Egress Gateway

There are situations where you’ll need a fixed IP address for your microservice. You may have a resource you need to connect to that is protected behind a firewall, or you may need to send data to a monitoring system that requires an IP address to correlate the data sent with the microservice. While it’s possible to setup routable IPs in a Kubernetes cluster, routable IPs are a finite resource and will eventually become exhausted as the cluster grows.

The Egress Gateway in Calico Enterprise and Calico Cloud assigns a fixed IP to a namespace and will NAT all egress traffic from that namespace to the fixed IP.

When you deploy your microservice to that namespace, the service gets a consistent IP assigned for all egress. This includes all replicas of your microservice as you scale up and back.

The fixed IP can then be used to create a rule in an external firewall that will enforce access control at that point.

You can also use the fixed IP to represent your microservice within a monitoring platform, enabling monitoring and other systems that collect data from your microservice to correlate the IP to your service.


📣 Read our new O'Reilly eBook on Kubernetes Security and ObservabilityLearn more >>>