What’s new in Calico Enterprise 3.14: WAF, Calico CNI on AKS, and support for RKE2

At Tigera, we strive to innovate at every opportunity thrown at us and deliver what you need! We have listened to what users ask and today we are excited to announce the early preview of Calico Enterprise 3.14. From new capabilities to product supportability and extending partnerships with our trusted partners, let’s take a look at some of the new features in this release.

Web application firewall (WAF)

Web applications are a critical aspect of any business, whether they are public facing or internal. There has been a fundamental shift in the way these applications are developed—as they have become more container-based and API-based, we refer to these as cloud-native applications.

To keep these modern web applications secure, we need to analyze all HTTP communication and block any malicious traffic traversing the web application. However, in a cloud-native environment, we can’t achieve this using simple network policies or by using perimeter network firewalls. Instead, a cloud-native web application firewall (WAF) would be necessary.


Fig. 1: Service annotation for workload-based WAF using Calico

This is why we have introduced a cloud-native WAF into Calico Enterprise that’s different from the traditional WAFs you may know. While most traditional WAFs are deployed to protect web applications against external attacks on the perimeter level, Calico provides an in-depth WAF that protects web applications from internal and external attacks as it filters traffic between different workloads. This helps you monitor and verify access to web applications and collect access logs for compliance/auditing and analytics.

Fig. 2: Alert based on a suspicious SQL injection

Calico Enterprise enables WAF as an add-on to its deployment of Envoy as a DaemonSet. This integration leverages ModSecurity, a popular open-source WAF that provides a core rule set for the most common security risks identified by OWASP, and also enables operators to BYO rule sets or leverage subscription-based rules. (Note: The WAF functionality is also available in the 3.13 release.)

Support for Calico CNI with AKS

Microsoft recently introduced a bring-your-own CNI (BYOCNI) program to help AKS users address more advanced networking requirements. Calico is the most widely adopted container networking and security solution for Kubernetes, and now it’s available as a CNI on AKS clusters under the BYOCNI program.

Under BYOCNI, AKS users can leverage Calico’s advanced IPAM capabilities the same way in self-managed Azure clusters as they would in managed Azure AKS clusters. This provides a seamless and uniform CNI operation in a single or hybrid cluster environment. Calico CNI users can also integrate with legacy firewalls and address multiple IPAM issues with the previously available Azure or Kubernetes CNIs.

Support for RKE2

Calico Enterprise is now officially supported on SUSE Rancher Kubernetes Engine2 (RKE2). RKE2 is the next generation of SUSE Rancher’s RKE platform. It is a fully conformant Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector and other regulated agencies.

New users on RKE2 can install Calico Enterprise with all its existing features. Installation or deployment is similar to how Calico was installed on RKE. With this support, Calico Enterprise will be able to boost your security infrastructure with its zero-trust workload controls for building and running applications on RKE2.

Fig. 3: Connecting Calico to SUSE Rancher RKE2

We’re excited to bring these new features and capabilities to you in our latest release of Calico Enterprise, and continue to work hard toward adding even more updates for future releases.

Watch this space for more early previews, product releases, and Calico updates! Or talk to our experts to learn more.

Want to try Calico for free? Sign up for a 14-day free trial.

 

Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!