Network (WIP)

How to set up networking in Bifrost

Basic principles

  • Make sure to use policies like Cilium network policies and Tetragon tracing policies.
  • Keep internal network hops to a minimum: think about where traffic comes in and how it propagates.
  • Make sure you can observe packet destinations (observability); Cilium network policies will help with this. Keep a lookout for anomalies and for blocked traffic that shouldn't be blocked.
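
An added example (not Bifrost's own tooling) of watching for blocked traffic that shouldn't be blocked: it summarizes dropped flows from Hubble's JSON flow output and separates out drops on paths that are meant to be allowed. The sample flows, the namespaces `web` and `api`, and the `EXPECTED` list are constructed, and the input is assumed to follow the field layout of `hubble observe -o json`.

```python
import json
from collections import Counter

# Constructed sample flows, shaped like `hubble observe -o json` output (assumed layout).
SAMPLE = "\n".join([
    '{"flow":{"verdict":"FORWARDED","source":{"namespace":"web"},"destination":{"namespace":"api"},"l4":{"TCP":{"destination_port":8080}}}}',
    '{"flow":{"verdict":"DROPPED","source":{"namespace":"web"},"destination":{"namespace":"api"},"l4":{"TCP":{"destination_port":8080}}}}',
    '{"flow":{"verdict":"DROPPED","source":{"namespace":"web"},"destination":{"namespace":"api"},"l4":{"TCP":{"destination_port":8080}}}}',
    '{"flow":{"verdict":"DROPPED","source":{"namespace":"web"},"destination":{},"IP":{"destination":"203.0.113.7"},"l4":{"UDP":{"destination_port":53}}}}',
    'not json: truncated line',
])

# Hypothetical list of paths that policy is meant to allow: (source, destination, port).
EXPECTED = {("web", "api", 8080)}

def endpoint(flow, side):
    """Namespace of a cluster endpoint, or the raw IP when the peer is outside the cluster."""
    ns = flow.get(side, {}).get("namespace")
    return ns or flow.get("IP", {}).get(side, "unknown")

def dest_port(flow):
    """Destination port for TCP/UDP flows; None for ICMP and other portless protocols."""
    for proto in flow.get("l4", {}).values():
        if isinstance(proto, dict) and "destination_port" in proto:
            return proto["destination_port"]
    return None

def summarize_drops(text, expected=EXPECTED):
    """Count dropped flows, split into drops on expected paths and all other drops."""
    wrongly_blocked, other = Counter(), Counter()
    for line in text.splitlines():
        try:
            flow = json.loads(line).get("flow", {})
        except (json.JSONDecodeError, AttributeError):
            continue  # skip lines that are not a JSON flow object
        if flow.get("verdict") != "DROPPED":
            continue
        key = (endpoint(flow, "source"), endpoint(flow, "destination"), dest_port(flow))
        (wrongly_blocked if key in expected else other)[key] += 1
    return wrongly_blocked, other

if __name__ == "__main__":
    blocked, other = summarize_drops(SAMPLE)
    for key, count in blocked.most_common():
        print("expected path dropped:", key, count)
    for key, count in other.most_common():
        print("dropped:", key, count)
```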

A note on CDNs

We have tested a range of CDNs, and even the fastest (bunny.net) is still slower than simply using our cluster in most of our target region (Norway). CDNs are great for making sure the website is still up even if the cluster is down; however, this failover only provides benefits in a full-blown disaster. Make sure people can find the information even in these situations, but downgrading our performance, increasing costs and adding complexity in nominal situations is not desirable. For those disaster situations, having a status page with a low-TTL DNS entry is better, as it can be automatically switched over to a failover.

Will come later

  • A small section about Cilium and how it uses BPF, including the downsides and upsides of BPF; an overview of the Cilium network; a section about deprecating ingresses in favor of gateways; how monitoring through Hubble/Envoy works; and the efficiency of kernel-based networking.
  • How to do networking from external sources using Tailscale (will be replaced by Netbird).