- Configuring Cilium BGP to advertise service and pod routes into your network.
- Configuring Cilium load-balancer IPAM so LoadBalancer services get addresses from a Cilium-managed pool.
- Validating the configuration and demonstrating end-to-end traffic flow for those services.
Ensure you have cluster admin access and a working Cilium installation. If you haven’t installed Cilium yet, see the Cilium docs: https://docs.cilium.io/.
At-a-glance: What you’ll accomplish
| Topic | Purpose | Quick command examples |
|---|---|---|
| Cilium BGP | Advertise Kubernetes pod and service routes into the external network via BGP | kubectl get pods -n kube-system -l k8s-app=cilium |
| LoadBalancer IPAM | Allocate external IPs from a Cilium-managed pool to Services | kubectl get svc -o wide |
| Validation & traffic flow | Confirm BGP neighbors, service external IPs, and end-to-end connectivity | kubectl describe svc <name>; test with curl or telnet |
Step-by-step overview
- Configure Cilium to run a BGP speaker and announce the desired prefixes to your network routers.
- Configure the load-balancer IPAM pool and enable the Cilium LoadBalancer IP assignment for Kubernetes services.
- Deploy a sample LoadBalancer service and confirm it receives an external IP from the pool.
- Verify BGP neighbor status on your routers and on any Cilium BGP-ready components.
- Test connectivity from outside your cluster to the LoadBalancer IP and trace the path (verify traffic reaches the service endpoints).
Example: high-level values file (illustrative)
Below is an illustrative values snippet showing how you might enable BGP and load-balancer IPAM in Cilium’s Helm/values configuration. Replace the placeholders with values appropriate for your environment.
BGP advertises routes into your network—misconfiguration can cause traffic blackholes or route leaks. Coordinate prefix announcements and AS numbers with your network team before enabling BGP.
Typical configuration flow
- Install or update Cilium with the desired Helm values (or update a Cilium ConfigMap); examples above are illustrative.
- Ensure the network/router side is configured to accept BGP sessions from your cluster nodes (peer IPs, AS numbers, route filters).
- Configure the load-balancer IP pool in Cilium so that Service objects of type LoadBalancer can be assigned IPs from the pool.
- Deploy a sample app and create a Service of type LoadBalancer to test the allocation and BGP announcements.
Verification checklist and commands
Use these checks in sequence to validate the setup:
- Verify Cilium agents are running
- Inspect the Service and the assigned external IP
- Confirm the external IP came from your configured pool
  - Check the Service’s external IP matches an address inside the pool CIDR.
- Check BGP advertisements and neighbor states
  - On your external router(s): verify BGP neighbor is established and that the prefix for the Service IP (or the service/pod CIDR) is being learned.
    - Example: Router CLI (platform dependent)
      - Cisco-like: show ip bgp summary / show ip route <prefix>
      - BIRD: birdc show status / birdc show route for 192.0.2.2
  - On the cluster: review Cilium logs and status for BGP-related messages
- End-to-end connectivity test
  - From an external host in the same network, confirm TCP/HTTP reachability to the LoadBalancer IP:
- Trace traffic flow to confirm it reaches the service endpoint
  - Use tcpdump on the node or Cilium endpoints to observe the incoming packets and their forwarding.
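The pool check from the checklist above, as an added example (not part of the original page or the Cilium project): it reads the JSON produced by kubectl get svc -A -o json and flags any LoadBalancer address that falls outside the pool CIDRs you agreed to announce. The function name audit_lb_ips, the sample services and the pool 192.0.2.0/24 are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: trimmed output of `kubectl get svc -A -o json`.
# Names and addresses are made up; both ranges are documentation prefixes.
SAMPLE_SERVICES = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.2"}]}}},
  {"metadata": {"namespace": "default", "name": "api"},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.7"}]}}},
  {"metadata": {"namespace": "default", "name": "queue"},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {}}},
  {"metadata": {"namespace": "kube-system", "name": "dns"},
   "spec": {"type": "ClusterIP"},
   "status": {"loadBalancer": {}}}
]}
""")

def audit_lb_ips(services, pool_cidrs):
    """Classify each LoadBalancer Service as in-pool, out-of-pool, or pending."""
    # strict=True rejects a pool written with host bits set (e.g. 192.0.2.1/24).
    pools = [ipaddress.ip_network(c, strict=True) for c in pool_cidrs]
    report = {"in_pool": [], "out_of_pool": [], "pending": []}
    for svc in services.get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue
        name = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        # Entries that carry only a hostname have no IP to compare against the pool.
        ips = [e["ip"] for e in ingress if "ip" in e]
        if not ips:
            report["pending"].append(name)
            continue
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            # `addr in net` is False on an IPv4/IPv6 mismatch, so mixed pools are safe.
            bucket = "in_pool" if any(addr in net for net in pools) else "out_of_pool"
            report[bucket].append((name, ip))
    return report

if __name__ == "__main__":
    result = audit_lb_ips(SAMPLE_SERVICES, ["192.0.2.0/24"])
    for bucket, entries in result.items():
        print(bucket, entries)
```

An entry under out_of_pool means a Service holds an address that is not covered by the prefix coordinated with the network team, which is worth resolving before the router-side checks.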
References and further reading
- Cilium documentation: https://docs.cilium.io/
- Cilium LoadBalancer/IPAM guide: https://docs.cilium.io/en/stable/loadbalancer/
- Kubernetes Services: https://kubernetes.io/docs/concepts/services-networking/service/
- BGP basics and router configuration: refer to your router vendor documentation (Cisco, Juniper, BIRD, FRR, etc.)