Master Kubernetes egress control with Cilium Egress Gateway. I'll show you how to route outbound traffic through a static IP for better security and compliance.
Managing outbound traffic in a Kubernetes cluster is often a headache. By default, pods share the node's IP, which is a nightmare when you need to whitelist traffic for an external database or a third-party API. If you’re tired of managing complex NAT rules or dealing with dynamic IP churn, it’s time to look at the Cilium Egress Gateway.
In this guide, I’ll show you how to implement a dedicated egress gateway to enforce consistent, static IP routing for your egress traffic.
In cloud-native environments, security teams usually demand that all traffic hitting their firewalls originates from a known, static IP. Kubernetes makes this difficult because pods are ephemeral.
When you implement Kubernetes egress control via Cilium, you stop relying on node-level SNAT. Instead, you steer traffic from specific pods through a dedicated gateway node. This provides:
Before we start, ensure you have:
hubble enabled for observability.First, identify the node you want to act as the gateway. I usually pick a dedicated node or a subset of nodes with high bandwidth availability.
Bashkubectl label node worker-node-01 egress-gateway=true
Cilium uses a Custom Resource Definition (CRD) called CiliumEgressGatewayPolicy. This is where the magic happens. We’ll define a policy that selects pods in the production namespace and routes their traffic through our gateway node.
YAMLapiVersion: "cilium.io/v2" kind: CiliumEgressGatewayPolicy metadata: name: egress-policy-prod spec: selectors: - podSelector: matchLabels: app: backend-service destinationCIDRs: - 192.168.10.0/24 # The target external network egressGateway: nodeSelector: matchLabels: egress-gateway: "true" interface: eth0
Apply this with kubectl apply -f egress-policy.yaml. Once applied, Cilium will automatically rewrite the source IP of packets originating from backend-service to the primary IP of worker-node-01.
You don't want to just hope it works. Use Hubble to verify that your Cilium Egress Gateway is actually handling the traffic.
Bashhubble observe --pod backend-service --type egress
You should see traffic flowing through the gateway node. If you see packets hitting the destination with the node's IP, you’ve successfully implemented network security at the egress layer.
nodeSelector. Cilium will handle the load balancing and failover automatically.destinationCIDRs as specific as possible. Don't route your entire internet traffic through your gateway if you only need it for a specific internal database.Implementing cloud-native networking patterns like Egress Gateways significantly reduces the friction between DevOps and Security teams. By using Cilium, we’re moving away from "it just works" networking to "it works exactly how I configured it" networking.
If you're dealing with strict compliance requirements, this is the cleanest way to handle egress traffic control without bloating your cluster with legacy proxy solutions.
Have you implemented this in your production environment yet? Let me know the challenges you faced in the comments.
Master Kubernetes networking by implementing Zero-Trust security with Cilium and Hubble. Learn to secure pod-to-pod communication with identity-based policies.
Read moreMaster Zero-Trust network policies using Cilium and Hubble. Learn how to secure your Kubernetes clusters with eBPF-powered identity-based traffic control.