9 posts in category networking

Diagram: sidecar traffic flow in a Linkerd service mesh

Istio vs. Linkerd: Service Mesh on Kubernetes

Comparing Istio 1.29 (sidecar mode) and Linkerd 2.19: data plane, mTLS, egress, resource overhead, observability, and when to use each.

Istio vs. Linkerd: Service Mesh on Kubernetes
Diagram: traffic flow through Istio Ambient's ztunnel data plane

Istio vs. Envoy Gateway: Gateway API on Kubernetes

Comparing Istio and Envoy Gateway as Gateway API implementations: mTLS, egress, Cilium, managed cloud specifics (AKS, GKE, OVH MKS), and real client IP.

Istio vs. Envoy Gateway: Gateway API on Kubernetes
Architecture diagram: Envoy Gateway global rate limiting with a custom ratelimit service

Envoy Gateway v1.7: Global Rate Limiting with a Custom ratelimit Service

How to wire envoyproxy/ratelimit as a self-hosted service into Envoy Gateway v1.7 using EnvoyPatchPolicy — three xDS patches, namespace-admin self-service, and the pitfalls to avoid.

Envoy Gateway v1.7: Global Rate Limiting with a Custom ratelimit Service
Diagram: deployment topology of a GCRA rate limiter built with haproxy-spoe-rs

haproxy-spoe-rs: Deployment

Deploying the haproxy-spoe-rs SPOA agent in production — container image, podman-compose, Kubernetes, HAProxy configuration, health checking, logging, and systemd.

haproxy-spoe-rs: Deployment
Diagram: request flow between HAProxy and a Rust SPOA agent

haproxy-spoe-rs: A Rust SPOA Agent Library for HAProxy

Building a HAProxy Stream Processing Offload Agent (SPOA) library in Rust — zero-dependency async design, mpsc write batching, 95.9% test coverage, and 2.8–4.9× higher throughput than the Go reference implementation.

haproxy-spoe-rs: A Rust SPOA Agent Library for HAProxy
Diagram: DNS resolution flow using pdns_recursor as a root-independent validating resolver

Running pdns_recursor as a root-independent validating resolver

How to configure PowerDNS Recursor 5.4 to resolve directly against TLD name servers without depending on the root name servers at runtime, using a local root.zone file loaded via zonetocaches — including DNSSEC validation, trust anchor setup, and the race condition that prevents it from working without a hint file.

Running pdns_recursor as a root-independent validating resolver
Diagram: DNS resolution flow from the root zone using Hickory DNS as a validating recursor

Running a validating DNS recursor from the root zone with Hickory DNS

How to run Hickory DNS as a full recursive resolver starting from the root zone, with DNSSEC validation, TLS-encrypted upstream connections, Happy Eyeballs, and Prometheus metrics — including all configuration options added in the recurser-from-root-zone branch.

Running a validating DNS recursor from the root zone with Hickory DNS
Sequence diagram: tls-proxy-tunnel relaying an HTTP CONNECT through an upstream proxy to open a tunnel, after which the client completes a TLS handshake directly with the destination server

tls-proxy-tunnel: Transparent TLS Tunnelling Through Corporate HTTP Proxies

How tls-proxy-tunnel (tpt) uses SNI peeking to tunnel TLS connections through corporate HTTP CONNECT proxies without ever terminating TLS — layer 4, zero config on the client side.

tls-proxy-tunnel: Transparent TLS Tunnelling Through Corporate HTTP Proxies
Diagram: HAProxy routing TCP connections from client devices based on TLS SNI to different backends, rejecting non-TLS connections

How does SNI Routing work in HAProxy

Learn how HAProxy container uses TLS Server Name Indication (SNI) to route encrypted TCP connections without decrypting them — enabling multiple services like Nextcloud and XMPP to share port 443.

How does SNI Routing work in HAProxy