
Calico vs. Cilium: 9 Key Differences and How to Choose

What Is Calico?

Calico Open Source is a networking and security solution for containers, virtual machines, and native host-based workloads. Calico supports a broad range of platforms, including Kubernetes, OpenShift, Docker EE, OpenStack, and bare metal services.

Whether you use Calico's eBPF data plane, the standard Linux networking stack (iptables), or the Windows data plane, Calico delivers high performance with cloud-native scalability.

As per independent reports by Datadog and Dynatrace, Calico is the most adopted container networking and security technology.

What Is Cilium?

Cilium is a CNCF open-source project built on eBPF that provides networking, security, and observability for cloud-native environments such as Kubernetes clusters and other container orchestration platforms. It helps Kubernetes users manage and secure communication between containerized applications by loading eBPF programs into the Linux kernel.

eBPF gives Cilium deep visibility into network traffic and lets it perform networking and security functions inside the kernel. At the time of writing, no market adoption numbers have been published for Cilium.

This is part of a series of articles about Kubernetes networking.


Calico vs. Cilium: Quick Comparison

The following table briefly compares the key aspects of Calico and Cilium. We provide more details on each of these aspects below.

Core Technology
  Calico: eBPF, Linux iptables, Windows HNS and VPP dataplanes.
  Cilium: eBPF dataplane only.

Network Security
  Calico: Network security policy at the network (Layer 3/4) and application (Layer 7) levels.
  Cilium: Similar policy capabilities at Layer 3/4 and Layer 7.

Load Balancing & Networking
  Calico: The eBPF dataplane provides service load balancing, routing and overlay networking.
  Cilium: Similar approach; its eBPF service load balancing can replace kube-proxy.

Container Orchestrator Integration
  Calico: Kubernetes, OpenShift, Docker EE, OpenStack and bare metal.
  Cilium: Kubernetes and container orchestration platforms.

Observability & Monitoring
  Calico: Prometheus and Grafana metrics, with Istio and Jaeger integration for Layer 7.
  Cilium: Hubble (CLI, UI, gRPC API and Prometheus metrics).

Scalability & Performance
  Calico: Scales to very large deployments with minimal performance overhead.
  Cilium: Scales, but bounded by the per-cluster security-identity space (16 bits, about 65k identities) and the per-endpoint eBPF policy map size (16,384 entries by default).

Encryption
  Calico: WireGuard; mTLS via Istio.
  Cilium: WireGuard and IPsec.

Architecture
  Calico: Multiple dataplanes, switchable after installation.
  Cilium: Single eBPF dataplane built around security identities.

Policy Management
  Calico: Calico API server (kubectl) and calicoctl; policy staging, recommendations and tiers in Enterprise and Cloud.
  Cilium: kubectl and the Cilium CLI; no built-in policy staging or recommendation.

Kubernetes Platform Support
  Calico: Tracks Kubernetes releases; also OpenShift, VMs and bare-metal hosts.
  Cilium: Primarily Kubernetes.

Multi-Cluster Management
  Calico: kubectl per cluster; one GUI across clusters in Enterprise and Cloud.
  Cilium: kubectl per cluster, with Hubble flows annotated by cluster.

Cluster Mesh
  Calico: BGP-based multi-cluster routing.
  Cilium: Cluster Mesh, up to 255 clusters per mesh by default.

Deployment & Configuration
  Calico: Tigera operator (recommended) or raw Calico manifests.
  Cilium: Cilium CLI or Helm chart.

Calico and Cilium: Key Features and Offerings

Before we discuss the differences, both Calico and Cilium offer the following:

eBPF-based Technology: Both projects use the extended Berkeley Packet Filter (eBPF) for networking, security, and observability tasks. eBPF lets them insert and update networking, observability, and security logic in the kernel without restarting processes. Calico is not limited to eBPF: it can also run on Windows HNS, the high-performance VPP dataplane, and Linux iptables.

Network Security: Both projects provide network security policies to enable secure communication between container workloads. Policies are often implemented in Kubernetes environments and can be extended to other environments. Both Calico and Cilium are capable of enforcing security policies at both the application (Layer 7) and network (Layer 3/4) levels.

Load Balancing and Networking: Calico eBPF dataplane offers efficient load-balancing for distributed services, including North-South and East-West traffic in a Kubernetes cluster. Calico eBPF dataplane can handle networking functions like routing and overlay networks, too. Cilium has a similar approach to Calico in these areas.

Integration with Container Orchestrators: Both are offered as CNI or network-policy options by managed Kubernetes services (for example, AKS offers Calico network policy and Azure CNI Powered by Cilium, and GKE Dataplane V2 is built on Cilium).

Observability and Monitoring: Both projects provide extensive visibility into network flows and security events, making it easier for developers and operators to understand and troubleshoot network behavior and performance issues.

Scalability and Performance: Thanks to eBPF, Calico and Cilium are scalable and efficient, making them suitable for small to very large-scale deployments. Both are capable of handling high throughput and a large number of network policies with minimal performance overhead.

Encryption: Calico supports WireGuard encryption and mTLS encryption with Istio. Cilium supports both WireGuard and IPsec.

Calico and Cilium are both used by organizations that need a scalable and secure networking solution for their containerized services, especially in dynamic, distributed, and microservices-based architectures.

Calico and Cilium: Ideal Use Cases

Calico and Cilium are both suited for environments needing scalable and secure networking for containerized services.

Calico is ideal for diverse platforms and offers multiple dataplane options, making it flexible for various needs including Kubernetes, VMs, and bare-metal services. It excels in large-scale deployments and complex network policies.

Cilium, built solely on eBPF, is a strong choice for Kubernetes-focused environments that want kernel-level network security and observability, and whose scale fits within its security-identity and eBPF map limits.

Calico vs. Cilium: The Key Differences

1. High-Level Architecture

Calico: Calico takes a flexible approach to networking and security. Its eBPF dataplane uses eBPF programs for high-speed networking, and it also supports the Linux iptables dataplane, Windows HNS, and VPP. A cluster can switch dataplanes after installation when requirements change. A CNI confined to a single dataplane leaves no room to test alternatives and select the one that best fits the environment.

Cilium: Cilium has a single eBPF-based dataplane and implements networking and security with eBPF programs. For observability, Cilium relies on Hubble, a companion open-source project that reads flow events from the Cilium agent over gRPC and visualizes and reports cluster flows.

2. Performance and Scalability

Calico: Calico is highly scalable and tuned out of the box for clusters of any size. Organizations including Reddit (multi-cluster), Box (iptables), and CoreWeave (eBPF) use Calico for its scalability and other features. Calico delivers strong performance for UDP-heavy applications and comparable performance to other eBPF-based solutions for other protocols. Its flexible design keeps networking overhead low and lets it outperform many CNIs in scenarios the defaults were not tuned for. An independent write-up shows how Calico scales while maintaining performance in such scenarios; see the benchmark study by Thomas Graf.

Cilium: Cilium categorizes endpoints by security identity rather than by IP address. Each identity is a number derived from an endpoint's set of labels, and policy is evaluated against that number. In tunnel mode the identity travels in the encapsulation header (the VXLAN or Geneve virtual network ID); in native routing mode the receiving node recovers it from the source IP through its ipcache. Because Cluster Mesh reserves the upper 8 bits of the 24-bit identity for a cluster ID, each cluster has a 16-bit identity space (about 65k identities, with 1 to 255 reserved for built-in identities such as host and world), and a mesh is limited to 255 clusters; Cilium 1.15 added a max-connected-clusters setting that raises the cluster limit to 511 at the cost of halving the per-cluster identity space. Policy is stored in per-endpoint eBPF maps whose entry count defaults to 16,384 (the bpf-policy-map-max agent option); a policy that allows many identities on many ports consumes one entry per identity/port/protocol/direction combination and can exhaust the map, so the limit has to be planned for in large clusters.

3. Network Policy

Calico: The Calico policy engine is fully compatible with the Kubernetes NetworkPolicy standard and implements it across all of its dataplanes. Calico extends the Kubernetes policy model with its own network security resources: global network policies (not namespaced), host endpoint protection, explicit policy actions (Allow, Deny, Log, Pass), and custom selectors to fine-tune policies and build a zero-trust environment.

Calico Enterprise and Cloud offer even more capabilities, such as DNS policies, native application-layer policies, policy recommendations, and policy tiers.

Cilium: Cilium implements the native Kubernetes NetworkPolicy API; one gap worth checking is that port ranges (endPort) were not enforced before Cilium 1.16. Cilium also extends the Kubernetes model with its own resources, CiliumNetworkPolicy (namespaced) and CiliumClusterwideNetworkPolicy (global), which add Layer 7 rules, DNS-based (FQDN) egress rules and identity-based selectors, so it covers similar ground to Calico in a different way.
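The three policy forms discussed above, side by side, as an added example that is not taken from the Calico or Cilium projects: a standard Kubernetes NetworkPolicy using endPort (the port-range feature Cilium lacked before 1.16), a Calico GlobalNetworkPolicy that logs and then denies egress that no earlier policy allowed, and a CiliumNetworkPolicy that restricts egress with a DNS (toFQDNs) rule. The namespace shop, the labels app=frontend and app=backend, the port numbers and the hostname api.example.com are assumptions made for the example.

```yaml
# Added example (not project code). Namespace, labels, ports and hostname
# are assumptions for illustration.
---
# 1. Kubernetes NetworkPolicy: enforced by both CNIs. endPort expresses a
#    port range; Cilium only honours endPort from release 1.16 on.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-ingress-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 30000
          endPort: 30100          # range 30000-30100
---
# 2. Calico GlobalNetworkPolicy: cluster-wide (no namespace) and applied
#    to every workload matched by the selector. Rules run in order: Log
#    records the packet and continues, Deny stops evaluation. With order
#    2000 it runs after the allow policies, so it audits and drops only
#    what nothing else allowed (DNS must be allowed by an earlier policy).
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-egress-with-log
spec:
  order: 2000
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system", "calico-apiserver"}
  types:
    - Egress
  egress:
    - action: Log
    - action: Deny
---
# 3. CiliumNetworkPolicy: namespaced (use CiliumClusterwideNetworkPolicy
#    for the global form). DNS is sent through Cilium's L7 proxy so the
#    agent learns which IPs belong to api.example.com, then only TCP/443
#    to those IPs is allowed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-egress-fqdn
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: backend
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"   # proxy every query; restrict if possible
    - toFQDNs:
        - matchName: api.example.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Apply the first two documents on either CNI and the third only on Cilium; Calico Open Source has no FQDN rule, since DNS policy is a Calico Enterprise and Cloud feature. The Calico selector uses the projectcalico.org/namespace label that Calico attaches to every workload endpoint, which is how a global policy is kept away from the system namespaces.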


4. Policy Management

Calico: Calico offers multiple interfaces to interact with network security policies implemented in your environment.

The Calico API server registers Calico resources as a Kubernetes aggregated API, so policies can be managed with kubectl and through the standard Kubernetes REST API, which fits naturally into GitOps and CI/CD pipelines.

Calicoctl, a standalone binary, allows direct access to Calico resources, enabling manipulation of these resources with ease.

Calico Enterprise and Calico Cloud further enhance policy lifecycle management with a graphical interface that visualizes your policies, providing metrics on the number of flows and the instances they’ve impacted, enhancing your visibility and control over network security. It also provides policy recommendations that can be staged, previewed, and enforced to strengthen the security posture of your Kubernetes cluster.

Cilium: Cilium lacks built-in policy lifecycle management and policy recommendation but, like Calico, supports policy management with kubectl, the Kubernetes REST API, and the Cilium command-line binary.

5. Observability

Calico: Calico Open Source integrates with Prometheus and Grafana, enabling you to gain insight into its inner workings and overall performance. These metrics serve as a valuable resource to assess the health of your cluster and overall network performance. Additionally, you can pair these metrics with the logging functionality to construct an observability framework at the networking level (Layer 3-4). Calico can integrate with other open-source projects, such as Istio and Jaeger, to offer application-layer observability in cases where users require such a feature (Layer 7).

Calico Enterprise and Calico Cloud provide a graph-based visualization to observe and troubleshoot workload communication, identify network security gaps, and also active/inactive policies.

Cilium: Cilium's observability comes from Hubble, a companion component that reads flow events from the Cilium agent over gRPC and presents them through a command-line tool (hubble observe) and a web UI. Flows are not locked inside Hubble: Hubble Relay exposes the same gRPC API cluster-wide, the CLI can print flows as JSON, and Hubble publishes Prometheus metrics (drops, DNS, HTTP, TCP), so feeding external tools and databases is a matter of wiring rather than a missing capability. The Layer 7 view, as with Calico's Istio integration, depends on the traffic passing through a proxy, in Cilium's case the agent-managed Envoy.
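To make the observability comparison concrete, an added configuration example, not taken from either project's documentation, that enables Prometheus metrics for Calico's Felix and, for Cilium, Hubble with its Relay endpoint, flow-derived metrics and file export of flows. The port, file path and Helm release name are assumptions; the hubble.export.static values exist in Cilium charts from 1.14 on, so check the values.yaml of your chart version.

```yaml
# Added example (not project code). Two separate files are shown; do not
# feed the Helm values to kubectl.
#
# ---- file: felix-metrics.yaml (kubectl apply -f felix-metrics.yaml) ----
# Calico Open Source: Felix exposes Prometheus metrics once enabled.
# Per-flow logs are a Calico Enterprise/Cloud feature, not part of this.
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  prometheusMetricsEnabled: true
  prometheusMetricsPort: 9091        # scrape <node>:9091/metrics

# ---- file: hubble-values.yaml ----
# Cilium: helm upgrade cilium cilium/cilium -n kube-system -f hubble-values.yaml
hubble:
  enabled: true
  relay:
    enabled: true                    # cluster-wide gRPC endpoint for `hubble observe`
  ui:
    enabled: true
  metrics:
    enabled:                         # Prometheus metrics derived from flows
      - dns
      - drop
      - tcp
      - flow
      - port-distribution
      - icmp
      - "httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction"
    serviceMonitor:
      enabled: true                  # needs the Prometheus Operator CRDs
  export:
    static:
      enabled: true                  # write every flow as JSON on each node
      filePath: /var/run/cilium/hubble/events.log
```

After the Cilium upgrade, `cilium hubble port-forward` followed by `hubble observe --verdict DROPPED -o json` gives the dropped flows in a form any log pipeline can ingest, and a node-level log shipper can tail the exported events.log file.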

6. Kubernetes Platform Support

Calico: Calico Open Source follows a support strategy similar to Kubernetes itself: each Calico release is tested against the current Kubernetes release and the two before it. Calico also supports platforms such as OpenShift and OpenStack, as well as VMs and bare-metal hosts.

Cilium: Cilium is open-source software for transparently securing network connectivity between application services deployed on Linux container platforms. In practice Kubernetes is its primary supported platform, and each Cilium release publishes the Kubernetes versions it has been tested against.

7. Multi-Cluster Management

Calico: Calico Open Source relies on kubectl, pointed at each cluster in turn, to manage a multi-cluster environment, and its logs can be annotated with the cluster context to keep the clusters apart.

Calico Enterprise and Calico Cloud provide a unique way to manage a multi-cluster environment via an easy and intuitive GUI. In a multi-cluster context, Calico enterprise GUI can visualize crucial information such as network security policies, DNS flow logs, and much more in the participating clusters.

Cilium: Cilium likewise relies on kubectl per cluster to manage a multi-cluster environment; Hubble annotates flows with the cluster name so that a mesh-wide view can be assembled.


8. Cluster Mesh

Calico: Calico offers considerable flexibility for establishing and managing a multi-cluster (cluster mesh) environment. Using BGP, Calico exchanges pod routes between two or more clusters so that pods can reach each other directly; the prerequisite is that the clusters' pod CIDRs do not overlap. Where the underlying network cannot carry pod routes natively, Calico's overlay options can be combined with BGP peering, though the unique-CIDR requirement remains.

In a multi-cluster environment, Calico lets internal resources such as pods and services in different clusters communicate, which enables cross-cluster load balancing and higher availability.

Cilium: Cilium's Cluster Mesh connects clusters whose pod CIDRs do not overlap and whose nodes can reach one another; it works in both tunnel and native routing modes and supports up to 255 clusters per mesh by default (511 with the max-connected-clusters setting introduced in Cilium 1.15).
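An added example of the two multi-cluster approaches, not taken from either project's documentation: Calico BGP configuration that peers every node with an external router or route reflector that also carries the other cluster's pod routes, and the Cilium Helm values that give a cluster its mesh identity and expose the Cluster Mesh API server. The AS numbers, peer address, cluster names and IDs are assumptions.

```yaml
# Added example (not project code). AS numbers, addresses and names are
# assumptions. Two files are shown; the Helm values are not a manifest.
#
# ---- file: calico-bgp.yaml (apply in each cluster with its own ASN) ----
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  nodeToNodeMeshEnabled: true        # full mesh inside the cluster
  asNumber: 64512                    # this cluster's ASN
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: upstream-router
spec:
  peerIP: 192.0.2.10                 # router/route reflector shared by both clusters
  asNumber: 64513                    # its ASN; 64512 would make it iBGP
  nodeSelector: all()                # every node peers with it
# Cross-cluster pod traffic is routed natively, so each cluster needs a
# unique pod CIDR and the IP pools must not require encapsulation on that
# path (encapsulation: None, or a CrossSubnet mode with peers on-subnet).

# ---- file: cilium-mesh-values.yaml (one per cluster, unique name and id) ----
cluster:
  name: shop-eu                      # must be unique across the mesh
  id: 1                              # 1..255 by default; becomes the top 8 bits of identities
clustermesh:
  useAPIServer: true                 # run the clustermesh-apiserver
  apiserver:
    service:
      type: LoadBalancer             # reachable from the other clusters' nodes
```

With both clusters installed this way, `cilium clustermesh connect --context shop-eu --destination-context shop-us` exchanges the API server endpoints and certificates; the Calico side needs no further step once the router redistributes each cluster's pod-CIDR routes to the other.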

9. Deployment and Configuration

Calico: Calico uses the Tigera operator to deploy and configure your clusters; while not recommended, it is also possible to use the Calico manifests directly to deploy a customized version of Calico for your environment.

Cilium: Cilium is installed with the Cilium CLI, a stand-alone binary that drives the Cilium Helm chart, or directly with Helm; both deploy the cilium agent DaemonSet, the Cilium operator and, optionally, Hubble.
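An added deployment example, not from either project's documentation: the Tigera operator Installation that selects Calico's eBPF dataplane, the FelixConfiguration that turns on WireGuard, and the Helm values that install Cilium with kube-proxy replacement and WireGuard. The pod CIDR, the API server address and the Helm release name are assumptions; the Cilium keys shown (kubeProxyReplacement: true, routingMode) are those of charts from 1.14 on.

```yaml
# Added example (not project code). CIDR and API server address are
# assumptions. Two files are shown; the Helm values are not a manifest.
#
# ---- file: calico-install.yaml (after deploying tigera-operator) ----
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    linuxDataplane: BPF              # Iptables (default), BPF or VPP; patch to switch later
    ipPools:
      - cidr: 10.244.0.0/16
        encapsulation: VXLANCrossSubnet
        natOutgoing: Enabled
---
# In BPF mode Calico replaces kube-proxy, so it cannot reach the API server
# through the kubernetes Service IP; the operator reads the real address here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubernetes-services-endpoint
  namespace: tigera-operator
data:
  KUBERNETES_SERVICE_HOST: "10.0.0.10"   # assumed control-plane address
  KUBERNETES_SERVICE_PORT: "6443"
---
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  wireguardEnabled: true           # node-to-node WireGuard for pod traffic

# ---- file: cilium-values.yaml ----
# helm install cilium cilium/cilium -n kube-system -f cilium-values.yaml
kubeProxyReplacement: true         # eBPF service load balancing, no kube-proxy
k8sServiceHost: 10.0.0.10          # same reason as the Calico ConfigMap above
k8sServicePort: 6443
routingMode: tunnel                # or "native" with autoDirectNodeRoutes: true
tunnelProtocol: vxlan
encryption:
  enabled: true
  type: wireguard                  # "ipsec" instead needs a cilium-ipsec-keys Secret
```

On Calico, switching dataplanes later is a patch of spec.calicoNetwork.linuxDataplane on the Installation resource; the operator restarts calico-node with the new dataplane. On Cilium the equivalent change is a `helm upgrade` with new values followed by a rollout of the agent DaemonSet.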

Cilium vs. Calico: How to Choose?

Calico offers a flexible approach with multiple data plane options (eBPF, Linux iptables, Windows HNS, VPP), allowing you to switch data planes based on specific needs. It is highly scalable and suitable for a range of environments, including large-scale deployments. Cilium, with its single eBPF-based data plane, implements networking and security via eBPF programs. It categorizes policies using security identities, whose per-cluster count and per-endpoint policy-map size are bounded, which can affect scalability in very large clusters.

In terms of network policy, both Calico and Cilium are compatible with Kubernetes standards and extend policy models in unique ways. Calico offers a more comprehensive policy engine, including DNS policies and application-layer policies in its enterprise versions. Cilium, while supporting native Kubernetes policies, has its limitations.

For observability, Calico integrates with popular open source projects such as Prometheus and Grafana, while Cilium uses Hubble for visualizing network flows.

In conclusion, while Cilium is a strong contender, Calico is more widely adopted and provides more data plane options and more robust network capabilities for more use cases.

Kubernetes Networking for the Enterprise with Calico Cloud

Calico Enterprise and Calico Cloud offer several features for zero-trust workload security for cloud-native applications. These include:

  • Egress access controls – Securely and granularly control workload access between Kubernetes clusters and external resources like APIs and applications.
  • Identity-aware microsegmentation for workloads – Deploy a scalable, unified microsegmentation model for hosts, VMs, containers, pods, and services that works across all your environments.
  • Egress Gateway – The Calico Egress Gateway provides universal firewall integration, enabling Kubernetes resources to securely access endpoints behind a firewall. This allows you to extend your existing firewall manager and zone-based architecture to Kubernetes for cloud-native architecture.
  • Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and OpenShift, and managed services such as EKS and AKS.
  • Dynamic Service and Threat Graph – A point-to-point, topographical representation of traffic flow and policy that shows how workloads within the cluster are communicating, and across which namespaces. Also includes advanced capabilities to filter resources, save views, and troubleshoot service issues.
  • Policy lifecycle management – Create, test, stage, deploy, and manage security policies. Deploy recommended policies with a single click. Enforce hierarchical policy tiers and get real-time policy evaluations.
