Egress Access Controls

Control Access To Endpoints Outside The Cluster

Calico Enterprise packages several features that enable fine-grained access controls between your microservices and databases, cloud services, APIs, and other applications that may be protected behind a firewall.

Enforce Access Controls from Within the Cluster

Extends the Kubernetes Network Policy model to define egress rules from your pods to DNS/FQDN Endpoints outside the cluster.

Learn More about DNS Policy

Access Controls Enforced Somewhere Outside the Cluster

Assign a fixed IP to any egress traffic originating from a given namespace. Enforce access controls using tools and firewalls outside of the cluster.

Learn More about Calico Egress Gateway

Calico Enterprise DNS Policy

Establishing service-to-service connectivity within your cluster is easy. But how do you enable some of your workloads to securely connect to services like Amazon RDS, ElastiCache, etc. that are external to the cluster?

With Calico Enterprise, you can author DNS Policies that implement fine-grained access controls between a workload and the external services it needs to connect to.

Calico Enterprise DNS Policy is an extension to the open-source Calico policy model that enables fully-qualified domain names and DNS endpoints to be used within your policy rules. DNS policies support wildcard values (e.g. https://api.twilio.com/*).

Once a DNS policy has been implemented, no other pods will be allowed to communicate with that DNS endpoint unless allowed by the policy.

With the DNS policy model, you are enforcing your egress security policies within your cluster. If you also need to enforce security policies at an external control point (e.g. a firewall), please see the Calico Enterprise Egress Gateway.
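The DNS policy described above, written out as an added example (this is not a policy from the Calico Enterprise page or the Tigera docs). It uses the `domains` field that Calico Enterprise accepts in the `destination` of an egress rule; the namespace `payments`, the `app == 'billing'` selector and the Twilio hostnames are assumptions chosen for illustration. Because Calico learns which IP addresses belong to a domain by watching the DNS responses the selected pods receive, the policy must also allow the DNS lookup itself, which is what the first rule does.

```yaml
# Added example, not part of the original page: a Calico Enterprise
# NetworkPolicy that lets only pods labelled app=billing in the "payments"
# namespace reach Twilio over HTTPS, by hostname rather than by IP.
# Namespace, labels and hostnames are assumptions for illustration.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: billing-allow-twilio
  namespace: payments
spec:
  # Only pods matching this selector are governed by the policy.
  selector: app == 'billing'
  types:
    - Egress
  egress:
    # Rule 1: allow DNS to kube-dns. Without this the pod cannot resolve
    # api.twilio.com, and Calico has no DNS responses from which to learn
    # the IPs that the domain rule below should match.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports:
          - 53
    # Rule 2: allow HTTPS only to the named domains. The wildcard entry
    # covers Twilio subdomains the workload may be redirected to.
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - api.twilio.com
          - '*.twilio.com'
        ports:
          - 443
    # No further rules: egress from the selected pods to any other
    # destination (including other external SaaS endpoints) is denied.
```

Note that `types: [Egress]` with no trailing `Allow` rule is what gives the policy its restrictive effect: once a pod is selected by the policy, any egress traffic not matched by a rule is dropped. Ingress to the billing pods is untouched, since `Ingress` is not listed under `types`.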

Calico Enterprise Egress Gateway

Integrating Kubernetes with firewalls, monitoring platforms, and other external systems is difficult because most of those tools struggle to identify Kubernetes workloads. It would be easier to integrate Kubernetes with external systems if there were a way to assign a fixed IP to a microservice.

The Calico Enterprise Egress Gateway enables you to define a fixed IP and assign it to a Kubernetes namespace. All egress traffic from that namespace will be assigned the fixed IP address.

You can use the namespace’s fixed IP address as the identity of the application(s) running within that namespace, which enables you to integrate with firewalls, monitoring systems, and other systems that don’t understand the dynamic nature of container orchestration.

The Calico Enterprise Egress Gateway can be used in conjunction with DNS Policies for an added layer of protection.
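An added example of the egress gateway arrangement described above (these manifests are not from the Calico Enterprise page; they follow the pattern used in Tigera's egress gateway documentation as I recall it, so check field names against the docs for your installed version). The `payments` namespace, the `egress-code` label, the `10.10.10.0/31` pool and the image tag are assumptions or placeholders. The Calico-specific pieces are the `IPPool` resource, the `cni.projectcalico.org/ipv4pools` pod annotation that makes the gateway draw its address from that pool, and the `egress.projectcalico.org/selector` namespace annotation that routes the namespace's outbound traffic through the gateway.

```yaml
# Added example, not part of the original page: give every pod in the
# "payments" namespace a fixed public-facing source IP by routing its egress
# through a Calico Enterprise egress gateway. Names, labels, the CIDR and the
# image tag are assumptions / placeholders.
---
# 1. A dedicated pool holding the gateway's fixed address. The nodeSelector
#    "!all()" stops Calico from allocating these IPs to ordinary pods; only a
#    pod that asks for the pool by annotation (step 2) receives one.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: egress-ippool-payments
spec:
  cidr: 10.10.10.0/31          # constructed example range
  blockSize: 31
  nodeSelector: "!all()"
---
# 2. The gateway itself. Its pod IP comes from the dedicated pool, so this is
#    the single address that external firewalls and monitoring systems see
#    for the whole namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: egress-gateway-payments
  namespace: payments
spec:
  replicas: 1
  selector:
    matchLabels:
      egress-code: payments
  template:
    metadata:
      labels:
        egress-code: payments
      annotations:
        cni.projectcalico.org/ipv4pools: '["egress-ippool-payments"]'
    spec:
      containers:
        - name: egress-gateway
          # Placeholder tag: use the image version matching your cluster.
          image: quay.io/tigera/egress-gateway:<CALICO_ENTERPRISE_VERSION>
          env:
            - name: EGRESS_POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          securityContext:
            privileged: true   # the gateway programs its own routing/NAT
---
# 3. Point the namespace at the gateway. Outbound traffic from every pod in
#    "payments" is now sent via the gateway and leaves the cluster from
#    10.10.10.0, regardless of which node or pod IP it started from.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  annotations:
    egress.projectcalico.org/selector: egress-code == 'payments'
```

With this in place, an external firewall rule can be written against the single address `10.10.10.0` as "the payments namespace", while the DNS policy from the previous section keeps restricting which destinations those pods may reach before the traffic ever gets to the gateway, which is the layered arrangement the text describes.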

Interested in trying Calico Enterprise to securely manage your egress traffic?

Sign up for our free trial – we’ll even provide sample workloads to test with.