Workload Microsegmentation

Deploy a highly scalable workload microsegmentation model with a unified policy framework for containers, hosts, virtual machines, pods, and services that works across all your environments



Workload microsegmentation is a technique that enables security architects to logically divide the data center into distinct security segments down to the individual workload level, and then define security controls for each unique segment. DevSecOps teams rely on microsegmentation to protect multi-tenant environments from exploitation, and prevent tenants from accessing data from any other tenant.

By default, Kubernetes is an open system with no built-in security controls. Without east-west controls like microsegmentation, a cyberattacker, having gained unauthorized access, can move laterally within a cluster in search of sensitive data and other high-value assets. Given the large attack area within a Kubernetes cluster it’s essential to isolate endpoints and prevent lateral movement.

Every cloud and hosting environment, for example AWS security groups, VMware NSX, and Google Cloud firewalls, uses its own implementation of segmentation. Each of these uses different tools and requires different skill-sets to implement. However, none of these can integrate with other implementations, which limits their applicability, creates silos and can lead to unnecessary deployment of multiple, disparate segmentation solutions.

Calico provides a unified, cloud-native workload segmentation model and single policy framework that makes multiple, siloed approaches a thing of the past, and works across all of your existing microservices environments. Calico’s unified solution is an operationally simpler replacement for multiple, costly, proprietary approaches and the skillsets required to manage them.


Eliminates Lateral Movement

Eliminates the risks associated with lateral movement in the cluster by cyberattackers in search of sensitive data and other high-value assets

Works Everywhere

Eliminates the operational inefficiencies of deploying multiple siloed workload segmentation solutions by providing a single security model and unified policy framework that works seamlessly across multiple application and workload environments

Instant Response

Enables faster response to security threats with a cloud-native distributed architecture that can dynamically enforce security policy changes across cloud-scale environments in milliseconds in response to an attack


Unified Policy Framework

  • Calico provides a unified workload segmentation solution that works across all of your existing environments including any combination of:
    • Cloud and hybrid solution providers
    • Kubernetes distributions
    • Containers
    • Pods
    • Virtual machines
    • Bare metals
    • Cloud instances
    • Hosts
  • Calico provides a single framework to define policies across all of your application and workload environments, including hosts, VMs, containers and Kubernetes
  • Calico’s unified solution is an operationally simpler replacement for multiple, proprietary approaches and the skillsets required to manage them
  • Calico simplifies the process of creating host level policies by providing visibility into traffic between HostEndpoints and determining the appropriate rules to accept or deny a connection

Dynamic Workload Segmentation

  • Calico uses a dynamic workload segmentation model that is not based on a specific workload, but instead is based on the metadata attached to that workload, such as pod name, namespace, node, labels, and annotations.
  • With the Calico model, you can rapidly scale a service without having to change security policies by using appropriate labels when deploying new workloads.

High-Performance, Distributed Architecture for Workload Microsegmentation

  • Calico’s distributed cloud-native architecture eliminates centralized congestion points associated with legacy approaches to workload microsegmentation that can impact performance.
  • With Calico, new workloads can be securely deployed to environments with 10’s of thousands of servers, and be online within milliseconds (vs. hours and days for legacy approaches).

How It Works


Calico’s workload microsegmentation solution with a unified policy framework works across all of your existing environments: any combination of cloud providers, cloud instances, containers, Kubernetes distributions, virtual machines, and bare metals. Calico enables full workload portability and the ability to define workload segmentation policies for multi-cloud and hybrid connections. Calico is built for cloud scale and provides you with the ability to roll out security policy changes in milliseconds, while legacy segmentation tools take hours.


Free eBook

Learn More

Technical Blog

Learn More


Learn More