Egress Access Controls

Calico Enterprise packages several features that enable fine-grained access controls between your microservices and databases, cloud services, APIs, and other applications that may be protected behind a firewall.

Calico Enterprise DNS Policy

Establishing service-to-service connectivity within your cluster is easy. But how do you enable some of your workloads to securely connect to services such as Amazon RDS and ElastiCache that live outside the cluster?

With Calico Enterprise, you can author DNS Policies that implement fine-grained access controls between a workload and the external services it needs to connect to.

Calico Enterprise DNS Policy is an extension to the open-source Calico policy model that enables fully-qualified domain names and DNS endpoints to be used within your policy rules. DNS policies support wildcard values (e.g. *).

Once a DNS policy has been implemented, no other pods will be allowed to communicate with that DNS endpoint unless allowed by the policy.
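As an added example (not taken from Calico's own documentation), the following Calico Enterprise NetworkPolicy uses domain names in an egress rule so that only the selected pods can reach the named database endpoints. The namespace, labels and hostnames are assumed placeholders, and the DNS rule assumes CoreDNS runs in kube-system with the standard k8s-app=kube-dns label.

```yaml
# Added example: namespaced Calico Enterprise policy with a domain-based
# egress rule. Namespace, labels and hostnames are constructed placeholders.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: orders-allow-rds
  namespace: shop
spec:
  # Only pods carrying this label are governed by the policy.
  selector: app == 'orders'
  types:
    - Egress
  egress:
    # DNS lookups must still be allowed; the domain rule below relies on
    # observing the answers to learn which IPs the names resolve to.
    - action: Allow
      protocol: UDP
      destination:
        selector: k8s-app == 'kube-dns'
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        ports:
          - 53
    # Allow the external services by name. The wildcard entry matches any
    # host under that suffix; the other entry matches one exact hostname.
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - "orders-db.placeholder.us-east-1.rds.amazonaws.com"
          - "*.cache.amazonaws.com"
        ports:
          - 5432
          - 6379
  # Because an Egress type is declared and only these rules are listed,
  # all other egress from the selected pods is denied by this policy.
```

Pods in the namespace that do not match the selector are unaffected by this policy; restricting them as well requires a policy that selects them too.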

With the DNS policy model, you are enforcing your egress security policies within your cluster. If you also need to enforce security policies at an external control point (e.g. a firewall), please see the Calico Enterprise Egress Gateway.

Calico Enterprise Egress Gateway

Integrating Kubernetes with firewalls, monitoring platforms, and other external systems is difficult because most of those tools struggle to identify Kubernetes workloads. It would be easier to integrate Kubernetes with external systems if there were a way to assign a fixed IP to a microservice.

The Calico Enterprise Egress Gateway enables you to define a fixed IP and assign it to a Kubernetes namespace. All egress traffic from that namespace will be assigned the fixed IP address.

You can use the namespace’s fixed IP address as the identity of the application(s) running within that namespace, which enables you to integrate with firewalls, monitoring systems, and other systems that don’t understand the dynamic nature of container orchestration.

The Calico Enterprise Egress Gateway can be used in conjunction with DNS Policies for an added layer of protection.

AWS Security Group Integration

Whether you are using a self-managed Kubernetes cluster on AWS or a managed service like Amazon EKS, you will need to figure out how to connect your pods to other AWS resources outside of your cluster. Restricting access is done using AWS Security Groups; however, they do not offer the granularity to restrict access to only specific pods.

Calico Enterprise can be deployed along with an additional security group that manages pod-level security. All you need to do is annotate your pod to attach it to the Calico-provided security group, and you get pod-level access controls to AWS resources.

Interested in trying Calico Enterprise to securely manage your egress traffic?

Try Calico Enterprise or contact us if you have some questions – we’d love to hear from you!