Firewalls are a requirement for conventional security and compliance frameworks, and are deployed enterprise-wide using a zone-based architecture (trusted, untrusted, DMZ). But deploying them in Kubernetes is a challenge. A firewall rule needs a static source and destination IP address, whereas Kubernetes pods have short-lived, ephemeral IPs that can’t be used in firewall rules. Pods can be assigned routable IPs, but there are not enough IPs for every pod to have one. And frequent, manual firewall rule changes are error-prone, costly, and resource-intensive.
Existing firewall managers must be able to integrate with the Kubernetes cluster, and then define and manage Kubernetes security policies. The onus is on the platform and networking teams to comply with zone-based security requirements before any application can be deployed to Kubernetes.
The Calico Egress Gateway provides universal firewall integration, enabling Kubernetes resources to securely access endpoints behind a firewall. With this integration, firewalls can extend their zone-based architectures to Kubernetes. Tigera’s Calico-Fortinet integration enables Fortinet customers to leverage existing investments in Fortinet solutions to enforce security and compliance requirements and protect cloud-native Kubernetes workloads using the same familiar tools, processes and security workflows that you use to protect your non-Kubernetes workloads.
Enforce zone-based security in Kubernetes
Enables next-generation firewall (NGFW) managers to implement and enforce a zone-based security architecture in Kubernetes
Maintain enterprise security posture
Enables organizations migrating to Kubernetes architectures to maintain their security posture and ensure the successful adoption of the Kubernetes platform throughout the enterprise
Leverage existing infrastructure and processes
Enables enterprise security teams to leverage familiar, existing firewall tools, processes, and architecture, thereby simplifying and facilitating Kubernetes adoption and deployment
- Enterprise firewall managers can be used to create a zone-based architecture for your Kubernetes cluster
- Calico reads those firewall rules and translates them into Kubernetes security policies that control traffic between microservices
- The firewall manager can be used to explicitly white-list which microservices are allowed to traverse zones, providing the network security team with the controls they need to maintain compliance
- A zone-based architecture can also be created without the use of a firewall manager using Calico’s egress access gateway
- Tigera has partnered with Fortinet to offer four Calico integrations that extend Fortinet’s next-generation firewall platform to microservices running on Kubernetes
- FortiManager Calico Kubernetes Controller: Manage Calico security policies directly from the FortiManager platform
- FortiGate Calico Kubernetes Controller: Calico dynamically populates source IPs from your microservices to FortiManager address object groups. FortiGate next-generation firewalls (NGFWs) can then control egress from your microservices to destinations outside the cluster
- FortiGuard Threat Feed Integration: Calico ingests threat data from FortiGuard Labs’ real-time threat intelligence database, and blocks any malicious traffic to or from identified endpoints
- Calico FortiSIEM Plugin: Calico appends FortiSIEM telemetry with Kubernetes-specific context that provides deeper visibility for security operations teams to respond to security incidents identified within your microservices
How It Works
Calico enables universal firewall integration with Kubernetes via the Calico Egress Gateway, enabling Kubernetes resources to securely access endpoints behind a firewall. With this integration, firewalls can extend their zone-based architectures to Kubernetes. Tigera’s Calico-Fortinet integration enables Fortinet customers to leverage existing investments in Fortinet solutions to enforce security and compliance requirements and protect cloud-native Kubernetes workloads using the same familiar tools, processes and security workflows used to protect non-Kubernetes workloads.
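To make the zone-to-policy translation concrete, here is an added example (not Calico's or Fortinet's own code) that turns a small, constructed table of zone rules into standard Kubernetes NetworkPolicy objects with firewall-style default deny, and evaluates whether a given flow would be permitted. It assumes every workload carries a `zone` label and that all zones live in one namespace.

```python
# Illustrative zone-to-policy translation (added example, not Calico's or
# Fortinet's own code).  Assumes every workload carries a `zone` label and
# that all zones live in one namespace; the rule format is constructed.
import json
from typing import List

# Constructed sample of zone-based rules as a firewall manager might hold
# them: anything not listed is implicitly denied, as on a firewall.
ZONE_RULES = [
    {"src": "untrusted", "dst": "dmz", "ports": [443]},
    {"src": "dmz", "dst": "trusted", "ports": [5432]},
]


def _selector(zone: str) -> dict:
    return {"matchLabels": {"zone": zone}}


def _policy(name: str, zone: str, ingress: List[dict]) -> dict:
    # policyTypes=[Ingress] with no ingress rules denies all ingress to the
    # selected pods; listed rules open specific holes (policies are additive).
    spec = {"podSelector": _selector(zone), "policyTypes": ["Ingress"]}
    if ingress:
        spec["ingress"] = ingress
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}


def translate(rules: List[dict]) -> List[dict]:
    """One default-deny policy per zone, plus one allow policy per rule."""
    zones = sorted({r["src"] for r in rules} | {r["dst"] for r in rules})
    policies = [_policy(f"zone-{z}-default-deny", z, []) for z in zones]
    for r in rules:
        rule = {"from": [{"podSelector": _selector(r["src"])}],
                "ports": [{"protocol": "TCP", "port": p} for p in r["ports"]]}
        policies.append(_policy(f"allow-{r['src']}-to-{r['dst']}", r["dst"], [rule]))
    return policies


def is_allowed(policies: List[dict], src: str, dst: str, port: int) -> bool:
    """Kubernetes ingress semantics for a pod in zone `dst`: if any policy
    selects it, traffic passes only when some selecting policy has an
    ingress rule matching both the peer zone and the port."""
    selecting = [p for p in policies
                 if p["spec"]["podSelector"]["matchLabels"].get("zone") == dst]
    if not selecting:
        return True  # no policy selects the pod: allowed by default
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peer_ok = any(f["podSelector"]["matchLabels"].get("zone") == src
                          for f in rule["from"])
            if peer_ok and any(x["port"] == port for x in rule["ports"]):
                return True
    return False


if __name__ == "__main__":
    print(json.dumps(translate(ZONE_RULES), indent=2))
```

Zones that span namespaces would additionally need a `namespaceSelector` in each `from` entry, since a bare `podSelector` only matches pods in the policy's own namespace.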