What’s new in Calico Enterprise 3.18: Major workload-centric WAF updates and more

This release, we’re really excited about major improvements to Calico’s workload-centric WAF. We’ve made it much easier for users to configure and deploy the WAF in just a few clicks and we’ve also made it much easier to review and manage WAF alerts through our new Security Events feature.

Why do we need a new WAF for microservices?

Application security teams have deployed perimeter-based WAFs for decades to protect against common web attacks, with a focus on browser-based and client-side attacks. But with the rise of microservice architecture, there’s now a significant amount of HTTP traffic related to internal APIs. Moreover, with the growing use of open source and third-party software, all deployed within your Kubernetes cluster, you can no longer trust that the software running in your cluster is safe or secure. With this growing attack surface within your cloud environment, it’s critical to employ a workload-based WAF.

Calico’s workload-centric WAF

We know that security teams are struggling to keep up with the rapid pace of software development in their organizations, so we wanted to simplify the way that security teams secure application traffic. Further, we wanted to ensure that security teams can secure all workloads, not just their application perimeter.

With Calico’s WAF, we’ve made it really easy to apply signature-based threat detection at the application layer for microservices. With just a few clicks, you can deploy our Envoy-based proxy to start inspecting traffic and have granular control over which services you want to inspect.

Introducing Security Events

Once you’ve deployed Calico’s WAF, it’s also really easy to triage and respond to WAF events with Calico’s new Security Events feature. Security Events is designed to help teams quickly understand what threats have been detected in their cluster and what resources have been impacted so that they can quickly contain an attack. Security Events provides useful context on what suspicious activity has been detected in your cluster alongside all the Kubernetes context so you can see what workloads are affected. We also provide you with guidance on how to mitigate the detected issue to help you more efficiently respond to potential threats.

Performance optimizations for Egress Gateways

This release also includes new configuration options for Egress Gateways that can be used to minimize the number of hops for egress traffic leaving a cluster. EgressGatewayPolicy rules now accept a new option, gatewayPreference, which specifies whether or not to choose a gateway deployment that is co-located on the same node as the client pod. This can be used to ensure that the selected egress gateway pod resides on the same node as the client pod, avoiding the extra hop that egress traffic would otherwise traverse.

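apiVersion: projectcalico.org/v3
kind: EgressGatewayPolicy
metadata:
  name: egw-policy1
spec:
  rules:
  # Rule without a destination; prefers a gateway on the client pod's node
  - description: "Gateway to internet"
    gateway:
      namespaceSelector: "projectcalico.org/name == 'calico-egress'"
      selector: "egress-code == 'alpha'"
    gatewayPreference: PreferNodeLocal
  # Rule without a gateway block, as its description says
  - destination:
      cidr: "<destination-CIDR>"  # placeholder: value not shown in the original
    description: "Local: no gateway"
  - destination:
      cidr: "<destination-CIDR>"  # placeholder: value not shown in the original
    description: "Gateway to Acme Company"
    gateway:
      namespaceSelector: "projectcalico.org/name == 'calico-egress'"
      selector: "egress-code == 'beta'"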

Get started today

Upgrade to the latest version of Calico Enterprise to take advantage of these new features. You can view more detailed information on installation and configuration in the Calico Enterprise documentation.

For more information on the early preview release of Calico Enterprise 3.18.0, please refer to the release notes.

These new features will be available in Calico Cloud with the general availability release of Calico Enterprise 3.18.1.

Check out our self-paced workshops for in-depth product tutorials and hands-on learning.
