CNI Feature Matrix: Network Policies, Service Mesh, and More

Introduction

Choosing a CNI plugin isn’t just about performance—it’s about features. Different CNIs offer different capabilities: network policy enforcement, service mesh integration, observability tools, security features, and multi-cluster support. Understanding these differences is crucial for selecting the right CNI for your requirements.

This feature matrix compares major CNI plugins across key feature categories: Cilium, Calico, Antrea, AWS VPC CNI, Flannel, and Weave Net. We’ll examine network policies, service mesh integration, observability, security, and advanced features.


Feature Categories

  1. Network Policies: Kubernetes NetworkPolicy support and enforcement
  2. Service Mesh: Native service mesh capabilities or integration
  3. Observability: Built-in observability tools and metrics
  4. Security: Encryption, authentication, and security features
  5. Multi-Cluster: Cross-cluster networking capabilities
  6. Advanced Features: Gateway API, eBPF, and specialized capabilities

Network Policy Support

Cilium

  • NetworkPolicy: Full Kubernetes NetworkPolicy support
  • CiliumNetworkPolicy: Extended policy with L7 awareness (HTTP, gRPC, DNS)
  • Enforcement: eBPF-based, high performance
  • Features: L7 policies, DNS policies, FQDN policies, identity-based policies
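
The three L7 policy types listed above, as an added example that is not from the original page or the Cilium project: one CiliumNetworkPolicy that admits only GET /api/v1/... from the frontend, lets the pods resolve names via kube-dns, and pins every other egress to a single hostname. The namespace, labels and hostname are assumed.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-policy          # assumed name
  namespace: shop              # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: api                 # assumed label on the protected pods
  ingress:
  # L7 HTTP rule: frontend may reach port 8080, but only GET /api/v1/...;
  # any other method or path is rejected by the L7 proxy (HTTP 403).
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/v1/.*"
  egress:
  # DNS rule: allow (and observe) lookups to kube-dns. Required so that
  # the toFQDNs rule below learns which IPs the name resolves to.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # FQDN rule: the only other egress permitted is HTTPS to one hostname
  # (assumed); the rule is written against a name, not a changing IP.
  - toFQDNs:
    - matchName: "payments.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

A plain networking.k8s.io/v1 NetworkPolicy can express only the peer selectors and ports here; the http, dns and toFQDNs rules have no equivalent there, which is the gap the L7 row of the matrix below records.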

Calico

  • NetworkPolicy: Full Kubernetes NetworkPolicy support
  • NetworkPolicy (Calico): Extended policy with additional features
  • Enforcement: iptables or eBPF (Calico 3.16+)
  • Features: Global (cluster-wide) network policies, policy tiers for ordered evaluation

Antrea

  • NetworkPolicy: Full Kubernetes NetworkPolicy support
  • AntreaNetworkPolicy: Extended policy with additional features
  • Enforcement: OVS flow rules
  • Features: AppliedTo, cluster-wide policies, policy priorities

AWS VPC CNI

  • NetworkPolicy: Limited support (requires Calico or other policy engine)
  • Security Groups: Pod-level security groups (VPC CNI 1.7+)
  • Enforcement: AWS security groups
  • Features: Security group-based policies, VPC-level policies

Flannel

  • NetworkPolicy: No native support (requires Calico or other policy engine)
  • Enforcement: None
  • Features: None

Weave Net

  • NetworkPolicy: Full Kubernetes NetworkPolicy support
  • Enforcement: Weave Net policy engine
  • Features: Basic network policy enforcement

Service Mesh Integration

Cilium

  • Native Service Mesh: Yes (Cilium Service Mesh, no sidecars)
  • Sidecar Mesh: Integrates with Istio, Linkerd
  • Features: Kernel-level mesh, transparent mTLS, L7 policies
  • Performance: Excellent (no sidecar overhead)

Calico

  • Native Service Mesh: No
  • Sidecar Mesh: Works with Istio, Linkerd, other meshes
  • Features: Network policy integration with service meshes
  • Performance: Good (with sidecar meshes)

Antrea

  • Native Service Mesh: No
  • Sidecar Mesh: Works with Istio, Linkerd, other meshes
  • Features: Network policy integration with service meshes
  • Performance: Good (with sidecar meshes)

AWS VPC CNI

  • Native Service Mesh: No
  • Sidecar Mesh: Works with Istio, Linkerd, App Mesh
  • Features: AWS App Mesh integration
  • Performance: Good (with sidecar meshes)

Flannel

  • Native Service Mesh: No
  • Sidecar Mesh: Works with any service mesh
  • Features: Basic connectivity for service meshes
  • Performance: Good (with sidecar meshes)

Weave Net

  • Native Service Mesh: No
  • Sidecar Mesh: Works with service meshes
  • Features: Basic connectivity for service meshes
  • Performance: Good (with sidecar meshes)

Observability Features

Cilium

  • Built-In Tool: Hubble (eBPF-based observability)
  • Metrics: Prometheus metrics
  • Features: L7 visibility, service maps, DNS tracking, policy verification
  • Real-Time: Yes

Calico

  • Built-In Tool: None (external tools)
  • Metrics: Prometheus metrics
  • Features: Flow logging, policy metrics
  • Real-Time: Limited

Antrea

  • Built-In Tool: Grafana dashboards
  • Metrics: Prometheus metrics
  • Features: OVS flow monitoring, flow aggregation
  • Real-Time: Limited

AWS VPC CNI

  • Built-In Tool: AWS CloudWatch, VPC Flow Logs
  • Metrics: CloudWatch metrics
  • Features: VPC flow logs, pod IP visibility
  • Real-Time: Delayed (VPC logs)

Flannel

  • Built-In Tool: None
  • Metrics: None
  • Features: External tools only
  • Real-Time: No

Weave Net

  • Built-In Tool: Weave Scope (separate product)
  • Metrics: Limited
  • Features: Network topology visualization
  • Real-Time: Limited

Security Features

Cilium

  • Encryption: Transparent encryption (IPsec, WireGuard)
  • Identity: Workload identity-based policies
  • mTLS: Native mTLS support
  • Features: Identity-based policies, encryption, authentication

Calico

  • Encryption: IPsec encryption (Calico Enterprise)
  • Identity: Pod identity support
  • mTLS: Via service mesh integration
  • Features: Network policies, encryption (Enterprise)

Antrea

  • Encryption: IPsec encryption
  • Identity: Pod identity support
  • mTLS: Via service mesh integration
  • Features: Network policies, encryption

AWS VPC CNI

  • Encryption: VPC-level encryption, security groups
  • Identity: IAM integration
  • mTLS: Via service mesh integration
  • Features: Security groups, IAM integration

Flannel

  • Encryption: None
  • Identity: None
  • mTLS: Via service mesh integration
  • Features: Basic connectivity only

Weave Net

  • Encryption: Automatic encryption
  • Identity: Basic identity support
  • mTLS: Via service mesh integration
  • Features: Automatic encryption, network policies

Multi-Cluster Support

Cilium

  • Native Support: Yes (Cilium Cluster Mesh)
  • Approach: eBPF-based multi-cluster networking
  • Features: Transparent service communication, cross-cluster policies
  • Performance: Excellent
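
The two Cluster Mesh features listed above, as an added example that is not from the original page or the Cilium project: a Service shared across clusters, and a policy whose selector names the remote cluster so that only frontend pods from that cluster reach the api. Cluster name, namespace and labels are assumed.

```yaml
# Global service: with the annotation below, Cilium load-balances this
# Service to backends in every connected cluster. It must exist with the
# same name, namespace and annotation in each cluster (assumed: shop/api).
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: shop
  annotations:
    service.cilium.io/global: "true"
spec:
  selector:
    app: api
  ports:
  - port: 8080
    protocol: TCP
---
# Cross-cluster policy: identity-based selectors match endpoints in all
# clusters, so the cluster label is what scopes the rule to one of them.
# The remote cluster name "cluster2" is assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-from-cluster2
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
        io.cilium.k8s.policy.cluster: cluster2
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
```

Apply the policy in the cluster that hosts the api pods, where ingress is enforced; dropping the io.cilium.k8s.policy.cluster label would admit frontend pods from every cluster in the mesh.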

Calico

  • Native Support: Limited (requires external solutions)
  • Approach: BGP-based federation
  • Features: Cross-cluster routing (with configuration)
  • Performance: Good

Antrea

  • Native Support: No
  • Approach: External solutions (Submariner, etc.)
  • Features: None
  • Performance: N/A

AWS VPC CNI

  • Native Support: No
  • Approach: VPC peering, Transit Gateway
  • Features: AWS networking primitives
  • Performance: Good (AWS-native)

Flannel

  • Native Support: No
  • Approach: External solutions
  • Features: None
  • Performance: N/A

Weave Net

  • Native Support: Limited (Weave Net multi-cluster)
  • Approach: Weave Net mesh
  • Features: Basic multi-cluster connectivity
  • Performance: Fair

Advanced Features

Cilium

  • Gateway API: Full Gateway API support
  • eBPF: Native eBPF capabilities
  • L7 Policies: HTTP/gRPC/DNS-aware policies
  • Features: Gateway API, eBPF programs, L7 policies, identity-based networking

Calico

  • Gateway API: Limited support
  • BGP: Native BGP support
  • IPAM: Advanced IPAM features
  • Features: BGP, IPAM, policy tiers, global policies

Antrea

  • Gateway API: Limited support
  • OVS: OVS-based features
  • IPAM: OVS IPAM
  • Features: OVS features, applied-to policies, cluster-wide policies

AWS VPC CNI

  • Gateway API: Limited support
  • AWS Integration: Native AWS features
  • IPAM: VPC IPAM
  • Features: Security groups, VPC integration, automatic subnet discovery

Flannel

  • Gateway API: No
  • Simple: Minimal features
  • IPAM: Basic IPAM
  • Features: Basic connectivity only

Weave Net

  • Gateway API: No
  • Encryption: Automatic encryption
  • IPAM: Weave IPAM
  • Features: Automatic encryption, network policies

Feature Comparison Matrix

Feature          Cilium        Calico        Antrea        AWS VPC CNI   Flannel       Weave Net
NetworkPolicy    Excellent     Excellent     Excellent     Limited       None          Good
L7 Policies      Yes           No            No            No            No            No
Service Mesh     Native        Integration   Integration   Integration   Integration   Integration
Observability    Hubble        External      Grafana       CloudWatch    None          Weave Scope
L7 Visibility    Yes           No            No            No            No            No
Encryption       Yes           Enterprise    Yes           VPC-level     No            Yes
Multi-Cluster    Cluster Mesh  Limited       No            AWS-native    No            Limited
Gateway API      Full          Limited       Limited       Limited       No            No
eBPF             Native        Optional      No            No            No            No
BGP              Yes           Yes           No            No            No            No
Security Groups  No            No            No            Yes           No            No

Use Case Recommendations

Choose Cilium if:

  • You need L7 network policies
  • You want native service mesh (no sidecars)
  • You need comprehensive observability (Hubble)
  • You want multi-cluster networking (Cluster Mesh)
  • You need Gateway API support
  • You want the most feature-rich CNI

Choose Calico if:

  • You need BGP integration
  • You want tiered network policies
  • You need IPAM features
  • You want good network policy support
  • You prefer iptables or eBPF options

Choose Antrea if:

  • You’re using VMware infrastructure
  • You want OVS-based features
  • You need cluster-wide policies
  • You want good network policy support
  • You prefer OVS architecture

Choose AWS VPC CNI if:

  • You’re running EKS exclusively
  • You need pod security groups
  • You want native AWS integration
  • You prefer AWS-native features
  • You’re in AWS-only environments

Choose Flannel if:

  • You want the simplest CNI
  • You don’t need network policies
  • You’ll use external policy engines
  • Simplicity is the priority
  • Basic connectivity is sufficient

Choose Weave Net if:

  • You want automatic encryption
  • You need basic network policies
  • You want simple setup
  • You prefer Weave Net features
  • Basic features are sufficient

Decision Framework

If Network Policies are Critical:

  1. Cilium - Best L7 policy support
  2. Calico - Excellent L3/L4 policies
  3. Antrea - Good policy support

If Service Mesh is Required:

  1. Cilium - Native mesh (no sidecars)
  2. Others - Sidecar mesh integration

If Observability is Important:

  1. Cilium - Hubble with L7 visibility
  2. Antrea - Grafana dashboards
  3. Calico - External tool integration

If Multi-Cluster is Needed:

  1. Cilium - Cluster Mesh
  2. AWS VPC CNI - AWS-native (AWS only)
  3. Others - External solutions

If Simplicity is Priority:

  1. Flannel - Simplest
  2. Weave Net - Simple with encryption
  3. AWS VPC CNI - Simple in AWS

Summary

Feature capabilities vary significantly across CNI plugins. Cilium offers the most comprehensive feature set with L7 policies, native service mesh, Hubble observability, and multi-cluster support. Calico provides excellent network policy support with BGP and IPAM features. Antrea offers good policy support with OVS features. AWS VPC CNI excels in AWS-native features like security groups. Flannel prioritizes simplicity with minimal features. Weave Net provides basic features with automatic encryption.

The choice depends on your feature requirements: for the most comprehensive feature set, Cilium is unmatched. For AWS-only environments, VPC CNI provides excellent AWS integration. For balanced features and simplicity, Calico or Antrea are solid choices. For simplicity-first deployments, Flannel remains viable.