Sooner or later, you’ll want to connect your microservices to resources that reside outside your cluster, such as databases, cloud services, APIs, and traditional applications. By default, every pod can send egress traffic out of the cluster and reach those resources unrestricted. That permissive default is a security risk. DNS Policy is a way to place controls on traffic egressing from your cluster.
DNS Policy in Calico Enterprise and Calico Cloud lets you define egress rules whose endpoints are a fully qualified domain name (FQDN) or another DNS endpoint, with support for wildcards (e.g. service.api.com/v1/resource/*).
Once a DNS endpoint has been defined, the policy engine denies any traffic to that endpoint that has not been explicitly allowed.
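As an added example (not taken from the original post or from the Calico project's own documentation), the following Calico Enterprise / Calico Cloud NetworkPolicy shows what such an egress rule looks like in practice. It selects pods by label, allows them to resolve names through the cluster DNS service, permits HTTPS egress only to one named domain and its sub-domains, and denies everything else. The namespace "payments", the label app=checkout and the domain api.example.com are assumed placeholders.

```yaml
# Added example, not from the original post: a projectcalico.org/v3 NetworkPolicy
# that restricts egress from selected pods to an explicitly allowed DNS endpoint.
# Namespace, pod label and domain names below are assumed for illustration.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-egress-to-payment-api
  namespace: payments
spec:
  tier: default
  selector: app == "checkout"
  types:
    - Egress
  egress:
    # DNS lookups themselves must be allowed: the policy engine learns which
    # IP addresses belong to a permitted domain from the DNS answers it sees,
    # so blocking the resolver would also block the allowed destination.
    - action: Allow
      protocol: UDP
      destination:
        selector: k8s-app == "kube-dns"
        namespaceSelector: projectcalico.org/name == "kube-system"
        ports: [53]
    # Only this FQDN (plus sub-domains via the wildcard) is reachable over TLS.
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - api.example.com
          - "*.api.example.com"
        ports: [443]
    # Any other egress from the selected pods is dropped.
    - action: Deny
```

Apply it with `kubectl apply -f` as you would any Calico resource. The explicit trailing Deny makes the intent visible when reading the policy, and the DNS allow rule is the piece most often forgotten: without it the pods can never resolve api.example.com, so the domain rule never matches and all egress appears blocked.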