At Cisco Live EMEA in Amsterdam, we announced exciting innovations to the Cisco Observability Platform that enable our customers to reduce tool sprawl, break down silos between teams, minimize time to resolution, and ultimately focus on what matters to their business. For a complete overview of the announcements, please read the press release Cisco Unveils New Innovations on the Cisco Observability Platform.

In this blog, we’ll focus on eBPF, the foundational technology Cisco uses to enhance Kubernetes observability within Cisco Cloud Observability. We will also touch briefly on how we will apply eBPF to address our customers’ challenges, with a follow-up blog coming later in the month as a deeper dive.

eBPF: The technology behind the magic

The roots of eBPF, or extended Berkeley Packet Filter, can be traced back to 1993 with the inception of the BSD Packet Filter, which enabled the use of programmatic instructions for accepting or rejecting network packets. This concept of running instructions dynamically within the kernel at runtime is what everything since has been built on. The community has taken that initial packet filtering use case to where we are today, with eBPF being used to implement security, observability, and networking use cases directly within the Linux kernel. Traditionally, the high stability and security requirements of the Linux kernel have been a source of friction when trying to add capabilities at the same pace as the adoption of cloud technology and modern application architectures. Anything going into the Linux kernel must be performant but, most importantly, highly secure so that it does not compromise the data. eBPF addresses this problem by allowing developers to add capabilities to the Linux kernel at runtime without changing kernel source code or loading kernel modules, and the eBPF verifier (built into the kernel) checks every eBPF program before it is loaded so that it cannot hog the machine and does not expose the kernel to exploitation.

eBPF-based tools are a breakthrough for observability: they can see potentially everything that is running on the machine at the granularity of individual system calls. Tools can now know what is going on in an application without actually instrumenting it, and they become more efficient and safer at the same time.

Even if you’re not using it directly, or had not heard of it until today, you have first-hand experience of the benefits of eBPF. Since its inception almost ten years ago, hyperscalers and some tech-savvy organizations have used eBPF to make changes to their Linux environments that optimize data traffic and enable fast, reliable access for users. Today, cloud providers and other technology vendors use eBPF as a primary underlying technology to address a broad range of use cases.

Simplifying and enhancing performance monitoring for Kubernetes workloads with eBPF

Kubernetes workloads rely on a cluster of infrastructure nodes connected to form an overlay network, making seamless communication between services vital to the workload’s overall health, performance, and security. The dynamic nature of Kubernetes enables workloads to be scaled up and down within seconds because its architecture decouples applications from infrastructure (via pods). This ephemeral nature of pods makes it challenging to detect, track, and correlate performance issues across the stack; without the right technology to diagnose and mitigate problems, the result can be application downtime or a degraded user experience.

eBPF presents a powerful solution to simplify and enhance observing Kubernetes workloads. Operating directly within the Linux kernel, it can deliver a holistic view of the system, including network traffic, system calls, and hardware events. It enables technology teams to understand the complex interactions between different services, pods, and containers that traditional monitoring tools cannot.

With eBPF, technology teams gain:

  • High-resolution visibility of how their applications interact with the system, including real-time analysis of network packets, system calls, and other events, providing a granular view of network activity and overall application behavior.
  • Dynamic tracing capabilities to effectively track and monitor network communications in real-time and adapt to the ephemeral nature of Kubernetes workloads as pods scale up or down.
  • Enhanced security through visibility into all system and network-related calls, helping to detect abnormal behavior or potential security threats; eBPF can also enforce network policies at the kernel level, enhancing the security of network communications.

eBPF in Cisco Cloud Observability

Today, we announced enhanced Kubernetes observability using eBPF. Built on the Cisco Observability Platform and available with Cisco Cloud Observability, its initial focus is to provide network traffic monitoring for applications deployed in Kubernetes environments.

As enterprises scale their digital business, their release cycles continue to quicken. To match this pace and meet their SLAs, cross-functional ops teams employ multiple practices and tools, which results in tool sprawl and siloed teams; the means of coping with scale thus becomes one of its ugliest bottlenecks. One of the most common symptoms of this problem is that application teams often complain about limited visibility into network performance, which results in longer MTTRs and unnecessary toil. Cisco eBPF-based Kubernetes network monitoring breaks down silos and reduces tool sprawl by presenting network performance KPIs in the K8s context understood by DevOps teams. It provides application and infrastructure teams with visibility into the topology of application dependencies and the impact of network performance on cross-dependency communication, without the complexity of multiple tools, cross-team friction, and manual dependency mapping.

Cloud-Native Application Observability: Workloads

Initial use cases

  • Kubernetes-aware network traffic monitoring tracks network KPIs for communications across dependencies in a K8s cluster (packet loss, RTT latency, bytes transferred, connection throughput). It highlights any network bottlenecks in the cluster, including how they affect the applications deployed there. These metrics are aggregated into incoming and outgoing metrics per workload by combining the metrics from all the links going into and out of that workload.
  • Zero-instrumentation application dependency mapping auto-discovers workload-to-workload dependencies, workload-to-cloud-service dependencies (Database, Object Store, Load Balancer), and workload-to-third-party SaaS endpoint dependencies, along with the network traffic KPIs for those communications, within the first 5 – 10 minutes of network collector installation, without the need for APM instrumentation or manual path discovery.
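To make the two use cases above concrete, here is an added example (not Cisco's code, and not the collector's real export format) of the user-space side of the pipeline: it takes per-link records of the kind an eBPF network collector could emit once socket endpoints have been resolved to Kubernetes workloads, rolls the KPIs up into incoming and outgoing totals per workload, derives the workload-to-workload, cloud-service and SaaS dependency map, and flags links whose loss or RTT exceed a threshold. The `LinkRecord` schema, the `shop/*` workloads, the endpoint names and all the numbers are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkRecord:
    """One observed link between a source workload and a destination.

    Hypothetical schema: an eBPF collector would build these from socket
    events and resolve addresses to Kubernetes workloads. Not Cisco's format.
    """
    src: str           # source workload as "namespace/name"
    dst: str           # destination workload or external endpoint
    dst_kind: str      # "workload", "cloud-service" or "saas"
    bytes_sent: int    # bytes transferred src -> dst in the interval
    rtt_ms: float      # mean round-trip time observed on the link
    packets: int       # packets sent on the link
    packets_lost: int  # retransmitted/lost packets on the link


# Constructed sample data for one collection interval.
SAMPLE_LINKS = [
    LinkRecord("shop/frontend", "shop/cart", "workload", 120_000, 1.2, 800, 0),
    LinkRecord("shop/frontend", "shop/catalog", "workload", 340_000, 1.5, 2000, 5),
    LinkRecord("shop/cart", "shop/redis", "workload", 90_000, 0.4, 1500, 0),
    LinkRecord("shop/catalog", "db.example.internal:5432", "cloud-service", 510_000, 9.8, 3000, 150),
    LinkRecord("shop/frontend", "api.payments.example:443", "saas", 20_000, 45.0, 300, 2),
]


def _new_bucket():
    return {"bytes": 0, "packets": 0, "packets_lost": 0, "rtt_weighted": 0.0}


def _accumulate(bucket, link):
    bucket["bytes"] += link.bytes_sent
    bucket["packets"] += link.packets
    bucket["packets_lost"] += link.packets_lost
    # RTT is weighted by packets so busy links count more than idle ones.
    bucket["rtt_weighted"] += link.rtt_ms * link.packets


def _finalize(bucket):
    packets = bucket["packets"]
    return {
        "bytes": bucket["bytes"],
        "packets": packets,
        "loss_pct": round(100.0 * bucket["packets_lost"] / packets, 2) if packets else 0.0,
        "rtt_ms": round(bucket["rtt_weighted"] / packets, 2) if packets else 0.0,
    }


def aggregate_per_workload(links):
    """Roll link KPIs up into incoming and outgoing totals per workload."""
    totals = defaultdict(lambda: {"in": _new_bucket(), "out": _new_bucket()})
    for link in links:
        _accumulate(totals[link.src]["out"], link)
        if link.dst_kind == "workload":  # external endpoints are not workloads
            _accumulate(totals[link.dst]["in"], link)
    return {
        wl: {direction: _finalize(bucket) for direction, bucket in dirs.items()}
        for wl, dirs in totals.items()
    }


def dependency_map(links):
    """Group each workload's discovered dependencies by destination kind."""
    deps = defaultdict(lambda: defaultdict(set))
    for link in links:
        deps[link.src][link.dst_kind].add(link.dst)
    return {
        wl: {kind: sorted(dsts) for kind, dsts in kinds.items()}
        for wl, kinds in deps.items()
    }


def find_bottlenecks(links, max_loss_pct=1.0, max_rtt_ms=20.0):
    """Flag links whose packet loss or RTT exceed the given thresholds."""
    flagged = []
    for link in links:
        loss_pct = 100.0 * link.packets_lost / link.packets if link.packets else 0.0
        if loss_pct > max_loss_pct:
            flagged.append((link.src, link.dst, "loss_pct", round(loss_pct, 2)))
        if link.rtt_ms > max_rtt_ms:
            flagged.append((link.src, link.dst, "rtt_ms", link.rtt_ms))
    return flagged


if __name__ == "__main__":
    for wl, dirs in aggregate_per_workload(SAMPLE_LINKS).items():
        print(wl, dirs)
    print(dependency_map(SAMPLE_LINKS))
    print(find_bottlenecks(SAMPLE_LINKS))
```

Running the block as a script prints the per-workload rollup, the dependency map and the two flagged links (the catalog-to-database link for loss, the frontend-to-payments link for RTT). Cloud services and SaaS endpoints appear only as dependencies, never as workloads with incoming totals, which is the distinction the dependency-mapping bullet draws.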


eBPF’s cutting-edge technology will become integral to Cisco Full-Stack Observability’s strategy for delivering unprecedented visibility into Kubernetes workloads. By providing real-time insights, it simplifies monitoring while deepening understanding of system and application behavior. eBPF is particularly effective in Kubernetes’s dynamic and intricate environments, proving invaluable for optimizing performance and bolstering security. As a critical component of Cisco Full-Stack Observability, eBPF empowers developers to navigate the complexities of Kubernetes, ensuring seamless, efficient, and effective workload management. Thus, embracing eBPF is embracing the future of full-stack observability.

Learn More

For more information and to stay up to date on the latest in Cisco Cloud Observability, check out the AppDynamics Product Updates page and the resources below.


Akshit Grover

Product Manager

Cisco AppDynamics