There is a specific kind of silence that settles over a channel when a Service is green in kubectl, every pod is Running, the endpoints are populated, and the thing is still completely unreachable from the rack next door. The platform engineer is certain it is the network. The network engineer is certain nothing is even being announced to them. Here is the uncomfortable part: they are both right. They are staring at the same Service IP from two different planets.
To a platform engineer, a Service is finished the moment it has an external IP. The control loop did its job, the address is assigned, ship it. To a network engineer, an IP address is just a number until the fabric has been told how to reach it. On a flat L2 network those two views quietly agree and nobody notices the gap. On an EVPN/VXLAN fabric, where every rack is its own little island of L2 stitched together with L3 and VXLAN, the gap stops being quiet. It becomes the entire problem.
This is the story of how I close that gap, why the obvious shortcut runs out of road, and what it looks like when a Service IP stops being a local secret and becomes a route the whole fabric can see.
The Service that started it
The cast is small. A spine-leaf fabric running EVPN/VXLAN, a couple of spines, a few leaves, and a border leaf that hands off to a Palo Alto at the edge. On top of it, a Kubernetes cluster where Cilium runs the dataplane and replaces kube-proxy. The one character that matters for this post is a single Service: an L7 gateway with a LoadBalancer IP that Cilium handed out from its own pool. Call it 192.168.200.0. Everything that follows is about getting that one address reachable from everywhere, cleanly, without lying to anyone.

The Gateway's LoadBalancer VIP, 192.168.200.0, assigned by Cilium LB-IPAM. Green in Kubernetes, and so far invisible to the fabric.