Linux Foundation’s L3AF brings zero-downtime updates to eBPF network management

A challenge for enterprises that operate large-scale network infrastructure has long been how to maintain performance while updating critical systems. The Linux Foundation’s networking division (LF Networking) is helping to address that challenge with the L3AF project, which is based on eBPF (extended Berkeley Packet Filter) technology.

With the new L3AF 2.1.0 update, the technology is gaining a series of improvements, including enhanced observability features, application container improvements, and expanded network interface management functions.

“L3AF is an open-source project aimed at simplifying monitoring and control networks of large-scale cloud applications,” Ranny Haiby, CTO of networking, edge and access at the Linux Foundation, told Network World. “Some of the main use cases for L3AF are in traffic rate limiting, DDoS mitigation, traffic quality monitoring and network observability.”

Where L3AF brings more network utility to eBPF

L3AF enables deployment and chaining of eBPF programs. Haiby noted that the technology was initially developed to address the needs of hyperscale e-commerce applications of retailers. In fact, one of the most prominent publicly disclosed deployments of L3AF is at Walmart, the world’s largest retailer.

While retail was the initial target, today the technology has applicable use cases in any industry vertical imaginable. In 2025, eBPF is already integrated and supported on all modern cloud-native environments. The pervasiveness of eBPF support is what makes L3AF a good option for controlling eBPF programs in multi-cloud and multi-platform environments. 

Haiby explained that L3AF’s API-driven approach simplifies the deployment and scaling of network monitoring and control eBPF programs. “The 100% software-based approach of eBPF and L3AF eliminates the need for dedicated costly networking hardware devices that tend to become performance bottlenecks,” he said.

L3AF helps to solve traffic management and security concerns

Walmart has been using L3AF for holiday sales traffic management, which is a mission-critical task for the company.

A key part of traffic management in the modern era is also helping to protect against malicious traffic floods, including distributed denial-of-service (DDoS) attacks. Haiby noted that the L3AF platform provides full lifecycle management to defend against DDoS attacks. He explained that L3AF offers deep visibility into network infrastructure components that are usually hidden outside of the Linux kernel. It also enables complex functions to be performed directly in the traffic flow of Walmart’s retail and e-commerce platform.

“Before L3AF, security hardening and DDoS mitigation of large scale e-commerce sites required dedicated hardware devices, or reliance on mechanisms provided by the cloud platform, that were proprietary and different across clouds,” Haiby said. “Being based on the foundations of eBPF it is cloud platform agnostic, meaning the same security and observability solutions can run on any cloud.”

L3AF 2.1.0 gets more ‘graceful’

Among the updates in the L3AF 2.1.0 release is graceful restart functionality.

Haiby commented that one of the lessons learned from running L3AF in production environments is that during the lifecycle of the eBPF programs, there is a need to update and upgrade the control plane. That typically meant shutting down the l3afd daemon, which orchestrates and manages multiple eBPF programs, during the upgrades.

The latest release eliminates this limitation by ensuring a seamless transition, in which the new version of l3afd takes control of the eBPF programs before the existing instance of l3afd is shut down.

“During high-demand times, it is unacceptable to interrupt the availability and performance of the application, but it is sometimes crucial to update the control plane at that exact time, to ensure resilience and performance of the application,” Haiby said. “The new graceful restart functionality enables exactly that. It lets the operations staff change and update the control plane of the network while the eBPF programs continue to function at full capacity, uninterrupted.”

Expanding container support with L3AF 2.1

Another key update with the L3AF 2.1.0 release is expanded container support as well as availability on Docker Hub.

Haiby noted that Kubernetes and its containerized approach have become the de facto standard for running any workload in production. With Release 2.1, it has become easier than ever to integrate L3AF with containerized workloads running on Kubernetes.

The packaging of L3AF into a containerized application available on Docker Hub makes it possible to make L3AF a part of the CI/CD (continuous integration/continuous deployment) DevOps pipeline.

“DevOps professionals may consume the L3AF images from the Docker Hub repository and seamlessly integrate with the rest of their production software stack,” he said. “Future upgrades of the L3AF are simplified through the use of Docker Hub, ensuring that the latest and most secure versions can be instantly deployed.”

Getting deeper network observability with Kprobes

One of the key elements of successful network observability is the use of standard interfaces for probing and monitoring the flow of packets through the network. 

Haiby noted that it is crucial to have all the different elements of the network support identical interfaces, so that network observability applications can provide a true end-to-end picture of the state of the network and the applications depending on it. In support of that goal, L3AF 2.1.0 now has support for Kprobes and tracepoint hooks.

Kprobes (kernel probes) are a Linux kernel tracing capability that can be used to monitor events in the operating system. By adding support for the standard dynamic kprobes and tracepoint hooks out of the box, L3AF provides integration with existing observability systems, enriching them with data coming directly from the kernel eBPF programs, Haiby said.

Looking forward to future releases, there’s still more work to be done. There will be a continued focus on ease of consumption as well as scale. Focusing on the needs of real-world users is also a primary goal.

“The L3AF community continues expanding the functionality based on real-life deployments experience,” Haiby said. “As the adoption of L3AF grows beyond just e-commerce applications, new use cases emerge and with them the need for new features.”

Source: Network World