Your microservices may need to connect to resources that reside outside your cluster, such as databases, cloud services, APIs, and traditional applications. By default, every pod is allowed to send egress traffic out of the cluster and can connect to those resources. This is generally not the desired behavior and poses a security and access risk. Calico DNS Policy is a way to put controls on traffic egressing from your cluster.
Calico Enterprise DNS Policy is an extension of Network Policy that enables Egress endpoints and rules to be defined. DNS Policies can define a fully qualified domain name (FQDN) or other DNS endpoint, including the use of wildcards (e.g. service.api.com/v1/resource/*).
Once a DNS endpoint has been defined, the policy engine will deny any traffic to that endpoint that has not been whitelisted.
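As an added illustration (not taken from this page or from Tigera's documentation), the sketch below shows what an egress policy keyed on domain names can look like with the Calico Enterprise `projectcalico.org/v3` policy API. The policy name, namespace, pod labels and domains are constructed placeholders, and the `k8s-app == 'kube-dns'` selector assumes the cluster DNS pods carry that common label.

```yaml
# Added example: all names, labels and domains below are placeholders.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: checkout-egress-by-domain      # hypothetical policy name
  namespace: shop                      # hypothetical namespace
spec:
  # Applies only to the pods that need the external resource.
  selector: app == 'checkout'          # hypothetical label
  types:
    - Egress
  egress:
    # Let the selected pods resolve names through the cluster DNS service.
    # Without this rule the lookups fail and the domain rule below can never match.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        selector: k8s-app == 'kube-dns'   # assumed label on the DNS pods
        ports:
          - 53
    # Allow HTTPS only to the named external endpoints.
    # Wildcards match on the host name; this example does not use URL paths.
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - api.example.com            # placeholder FQDN
          - "*.db.example.com"         # placeholder wildcard
        ports:
          - 443
  # No other egress rule is listed, so egress from the selected pods
  # that no policy allows is dropped.
```

Because the selector scopes the policy to one workload, other pods in the namespace keep their existing egress behavior until a policy selects them as well.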
Interested in trying Calico Enterprise DNS Policy?
Sign up for our free trial – we’ll even provide sample workloads to test with.