Calico Cloud
  • Get up and running in minutes
  • No upfront infrastructure or support costs
  • Includes self-guided labs to explore core use cases
  • Connect one or more of your Kubernetes environments
    • EKS, AKS, GKE, VMware Tanzu, Rancher, OpenShift, Kubeadm

Why Calico Cloud?

Cloud-native applications are composed of containers and microservices that directly access other public cloud services, as well as cloud and legacy applications. Traditional perimeter-based security solutions are unaware of containers and microservices inside a Kubernetes cluster. Moreover, microservices are highly dynamic and ephemeral, rendering any static IP address-based security control inadequate. The deployment characteristics of cloud-native applications make them harder to secure, observe and troubleshoot.

Without granular levels of security and observability, there is a potential for unauthorized access to and from microservices. And once a service is compromised, it is easy for the malicious actors to move laterally.

Calico Cloud’s Kubernetes native architecture extends the declarative nature of Kubernetes to specify “security and observability as code,” which ensures consistent enforcement of security policies and compliance and provides observability and troubleshooting across multi-cluster, multi-cloud and hybrid deployments.

“While Kubernetes provides great flexibility, we’ve learned how challenging it is to secure, observe, and troubleshoot this environment. With the detailed visibility and robust security offered by Calico Cloud via features such as the Dynamic Service Graph, we’re able to observe exactly what is going on, which helps us analyze and troubleshoot far more effectively.”
Jeff Puccinelli

Senior DevOps Engineer, Mulligan Funding


North-South Controls

Control north-south traffic, limit access to external endpoints on a per-pod basis and protect your Kubernetes cluster.
The Calico Cloud Egress Gateway enables you to securely integrate with firewalls, monitoring systems like SIEMs, and other systems that don’t understand the dynamic nature of container orchestration.

You can author DNS Policies that implement fine-grained access controls between a workload and the external services it needs to connect to, like Amazon RDS, ElastiCache, and more. In addition, Calico Cloud tightly integrates with AWS Security Groups, giving you secure, pod-level access to Amazon EKS.


  • DNS Policy
  • Egress Gateway
  • AWS Security Group Integration

East-West Controls

East-West controls enable you to limit the blast radius when a security breach results in an APT (advanced persistent threat). You can perform micro-segmentation for both container and VM workloads. Calico Cloud’s “defense-in-depth” approach provides protection on three levels: host, container/VM and application. Using a single policy framework, you can set controls at all of these levels using a declarative model.


  • Microsegmentation
  • Host, Container/VM and application protection
  • Single policy framework

Security and Compliance

If you’re working with sensitive data that falls under regulatory compliance mandates like PCI, HIPAA, SOC2, or GDPR, Calico Enterprise provides data-in-transit encryption with industry-leading performance, as well as compliance reporting for security policies and controls.
Calico Cloud has an incredibly rich Intrusion Detection feature set that includes threat feeds to identify known bad actors like bots, custom alerts for known attacks, anomaly detection, and honeypods. We take an automated approach to malware detection and response to target and remediate threats like DGA (Domain Generation Algorithm) and the unpatched Kubernetes CVE-2020-8554 vulnerability.


  • Data-in-Transit Encryption
  • Intrusion Detection and Prevention
  • Compliance Reporting and Alerts


Distributed applications are very difficult to troubleshoot. Calico Cloud solves that problem by dynamically generating a service graph that enables anyone to easily understand how microservices are behaving and interacting with each other at run-time, simplifying the debugging process.

Dynamic Service Graph provides a rich set of information with Kubernetes context including across which namespaces workloads are communicating, detailed DNS information, detailed logs for every single flow in your cluster, and how network policies are being evaluated. Software engineers can quickly identify the source of a problem at the application, process, and socket levels as well as through an automated packet capture function.


  • Dynamic Service Graph
  • Flow Log Visualizer
  • Dynamic Packet Capture
  • DNS Dashboard
  • Application Layer Observability

Unified Controls

Unified controls in Calico Cloud enable security and observability across multi-cluster, multi-cloud and hybrid cloud environments, and provide a single pane of glass to ensure consistent application of security controls across both containers and VMs. Unified controls also reduce the complexity for DevOps teams running the clusters by supporting self-service security and CI/CD integration. Using “policy as code”, Calico Cloud fully automates the cluster-wide, end-to-end policy deployment process including any necessary security changes.

Built on open-source Calico, the most widely adopted Kubernetes CNI, Calico Cloud also supports third-party CNIs including EKS VPC, Azure CNI, and GKE to expand your choice of public cloud providers.


  • Unified Controls: Security and Observability across Multi-cluster, Multi- and Hybrid Cloud Environments
  • Self-Service Security
  • Policy Tiers

Key Features

Unified Control

Self-Service Security

Egress Gateway

Compliance Reporting & Alerts

Application Layer Observability

DNS Policy

DNS Dashboard

Dynamic Service Graph

Flow Visualizer

Dynamic Packet Capture

Host, Container/VM & Application protection

Data-in-Transit Encryption

Intrusion Detection and Prevention (IDS/IPS)


AWS Security Groups Integration

Policy Tiers
