Calico Enterprise

Calico Enterprise is the only Kubernetes security and observability platform that provides a common, unified security model that works across hybrid or multi-cloud configurations, on any cloud, any Kubernetes distribution, VM and bare metal


Calico Enterprise is a self-managed Kubernetes security and observability platform built on a Kubernetes-native architecture that extends the declarative nature of Kubernetes to specify “security and observability as code.” This ensures consistent enforcement of security policies and compliance, and provides observability for troubleshooting across multi-cluster, multi-cloud and hybrid deployments.

Cloud-native applications are composed of containers and microservices that directly access other public cloud services, cloud and legacy applications. Traditional perimeter-based security solutions are unaware of containers and microservices inside a Kubernetes cluster. Moreover, microservices are highly dynamic and ephemeral, rendering any static IP address-based security control inadequate. The deployment characteristics of cloud-native applications makes them harder to secure, observe and troubleshoot.


Kubernetes-native security and observability as code

Pluggable dataplane includes eBPF, Linux and Windows

Any cloud, any distribution, any application

Enterprise hardened and proven



North-South Controls

Control north-south traffic, limit access to external endpoints on a per-pod basis and protect your Kubernetes cluster. The Calico Enterprise Egress Gateway enables you to securely integrate with firewalls, monitoring systems like SIEMS, and other systems that don’t understand the dynamic nature of container orchestration.

You can author DNS policies that implement fine-grained access controls between a workload and the external services it needs to connect to, like Amazon RDS, ElasticCache, and more.

In addition, Calico Enterprise tightly integrates with AWS Security Groups giving you secure, pod-level access to Amazon EKS.


  • DNS Policy
  • Egress Gateway
  • AWS Security Group Integration

East-West Controls

East-West controls enable you to limit the blast radius when a security breach results in an APT (advanced persistent threat). You can perform micro-segmentation for both container and VM workloads. Calico Enterprise’s “defense-in-depth” approach provides protection on three levels: host, container/VM and application. Using a single policy framework, you can set controls at all of these levels using a declarative model.


  • Microsegmentation

Security and Compliance

If you’re working with sensitive data that falls under regulatory compliance mandates like PCI, HIPAA, SOC2, or GDPR, Calico Enterprise provides data-in-transit encryption with industry-leading performance, as well as compliance reporting for security policies and controls.

Calico Enterprise has an incredibly rich Intrusion Detection and Protection (IDS/IPS) feature set that includes threat feeds to identify known bad actors like bots, custom alerts for known attacks, anomaly detection, and honeypods. We take an automated approach to malware detection and response to target and remediate threats like DGA (Domain Generation Algorithm) and the unpatched Kubernetes CVE-2020-8554 vulnerability.


  • Data-in-Transit Encryption
  • Intrusion Detection and Prevention
  • Compliance Reporting and Alerts


Distributed applications are very difficult to troubleshoot. Calico Enterprise solves that problem by dynamically generating a service graph that enables anyone to easily understand how microservices are behaving and interacting with each other at run-time, simplifying the debugging process.

The Dynamic Service Graph provides a rich set of information with Kubernetes context, including across which namespaces workloads are communicating, detailed DNS information, detailed logs for every single flow in your cluster, and how network policies are being evaluated. DevOps teams can quickly identify the source of a problem at the application, process, and socket levels as well as through an automated packet capture function.


  • Dynamic Service Graph
  • Application Layer Observability
  • DNS Dashboard
  • Dynamic Packet Capture

Unified Controls

Unified controls in Calico Enterprise enable security and observability across multi-cluster, multi-cloud and hybrid cloud environments, and provide a single pane of glass to ensure consistent application of security controls across both containers and VMs. Unified controls also reduce the complexity for DevOps teams running the clusters by supporting self-service security and CI/CD integration. Using “policy as code”, Calico Enterprise fully automates the cluster-wide, end-to-end policy deployment process including any necessary security changes.

Built on open-source Calico, the most widely adopted Kubernetes CNI, Calico Enterprise also supports third-party CNIs including EKS VPC, Azure CNI, and GKE to expand your choice of public cloud providers.


  • Unified Controls: Security and Observability across Multi-cluster, Multi- and Hybrid Cloud Environments

Shift Left Security

Enable Developers, DevOps and SREs to follow a simple workflow and generate security policies with minimal effort. Create your own security policies using policy tiers and customize permissions based on your organizational structure.

Calico ensures the policies in the left-most tiers are given precedence over those on the right. Tiers are a Kubernetes object, so you can control who can view/modify policies in specific tiers. Every change of record to tiers and policies is captured, enabling you or auditors to go back in time for review or troubleshooting purposes.


  • Policy Automation

Networking and Other Features

For cluster operators who need reliable, consistent connectivity to resources outside of the cluster as well as cluster nodes on different racks, Calico Enterprise dual ToR connectivity ensures high availability with active-active redundant connectivity planes between cluster nodes and ToR switches running BGP.

Calico Enterprise was designed from the ground up with a pluggable data plane architecture. Along with the standard Linux data plane, it includes a Windows HNS dataplane and a high performance eBPF (extended Berkeley Packet Filter) dataplane, thus future-proofing your decision to deploy Calico Enterprise.


  • Pluggable data planes - eBPF, standard Linux, Windows
  • High availability for Kubernetes

How It Works

Calico Enterprise is a self-managed Kubernetes Security and Observability platform that works across hybrid or multi-cloud configurations, any cloud, any Kubernetes distribution, VM and bare metal.


Overview Blog

Learn More

Free eBook



Learn More

Latest Content

A Sneak Peek at the “Calico Certified Operator: AWS Expert” Course

A Sneak Peek at the "Calico Certified Operator: AWS Expert" Course

By Chris Tomkins on Jul 29, 2021

This One’s All About You Recently, we released our new “Calico Certified Operator: AWS Expert” course. You can read more about why we created this course and how it can

Read more >
A Holistic Approach to Securing and Troubleshooting Cloud Native Applications: A Fireside Chat

A Holistic Approach to Securing and Troubleshooting Cloud Native Applications: A Fireside Chat

By Neeraj Shahdadpuri on Jul 30, 2021

Over the years building Calico, we have gotten to see the Kubernetes user journey for various organizations. We have seen many users focus on getting their workloads deployed in Kubernetes...

Register here >
Hands-on workshop: Learn best practices to address enterprise security and compliance challenges in Kubernetes

Hands-on workshop: Learn best practices to address enterprise security and compliance challenges in Kubernetes

By Neeraj Shahdadpuri on Jul 30, 2021

In this enterprise compliance focussed workshop for Kubernetes, you will work with a Calico subject matter expert to learn how to design, deploy, and observe security and networking policies to...

Watch here >