Self-service, Zero Trust Network Security
Challenge
Rabobank is a multinational bank offering banking and financial services in the Netherlands. The API platform team which is responsible for securely and robustly connecting all APIs across Rabobank needed to migrate off their old API platform to reduce costs. When setting up their new platform on Kubernetes, they realized Kubernetes network policies only supported IP whitelisting and not FQDN-based policies.
The API platform team of five needed to support 400 teams so this limitation was a significant concern because relying solely on IP addresses for network policy was not scalable. They found that IP whitelisting was not very secure and didn’t scale well, especially within a multinational banking environment. IP addresses are ephemeral, and using FQDNs would simplify automation, maintenance, and troubleshooting. They also needed a network security solution that is easy to maintain and set up, since it is a critical part of their environment.
Faced with this challenge, Rabobank began exploring tools that would enable them to apply network policies based on FQDNs and ultimately allow them to migrate more quickly to the new platform and save licensing costs.
Solution
Rabobank turned to Cilium as their preferred network security and observability solution. Cilium is the default Container Network Interface (CNI) for Rabobank’s API platform team, enabling them to implement zero-trust networking and create a self-service environment for their teams. With Cilium, configuring network policies has become easier for them, allowing for automated allow listing of their API providers. The shift from IP allow listing to using FQDN has significantly eased the maintenance and troubleshooting of their platform.
Furthermore, Cilium Hubble provided them with valuable insights into their traffic flow and helped them identify necessary whitelisting rules. The automation they were able to put in place with Cilium also allowed them to migrate faster to the self-service platform.
Impact
Using Cilium for their new Kubernetes-based API platform made it easier to automate and maintain network security across 400 teams consuming the platform. This reduction in toil allowed the platform team to deliver their new API platform sooner saving on licensing costs.
Projects used
By the numbers
1.6 Billion
Calls per month
400+ Teams
Leveraging fully automated FQDN
high security
Combined with high automation
Implementing Self-Service Zero Trust Network Security with Cilium
Rabobank, a Dutch multinational bank, operates many departments from home loans to wealth management to business lending. Their API platform is at the core of this, tying all of their services together and is responsible for securely and robustly connecting APIs across Rabobank. Their infrastructure is composed of two Kubernetes platforms: one running in the cloud via Azure Kubernetes Service (AKS) and the other on-premises via OpenShift.The Cloud half of the team consists of five members and needs to manage a platform for 400 teams. They needed to migrate off of their old API platform to reduce licensing costs and they needed to do it as soon as possible.
Initially, they chose Azure’s default Container Network Interface (CNI) for their networking layer. However, they encountered a significant limitation: the inability to implement network filtering based on Fully Qualified Domain Names (FQDN). The default Kubernetes network policies only support IP allow listing, which poses practical challenges in automation, maintenance, troubleshooting, and security.
“We all know that IP whitelisting is not very secure and doesn’t scale well, especially within a multinational banking environment. We were also looking for a network security solution that is easy to maintain and set up, since it is an important part of our environment, but can also be time-consuming. Each team knows best what they want to allow because they know which backends they need to reach from their API. And that can often change because the backend or other things can move quickly. We don’t want to do IP whitelisting because even the backend IP can switch, especially if it’s in the cloud. You also don’t care what the IP is and IPs can be very error prone. Having FQDN is way easier to maintain because it says more than an IP address, allowing teams to just provide a list of names instead of IPs.”
Frank Potter, Rabobank
Motivated by this challenge, they started searching for an alternative solution.
After conducting their research, Rabobank decided to choose Cilium after also considering other technologies like Calico, Istio, and Consul.
“Cilium was the only one that offered FQDN support out of the box. It also had Hubble, which made it easy to observe which flows of traffic there are at the pod level. Besides Cilium I was aware of other CNIs, and service meshes e.g. Istio, Consul, and Linkerd. However, Istio and Consul have a high learning curve, making Cilium the preferred choice. Furthermore, Cilium is a CNI that focuses on security but with low overhead due to the eBPF.
“We don’t even have a practical use case for a service mesh because we don’t want to expose tenants to each other. Most of the traffic that comes into a cluster also directly goes out to a backend, which can be on-premise or in the cloud so there is no real need for a service mesh in our API banking environment.” said Potter.
With their decision made, they utilized Azure’s ‘bring your own CNI’ feature and set up Cilium in their clusters using Helm. Cilium is also integrated now in Azure in the marketplace making it an easy way forward.
Better Observability with Hubble
Once the platform team had Cilium set up, they also found and enabled Hubble for better observability, giving them the ability to understand their network and know how to approach allowing their application traffic.
“I didn’t know about Hubble, so that was something we discovered along the way and it was a nice feature to have. What I like about Hubble is that it really gives a great overview of what is going on. You can see the traffic and also graphically, you can see how it flows. In the beginning, when we were allowing some traffic, we weren’t exactly sure what we needed but with Hubble, we could see all the traffic and even found some things we had missed.”
Frank Potter, Rabobank
Cilium Enables Automation
Running an API platform for 400 teams is no easy task. To keep up with their demands, the platform team needed to ensure they had high automation in place while still keeping with the stringent security requirements of the bank.
“We have 400 teams and as the platform team, we don’t always know which team is using which back end. We need the platform to be fully self-service for the teams because otherwise, it would become unmanageable,” Potter said.
“We have a zero trust architecture where it’s default deny and the teams then have to say what things are allowed. They provide the name that is put into a database and then that database is read to check if there are any changes before applying new policies.
“We had to migrate the 400 teams and it was a lot of work. That’s also why we did a lot of automation, to make it easy for the users themselves. If you give teams the power, they already have the best knowledge of what they need to do. With Cilium now in place, almost no maintenance needs to be done by our team, besides upgrading Cilium once in a while.”
Faster Migration to Save Licensing Costs
Cilium is a significant success for the API platform team at Rabobank. By providing automation and easy maintenance for their network security, Cilium helped them to migrate their 400 teams off of the old API platform more quickly and save licensing costs.
Since Cilium has addressed their network security challenges, Rabobank has other ideas for how to leverage Cilium’s feature set, like utilizing Tetragon for runtime security.
“It’s good to know what actually happens at runtime. Just like with Cilium, you don’t know what traffic you have until you observe it. I think that’s a good thing to have security observability with Tetragon. What I like about Tetragon is that with eBPF, if a malicious event were to happen in the kernel space, it can be resolved faster.”
Frank Potter, Rabobank