Investing in Isovalent

I am very excited to announce our partnership with Isovalent in their journey to redefine networking and security. Isovalent is the driving force behind both eBPF and Cilium, projects in Linux that provide a software networking layer for modern cloud architectures. Cilium has rapidly become a leading technology in the Kubernetes ecosystem, providing the network data plane for the Google Kubernetes Engine (GKE), and gaining adoption among other leading cloud native end users, including Adobe, DataDog, GitLab, and DigitalOcean. 

So what is all the fuss about? Let me explain. 

For decades, networks have been defined in terms of the individual endpoints they connect. With workloads running on physical machines, we wired physical switches, load-balancers, and firewalls, and defined connectivity in terms of the IP addresses assigned to each machine. When we shifted to connecting virtual machines (VMs), we created virtual switches, virtual load-balancers, and virtual firewalls, but again thought of connectivity in terms of individual VM endpoints. 

In modern systems we rarely think about connecting machines and wires, or virtual machines, or even containers, really. Instead, we’re concerned with connecting microservices, cloud services, APIs, and the higher level protocols and systems used to connect them. The past was IP addresses, ports, vNICs and VLANs. Now, it is service identity, gRPC, Kafka, distributed data stores, remote APIs, etc. 

Kubernetes has emerged as the cloud’s operating system, stitching together nodes (the majority of them Linux) and enabling microservices. But Kubernetes breaks a lot of the old school networking and security tooling that assumed an immutable physical server. And so, simply, we need a new networking and security layer that provides cloud native visibility, security, and control of these high level abstractions in a way that is secure, seamless to deploy, and does not compromise application performance. That new layer is Cilium. 

Cilium is built around eBPF and runs within the Linux kernel, making it seamless to deploy and highly performant. Linux is the operating system for many of the nodes underlying Kubernetes. And wherever there’s Linux, security comes down to a kernel being asked to do something. Until recently, that kernel, while powerful, was relatively unintelligent, with layers of complexity built on top.

With eBPF, it’s possible to write a program and embed it directly into the kernel. A common analogy: eBPF brings to the Linux kernel what JavaScript brought to the browser. With eBPF, you can see and control what is happening at the API level, showing the remote API calls being invoked and the data that they are being passed. Cilium + eBPF is far more than API-aware visibility; it’s a fundamentally more powerful way to do networking in cloud environments, from traditional configurations on up, that allows for more robust program tracing, observability, and monitoring. But it’s hard to provide a full technical overview of something as foundational as eBPF and Cilium in a blog post such as this, so rather than attempt to do that, I strongly recommend you watch this video from Isovalent Cofounder Thomas Graf.

Building something like Cilium, and an enterprise offering around it, is no small feat. There are few teams in the industry who have the right combined background of low-level networking, Linux kernel internals, large distributed systems, and open source community building to pull it off. We believe that the team at Isovalent is hands down the most equipped for the job, not just because of their work creating eBPF and Cilium, but because they have decades of experience in the foundational technologies that led up to it.

Dan Wendlandt along with Thomas, the cofounders of Isovalent, are two of the most respected talents in the software defined networking space. Thomas, the CTO, is one of the leading engineers and architects of networking in Linux in the world. He’s also the original creator of Cilium, and along with Isovalent’s Daniel Borkmann, was foundational in turning eBPF into an industry-wide movement.

I first met Dan, the CEO, when we were both at Stanford. At the time I was TA’ing an undergraduate networking course and he was the top student in the class. Dan joined me in the very earliest days at Nicira, where we built out a software networking layer for virtualized data centers, which became a multi-billion dollar product line within VMware. 

Dan, Thomas, and I have been working in this space for over a decade and we’ve always shared as our north star a belief that networking and security must be decoupled from low-level abstractions, like IPs and ports, and instead operate at a higher layer that aligns with how developers, DevOps, and SecOps teams already think about their applications. Until just recently, the supporting technologies simply didn’t exist for such a solution. But that all changed with Kubernetes and eBPF. 

With Isovalent, Dan and Thomas have put together the best team in the industry to develop the best networking and security technologies for Kubernetes. We strongly believe they are well on their way to upending networking yet again. 


