Try reloading the player or open this episode directly on YouTube.
This episode of Ship It Weekly discusses the evolution of networking and ingress in cloud platforms, covering AWS Interconnect's GA, Cloudflare Mesh, GitLab 19.0 breaking changes, EKS Auto Mode, and OpenTelemetry's stable config.
Now Playing
AWS Interconnect GA, Cloudflare Mesh, GitLab 19, EKS Auto Mode, and OpenTelemetry Config
Ship It Weekly
0:0015:00
Chapters
Jump to a section in this episode.
Speed & share
Transcript
A lot of infrastructure work gets easier right
around the moment it gets more opinionated. Private
connectivity becomes a product. Cluster networking
becomes a managed default. Ingress migrations
stop being optional. Observability config starts
acting like a real standard. And the old we'll
patch that next sprint stuff still shows up in
the lightning round waiting to ruin somebody's
week. That's the theme this week. The platform
layer keeps absorbing work teams used to hand
roll, babysit, or quietly postpone. Sometimes
that is great. Sometimes it is the platform telling
you that your old defaults are running out of
runway. Hey, I'm Brian Teller. I work in DevOps
and SRE, and I run Teller's Tech. This is Ship
It Weekly, where I filter the noise and focus
on what actually changes how we run infrastructure
and own reliability. Show notes and links are
on shipitweekly .fm. If the show's been useful,
follow it wherever you listen. Ratings help way
more than they should. And if you want more signal
between episodes, check out oncallbrief .com.
The latest brief this week was heavy on breaking
changes, security patches, and platform releases,
and that definitely shaped this episode. We have
five main stories today, then the lightning round,
and we'll wrap with the human closer. we're starting
with aws interconnect going generally available
because this is a pretty clean signal that aws
wants private connectivity to feel a lot more
like a managed cloud primitive and a lot less
like a telecom product then cloudflare mesh which
feels like the private network for humans services
and agents version of the same broader trend
after that gitlab 19 .0 because the move away
from bundled nginx ingress and bundled data services
is exactly the kind of breaking change platform
teams actually have to plan around. And that
one came straight out of this week's on -call
brief. Then we've got EKS auto mode networking
and what it means when AWS owns more of the cluster
networking path for you. And finally, OpenTelemetry
declarative config reaching stability, which
is quieter than the others, but honestly kind
of foundational. Story one. AWS interconnect
is cloud networking getting productized harder.
Let's start there. AWS interconnect is now generally
available and the core pitch is pretty straightforward.
AWS is offering managed network connectivity
in two directions, multi -cloud connectivity
between AWS and other cloud providers and last
mile connectivity between AWS and your on -prem
or enterprise sites. AWS says that the service
is turnkey. private and designed to remove the
usual infrastructure complexity from the customer
side. The part that stood out to me is not just
the feature list. It's the framing. This is AWS
taking something that traditionally felt like
network engineering plus vendor coordination
plus waiting and trying to turn it into a cloud
service with a cleaner control surface. Multicloud
starts with Google Cloud. Azure is coming later
this year and the traffic stays on private backbones
instead of bouncing over the public internet.
The last mile option launches in the US with
Lumen. That matters because private connectivity
has always been one of those areas where cloud
teams and networking teams can end up speaking
slightly different languages while the delivery
timeline drags on forever. So when AWS starts
saying, we'll manage more of this path for you,
that is not just a product launch. That is a
platform boundary shifting. And I think the practical
takeaway is pretty simple. If you run multi -cloud,
hybrid, branch -heavy, or edgish environments,
this is the kind of thing worth paying attention
to early. Not because you need to adopt it tomorrow,
but because it changes the default expectation
of how painful private connectivity is supposed
to be. Story 2. Cloudflare Mesh is basically
saying private networking should include agents
now. Next up, Cloudflare Mesh. Cloudflare launched
Mesh as a private networking layer for users,
nodes, agents, and workers. Their pitch is that
the client on private networks are no longer
just humans and services. Now they're also autonomous
agents that need scoped access to internal APIs,
databases, and other private systems without
exposing those systems to the public internet.
And honestly, I think that framing lands. Because
this is one of the first times I've seen a big
networking security vendor say out loud that
agent traffic is not just a cute add -on to existing
access models. Cloudflare is treating it as a
first -class access pattern. Mesh plugs into
Cloudflare 1, applies existing gateway, access
and posture policies and ties into workers vpcs
so workers durable objects and agent workloads
can reach private infrastructure directly the
interesting part is that this is not being sold
like a traditional vpn replacement story it is
more like your private network should already
know how to deal with services laptops remote
servers and agent style workloads on the same
fabric Cloudflare also says Mesh is many too
many private networking over its global network,
not a collection of one -off tunnels glued together.
So the bigger read for me is this. Networking
vendors are starting to assume the future client
is sometimes a human, sometimes a workload, and
sometimes an agent acting semi -autonomously.
If that assumption keeps spreading, private access
tooling is going to look a lot more like policy
-driven platform plumbing and a lot less like
old -school remote access. Story three, GitLab
19 .0 is what real platform migration pressure
looks like. Now to GitLab. This week's on -call
brief highlighted GitLab 19 .0, and I think it
is a really good platform story because it is
not flashy at all. It is just the kind of change
that forces actual planning. GitLab says 19 .0
includes 15 breaking changes. And one of the
big ones for self -managed Helm users is that
bundled Nginx ingress is being replaced by Gateway
API with Envoy Gateway as the default. GitLab
says Nginx ingress hit end of life in March 2026,
though it can still be explicitly re -enabled
until removal in 20 .0. That alone is enough
to matter. But then there is the second punch.
GitLab is also removing bundled PostgreSQL, Redis,
and MinIO from the Helm chart and operator path,
with no replacement, citing licensing, maintenance,
and image availability issues. This is the exact
kind of story that feels just operational until
you are the team that has to sequence the migration.
Because these are not cosmetic defaults. These
are parts of the install path that people absolutely
built around, especially in test, POC, or smaller
self -managed setup. And now the platform is
basically saying that convenience path was temporary.
So the takeaway here is not just GitLab changed
some things. It is that platform teams need to
notice when a project's default architecture
starts growing up past its old bundled assumptions.
Gateway API is not just a new thing to learn.
For some teams, it is now the road forward whether
they wanted a migration project or not. Story
four, EKS Auto Mode networking. Is AWS trying
to make cluster networking feel less handmade?
Next up, EKS Auto Mode. AWS published a good
breakdown this week of how EKS Auto Mode handles
networking. And the story is really about ownership.
Auto Mode sets up the VPC CNI for you. manages
DNS as a core component, supports node level
DNS caching, and lets you request ALBs and NLBs
through native Kubernetes resources without a
separate load balancer controller. AWS also says
it handles CNI lifecycle management as part of
the cluster maintenance. That is a pretty meaningful
bundle of responsibility. Because cluster networking
is one of those areas where teams can spend years
carrying around a bunch of, well, this is just
how our cluster works, setup that is really a
mix of controllers, tuning, upgrades, and networking
assumptions nobody wants to touch during business
hours. What AWS is doing here is making a stronger
argument that for a lot of teams, that should
stop being custom glue. Pods get VPC IPs directly.
Traffic follows normal VPC route tables. You
use AWS native networking services and tools
you already know. And AWS is taking more responsibility
for keeping the CNI path current and sane. Now,
that trade is not going to be for everybody.
Some teams want the flexibility. Some teams need
the knobs. Some teams have enough scar tissue
to be suspicious anytime a managed mode says
trust us. Fair. But for a lot of orgs, the real
risk is not lack of knobs. It is the pile of
half -owned networking glue they already have.
Story 5. OpenTelemetry declarative config getting
stable is boring in the best way. Last main story.
OpenTelemetry announced that key portions of
its declarative configuration spec are now stable.
That includes the JSON schema, YAML file representation,
in -memory model, parsing and creation operations,
and the OTEL config file environment variable
used to point SDKs at a config file. The blog
also says implementations are currently available
in C++, Go, Java, JavaScript, and PHP, with .NET
and Python underway. I really like this one because
observability configuration has had a lot of
it depends energy for a long time. environment
variables everywhere slightly different mental
models across languages lots of power not always
a lot of consistency so when open telemetry says
the declarative config model is stable and should
increasingly be treated as a first -class ux
surface that is real platform maturity they even
say the future process should be declarative
configuration first and that older environment
variable patterns that do not interoperate well
may get deprecated over time that does not make
for a flashy headline But it does make life better
for platform teams that want more consistency
across languages and services without every team
inventing its own telemetry setup philosophy.
And honestly, that is a very DevOps story. Not
exciting in the launch demo sense, but very exciting
in the maybe we stop relearning config drift
in five languages sense. A few quick ones before
we wrap. Container D pushed security releases
across supported branches, including 1 .7 .31,
2 .0 .8, 2 .1 .7, and 2 .2 .3 to address CVE
-2026 -35469. The release notes describe it as
a SPDY stream issue and call out hardening around
sanitization errors before returning them over
gRPC to prevent possible credential leaks in
pod events. patch this one github also launched
code security risk assessment for organizations
github says org admins and security managers
can run a free assessment to review code vulnerabilities
across their org and the docs say it scans up
to 20 repositories and reports severity and autofix
eligible findings that is a pretty decent quick
win tool if you want a fast read on exposure
without building a whole campaign around it And
AWS published guidance on secure AI agent access
patterns using MCP. Their framing is that IAM
has to become the authorization layer for these
non -deterministic systems because coding assistants
and agents choose tools at runtime and can act
at machine speed. That is a good reminder that
it's just an assistant stops being true the second
it has real permissions. I think the cleanest
closer for this one is pretty simple. Infrastructure
keeps moving from assembled to opinionated. Private
connectivity gets wrapped as a managed service.
Private networking gets redesigned around workloads,
agents, and not just people. Kubernetes install
paths grow out of old bundled defaults. Cluster
networking becomes more provider -owned. Observability
config starts trying to look like an actual stable
interface instead of a pile of toggles. And that
shift cuts both ways. It can absolutely reduce
toil. It can also remove some of the comfortable
ambiguity teams used to hide inside. Because
once the platform gives you a clearer default,
you have to make a more conscious decision if
you want to keep doing things the old, harder
way. That is the human part of ops that shows
up over and over. A lot of teams say they want
simplicity. What they usually mean is they want
someone else to own the painful complexity without
taking away the escape hatches that they have
grown attached to. Sometimes that works. Sometimes
the industry just moves on and your migration
project shows up whether you invited it or not.
All right. That's it for this week of Ship It
Weekly. Quick recap. AWS interconnect going GA
and pushing private connectivity further into
managed service territory. Cloudflare Mesh building
private networking for users, workloads, and
agents. GitLab 19 .0 forcing some real migration
planning around gateway API and bundled services.
EKS auto mode networking making cluster networking
less handmade. and OpenTelemetry declarative
config getting stable in the kind of boring,
foundational way that usually matters a lot later.
This week’s episode really came together around one idea: the platform layer keeps absorbing work teams used to treat as background plumbing. AWS Interconnect going generally available is a good example of that. AWS is taking private connectivity, both multicloud and last mile, and trying to make it feel more like a managed cloud primitive than a long networking project full of vendor handoffs and waiting. That is a real shift in expectation, especially when AWS is openly positioning it around simpler private connectivity and faster deployment through partners like Lumen. (Amazon Web Services, Inc.)
Cloudflare Mesh feels like the same trend from a different angle. What stood out to me there is not just “private networking, but newer.” It is that Cloudflare is explicitly saying the private network now needs to work for users, nodes, Workers, and autonomous AI agents on the same fabric. That is a much more modern framing of what the client even is. Private access is not just about humans on laptops anymore. It is about workloads and semi-autonomous systems reaching private APIs and databases with policy wrapped around them from the start. (The Cloudflare Blog)
GitLab 19.0 is where that broader theme turns into migration pressure. This is the kind of story platform teams actually feel in real life. GitLab is moving Self-Managed Helm installs away from bundled NGINX Ingress and toward Gateway API with Envoy Gateway by default because NGINX Ingress reached end-of-life in March 2026. On top of that, GitLab is also removing bundled PostgreSQL, Redis, and MinIO from the Helm chart path. That is not flashy, but it is exactly how platforms grow up. Old convenience defaults get harder to justify, and eventually they stop being the road forward. (about.gitlab.com)
AWS is making a similar argument with EKS Auto Mode networking, just from the managed-cloud side. The message there is basically that cluster networking should stop feeling so handmade for teams that do not actually want to own every knob. AWS says Auto Mode sets up the VPC CNI automatically, gives pods VPC IPs directly, keeps traffic on normal VPC route tables, and handles networking components like DNS caching and load balancing more natively. That will not be everybody’s preferred trade, but it is definitely AWS pushing the idea that a lot of cluster networking glue should become provider-owned instead of half-owned by stressed platform teams. (Amazon Web Services, Inc.)
And then OpenTelemetry declarative config is the quieter version of the same story. It is not as headline-friendly as cloud networking or GitLab breaking changes, but it might age really well. Key parts of the declarative config spec are now stable, including the schema, YAML representation, parsing model, and OTEL_CONFIG_FILE. That is the kind of boring progress that usually matters a lot later, because it pushes observability setup toward something more consistent across languages and environments instead of every team reinventing its own telemetry setup philosophy. (OpenTelemetry)
So my takeaway from this week is pretty simple. A lot of teams say they want less toil and safer defaults, but they also want to keep every escape hatch they have gotten used to over the years. The industry does not always let you keep both. Sometimes the platform just moves on. Private connectivity becomes a managed service. Ingress migrations stop being optional. Cluster networking gets more opinionated. Config standards finally harden. That can feel like relief or loss of control depending on where you sit, but either way it is usually a sign that the default architecture is changing underneath you. (Amazon Web Services, Inc.)
📝 Notes
Show Notes
This episode of Ship It Weekly is about networking, ingress, and private access moving further up into the platform layer. Brian covers AWS Interconnect going generally available, Cloudflare Mesh, GitLab 19.0 breaking changes around Gateway API and bundled services, EKS Auto Mode networking, and OpenTelemetry declarative config reaching stability. He also hits containerd security patches, GitHub’s new Code Security risk assessment, and AWS guidance on securing AI agents with MCP. (Amazon Web Services, Inc.)
This week’s episode really came together around one idea: the platform layer keeps absorbing work teams used to treat as background plumbing. AWS Interconnect going generally available is a good example of that. AWS is taking private connectivity, both multicloud and last mile, and trying to make it feel more like a managed cloud primitive than a long networking project full of vendor handoffs and waiting. That is a real shift in expectation, especially when AWS is openly positioning it around simpler private connectivity and faster deployment through partners like Lumen. (Amazon Web Services, Inc.)
Cloudflare Mesh feels like the same trend from a different angle. What stood out to me there is not just “private networking, but newer.” It is that Cloudflare is explicitly saying the private network now needs to work for users, nodes, Workers, and autonomous AI agents on the same fabric. That is a much more modern framing of what the client even is. Private access is not just about humans on laptops anymore. It is about workloads and semi-autonomous systems reaching private APIs and databases with policy wrapped around them from the start. (The Cloudflare Blog)
GitLab 19.0 is where that broader theme turns into migration pressure. This is the kind of story platform teams actually feel in real life. GitLab is moving Self-Managed Helm installs away from bundled NGINX Ingress and toward Gateway API with Envoy Gateway by default because NGINX Ingress reached end-of-life in March 2026. On top of that, GitLab is also removing bundled PostgreSQL, Redis, and MinIO from the Helm chart path. That is not flashy, but it is exactly how platforms grow up. Old convenience defaults get harder to justify, and eventually they stop being the road forward. (about.gitlab.com)
AWS is making a similar argument with EKS Auto Mode networking, just from the managed-cloud side. The message there is basically that cluster networking should stop feeling so handmade for teams that do not actually want to own every knob. AWS says Auto Mode sets up the VPC CNI automatically, gives pods VPC IPs directly, keeps traffic on normal VPC route tables, and handles networking components like DNS caching and load balancing more natively. That will not be everybody’s preferred trade, but it is definitely AWS pushing the idea that a lot of cluster networking glue should become provider-owned instead of half-owned by stressed platform teams. (Amazon Web Services, Inc.)
And then OpenTelemetry declarative config is the quieter version of the same story. It is not as headline-friendly as cloud networking or GitLab breaking changes, but it might age really well. Key parts of the declarative config spec are now stable, including the schema, YAML representation, parsing model, and
OTEL_CONFIG_FILE. That is the kind of boring progress that usually matters a lot later, because it pushes observability setup toward something more consistent across languages and environments instead of every team reinventing its own telemetry setup philosophy. (OpenTelemetry)So my takeaway from this week is pretty simple. A lot of teams say they want less toil and safer defaults, but they also want to keep every escape hatch they have gotten used to over the years. The industry does not always let you keep both. Sometimes the platform just moves on. Private connectivity becomes a managed service. Ingress migrations stop being optional. Cluster networking gets more opinionated. Config standards finally harden. That can feel like relief or loss of control depending on where you sit, but either way it is usually a sign that the default architecture is changing underneath you. (Amazon Web Services, Inc.)