquisition to extend container-level networking capabilities across cloud-native infrastructure.

Isovalent leverages eBPF and Cilium technology, which have become de facto building blocks for cloud-native networking infrastructure. Cisco is extending this technology to AI-driven, cloud-native environments, with Isovalent driving additional security, observability, and intelligence across the Cisco portfolio.

Futuriom Founder and Principal Analyst R. Scott Raynovich recently interviewed Nico Vibert, Senior Staff Technical Marketing Engineer, Isovalent at Cisco, to find out how Cisco is extending cloud-native networking functionality across enterprise networks and cloud fabrics.

Background: Why Cilium and eBPF Matter

First, some background. Isovalent was created after Kubernetes and containers became standard infrastructure in the cloud. Isovalent used open-source eBPF technology to build Cilium, one of the most popular tools for container networking in cloud-native environments.

Because Cilium's data path runs as eBPF programs inside the Linux kernel, it lets engineers apply fine-grained security and networking controls without the performance cost of user-space packet processing.

Q&A with Nico Vibert

We published a blog about Cisco’s Isovalent strategy and our talk with Vibert here, but now we are publishing the full interview, which was filled with interesting insights about the trajectory of Isovalent inside Cisco.

So, let’s dive into the Q&A!

Futuriom: Cisco’s acquisition of Isovalent sends a clear signal about the company’s commitment to leading-edge protection across every workload and every cloud. Could you start by introducing “Cisco Isovalent Enterprise Networking” and outlining its core value proposition for AI data centers?

Vibert: Container networking and cloud-native networking needed a different network and security model, which led Cisco to be a seed investor in Isovalent. The founders of Isovalent were building Cilium, which was using a new technology called eBPF, which was a revolutionary networking technology in Linux [environments]. This was a new foundation for cloud networking and container networking. Cilium really took off and became widely adopted in the container space and Kubernetes space to the point where it was used by all the major cloud providers like Google, AWS, and Microsoft Azure for Kubernetes offerings.

Some of the largest platforms running AI and machine learning are using Cilium to underpin their networking.

For me, it’s the best of both worlds. You bring Kubernetes networking expertise to scalable, high-performance modern workloads. And then you have Cisco bringing decades of experience, like Cisco Nexus running high-performance critical applications in the data center. That’s what you really need to run AI workloads. You need performance and security on both the physical [hardware] side as well as the software side.

Futuriom: The new Cisco Nexus One is positioned to deliver open networking choice and a consistent operational experience across on-premises, cloud, and API-driven environments. How does this platform extend into container-native environments via Isovalent for networking and security?

Vibert: I see it as a layered approach. You have Nexus, which provides the foundation. It provides predictable performance, reliability, and security at the physical level. Isovalent provides enterprise networking extended to containers, the cloud-native world. That’s essentially what we are providing.

This [provides] consistent networking and security for Kubernetes, where you can put repeatable code-driven operations. We configure Nexus as infrastructure as code and it’s all policy driven. We are applying the same model in Kubernetes, and it’s driven from code with business logic to create policies and deploy networking from intent. This is taking the software-defined approach of Nexus and pushing it into the Kubernetes space.

Futuriom: As AI workloads demand unprecedented scale and deterministic network performance, in what scenarios should data center architects view Isovalent as essential?

Vibert: I think if you step back to the origins of Kubernetes, created by Google as an internal container orchestration platform and then open sourced, Kubernetes was originally built for microservices and small applications. It quickly became the universal platform to stand up and deploy modern applications.

Now we see virtual machines being deployed on Kubernetes and now AI and ML as well. [In AI] there are case studies of Kubernetes environments with thousands of nodes, right? So, Kubernetes has become the platform to run AI workloads.

In the traditional world, when you run high-performance computing, you need a very strong networking foundation, so it's the same in Kubernetes. That’s where we excel. Cilium is being used by some of the largest AI and LLM providers in the world, and it’s one of the reasons we’ve become successful through the use of eBPF, letting us do networking functions at kernel speed. That makes a massive difference for LLM companies that can’t have bottlenecks in their networking.

Futuriom: Isovalent’s Cilium and Tetragon, by leveraging eBPF, promise to address challenges such as tool sprawl, integration complexity, evolving security threats, and high operational costs within Kubernetes environments. Can you explain how this solution delivers on those promises?

Vibert: For me, it’s the way Kubernetes grew. It started with the need to have this networking, what we call a container network interface (CNI) plugin. That's the first tool you need to be able to connect your containers to get them an IP address and to make sure that they're able to communicate with one another.

What happened over time is that platform teams started to adopt more and more single-purpose tools for lots of different use cases, including for security, for encryption, and for observability. There would be individual tools deployed for service mesh and proxies. We ran a survey last year called the State of Kubernetes Networking report, which showed us that on average, platform engineers run about seven different networking tools.

If you imagine having seven different vendors for networking in your physical environment, you can imagine how tricky that would be to maintain, operate, and troubleshoot. It’s a big challenge for operators of Kubernetes that they have so many different tools.

With Cilium using eBPF, we can add networking functions into Cilium without compromising performance because most of them become kernel functions. That can help our customers consolidate the number of tools they are running on a day-to-day basis and hopefully make life a bit easier for them.

Futuriom: Excellent. So what tangible benefits are customers realizing from this solution - particularly in terms of enhanced observability, simplified operations, and accelerated deployment of mission-critical AI applications?

Vibert: The way to think about this is to look at how organizations are investing in AI projects. They are committing substantial resources. GPUs are expensive. Data sets are expensive. It takes time and resources and a lot of hardware and services costs to build out your AI apps.

What organizations need to do is be able to make the most of [their resources]. You can’t spend weeks building an AI app to have it break. That’s why we are going to be strong [with] observability, because you’ve got Cilium and eBPF operating at a deep level to understand network performance, to see every packet across the platform. We are able to understand latency and behavior and know what is happening.

The Nexus dashboard gives you the visibility into the underlying network fabric. And then you combine this and then you add Splunk on top of it, part of the Cisco family. Splunk is great for correlation of logs and events. If you take these three together, you have the capability to identify issues faster and get more value.

Futuriom: With Kubernetes clusters increasingly interacting with external APIs and databases, security has become a top priority. How does Cilium with Cisco Nexus ensure deterministic security protections for traffic without compromising performance or flexibility?

Vibert: Again, if you look at Nexus, it always had strong security at the physical network level with firewall [capabilities] and MACsec (Media Access Control Security) for the hardware-based encryption. At the physical layer we have a strong foundation with Nexus, but sometimes there is a bit of a black box from the networking to the observability level.

That’s where Isovalent is strong. It turned security on its head. Instead of creating security rules and firewall rules based on IP addresses, we use identity, metadata, and business logic to create our network policies. In the container world, you can’t have rules based on IP because IP addresses change all the time. You have to create policies. It’s very important to work closely with APIs and databases. It helps define the intent-driven logic behind which API should be called. Everything else is denied by default. It’s applying a zero-trust approach to the world of cloud native.

Futuriom: Thank you. As organizations scale Kubernetes deployments across multiple tenants, what best practices should they follow when building multi-tenant environments? How does Isovalent technology enhance these architectures and ensure robust tenant isolation?

Vibert: We have a few different things, but I think that if you take a step back in terms of what Kubernetes is, you talk about multi-tenancy and how it’s used for platform engineering. This is where platform engineers are able to provide experience for accessing the services. You can build a self-service portal where they can come and deploy applications. That’s critical because Kubernetes is designed to be a shared platform, but you need to ensure that you have a self-service model where different teams can access their own parts.

We provide a role-based access control portal where people go and see their environment and troubleshoot without having to ask for support from anybody. They can be quite independent. Another aspect is the pure isolation using the firewall capabilities to ensure that traffic cannot cross from one tenant to another.
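Two points in the interview, the identity-based, default-deny policy model Vibert describes in the API-security answer and the tenant isolation he mentions above, map directly onto Cilium's policy objects. The following is an added illustration written for this article, not code from the interview or from the Cilium project; the namespace `tenant-a`, the pod labels `app: orders-api` and `app: checkout`, the port and the API paths are all assumed values.

```yaml
# Added example: identity-based Cilium policies (assumed names, not from the page).
# Endpoints are selected by Kubernetes labels, so the rules survive pod restarts
# and IP churn; nothing here references an IP address.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-api-ingress
  namespace: tenant-a                 # assumed tenant namespace
spec:
  # Selecting a pod for ingress switches it to default-deny for ingress:
  # anything not explicitly allowed below is dropped in the kernel data path.
  endpointSelector:
    matchLabels:
      app: orders-api
  ingress:
    - fromEndpoints:
        # Only pods with the "checkout" identity in the same tenant may connect...
        - matchLabels:
            app: checkout
            k8s:io.kubernetes.pod.namespace: tenant-a
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          # ...and only to the intended API operations (L7 rules are enforced by
          # Cilium's per-node proxy, so they cost more than the L3/L4 checks).
          rules:
            http:
              - method: GET
                path: "/api/v1/orders/.*"
              - method: POST
                path: "/api/v1/orders"
---
# Tenant isolation: every pod in the namespace accepts ingress only from pods
# in the same namespace. Workloads of other tenants are denied regardless of
# which IP addresses they happen to hold.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: same-tenant-only
  namespace: tenant-a
spec:
  endpointSelector: {}                # every endpoint in tenant-a
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: tenant-a
```

Two practical notes for anyone adapting this: Cilium's default-deny applies per direction, so an endpoint selected only by an ingress rule still has unrestricted egress until an egress rule (or an egress default-deny) selects it; and the same-namespace rule above does not by itself allow DNS or health-check traffic from cluster components, which usually needs an explicit allow rule before the policy is rolled out.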

Futuriom: Interesting. This could be a big deal for AI, right? Because my understanding is that a lot of these AI clouds lack multitenancy as well as security.

Vibert: Yeah, absolutely. It’s a discussion we are having with one of our customers and it’s one of the challenges they are having with customers that want to deploy AI workloads. GPUs are very, very expensive. So, what they try to do is get tenants to access a shared platform to get the most out of their shared infrastructure. That’s where costs can escalate. You need to have a secure multi-tenancy platform.

Futuriom: Great. Could you share a compelling real-world example or use case that highlights how Cisco Isovalent and the Nexus together have delivered value for customers, particularly in complex or hybrid environments?

Vibert: I have one I can share, but I can’t name them. It’s a large, global financial institution that was running Kubernetes at scale already in a highly regulated environment. The challenges they had were the kind I alluded to before—a large number of tools. Many of them were open-source tools for networking, security, and observability. There has been massive overhead in managing all these different tools for their platform.

That was one challenge. They were really struggling with the boundary between the Kubernetes environment and the underlying data-center network. That made troubleshooting quite challenging. The eBPF platform gave them better visibility. And, going back to multi-tenancy, they have deployed the self-service model for multiple teams.

Across the businesses of investment banking and retail banking, you can simplify things; you can just make life easier for your end users.

Futuriom: Thank you Nico!

Vibert: Thank you.