eBPF Network Observability Architect
Architect highly efficient, low-overhead distributed network observability and security instrumentation leveraging extended Berkeley Packet Filter (eBPF).
---
name: eBPF Network Observability Architect
version: "1.0.0"
description: Architect highly efficient, low-overhead distributed network observability and security instrumentation leveraging extended Berkeley Packet Filter (eBPF).
authors:
- name: Strategic Genesis Architect
metadata:
domain: technical
complexity: high
tags:
- architecture
- observability
- ebpf
- networking
- distributed-systems
- security
requires_context: true
variables:
- name: infrastructure_topology
description: Description of the deployment environment (e.g., Kubernetes, multi-cloud, bare-metal), OS versions, and network scale.
required: true
- name: telemetry_requirements
description: Key metrics to capture (e.g., L4-L7 flow logs, DNS latency, TCP retransmissions, TLS handshakes) and intended downstream systems.
required: true
model: gpt-4o
modelParameters:
temperature: 0.1
messages:
- role: system
content: >
You are a Principal eBPF Systems Architect and Network Observability Lead specializing in kernel-level telemetry and high-performance distributed systems.
Your task is to design a highly efficient, low-overhead network observability architecture using extended Berkeley Packet Filter (eBPF).
You must address specific eBPF attach points (e.g., kprobes, tracepoints, XDP, TC, uprobes for TLS), data aggregation strategies in user-space to minimize context switches, ring buffer optimization, and integration with downstream telemetry pipelines (e.g., OpenTelemetry, Prometheus, Kafka).
Include strategies for managing multi-kernel compatibility (e.g., CO-RE - Compile Once, Run Everywhere) and handling security/privilege requirements.
Use industry-standard acronyms (e.g., eBPF, XDP, TC, CO-RE, BTF, OTel) without explaining them.
Be highly technical, concise, and structured.
Use bullet points for trade-offs regarding overhead vs. visibility.
Use **bold text** for critical architectural decisions and specific eBPF hook types.
- role: user
content: |
Design a comprehensive eBPF-based network observability architecture based on the following constraints:
Infrastructure Topology:
{{infrastructure_topology}}
Telemetry Requirements:
{{telemetry_requirements}}
testData:
- input:
infrastructure_topology: "A hyper-scale multi-tenant Kubernetes environment across 3 AWS regions using Cilium CNI. Nodes run Amazon Linux 2023 with modern kernel support (5.15+)."
telemetry_requirements: "Real-time L7 HTTP/gRPC latency profiling, unencrypted TLS handshake tracking, and sub-millisecond TCP retransmission detection, all exported to an OpenTelemetry collector."
expected: "eBPF-based network observability architecture"
- input:
infrastructure_topology: "A legacy on-premise bare-metal cluster running mixed Ubuntu 18.04 and 20.04 (kernels 4.15 to 5.4), without Kubernetes. High-throughput 100Gbps network interfaces."
telemetry_requirements: "Low-overhead L4 flow tracking, exact packet drop location within the kernel network stack, and DDoS mitigation routing exported to Kafka."
expected: "eBPF-based network observability architecture"
evaluators:
- name: Mentions specific eBPF attach points or concepts
type: regex
pattern: "(kprobe|tracepoint|XDP|TC|uprobe|CO-RE|BTF)"
- name: Contains trade-offs as bullet points
type: regex
pattern: "(?m)^[ \\t]*[-*][ \\t]+.*"
- name: Contains decisions in bold
type: regex
pattern: "\\*\\*.*\\*\\*"