You can get MetalLB-style service IPs without MetalLB. Cilium includes a BGP control plane that advertises LoadBalancer addresses on the LAN. The lab peers worker nodes with a UniFi UDM-SE as the default-gateway iBGP peer so phones, laptops, and the tailnet can reach Envoy Gateway VIPs without NodePorts.

Without BGP (or something like MetalLB), a LoadBalancer Service on bare metal often sits Pending forever. Advertising routes into the LAN gateway fixes that: the UDM learns /32 (or the pool) and forwards traffic to the node Cilium chose for the Service.