A lot of infrastructure work gets easier right around the moment it gets more opinionated. Private connectivity becomes a product. Cluster networking becomes a managed default. Ingress migrations stop being optional. Observability config starts acting like a real standard. And the old "we'll patch that next sprint" stuff still shows up in the lightning round waiting to ruin somebody's week. That's the theme this week. The platform layer keeps absorbing work teams used to hand-roll, babysit, or quietly postpone. Sometimes that is great. Sometimes it is the platform telling you that your old defaults are running out of runway.

Hey, I'm Brian Teller. I work in DevOps and SRE, and I run Teller's Tech. This is Ship It Weekly, where I filter the noise and focus on what actually changes how we run infrastructure and own reliability. Show notes and links are on shipitweekly.fm. If the show's been useful, follow it wherever you listen. Ratings help way more than they should. And if you want more signal between episodes, check out oncallbrief.com. The latest brief this week was heavy on breaking changes, security patches, and platform releases, and that definitely shaped this episode.

We have five main stories today, then the lightning round, and we'll wrap with the human closer. We're starting with AWS Interconnect going generally available, because this is a pretty clean signal that AWS wants private connectivity to feel a lot more like a managed cloud primitive and a lot less like a telecom product. Then Cloudflare Mesh, which feels like the "private network for humans, services, and agents" version of the same broader trend. After that, GitLab 19.0, because the move away from bundled NGINX ingress and bundled data services is exactly the kind of breaking change platform teams actually have to plan around. And that one came straight out of this week's On-Call Brief. Then we've got EKS Auto Mode networking and what it means when AWS owns more of the cluster networking path for you. And finally, OpenTelemetry declarative config reaching stability, which is quieter than the others, but honestly kind of foundational.

Story one. AWS Interconnect is cloud networking getting productized harder.

Let's start there. AWS Interconnect is now generally available, and the core pitch is pretty straightforward. AWS is offering managed network connectivity in two directions: multi-cloud connectivity between AWS and other cloud providers, and last-mile connectivity between AWS and your on-prem or enterprise sites. AWS says that the service is turnkey, private, and designed to remove the usual infrastructure complexity from the customer side. The part that stood out to me is not just the feature list. It's the framing. This is AWS taking something that traditionally felt like network engineering plus vendor coordination plus waiting and trying to turn it into a cloud service with a cleaner control surface. Multi-cloud starts with Google Cloud. Azure is coming later this year, and the traffic stays on private backbones instead of bouncing over the public internet. The last-mile option launches in the US with Lumen. That matters because private connectivity has always been one of those areas where cloud teams and networking teams can end up speaking slightly different languages while the delivery timeline drags on forever. So when AWS starts saying, "we'll manage more of this path for you," that is not just a product launch. That is a platform boundary shifting. And I think the practical takeaway is pretty simple. If you run multi-cloud, hybrid, branch-heavy, or edge-ish environments, this is the kind of thing worth paying attention to early. Not because you need to adopt it tomorrow, but because it changes the default expectation of how painful private connectivity is supposed to be.

Story two. Cloudflare Mesh is basically saying private networking should include agents now.

Next up, Cloudflare Mesh. Cloudflare launched Mesh as a private networking layer for users, nodes, agents, and workers. Their pitch is that the clients on private networks are no longer just humans and services. Now they're also autonomous agents that need scoped access to internal APIs, databases, and other private systems without exposing those systems to the public internet. And honestly, I think that framing lands. Because this is one of the first times I've seen a big networking security vendor say out loud that agent traffic is not just a cute add-on to existing access models. Cloudflare is treating it as a first-class access pattern. Mesh plugs into Cloudflare One, applies existing Gateway, Access, and posture policies, and ties into Workers VPCs so Workers, Durable Objects, and agent workloads can reach private infrastructure directly. The interesting part is that this is not being sold like a traditional VPN replacement story. It is more like "your private network should already know how to deal with services, laptops, remote servers, and agent-style workloads on the same fabric." Cloudflare also says Mesh is many-to-many private networking over its global network, not a collection of one-off tunnels glued together. So the bigger read for me is this. Networking vendors are starting to assume the future client is sometimes a human, sometimes a workload, and sometimes an agent acting semi-autonomously. If that assumption keeps spreading, private access tooling is going to look a lot more like policy-driven platform plumbing and a lot less like old-school remote access.

Story three. GitLab 19.0 is what real platform migration pressure looks like.

Now to GitLab. This week's On-Call Brief highlighted GitLab 19.0, and I think it is a really good platform story because it is not flashy at all. It is just the kind of change that forces actual planning. GitLab says 19.0 includes 15 breaking changes. And one of the big ones for self-managed Helm users is that bundled NGINX ingress is being replaced by Gateway API with Envoy Gateway as the default. GitLab says NGINX ingress hit end of life in March 2026, though it can still be explicitly re-enabled until removal in 20.0. That alone is enough to matter. But then there is the second punch. GitLab is also removing bundled PostgreSQL, Redis, and MinIO from the Helm chart and operator path, with no replacement, citing licensing, maintenance, and image availability issues. This is the exact kind of story that feels just operational until you are the team that has to sequence the migration. Because these are not cosmetic defaults. These are parts of the install path that people absolutely built around, especially in test, POC, or smaller self-managed setups. And now the platform is basically saying that convenience path was temporary. So the takeaway here is not just "GitLab changed some things." It is that platform teams need to notice when a project's default architecture starts growing up past its old bundled assumptions. Gateway API is not just a new thing to learn. For some teams, it is now the road forward whether they wanted a migration project or not.

Story four. EKS Auto Mode networking: is AWS trying to make cluster networking feel less handmade?

Next up, EKS Auto Mode. AWS published a good breakdown this week of how EKS Auto Mode handles networking. And the story is really about ownership. Auto Mode sets up the VPC CNI for you, manages DNS as a core component, supports node-level DNS caching, and lets you request ALBs and NLBs through native Kubernetes resources without a separate load balancer controller. AWS also says it handles CNI lifecycle management as part of the cluster maintenance. That is a pretty meaningful bundle of responsibility. Because cluster networking is one of those areas where teams can spend years carrying around a bunch of "well, this is just how our cluster works" setup that is really a mix of controllers, tuning, upgrades, and networking assumptions nobody wants to touch during business hours. What AWS is doing here is making a stronger argument that for a lot of teams, that should stop being custom glue. Pods get VPC IPs directly. Traffic follows normal VPC route tables. You use AWS-native networking services and tools you already know. And AWS is taking more responsibility for keeping the CNI path current and sane. Now, that trade is not going to be for everybody. Some teams want the flexibility. Some teams need the knobs. Some teams have enough scar tissue to be suspicious anytime a managed mode says "trust us." Fair. But for a lot of orgs, the real risk is not lack of knobs. It is the pile of half-owned networking glue they already have.

Story five. OpenTelemetry declarative config getting stable is boring in the best way.

Last main story. OpenTelemetry announced that key portions of its declarative configuration spec are now stable. That includes the JSON schema, YAML file representation, in-memory model, parsing and creation operations, and the OTEL config file environment variable used to point SDKs at a config file. The blog also says implementations are currently available in C++, Go, Java, JavaScript, and PHP, with .NET and Python underway. I really like this one because observability configuration has had a lot of "it depends" energy for a long time. Environment variables everywhere, slightly different mental models across languages, lots of power, not always a lot of consistency. So when OpenTelemetry says the declarative config model is stable and should increasingly be treated as a first-class UX surface, that is real platform maturity. They even say the future process should be declarative configuration first, and that older environment variable patterns that do not interoperate well may get deprecated over time. That does not make for a flashy headline. But it does make life better for platform teams that want more consistency across languages and services without every team inventing its own telemetry setup philosophy. And honestly, that is a very DevOps story. Not exciting in the launch demo sense, but very exciting in the "maybe we stop relearning config drift in five languages" sense.

A few quick ones before we wrap. containerd pushed security releases across supported branches, including 1.7.31, 2.0.8, 2.1.7, and 2.2.3, to address CVE-2026-35469. The release notes describe it as a SPDY stream issue and call out hardening around sanitization errors before returning them over gRPC to prevent possible credential leaks in pod events. Patch this one. GitHub also launched Code Security Risk Assessment for organizations. GitHub says org admins and security managers can run a free assessment to review code vulnerabilities across their org, and the docs say it scans up to 20 repositories and reports severity and autofix-eligible findings. That is a pretty decent quick-win tool if you want a fast read on exposure without building a whole campaign around it. And AWS published guidance on secure AI agent access patterns using MCP. Their framing is that IAM has to become the authorization layer for these non-deterministic systems because coding assistants and agents choose tools at runtime and can act at machine speed. That is a good reminder that "it's just an assistant" stops being true the second it has real permissions.

I think the cleanest closer for this one is pretty simple. Infrastructure keeps moving from assembled to opinionated. Private connectivity gets wrapped as a managed service. Private networking gets redesigned around workloads, agents, and not just people. Kubernetes install paths grow out of old bundled defaults. Cluster networking becomes more provider-owned. Observability config starts trying to look like an actual stable interface instead of a pile of toggles. And that shift cuts both ways. It can absolutely reduce toil. It can also remove some of the comfortable ambiguity teams used to hide inside. Because once the platform gives you a clearer default, you have to make a more conscious decision if you want to keep doing things the old, harder way. That is the human part of ops that shows up over and over. A lot of teams say they want simplicity. What they usually mean is they want someone else to own the painful complexity without taking away the escape hatches that they have grown attached to. Sometimes that works. Sometimes the industry just moves on and your migration project shows up whether you invited it or not.

All right. That's it for this week of Ship It Weekly. Quick recap. AWS Interconnect going GA and pushing private connectivity further into managed service territory. Cloudflare Mesh building private networking for users, workloads, and agents. GitLab 19.0 forcing some real migration planning around Gateway API and bundled services. EKS Auto Mode networking making cluster networking less handmade. And OpenTelemetry declarative config getting stable in the kind of boring, foundational way that usually matters a lot later. Links and show notes are on ShipItWeekly.fm. You can also find the video versions on YouTube. And if you want more signal before the episode, check out OnCallBrief.com. If this episode was useful, follow or subscribe wherever you listen. And send it to the person on your team who keeps having to explain that managed does not always mean simple. But it usually does mean the default architecture is changing whether people noticed or not. I'm Brian, and I'll see you next week.