Egress Access Controls

Control Access To Endpoints Outside The Cluster

Overview Video (1min 47s)

Calico Enterprise packages several features that enable fine-grained access controls between your microservices and databases, cloud services, APIs, and other applications that may be protected behind a firewall.

Enforce Access Controls from Within the Cluster

Extends the Kubernetes Network Policy model to define egress rules from your pods to DNS/FQDN Endpoints outside the cluster.


Access Controls Enforced Somewhere Outside the Cluster

Assign a fixed IP to any egress traffic originating from a given namespace. Enforce access controls using tools and firewalls outside of the cluster.


Integrate with Security Groups

Restrict access to only those pods that need access to your AWS VPC resources like RDS Instances and ElastiCache.

Product Details Video (4min 11s)

Calico Enterprise DNS Policy

Establishing service-to-service connectivity within your cluster is easy. But how do you enable some of your workloads to securely connect to services like Amazon RDS, ElastiCache, etc. that are external to the cluster?

With Calico Enterprise, you can author DNS Policies that implement fine-grained access controls between a workload and the external services it needs to connect to.

Calico Enterprise DNS Policy is an extension to the open-source Calico policy model that enables fully-qualified domain names and DNS endpoints to be used within your policy rules. DNS policies support wildcard values (e.g. https://api.twilio.com/*).

Once a DNS policy has been implemented, no other pods will be allowed to communicate with that DNS endpoint unless allowed by the policy.

With the DNS policy model, you are enforcing your egress security policies within your cluster. If you also need to enforce security policies at an external control point (e.g. a firewall), then please see the Calico Enterprise Egress Gateway.

Calico Enterprise Egress Gateway

Integrating Kubernetes with firewalls, monitoring platforms, and other external systems is difficult because most of those tools struggle to identify Kubernetes workloads. It would be easier to integrate Kubernetes with external systems if there were a way to assign a fixed IP to a microservice.

The Calico Enterprise Egress Gateway enables you to define a fixed IP and assign it to a Kubernetes namespace. All egress traffic from that namespace will be assigned the fixed IP address.

You can use the namespace’s fixed IP address as the identity of the application(s) running within that namespace, which enables you to integrate with firewalls, monitoring systems, and other systems that don’t understand the dynamic nature of container orchestration.

The Calico Enterprise Egress Gateway can be used in conjunction with DNS Policies for an added layer of protection.

AWS Security Group Integration

Whether you are using a self-managed Kubernetes cluster on AWS or a managed service like Amazon EKS, you will need to figure out how to connect your pods to other AWS resources outside of your cluster. Access is restricted using AWS Security Groups; however, they do not offer the granularity to restrict access to only specific pods.

Calico Enterprise can be deployed along with an additional security group that can manage pod-level security. All you need to do is annotate your pod to connect to the Calico-provided security group and you will achieve pod-level access controls to AWS resources.
