Aviatrix Blog

Empowering Networking Teams to Collaborate: The Aviatrix Kubernetes Firewall

The policy-driven security of the Aviatrix Kubernetes Firewall offers customization that helps DevOps, platform engineers, and security teams work together.

In a recent discussion with Cloud Native Now, Anirban Sengupta, Aviatrix's Chief Technology Officer and Senior Vice President of Engineering, and seasoned IT journalist Mike Vizard discussed the new Aviatrix Kubernetes Firewall and how it helps enterprises overcome the challenges of securing Kubernetes environments.

Their conversation teased out several critical aspects of the Aviatrix Kubernetes Firewall, including how this feature:

  • Compares to the current approaches to Kubernetes security
  • Resolves the problem of IP exhaustion and overlap
  • Helps networking teams optimize cost and utilization
  • Empowers networking teams to work effectively — both independently and collaboratively


3 Evolving Approaches to Kubernetes Security

At the moment, there are three evolving strategies for enhancing Kubernetes security. These approaches don't entirely overlap; each offers its own advantages:

  • The service mesh approach — This could also be called “service-to-service encryption”: the mesh encrypts traffic between services, much as a VPN does between sites.
  • CNIs (Container Network Interface plugins) like Cilium — A second effort is happening in Cilium, spearheaded by Isovalent, which was recently acquired by Cisco. A CNI-based solution offers real advantages for dynamically configuring network resources, but it has a limit: many managed Kubernetes services ship their own CNI and constrain, or do not support, replacing it with a third-party one.
  • The Aviatrix Kubernetes Firewall — Aviatrix recently introduced a third, policy-driven approach. It is platform-centric and security-team-centric, and provides defense in depth through segmentation, egress security, and network-wide policies. In other words, the Kubernetes Firewall is a “layered cake”: it can sit alongside the other two approaches, service mesh and CNI, to provide comprehensive protection.


Defining the Collaboration between DevOps and Platform Engineering Teams

In terms of operational dynamics, DevOps and platform engineers work together to implement this layered security approach. The container platform team operates the Kubernetes Firewall, and DevOps consumes it from above, which gives two distinct consumption layers:

  • The platform team uses Terraform (infrastructure as code) to orchestrate the governance of the firewall.
  • The DevOps team uses YAML- and CRD-based consumption to refine those firewall rules, so that they can add pods and destination services directly in their deployment spec.


This deployment setup defines a clear workflow between teams: the security team pays for the firewall, then provides Terraform scripts for developers and DevOps to incorporate into their pipeline. DevSecOps engineers then use YAML files to customize the solution as needed and make sure applications run smoothly. Each team has what it needs to collaborate effectively.


Set It and Forget It: How the Aviatrix Kubernetes Firewall Overcomes IP Exhaustion and Overlap

The inherent dynamism and complexity of Kubernetes environments create new challenges: ephemeral IP addresses, scaling pods and nodes, and overlapping IP spaces. These factors differentiate Kubernetes from traditional VM or physical server environments and force networking teams to find firewall capabilities that can adapt to this fluidity without compromising security.

Aviatrix helps security and platform teams sidestep an intimidating problem by giving them a way out of worrying about the ephemeral, dynamic nature of Kubernetes. The solution provides a level of abstraction that lets these teams write rules based on tags, pods, and nodes rather than on the ephemeral addresses behind them, so the rules don't require constant maintenance and updates.
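The label-based model described above, as an added illustrative example (this is not Aviatrix code; the selector fields, the rule shape, and the two sample clusters and their pods are assumptions made for illustration). Rules reference cluster, namespace and labels only; IPs are resolved at enforcement time, so a reschedule changes the rendered entries but not a single rule, and two clusters that reuse the same CIDR are told apart by cluster rather than by address:

```python
# Added illustrative example, not Aviatrix code: a toy policy model in which rules
# name workloads by cluster, namespace and labels, and pod IPs are only looked up
# at enforcement time. The selector fields, the rule shape and the sample
# clusters/pods below are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pod:
    cluster: str
    namespace: str
    name: str
    ip: str                  # ephemeral: changes on every reschedule
    labels: Dict[str, str]   # stable: what the rules actually reference


@dataclass
class Rule:
    name: str
    src: Dict                # selector with optional "cluster", "namespace", "labels"
    dst: Dict
    port: int
    action: str              # "allow" or "deny"


def selector_matches(sel: Dict, pod: Pod) -> bool:
    """A selector matches when every field it specifies equals the pod's value."""
    if sel.get("cluster", pod.cluster) != pod.cluster:
        return False
    if sel.get("namespace", pod.namespace) != pod.namespace:
        return False
    return all(pod.labels.get(k) == v for k, v in sel.get("labels", {}).items())


def evaluate(rules: List[Rule], src: Pod, dst: Pod, port: int) -> str:
    """First-match verdict for a flow between two pods; anything unmatched is denied.
    Because pods (not IPs) are compared, two clusters that reuse the same CIDR
    cannot be confused with each other."""
    for r in rules:
        if r.port == port and selector_matches(r.src, src) and selector_matches(r.dst, dst):
            return r.action
    return "deny"


def render(rules: List[Rule], inventory: List[Pod]) -> List[Tuple]:
    """Expand the rules into concrete (src_cluster, src_ip, dst_cluster, dst_ip,
    port, action) entries, i.e. what a data plane would be programmed with.
    This is regenerated from the unchanged rules whenever the inventory moves."""
    out = set()
    for r in rules:
        for s in inventory:
            if not selector_matches(r.src, s):
                continue
            for d in inventory:
                if selector_matches(r.dst, d):
                    out.add((s.cluster, s.ip, d.cluster, d.ip, r.port, r.action))
    return sorted(out)


# Constructed sample data. Both clusters use 10.0.0.0/16, so 10.0.1.5 exists in each.
RULES = [
    Rule("web-to-api",
         {"cluster": "prod-us", "namespace": "shop", "labels": {"app": "web"}},
         {"cluster": "prod-us", "namespace": "shop", "labels": {"app": "api"}},
         8443, "allow"),
    Rule("api-to-db",
         {"labels": {"app": "api"}},
         {"cluster": "prod-eu", "labels": {"tier": "db"}},
         5432, "allow"),
]
INVENTORY_T0 = [
    Pod("prod-us", "shop", "web-7f9", "10.0.1.5", {"app": "web"}),
    Pod("prod-us", "shop", "api-2c1", "10.0.2.9", {"app": "api"}),
    Pod("prod-eu", "shop", "web-a41", "10.0.1.5", {"app": "web"}),   # same IP as web-7f9
    Pod("prod-eu", "data", "pg-0",    "10.0.3.3", {"tier": "db"}),
]
# Later the prod-us api pod has been rescheduled: new name, new IP, same labels.
INVENTORY_T1 = [p for p in INVENTORY_T0 if p.name != "api-2c1"] + [
    Pod("prod-us", "shop", "api-9e7", "10.0.4.21", {"app": "api"}),
]


def demo() -> Tuple[List[Tuple], List[Tuple]]:
    """Render the same RULES against both inventories; only the IPs differ."""
    return render(RULES, INVENTORY_T0), render(RULES, INVENTORY_T1)


if __name__ == "__main__":
    web_us, api_us, web_eu, db_eu = INVENTORY_T0
    print("web-us -> api-us:8443", evaluate(RULES, web_us, api_us, 8443))
    print("web-eu -> api-us:8443", evaluate(RULES, web_eu, api_us, 8443))  # same IP, other cluster
    for row in demo()[1]:
        print(row)
```

The point to notice is that `RULES` is identical before and after the reschedule; only the output of `render` moves, which is exactly the work a tag-based firewall takes off the operator. The default-deny fall-through in `evaluate` is the guardrail a security team would insist on: a pod that no rule names gets nothing.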


Addressing Utilization and Cost Optimization

Enterprises that use Kubernetes also face the challenges of utilization and cost optimization. There are multiple ways that companies can deploy Kubernetes, including zone-as-a-service, cluster-as-a-service, and namespace-as-a-service, to streamline utilization and save costs.

With the Aviatrix Kubernetes Firewall, customers can optimize their usage and cost, so that they can pack more applications onto the same infrastructure without losing governance or running into noisy-neighbor problems. The solution offers security guardrails for each application while remaining flexible: it can run in a single cluster or across multiple regional clusters.

When it comes to security, bad actors are aware that more and more high-value applications are being developed on containers. AI and LLM applications, for example, are being built in Kubernetes containers. Knowing this, Aviatrix designed its Kubernetes Firewall to look at the applications running in containers and on VMs, and to recommend policies and rules for security teams to examine. The recommendation engine is GenAI-based: humans keep full control over what gets applied, while the AI does most of the work.


Giving Teams the Best of Both Worlds

This is just the start of this journey for Aviatrix: the overall goal with this new feature is to empower teams who are using or modernizing containers and need to make their applications secure and scalable. It also saves time and energy for DevOps people, who no longer have to wait for the infrastructure team to approve, or put in place, all the security and governance rules on their behalf. The Aviatrix Kubernetes Firewall not only makes applications secure, but also makes developers independent and able to achieve high velocity, so they can have the best of both worlds.