Egress Access Controls

Calico Enterprise and Calico Cloud include several features that enable fine-grained access controls between your microservices and databases, cloud services, APIs, and other applications that may be protected behind a firewall.


DNS Policy

Egress Gateway

Security Group Integration

Watch a Demo

DNS Policy

Establishing service-to-service connectivity within your cluster is easy. But how do you enable some of your workloads to securely connect to services like Amazon RDS, ElasticCache, etc. that are external to the cluster?

With Calico Enterprise and Calico Cloud, you can author DNS Policies that implement fine-grained access controls between a workload and the external services it needs to connect to.

Calico Enterprise DNS Policy is an extension to the open-source Calico policy model that enables fully-qualified domain names and DNS endpoints to be used within your policy rules. DNS policies support wildcard values (e.g.* ).

Once a DNS policy has been implemented, no other pods will be allowed to communicate with that DNS endpoint unless allowed by the policy.

With the DNS policy model, you are enforcing your egress security policies within your cluster. If you also need to enforce security policies at an external control point (e.g. a firewall) then take a closer look at the Egress Gateway.

Egress Gateway

Integrating Kubernetes with firewalls, monitoring platforms, and other external systems is difficult because most of those tools struggle to identify Kubernetes workloads. It would be easier to integrate Kubernetes with external systems if there was a way to assign a fixed IP address to a microservice.

The Egress Gateway enables you to define a fixed IP and assign it to a Kubernetes namespace. All egress traffic from that namespace will be assigned to the fixed IP address.

You can use the namespace’s fixed IP address as the identity of the application(s) running within that namespace. This enables you to integrate with firewalls, monitoring systems, and other systems that don’t understand the dynamic nature of container orchestration.

The Egress Gateway can be used in conjunction with DNS Policies for an added layer of protection.

AWS Security Group Integration

Whether you are using a self-managed Kubernetes cluster on AWS, or using a managed service like Amazon EKS, you will need to figure out how to connect your pods to other AWS resources outside of your cluster. Restricting access is done using AWS Security Groups.

Calico Enterprise and Calico Cloud can be deployed along with an additional security group to manage pod-level security. All you need to do is annotate your pod to connect to the Calico-provided security group and you will achieve pod-level access controls to AWS resources

Watch a Demo


📣 Read our new O'Reilly eBook on Kubernetes Security and ObservabilityLearn more >>>