AWS Security Groups Integration
Security groups, acting as instance-level network firewalls, are among the most important and commonly used building blocks in any AWS cloud deployment. It’s common for a Kubernetes cluster in AWS to interact with other Amazon-hosted resources outside of the cluster such as application instances and datastores like Amazon RDS or ElastiCache. The native protection for these resources is VPC (Virtual Private Cloud) security groups.
However, AWS security groups and VPCs are typically unaware of components inside a Kubernetes cluster. By default, VPC security groups can be applied only to the EC2 instances that serve as cluster nodes, not to individual pods. To allow a subset of pods access to an RDS instance, you must allow access for your entire Kubernetes cluster, which gives every pod on those nodes access to the RDS instance. This is not a desirable outcome when you are securing microservices and multi-tenant deployments.
AWS security groups integration enables you to combine AWS security groups with Calico Enterprise or Calico Cloud security policy, and restrict access to Amazon-hosted resources outside of the cluster on a per-pod basis. You can use this policy to enforce granular access control between Kubernetes pods and Amazon Virtual Private Cloud (AWS VPC) resources.
The Calico Enterprise AWS security groups integration uses the Kubernetes cloud controller to monitor the security groups and VPC endpoints in the Amazon VPC, create network policies, and ensure that required security groups are added to VPC endpoints. Calico Enterprise or Calico Cloud can be deployed along with an additional security group that can manage pod-level security. All you need to do is annotate your pod to connect to the Calico-provided security group and you will achieve pod-level access controls to AWS resources.
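An added illustration of the pod-level workflow described above, not taken from this page. It assumes the Calico Enterprise pod annotation key `aws.tigera.io/security-groups` (from the Calico Enterprise documentation, not shown on this page) and uses constructed placeholder security group IDs; the RDS security group is then configured on the AWS side to accept inbound traffic only from the pod security group rather than from the whole node security group.

```yaml
# Example (not from the page): only pods of this Deployment are attached
# to the pod-level security group, so the RDS security group can allow
# TCP/5432 from sg-POD-PLACEHOLDER alone instead of from every cluster node.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
  namespace: orders
spec:
  replicas: 2
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
      annotations:
        # Assumed annotation key from the Calico Enterprise docs; the value is a
        # JSON list of security group IDs (placeholder ID, constructed).
        aws.tigera.io/security-groups: '["sg-POD-PLACEHOLDER"]'
    spec:
      containers:
        - name: orders-api
          image: example.com/orders-api:1.0   # constructed image reference
          env:
            - name: DB_HOST
              value: orders-db.RDS-PLACEHOLDER.rds.amazonaws.com
            - name: DB_PORT
              value: "5432"
```

Pods in the same cluster without this annotation remain subject only to the node security group and are not granted the RDS ingress rule that references `sg-POD-PLACEHOLDER`.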