https://alexej.disterhoft.de/tags/cilium/Recent content in Cilium on alexej.disterhoft.deHugoenAlexej DisterhoftSat, 04 Apr 2026 00:00:00 +0200https://alexej.disterhoft.de/posts/use-ciliumcidrgroup-to-simplify-cilium-network-policies-on-aks/Sat, 04 Apr 2026 00:00:00 +0200https://alexej.disterhoft.de/posts/use-ciliumcidrgroup-to-simplify-cilium-network-policies-on-aks/<h2 id="the-problem-with-egress-in-aks"> <a class="heading-link" href="#the-problem-with-egress-in-aks" title="Link to this section" > <span class="heading-text">The problem with egress in AKS</span> <span class="heading-anchor" aria-hidden="true"> <svg class="heading-anchor-icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" > <path d="M10 13.5a3.5 3.5 0 0 0 5 0l3-3a3.5 3.5 0 0 0-5-5l-1 1" /> <path d="M14 10.5a3.5 3.5 0 0 0-5 0l-3 3a3.5 3.5 0 0 0 5 5l1-1" /> </svg> </span> </a> </h2> <p>Once you start tightening egress in an AKS cluster running Cilium, you quickly discover that the outside world is mostly <code>reserved:world</code>. Azure IMDS at <code>169.254.169.254/32</code>, the internal DNS resolver at <code>168.63.129.16/32</code>, your VNet peers &ndash; they all land in the same identity bucket, and your Cilium network policies end up with raw CIDRs scattered across every rule that needs to reach them.</p>