diff --git a/kube/3-deploy/1-core/01-networking/cilium/install.yaml b/kube/3-deploy/1-core/01-networking/cilium/install.yaml
index d3207798..f4210c73 100644
--- a/kube/3-deploy/1-core/01-networking/cilium/install.yaml
+++ b/kube/3-deploy/1-core/01-networking/cilium/install.yaml
@@ -131,6 +131,11 @@ spec:
 range: 9993,32767
 bandwidthManager:
 enabled: true
+ bbr: false # enable after Talos kernel updated to >= 5.18
+ bpf:
+ masquerade: true
+ tproxy: true
+ enableIPv6BIGTCP: false # enable after Talos kernel updated to >= 5.19
 l7Proxy: true
 hubble:
 enabled: true
diff --git a/kube/3-deploy/2-apps/kanidm/app/hr.yaml b/kube/3-deploy/2-apps/kanidm/app/hr.yaml
index dedf95bd..f1e74ba5 100644
--- a/kube/3-deploy/2-apps/kanidm/app/hr.yaml
+++ b/kube/3-deploy/2-apps/kanidm/app/hr.yaml
@@ -53,6 +53,7 @@ spec:
 primary: true
 ingressClassName: nginx
 annotations:
+ external-dns.alpha.kubernetes.io/target: "${IP_EC2_INGRESS}"
 nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 # https://github.com/kubernetes/ingress-nginx/issues/6728
 nginx.ingress.kubernetes.io/server-snippet: |
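Review bot: `bpf.masquerade: true` and `bpf.tproxy: true` are switched on without the kind of requirement note that the two disabled options carry, and they are the lines in this hunk that change live datapath behaviour. With `l7Proxy: true` just below, `tproxy` changes how traffic is redirected to the L7 proxy, so a redirection problem would presumably show up as L7 policy not being enforced as expected; BPF masquerading can also change which egress traffic is source-NATed, which matters if anything downstream filters on source address. I would add a comment such as `# BPF masquerade/tproxy: verified on current Talos kernel; re-test L7 policies after upgrade` and confirm after rollout that `cilium status` reports BPF masquerading and that an existing L7 policy still denies what it should. The enclosing values block starts and ends outside the hunk, and indentation is lost in this view, so the nesting of the new keys should be checked against the file.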
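Review bot: The new `external-dns.alpha.kubernetes.io/target` annotation publishes the Kanidm hostname at whatever `${IP_EC2_INGRESS}` resolves to, and nothing in the hunk says why the identity provider should be reachable through that address or what restricts access there. Since this is the login service, a short comment above the line would help, e.g. `# DNS for this host points at the EC2 ingress; access is limited by <placeholder: mechanism>`. The value also depends on a variable substituted outside this file, presumably by the deployment tooling; if it were unset the record target would likely end up empty or literal, so it is worth confirming the variable is defined for every cluster that applies this release. The annotations block continues past the end of the hunk.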