Workload Access Controls

Enable secure, managed connectivity from Kubernetes to resources outside the cluster



Eventually you will need to securely migrate Kubernetes workloads into production and connect them to applications and resources outside of the cluster. Before you can do that, you’ll need to limit egress to external endpoints on a granular, per-pod basis. But Kubernetes workloads are ephemeral and their IP addresses can’t be predicted, making it challenging to control Kubernetes access to resources with any granularity.

Calico provides you with three methods to enable fine-grained access controls between your microservices and external databases, cloud services, APIs, and other applications that are protected behind a firewall. You can enforce controls from within the cluster using DNS egress policies, from a firewall outside the cluster using the egress gateway, or integrate with security groups if you are deployed to AWS. Controls are applied on a fine-grained, per-pod basis.


Secure Access

Control access to resources outside of the cluster, like databases, cloud-managed services, third-party APIs, and other applications that are not yet containerized


Safely and securely transition Kubernetes workloads from pilot to production

Maintain Compliance

Maintain compliance with existing enterprise and regulatory security requirements


DNS Policy

  • Calico extends the open-source policy model so that domain names (FQDN / DNS) can be used to allow access from a pod or set of pods (via label selector) to external resources (databases, cloud services, third-party APIs).
  • Security policies based on domain names (DNS) enable fine-grained controls that are enforced at the source pod, eliminating the need for a firewall rule or equivalent. DNS endpoints can be defined as an exact address (e.g. or can include wildcards (e.g. * DNS endpoints can also be used within Global Network Sets.
  • Calico security policies are designed to abstract away from IP addresses in favor of label selectors, but still require external services outside of the cluster to be identified by IP address.

Egress Gateway

  • An application that needs egress access is typically assigned its own namespace. Calico can designate a fixed IP to a namespace. Any pods that egress from that namespace are assigned that fixed IP.
  • You can then use a firewall rule to manage access controls between the egress IP and the external resource. As the application scales and more replicas are deployed, all egress from those replicas will also be assigned the same IP address as they leave the cluster.

AWS Security Group Integration

  • Calico integrates with AWS security groups, enabling you to join an individual pod to a security group. This is done through simple pod annotation that defines which security group a pod should join, making it easy to integrate with AWS.
  • You can define both ingress and egress rules; Calico will restrict access only to those pods with the correct annotation.

How It Works


Calico helps you granularly restrict Kubernetes access to resources outside the cluster in different ways. This not only protects your cluster resources, it provides you with the flexibility to align with your specific architecture. Domain names (FQDN / DNS) can be used to control access from a pod or set of pods to an external resource. You can enforce the controls from a firewall outside the cluster using the Egress Gateway. Or you can integrate with security groups if you are deployed to AWS.


Free eBook

Learn More

Technical Blog

Learn More


Learn More