AWS re:Invent 2025 - Networking and observability strategies for Kubernetes (CNS417)

Networking and Observability Strategies for Kubernetes

Challenges in Distributed Kubernetes Environments

• Kubernetes environments are becoming increasingly complex and distributed
• The network is a critical fabric that ties together various components and services
• Lack of visibility into the network can lead to challenges in:
  • Ensuring security and compliance
  • Optimizing performance and cost
  • Aligning application behavior with design

Simplifying Infrastructure Management with EKS Auto Mode

• EKS Auto Mode provides a simplified infrastructure baseline for Kubernetes clusters
• Includes core networking components like CoreDNS, kube-proxy, and a native CNI with network policy support
• Automatically provisions and manages the cluster infrastructure, including compute scaling with Cluster Autoscaler
• Enables default network policies to improve the security posture out-of-the-box

Enhancing Network Security with Native Network Policies

• EKS Auto Mode provides native support for Kubernetes network policies
• Uses eBPF-based CNI for high-performance network policy enforcement
• Allows defining default network policy behavior at the node class level
• Provides a controlled rollout of network policy changes to minimize disruption

Achieving Network Observability with Container Network Observability

• Introduces a new "Container Network Observability" feature in EKS
• Provides granular network performance metrics at the pod and worker node level
• Integrates with existing observability stacks (e.g., Prometheus, CloudWatch)
• Enables detailed visualization of network flows, including east-west traffic and traffic to external services
• Complements service mesh usage by providing observability without the operational overhead

Shifting Left Security with Network Observability

• Network observability data can be used to create more accurate and targeted network policies
• Allows shifting security left by defining policies in the development environment based on observed traffic patterns
• Reduces the cost of fixing security issues by addressing them earlier in the development lifecycle

Simplifying Platform and Application Lifecycle with EKS Capabilities

• Introduces "EKS Capabilities", a new set of managed services for the entire platform and application lifecycle
• Leverages open-source tools like Argo CD, Kube-bench, and ACK to simplify platform management
• Enables faster time-to-market and increased development velocity

Key Takeaways

• Distributed Kubernetes environments require comprehensive network observability to optimize for security, performance, and cost
• EKS Auto Mode provides a simplified infrastructure baseline with built-in networking capabilities
• Native network policies in EKS improve the security posture and enable shifting left security
• Container Network Observability delivers granular visibility into network performance and behavior
• EKS Capabilities further simplify platform and application lifecycle management