What Is Calico?
Calico Open Source is a networking and security solution for containers, virtual machines, and native host-based workloads. Calico supports a broad range of platforms, including Kubernetes, OpenShift, Docker EE, OpenStack, and bare metal services.
Whether you use Calico’s eBPF data plane, Linux’s standard networking stack, or the Windows data plane, Calico delivers blazing-fast performance with true cloud-native scalability.
As per independent reports by Datadog and Dynatrace, Calico is the most adopted container networking and security technology.
Editor’s note: Updated to reflect Calico and Cilium features and capabilities in 2026.
What Is Cilium?
Cilium is a CNCF open-source project based on eBPF that provides cloud-native networking, security, and observability for cloud-native environments, such as Kubernetes clusters and other container orchestration platforms. It’s a platform that helps Kubernetes users manage and secure the communication between their containerized applications based on eBPF programs.
eBPF provides Cilium access to deep insights into network traffic and enables it to perform networking and security functions at the kernel level. Currently, no market adoption numbers have been published for Cilium.
This is part of a series of articles about Kubernetes networking.
In this article:
- Calico vs. Cilium: Quick Comparison
- Calico and Cilium: Key Features and Offerings
- Calico and Cilium: Ideal Use Cases
- Calico vs. Cilium: The Key Differences
- Cilium vs. Calico: How to Choose?
- Kubernetes Networking for the Enterprise with Calico
Calico vs. Cilium: Quick Comparison
The following table briefly compares the key aspects of Calico and Cilium. We provide more details on each of these aspects below.
| Calico | Cilium | |
| Core Technology | Supports multiple dataplanes: Linux routing/iptables, eBPF, Windows HNS, and VPP | Built around a single eBPF-based datapath in the Linux kernel |
| Network Security | Fully compliant with the upstream Kubernetes NetworkPolicy plus Calico CRDs (GlobalNetworkPolicy, etc.); L3/L4 enforcement L7 via native Gateway API | Kubernetes NetworkPolicy plus Cilium CRDs; identity-based L3–L7 enforcement (HTTP, gRPC, Kafka) |
| Load Balancing & Networking | eBPF data plane can replace kube-proxy; supports BGP routing and overlay or non-overlay modes | eBPF-based service handling replaces kube-proxy; distributed load balancing in kernel |
| Container Orchestrator Integration | Kubernetes CNI; also supports VMs and bare metal environments | Kubernetes-focused CNI; tightly integrated with Kubernetes APIs |
| Observability & Monitoring | Flow logs, metrics, and integrations with Prometheus; optional enterprise visibility tools | Hubble for real-time L3–L7 visibility; CLI and UI access; Prometheus integration |
| Scalability & Performance | Scales via Typha for API load reduction; supports BGP for large clusters; optional overlay avoidance | Scales using eBPF maps and identity model; Cluster Mesh supports multi-cluster scaling |
| Encryption | Supports WireGuard and mTLS (via service mesh integrations) | Supports WireGuard and IPsec encryption |
| Architecture | Modular architecture with Felix, Typha, and optional BGP peering | Unified eBPF-centric architecture with kube-proxy replacement |
| Policy Management | Managed via Kubernetes CRDs and calicoctl; enterprise multi-cluster policy options | Managed via Kubernetes CRDs and Cilium CLI; fully Kubernetes-native workflow |
| Kubernetes Platform Support | Supports Linux and Windows nodes; flexible deployment models | Primarily Linux-based Kubernetes environments |
| Multi-Cluster Management | Enterprise edition offers centralized multi-cluster management | Cluster Mesh connects clusters with shared identity-based policy |
| Cluster Mesh | Uses BGP and route reflectors for inter-cluster connectivity | Native Cluster Mesh (up to 255 clusters by default) |
| Deployment & Configuration | Installed via Tigera Operator or manifests; lifecycle automation supported | Installed via Cilium CLI or Helm; configuration via CRDs and Helm values |
Calico and Cilium: Key Features and Offerings
Before we discuss the differences, both Calico and Cilium offer the following:
eBPF-based Technology: Both projects leverage extended Berkeley Packet Filter (eBPF) for various networking, security, and observability tasks. eBPF allows them to dynamically insert and update networking, observability, and security logic without having to restart processes or operations. Calico can operate with not only eBPF data plane but also Windows HNS, high-performance VPP and Linux IP tables.
Network Security: Both projects provide network security policies to enable secure communication between container workloads. Policies are often implemented in Kubernetes environments and can be extended to other environments. Both Calico and Cilium are capable of enforcing security policies at both the application (Layer 7) and network (Layer 3/4) levels.
Load Balancing and Networking: Calico eBPF data plane offers efficient load-balancing for distributed services, including North-South and East-West traffic in a Kubernetes cluster. Calico eBPF data plane can handle networking functions like routing and overlay networks, too. Cilium has a similar approach to Calico in these areas.
Integration with Container Orchestrators: Both are available as Kubernetes CNI options with managed Kubernetes service providers for one of their services.
Observability and Monitoring: Both projects provide extensive visibility into network flows and security events, making it easier for developers and operators to understand and troubleshoot network behavior and performance issues.
Scalability and Performance: Thanks to eBPF, Calico and Cilium are scalable and efficient, making them suitable for small to very large-scale deployments. Both are capable of handling high throughput and a large number of network policies with minimal performance overhead.
Encryption: Calico supports WireGuard encryption and mTLS encryption with Istio. Cilium supports both WireGuard and IPsec.
Calico and Cilium are both used by organizations that need a scalable and secure networking solution for their containerized services, especially in dynamic, distributed, and microservices-based architectures.
Related content: Read our guide to Cilium service mesh
Calico and Cilium: Ideal Use Cases
Calico and Cilium are both suited for environments needing scalable and secure networking for containerized services.
Calico is ideal for diverse platforms and offers multiple data plane options, making it flexible for various needs including Kubernetes, VMs, and bare-metal services. It excels in large-scale deployments and complex network policies.
Cilium, based solely on eBPF, is a strong choice for Kubernetes-focused environments requiring advanced network security and observability at the kernel level. Its use of security identities and eBPF map sizes makes it particularly effective in environments where these features align with the network security and performance requirements.
Calico vs. Cilium: The Key Differences
1. High-Level Architecture
Calico provides a flexible architecture with multiple data plane options. In Kubernetes environments, it uses the Kubernetes API datastore and distributes policy and routing information to nodes via components such as Felix and Typha. Typha reduces load on the Kubernetes API server in large clusters by acting as a fan-out proxy for updates. Calico supports multiple dataplanes, including a standard Linux routing/iptables mode and an eBPF data plane. It also supports Windows nodes using the Windows Host Networking Service (HNS), and can integrate BGP for route distribution between nodes or to external networks.
Cilium is built around a single eBPF-based datapath. Networking, service load balancing, and security enforcement are implemented using eBPF programs running in the Linux kernel. It replaces kube-proxy functionality with eBPF-based service handling. Cilium assigns numeric security identities derived from workload labels and enforces policies using identity-based lookups in eBPF maps.
2. Performance and Scalability
Calico supports both a standard data plane (which interoperates with kube-proxy and iptables) and an eBPF data plane that replaces kube-proxy to improve service performance and reduce latency. For large clusters, Typha reduces the number of direct connections to the Kubernetes API server, improving scalability. Calico also supports BGP-based routing, which can eliminate the need for overlays in certain architectures and reduce encapsulation overhead.
Cilium implements distributed load balancing and service handling in eBPF, fully replacing kube-proxy. Its scalability characteristics are influenced by eBPF map sizes and its identity model. In multi-cluster deployments, Cluster Mesh supports up to 255 clusters by default, and increasing the limit reduces the number of cluster-local identities available. See this benchmark study by Thomas Graf.
3. Network Policy
Calico supports Kubernetes NetworkPolicy and extends it with additional custom resources such as GlobalNetworkPolicy and NetworkPolicy resources specific to Calico. These resources allow cluster-wide policies, explicit rule ordering, and broader endpoint selection beyond namespace boundaries. Calico policies can target workloads, host endpoints, and network sets.
Policies can be enforced at Layer 3 and Layer 4 in both standard and eBPF dataplanes. Calico also integrates with service meshes and supports application-layer enforcement when combined with additional components.
Cilium supports Kubernetes NetworkPolicy along with CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy CRDs. These allow defining policies at Layer 3/4 and extending enforcement to Layer 7 for protocols such as HTTP, gRPC, and Kafka.
Policy enforcement is identity-based. Instead of relying solely on IP addresses, Cilium matches traffic using workload identities derived from labels. This allows policies to remain stable even when IPs change due to rescheduling or scaling events.
Learn more in our detailed guide to Kubernetes network policy
4. Policy Management
Calico policies are managed through Kubernetes CRDs and the calicoctl CLI. calicoctl allows direct management of Calico resources and can operate against the Kubernetes API datastore. Enterprise editions provide centralized management and enhanced lifecycle capabilities, including multi-cluster policy control.
The operator-based installation model allows lifecycle management of Calico components and configuration validation during deployment and upgrades.
Cilium policies are defined declaratively using Kubernetes CRDs and managed with standard Kubernetes tooling such as kubectl. Policy definitions are stored in Kubernetes and distributed automatically to Cilium agents.
The Cilium CLI supports installation, upgrades, and validation of cluster readiness, helping manage configuration changes and operational lifecycle.
5. Observability
Calico provides observability through flow logs and policy metrics. Flow logs can be accessed through Calico Whisker and the Flow Logs API. The Flow Logs API exposes aggregated traffic information including policy decisions and traffic statistics such as packet and byte counts. Calico metrics integrate with Prometheus-based monitoring systems.
Cilium provides observability through Hubble, which offers real-time visibility into network flows and security events. Hubble Relay enables cluster-wide visibility, and observability data can be accessed via CLI or UI. Hubble can export metrics for integration with Prometheus and other monitoring systems.
Hubble leverages the same eBPF datapath to capture L3–L7 visibility without sidecar proxies.
6. Kubernetes Platform Support
Calico supports installation in self-managed Kubernetes clusters and various environments. Administrators can choose between iptables and eBPF dataplanes during installation. Calico also supports Windows nodes using Windows HNS integration, enabling mixed OS clusters.
Cilium is designed primarily for Kubernetes and is installed as a CNI plugin using the Cilium CLI, Helm, or manifests. Its configuration and operational state are managed through Kubernetes CRDs, reflecting its Kubernetes-native design.
7. Multi-Cluster Management
Calico supports centralized multi-cluster management, enabling secure connectivity and unified policy management across multiple clusters, including those running in different cloud environments. This provides centralized control and visibility for multi-cluster deployments.
Cilium supports multi-cluster connectivity through Cluster Mesh, which connects Kubernetes clusters into a unified network and preserves identity-based policy enforcement across them. This enables service-to-service communication across clusters with consistent policy enforcement.
Learn more in our detailed guide to Kubernetes multi cluster
8. Cluster Mesh
Calico enables multi-cluster and external connectivity using BGP. Nodes can peer with each other or with external routers, and route reflectors can be used to scale large deployments. This approach integrates with existing network infrastructure.
Cilium Cluster Mesh interconnects multiple clusters and supports up to 255 clusters by default. The cluster limit is configurable, with identity allocation trade-offs when increasing the number of clusters.
9. Deployment and Configuration
Calico can be installed using the Tigera Operator or Kubernetes manifests. The operator automates lifecycle management, component upgrades, and configuration validation. Configuration is handled via Kubernetes CRDs and optional CLI tools.
Cilium is typically deployed using the Cilium CLI or Helm charts. The CLI simplifies installation, validation, and upgrades. Configuration is managed through Helm values and Kubernetes CRDs, aligning with Kubernetes-native operational workflows.
Cilium vs. Calico: How to Choose?
Calico offers a flexible approach with multiple data plane options (eBPF, Linux IP Tables, Windows HNS, VPP), allowing you to switch data planes based on specific needs. It’s highly scalable and suitable for various environments, including large-scale deployments. Cilium, with its eBPF-based data plane, focuses on implementing networking and security via eBPF programs. It categorizes policies using security identities and limits the number of identities and entities in a map, which might affect scalability in large clusters.
In terms of network policy, both Calico and Cilium are compatible with Kubernetes standards and extend policy models in unique ways. Calico offers a more comprehensive policy engine, including DNS policies and application-layer policies in its enterprise versions. Cilium, while supporting native Kubernetes policies, has its limitations.
For observability, Calico integrates with popular open source projects such as Prometheus and Grafana, while Cilium uses Hubble for visualizing network flows.
In conclusion, while Cilium is a strong contender, Calico is more widely adopted and provides more data plane options and more robust network capabilities for more use cases.
Kubernetes Networking for the Enterprise with Calico
The Calico platform offers several features for zero-trust workload security for cloud-native applications. These include:
- Egress access controls – Securely and granularly control workload access between Kubernetes clusters and external resources like APIs and applications.
- Identity-aware microsegmentation for workloads – Deploy a scalable, unified microsegmentation model for hosts, VMs, containers, pods, and services that works across all your environments.
- Egress Gateway – The Calico Egress Gateway provides universal firewall integration, enabling Kubernetes resources to securely access endpoints behind a firewall. This allows you to extend your existing firewall manager and zone-based architecture to Kubernetes for cloud-native architecture.
- Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and OpenShift, and managed services such as EKS and AKS.
- Dynamic Service and Threat Graph – A point-to-point, topographical representation of traffic flow and policy that shows how workloads within the cluster are communicating, and across which namespaces. Also includes advanced capabilities to filter resources, save views, and troubleshoot service issues.
- Policy lifecycle management – Create, test, stage, deploy, and manage security policies. Deploy recommended policies with a single click. Enforce hierarchical policy tiers and get real-time policy evaluations.
Next Steps
- A step-by-step guide for implementing microsegmentation
- Calico WireGuard support with Azure CNI
- Best practices: Using workload access controls for containerized workload protection
See Additional Guides on Key Kubernetes Topics
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of Kubernetes.
Kubernetes Networking
Authored by Tigera
- [Guide] Kubernetes Network Policy: Use Cases, Examples & Tips [2025]
- [Guide] 6 Ways to Improve Kubernetes Network Security
- [Blog] How Network Security Policies Can Protect Your Environment
- [Product] Calico | Unified Network Security & Observability for Kubernetes
Container Security
Authored by Tigera
- [Guide] Container Security: 7 Key Components & 8 Critical Best Practices
- [Guide] Top 5 Docker Security Risks and Best Practices
- [eBook] O’Reilly eBook: Kubernetes Security and Observability
- [Product] Calico | Unified Network Security & Observability for Kubernetes
Kubernetes Security
Authored by Tigera
