
Get Started with Cilium as a Load Balancer for On-Premises Kubernetes Clusters

Organizations deploying Kubernetes in on-premises data centers or hybrid cloud environments often face challenges with exposing services externally. Unlike public cloud providers that offer managed load balancers out of the box, bare metal environments require custom solutions. This is where Cilium steps in as a powerful alternative, offering native load balancing capabilities using BGP (Border Gateway Protocol).

Cilium is more than just a CNI plugin. It enables advanced networking features, such as observability, security, and load balancing—all integrated deeply with the Kubernetes networking model. Specifically, Cilium can advertise Kubernetes LoadBalancer service IPs to external routers using BGP, making these services reachable directly from external networks without needing to rely on cloud-native load balancers or manual proxy setups. This is ideal for enterprises running bare metal Kubernetes clusters, air-gapped environments, or hybrid cloud setups.

Want to dive deeper? Check out our introductory blog on Cilium’s Kubernetes load balancing capabilities. Navigate to the detailed step-by-step instructions for additional information.


Steps to Get Started

When configured with BGP, Cilium dynamically communicates with upstream BGP-capable routers (such as FRR or physical data center routers). It advertises the IP addresses allocated to Kubernetes LoadBalancer services, allowing external traffic to route directly to nodes within the cluster.

To keep this getting started guide simple, we will deploy the FRR router into our cluster and assume that no external BGP router is available.

Using the Rafay Console, platform and infrastructure teams can automate this process with precision and repeatability. The workflow looks like the following:

  1. Installing Cilium as a CNI plugin with BGP support enabled.
  2. Creating BGP Peering policies to link Cilium with the upstream BGP routers.
  3. Defining IP pools that represent the range of external IPs available for allocation to LoadBalancer services.
  4. Customizing cluster-specific overrides to align IP address ranges with data center network topology.
  5. Applying everything via Rafay Cluster Blueprints to standardize and automate the deployment across environments.

Each step is manageable through the Rafay Console and can be fully automated end to end using the supported automation options.
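
For orientation, here are steps 2 and 3 expressed as raw Cilium resources, together with a Service of the kind used for validation. This is an added example, not taken from Rafay's instructions or blueprints. It assumes Cilium's BGP control plane is enabled (Helm value `bgpControlPlane.enabled=true`) and the `cilium.io/v2alpha1` `CiliumBGPPeeringPolicy` API; every name, label, ASN and address in it is a placeholder.

```yaml
# Added example: raw Cilium resources for steps 2 and 3. All names, labels,
# ASNs and addresses are assumed placeholders (private ASNs, RFC 5737 ranges).
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeeringPolicy
metadata:
  name: frr-peering                     # assumed name
spec:
  nodeSelector:                         # only nodes with this label open BGP sessions
    matchLabels:
      bgp-policy: frr                   # assumed node label
  virtualRouters:
    - localASN: 64512                   # assumed private ASN for the cluster
      exportPodCIDR: false              # advertise service IPs only, not pod CIDRs
      serviceSelector:                  # only matching LoadBalancer services are advertised
        matchLabels:
          advertise: bgp                # assumed service label
      neighbors:
        - peerAddress: 198.51.100.1/32  # assumed FRR address, written as a /32
          peerASN: 64513                # assumed private ASN for FRR
---
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: lb-pool                         # assumed name
spec:
  blocks:                               # this field is named `cidrs` before Cilium 1.15
    - cidr: 192.0.2.0/27                # assumed range; must be routable via the BGP peer
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    advertise: bgp                      # matches the serviceSelector above
spec:
  type: LoadBalancer                    # gets its external IP from lb-pool
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 80
```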


Practical Validation

Once the cluster blueprint is applied to the cluster, validating the setup is straightforward.

We will deploy a simple NGINX deployment with a LoadBalancer service. This will allow users to validate that external IPs are allocated from the configured pool, advertised via BGP, and reachable from outside the cluster. This setup will confirm that the service is not just live inside the Kubernetes network, but also truly accessible to users and applications outside the environment.

Navigate to the detailed step-by-step instructions for additional information.


Conclusion

By enabling BGP support for service IP advertisement, Cilium transforms how Kubernetes clusters can expose services in non-cloud environments. Combined with automation enabled by the Rafay platform, the process becomes streamlined, repeatable, and scalable across a fleet of clusters.

Cilium as a Load Balancer is a robust solution for modern enterprises looking to bridge the gap between cloud-native networking and traditional data center infrastructure. This method dramatically reduces operational overhead, eliminates the need for external load balancers, and offers more deterministic networking—a significant benefit for regulated or latency-sensitive workloads.