Cilium’s IP Address Management (IPAM) can dynamically assign external IP addresses to your LoadBalancer services, eliminating the need for pre-allocated static IPs and simplifying your cloud network setup.
Let’s see this in action. Imagine you have a Kubernetes cluster and you want to expose a service externally. With a standard LoadBalancer service, your cloud provider would typically provision an external IP for you. But what if you want more control or want to leverage Cilium’s features?
apiVersion: v1
kind: Service
metadata:
  name: my-app-service
  annotations:
    # This annotation tells Cilium to manage the external IP
    io.cilium.operator.external-ips: "true"
spec:
  selector:
    app: my-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  type: LoadBalancer
When you apply this Service manifest, Cilium’s operator, specifically its IPAM component, will intercept the creation request. Instead of relying solely on the cloud provider’s default LoadBalancer provisioning, Cilium will look for available IP addresses from its configured IP pools.
Here’s a breakdown of how Cilium’s IPAM works for LoadBalancer services:
The Problem Cilium Solves:
Traditionally, LoadBalancer type services in Kubernetes rely on cloud provider integrations to provision external IPs. This often means:
- Static Allocation: IPs are pre-allocated and might go unused if the service isn’t created.
- Limited Control: You have less visibility and control over which specific IP is assigned.
- Cost: Unused static IPs can incur costs.
- Portability: Migrating services between environments might require re-provisioning IPs.
Cilium’s IPAM aims to provide a more dynamic, efficient, and controlled way to manage these external IPs.
How Cilium IPAM Manages External IPs:
- Operator Watches for Services: The Cilium operator continuously watches for Service resources with type: LoadBalancer.
- Annotation Check: It specifically looks for the io.cilium.operator.external-ips: "true" annotation. This annotation signals that Cilium should manage the external IP for this service.
- IP Pool Allocation: Cilium’s IPAM controller has access to configured IP address pools. These pools can be defined in various ways, often through Cilium’s configuration (e.g., cilium ipam settings in the operator’s deployment). When a LoadBalancer service with the annotation is detected, Cilium picks an available IP from one of these pools.
- Service Status Update: Once an IP is allocated, Cilium updates the status.loadBalancer.ingress field of the Kubernetes Service object with the assigned external IP. This is the same field that cloud provider integrations normally populate.
- Cloud Provider Integration (Optional but Common): In cloud environments, Cilium often still interacts with the cloud provider’s LoadBalancer API. However, instead of asking the provider to allocate an IP, Cilium might instruct the provider to use an already-allocated IP from its pool and associate it with the cloud LoadBalancer resource. This allows Cilium to manage the IP lifecycle while still leveraging the cloud provider’s L4 load balancing infrastructure. For bare-metal or on-premises deployments, Cilium might directly configure L3/L4 routing or integrate with external LBs.
Key Configuration Levers:
The behavior of Cilium IPAM for LoadBalancer services is primarily controlled by the operator’s configuration. This is typically done via arguments passed to the cilium-operator Deployment.
- --cluster-pool-ipv4-cidr: This is a fundamental setting that defines the CIDR block(s) from which Cilium will allocate IPs for various purposes, including Pods and potentially external IPs if not explicitly managed by a cloud provider.
- --operator-ipam-pod-cidr: While this primarily relates to Pod IP allocation, understanding how Cilium manages its internal IP pools is crucial.
- --enable-ipv4 / --enable-ipv6: Ensures that the desired IP families are enabled for allocation.
When io.cilium.operator.external-ips: "true" is present, Cilium will attempt to allocate an IP from its available IP address space managed by IPAM. This IP space is typically derived from the CIDRs configured for the cluster.
A Deeper Dive into IP Allocation Strategy:
When Cilium assigns an external IP to a LoadBalancer service, it’s essentially drawing from the same IP address pools it uses for Pods, or from specifically designated pools for external IPs. The operator maintains a state of allocated IPs. If you have multiple LoadBalancer services annotated with io.cilium.operator.external-ips: "true", Cilium will assign a unique IP from its pool to each. This means you’re not consuming IPs from your cloud provider’s limited public IP range for each service; you’re using IPs managed by Cilium.
The crucial point is that the io.cilium.operator.external-ips: "true" annotation tells Cilium’s IPAM controller, "Hey, I need an external IP for this service, and I want you to give me one from your managed pool." Cilium then consults its internal state and available IP addresses to fulfill this request, updating the service status accordingly. The underlying mechanism for how that IP becomes accessible externally depends on your environment (cloud provider integration, BGP, etc.), but the IP assignment itself is handled by Cilium IPAM.
This dynamic assignment is key to efficient IP utilization and can significantly simplify the management of services exposed externally, especially in large or dynamic environments.
The next challenge you’ll likely encounter is managing the lifecycle of these dynamically assigned IPs, such as ensuring they are released when the service is deleted and preventing IP exhaustion.
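The following Python is an added illustration, not Cilium’s own code: it models the allocation behaviour described in the "Deeper Dive" section (one unique IP per annotated LoadBalancer Service, drawn from configured pool CIDRs, written into status.loadBalancer.ingress) together with the two lifecycle concerns raised in the closing paragraph, releasing the IP when the Service is deleted and failing clearly on pool exhaustion. The annotation key is the one used on this page; the pool CIDRs, Service names and the allocator class itself are constructed assumptions.

```python
"""Hypothetical model of a pool-based LoadBalancer IP allocator.

This is an illustration of the behaviour the text describes, not Cilium's
implementation: one unique IP per annotated Service, idempotent reconcile,
release on deletion, and an explicit error when every pool is exhausted.
"""
import ipaddress
from typing import Dict, List, Optional

# Annotation key used on the page to opt a Service into Cilium-managed IPs.
MANAGED_ANNOTATION = "io.cilium.operator.external-ips"


class PoolExhausted(Exception):
    """Raised when no free address remains in any configured pool."""


class LBIPAllocator:
    """Constructed allocator: pools are CIDR strings, state is in memory."""

    def __init__(self, pool_cidrs: List[str]) -> None:
        self.pools = [ipaddress.ip_network(c) for c in pool_cidrs]
        # "namespace/name" -> address currently held by that Service
        self.allocations: Dict[str, ipaddress._BaseAddress] = {}

    @staticmethod
    def wants_managed_ip(service: dict) -> bool:
        """Only type=LoadBalancer Services carrying the annotation qualify."""
        if service.get("spec", {}).get("type") != "LoadBalancer":
            return False
        annotations = service.get("metadata", {}).get("annotations", {})
        return annotations.get(MANAGED_ANNOTATION) == "true"

    def reconcile(self, service: dict) -> Optional[str]:
        """Assign an IP if needed and mirror it into the Service status.

        Returns the assigned IP as a string, or None when the Service is
        not managed. Re-running on the same Service keeps the same IP.
        """
        if not self.wants_managed_ip(service):
            return None
        meta = service["metadata"]
        key = f"{meta['namespace']}/{meta['name']}"
        if key in self.allocations:
            return str(self.allocations[key])
        in_use = set(self.allocations.values())
        for pool in self.pools:
            for addr in pool.hosts():          # skips network/broadcast
                if addr not in in_use:
                    self.allocations[key] = addr
                    # Same field a cloud-provider integration would populate.
                    service.setdefault("status", {})["loadBalancer"] = {
                        "ingress": [{"ip": str(addr)}]
                    }
                    return str(addr)
        raise PoolExhausted(
            f"no free IP for {key} in {[str(p) for p in self.pools]}"
        )

    def release(self, namespace: str, name: str) -> Optional[str]:
        """Free the IP held by a deleted Service; returns it, or None."""
        addr = self.allocations.pop(f"{namespace}/{name}", None)
        return str(addr) if addr is not None else None

    def free_count(self) -> int:
        """Usable addresses across all pools minus current allocations."""
        total = sum(1 for p in self.pools for _ in p.hosts())
        return total - len(self.allocations)


def make_service(name: str, annotated: bool = True, namespace: str = "default") -> dict:
    """Build a constructed Service object in the shape of the page's manifest."""
    annotations = {MANAGED_ANNOTATION: "true"} if annotated else {}
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "namespace": namespace, "annotations": annotations},
        "spec": {"type": "LoadBalancer", "selector": {"app": name},
                 "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080}]},
    }


if __name__ == "__main__":
    # Constructed pool with two usable hosts (192.0.2.1 and 192.0.2.2).
    alloc = LBIPAllocator(["192.0.2.0/30"])
    for svc_name in ("web", "api"):
        print(svc_name, "->", alloc.reconcile(make_service(svc_name)))
    print("free:", alloc.free_count())
    try:
        alloc.reconcile(make_service("batch"))
    except PoolExhausted as exc:
        print("exhausted:", exc)
    print("released:", alloc.release("default", "web"))
    print("batch ->", alloc.reconcile(make_service("batch")))
```

The deliberately tiny /30 pool makes the exhaustion path visible on the third Service; a monitoring check in a real cluster would compare the equivalent of free_count() against the rate at which annotated Services are created, and the release step is what keeps a churned Service from leaking its address.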