A Detailed Look at Calico Cloud Free Tier

Why Calico Cloud Free Tier?

As Kubernetes environments grow in scale and complexity, platform teams face increasing pressure to secure workloads without slowing down application delivery. But managing and enforcing network policies in Kubernetes is notoriously difficult, especially when visibility into pod-to-pod communication is limited or nonexistent. Teams are often forced to rely on manual traffic inspection, standalone logs, or trial-and-error policy changes, increasing the risk of misconfiguration and service disruption. Safe policy management and microsegmentation become daunting tasks without clear insight into which services should communicate with each other.

In this detailed look, we’ll explore how Calico Cloud Free Tier builds upon Calico Open Source to help platform teams visualize traffic with a dynamic service graph, simplify policy management, and even analyze actual traffic to recommend policies.

What is Calico Cloud Free Tier?

Calico Cloud Free Tier is a managed SaaS, no-cost offering that extends the capabilities of Calico Open Source 3.30 and higher to help Kubernetes teams improve network visibility, simplify policy management, and improve security by simplifying microsegmentation. Designed for single-cluster environments, it provides platform engineers and operators with powerful observability and policy management tools. With a seamless onboarding experience for users already running Calico Open Source 3.30 or higher, Calico Cloud Free Tier empowers teams to take control of their Kubernetes traffic—without additional cost or vendor lock-in.

Let’s take a closer look at the key features that make Calico Cloud Free Tier a powerful solution for Kubernetes network security and observability:

Enhanced Observability

Calico’s primary observability solution is Dynamic Service Graph, a powerful visualization tool that maps real-time pod-to-pod communication across your cluster. This Service Graph, which is available in Calico Cloud Free Tier, gives you an immediate understanding of how workloads interact, making it far easier to identify unexpected traffic patterns or missing connections. Need to troubleshoot a failed service call? Simply drill down into the graph to access real-time flow logs with detailed packet and policy metadata. This eliminates the guesswork from debugging and speeds up root-cause analysis dramatically.

Each node of the Service Graph represents a Kubernetes workload or service, and edges between them show actual traffic flows. Colors and directional arrows make it easy to spot problems or unexpected behavior at a glance. Clicking into any node or flow reveals rich metadata including traffic volumes, protocols, and policy impact.

With Calico Dynamic Service Graph, click on nodes or edges (flows) to drill down into more detail, including statistics and context-sensitive access to the flow logs that pertain to the selected node or edge. Edges show green (traffic allowed) and red (traffic disallowed), and clicking on an edge also shows which network policies allow or disallow that flow.

Want deeper insight? Use flow logs to trace anomalies, verify policy enforcement, debug connectivity issues, and more. And the Service Graph isn’t only for observability; its dynamic nature makes it easy to visualize, build, and test network policies by helping you identify misconfigurations, uncover and eliminate unnecessary connections, ensure compliance with security policies, and fine-tune network performance.

Simplified Microsegmentation

Microsegmentation is a powerful technique for isolating workloads and limiting the lateral spread of malware—a critical control required by compliance standards like PCI DSS, SOC 2, and HIPAA. Yet, implementing it in Kubernetes is notoriously difficult due to limited visibility and a lack of tools for testing and validation. Calico Cloud Free Tier addresses this challenge by making microsegmentation easier to implement. It enables teams to visually identify segment boundaries through the Dynamic Service Graph, test policies safely in staging mode before enforcing them, and organize rules using a tiered policy model aligned with organizational roles and environments.

Putting policies into different tiers allows teams to collaborate on policies based on role, and also enforces order of execution with policies in the leftmost tiers having a higher level of priority that cannot be overridden by policies to the right.

Calico Cloud Free Tier makes it easy to secure Kubernetes environments and simplify microsegmentation efforts with Policy Board—a centralized interface to manage, stage, and view Kubernetes network policies organized by tiers. This tiered model, called policy tiers, lets teams separate organization-wide and application-specific policies, reducing overlap and improving clarity.

Calico Policy Board simplifies microsegmentation by making it easier to safely create, stage, and deploy network policies.

A key capability of Policy Board is the ability to stage policies in audit mode before enforcement. This staging allows teams to simulate the effect of a policy on traffic without actually blocking or allowing it, helping identify potential disruptions in advance. Teams can view policy impact alongside real-time flow logs to understand what traffic would be affected and why. Once validated, policies can be confidently enforced. This reduces the risk of service outages and misconfigurations, especially in dynamic or production environments. By combining visual context with Dynamic Service Graph, the ability to test policies before enforcement, and role-based policy tiers, Calico Cloud Free Tier gives platform teams a simple method to adopt microsegmentation safely and incrementally.

Using the Calico Policy Board

The Calico Policy Board is a simple, visual interface that helps you view all of your Kubernetes network policies, which tier and order they’re in, as well as the volume of allowed and denied traffic. This is especially powerful and time-saving compared to running repetitive kubectl commands to get and describe various tiers and policies. Once you’re logged into your Calico Cloud Free Tier account, just navigate to the Policy Board from the main menu.

The Policy Board is organized by policy tiers (the columns), and each box in a tier represents a policy. Policies and tiers are ordered by precedence, with the left-most tiers being evaluated first, and within each tier policies are evaluated top to bottom.

In Calico Cloud Free Tier, the Policy Board is view only, showing you every policy that has been applied as a YAML manifest via the command line. The Policy Board quickly draws your attention to any policy that is denying traffic, as it will be highlighted in red. Clicking on a policy opens a view showing the scope of the policy and all of its rules, as well as the volume of allowed or denied traffic. You can also download the YAML manifest from the user interface (UI).

Policies are easy to tell apart: global versus namespace-scoped, and enforced versus staged. Any staged policy can be enforced by updating the network policy and changing the kind from StagedNetworkPolicy to NetworkPolicy. Once applied, the Policy Board will reflect those changes.
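The staged-to-enforced step described above, as an added example that is not from the original article or from Tigera: it builds a sample StagedNetworkPolicy, promotes it by rewriting only the kind, and checks that nothing else in the manifest changed. The tier name security, the namespace, labels and port are constructed for illustration, the tier is assumed to already exist, and the example goes slightly beyond the text by also handling StagedGlobalNetworkPolicy.

```shell
#!/bin/sh
# Constructed sample: a staged Calico policy in a hypothetical "security" tier.
# Tier, namespace, labels and port are illustrative, not from the article.
staged_manifest() {
cat <<'EOF'
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: security.allow-frontend-to-backend  # tier-prefixed policy name
  namespace: shop
spec:
  tier: security   # column on the Policy Board
  order: 100       # lower order is evaluated earlier within the tier
  selector: app == 'backend'
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == 'frontend'
    destination:
      ports:
      - 8080
EOF
}

# Promotion rewrites only the top-level kind line; the spec is left untouched.
promote() {
  sed -e 's/^kind: StagedNetworkPolicy[[:space:]]*$/kind: NetworkPolicy/' \
      -e 's/^kind: StagedGlobalNetworkPolicy[[:space:]]*$/kind: GlobalNetworkPolicy/'
}

# Count the lines that differ between staged and enforced manifests (expect 1).
changed_lines() {
  tmp=$(mktemp -d)
  staged_manifest > "$tmp/staged.yaml"
  promote < "$tmp/staged.yaml" > "$tmp/enforced.yaml"
  n=$(diff "$tmp/staged.yaml" "$tmp/enforced.yaml" | grep -c '^>')
  rm -rf "$tmp"
  echo "$n"
}

# The enforced policy is a separate object from the staged one, so after
#   kubectl apply -f enforced.yaml
# remove the staged copy with: kubectl delete -f staged.yaml
staged_manifest | promote
```

Reviewing the one-line diff before applying confirms that the rules validated in staging are exactly the rules that get enforced.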

Intuitive Dashboards

For ongoing monitoring and performance tuning, Calico Cloud Free Tier provides easy-to-use Calico Dashboards that surface cluster health and traffic volume metrics, including information on dropped packets, in real time. This is especially useful for identifying anomalies, such as a sudden spike in ingress traffic that could indicate a misconfigured service or a potential attack vector. These insights help operators take proactive steps to secure and optimize cluster traffic.

Two dashboards are provided in Calico Cloud Free Tier, both of which use flow logs: a cluster health dashboard and a traffic flow dashboard.

Suppose a team observes intermittent failures in a frontend service. Using the traffic flow dashboard, they can pinpoint the exact moment traffic increased, and then cross-reference that timeline with flow logs and policy activity. This not only helps highlight the impacted workloads but also surfaces which policy (if any) is responsible. With this context, platform engineers can then adjust the policy, avoiding guesswork and restoring service faster. Calico Dashboards turn observability into action by connecting the high-level metrics of the dashboard with deep network insights gained through the Dynamic Service Graph tool.

Intelligent Policy Recommendations

Network policy creation is one of the most error-prone tasks in Kubernetes, often requiring tribal knowledge from developers about which services are supposed to talk to each other. Calico Cloud Free Tier offers intelligent policy recommendations that automatically analyze observed traffic to suggest policies. This helps reduce human error and the possibility of misconfigurations, improves efficiency, and accelerates policy rollout, all while preserving security best practices.

Policy recommendations: This feature enables automatic generation of policy recommendations for each namespace in your cluster.

How it works: Calico analyzes flow logs from your workloads and automatically generates network policies for each namespace. These recommendations are continuously updated as new traffic patterns are observed, and you can review these recommendations through the Calico Cloud Free Tier web console. When this feature is available, you will be able to enable policy recommendations by setting the recStatus parameter to Enabled in the PolicyRecommendationScope resource using kubectl.

kubectl patch PolicyRecommendationScope default --type='json' -p='[{"op": "replace", "path": "/spec/namespaceSpec/recStatus", "value": "Enabled"}]'

Seamless Path to Calico Cloud Free Tier

If you’re already using Calico Open Source 3.30 or later, you can connect to Calico Cloud Free Tier in seconds with no disruption to your existing setup. In fact, all the software needed is included in Calico Open Source 3.30 or higher – which means all you need to do is create an account and connect. Calico Cloud Free Tier preserves the open, Kubernetes-native foundation of Calico Open Source while layering in powerful observability, simplified policy management, and security capabilities. And if you ever need to scale up, the path to full Calico Cloud editions with multi-cluster support, even greater observability, egress gateway, and enterprise support is frictionless.

How Calico Cloud Free Tier Enhances Calico Open Source

Feature Comparison: Calico Open Source and Calico Cloud Free Tier
| Feature | Calico Open Source 3.30+ | Calico Cloud Free Tier |
|---|---|---|
| Policy Tiers | Y | Y |
| Policy Board | N | View only |
| Dynamic Service Graph | N | Y |
| Dashboards | N | Y |
| Flow logs | Y | Y |

Note: Calico Cloud Free Tier is limited to a single user and a single Kubernetes cluster. See a full feature comparison.

Conclusion

Calico Cloud Free Tier improves Kubernetes security and visibility by building on Calico Open Source with no-cost features like Dynamic Service Graph for real-time traffic visualization, a centralized Policy Board, user-friendly dashboards, and upcoming intelligent policy recommendations based on actual traffic. Designed for single-cluster environments, Calico Cloud Free Tier simplifies microsegmentation, accelerates troubleshooting, and enables safe policy creation and testing—all without disrupting existing setups or introducing vendor lock-in. Best of all, if you’re already using Calico Open Source 3.30 or later, getting started is as simple as creating an account and connecting—no additional software installation needed.

Get started with Calico Cloud Free Tier. Or, upgrade to Calico 3.30.
