Eventually you will need to securely migrate Kubernetes workloads into production and connect them to applications and resources outside the cluster. To do that safely, you need to limit egress to external endpoints on a granular, per-pod basis. But Kubernetes workloads are ephemeral and their IP addresses cannot be predicted, so IP-based rules on an external firewall cannot tell one pod's traffic from another's, which makes controlling Kubernetes access to outside resources with any granularity difficult.
Calico provides three methods to enable fine-grained access controls between your microservices and external databases, cloud services, APIs, and other applications that are protected behind a firewall. You can enforce controls from within the cluster using DNS egress policies, from a firewall outside the cluster using an egress gateway (which gives a selected set of pods a fixed, routable source IP that the firewall can match on), or by integrating with security groups if you are deployed to AWS. In each case the controls are applied on a fine-grained, per-pod basis.
Control access to resources outside of the cluster, like databases, cloud-managed services, third-party APIs, and other applications that are not yet containerized
Safely and securely transition Kubernetes workloads from pilot to production
Maintain compliance with existing enterprise and regulatory security requirements
Calico helps you granularly restrict Kubernetes access to resources outside the cluster in several ways. This not only protects your cluster resources, it gives you the flexibility to align the enforcement point with your specific architecture. Domain names (FQDN / DNS) can be used in policy to control access from a pod or set of pods to an external resource, so the rule survives IP changes on either side. Alternatively, you can enforce the controls from a firewall outside the cluster using the Egress Gateway, or integrate with security groups if you are deployed to AWS.
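The following manifest is an added example, not taken from the original page or from the Calico project's documentation. It illustrates the in-cluster DNS egress policy method described above (and in the overview of the three methods earlier): only pods labelled app == 'payments' in the shop namespace may reach the external billing API, matched by domain name rather than by IP, and everything else they try to send out is denied. The namespace, labels, domain names, and port numbers are assumptions chosen for illustration; the `domains` destination field is a Calico Enterprise / Calico Cloud policy feature and is not part of the upstream Kubernetes NetworkPolicy API.

```yaml
# Added example (not from the original page): per-pod egress control by FQDN.
# Assumptions: namespace "shop", pod label app=payments, the billing hostnames
# below, and a cluster DNS service labelled k8s-app=kube-dns in kube-system.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: payments-egress-billing-api
  namespace: shop
spec:
  order: 100
  # Only pods carrying this label are governed by the policy; other pods in
  # the namespace are untouched, which is what "per-pod" granularity means here.
  selector: app == 'payments'
  types:
    - Egress
  egress:
    # The pods must still be able to resolve names, so allow DNS queries to
    # the cluster DNS service. Calico observes these lookups to learn which
    # IPs currently back the domains listed in the rule below.
    - action: Allow
      protocol: UDP
      destination:
        selector: k8s-app == 'kube-dns'
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports: [53]
    # Allow HTTPS only to the billing API, identified by domain name.
    # Wildcards match one or more labels to the left of the suffix.
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - api.billing.example.com
          - "*.billing-cdn.example.com"
        ports: [443]
    # Explicit default deny for all other egress from the selected pods.
    - action: Deny
```

Apply it with `kubectl apply -f` and verify from inside a payments pod that a request to api.billing.example.com succeeds while one to an unrelated host times out. Because matching happens on the resolved domain rather than a pre-listed IP, the rule keeps working when the external service's addresses change, and because the selector is label-based it keeps working when the pods themselves are rescheduled with new IPs. The explicit trailing Deny is there so the intended outcome for unmatched traffic is visible in the policy itself rather than relying on implicit behaviour.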