Overview
Calico Enterprise is a self-managed Kubernetes security and observability platform built on a Kubernetes-native architecture that extends the declarative nature of Kubernetes to specify security and observability as code. This ensures consistent enforcement of security policies and compliance, and provides observability for troubleshooting across multi-cluster, multi-cloud and hybrid deployments.
Cloud-native applications are composed of containers and microservices that directly access other public cloud services, cloud, and legacy applications. Traditional perimeter-based security solutions are unaware of containers and microservices inside a Kubernetes cluster. Moreover, microservices are highly dynamic and ephemeral, rendering any static IP address-based security control inadequate. The deployment characteristics of cloud-native applications makes them harder to secure, observe, and troubleshoot.
Benefits
Kubernetes-native security and observability as code
Pluggable data plane includes eBPF, Linux, and Windows
Any cloud, any distribution, any application
Enterprise hardened and proven
Architecture
Capabilities
North-South Controls
Control north-south traffic, limit access to external endpoints on a per-pod basis and protect your Kubernetes cluster. The Calico Enterprise Egress Gateway enables you to securely integrate with firewalls, monitoring systems like SIEMs, and other systems that don’t understand the dynamic nature of container orchestration.
You can author DNS policies that implement fine-grained access controls between a workload and the external services it needs to connect to, like Amazon RDS, ElasticCache, and more.
In addition, you can use Global and Namespaced NetworkSets to apply policy to control traffic going to or coming from external, non-Calico networks. Using Calico network sets, you can easily scale out by using the same set of IPs in multiple policies.
FEATURES INCLUDE
- Egress Gateway
- DNS Policies
- Global and Namespaced NetworkSets
East-West Controls
East-West controls enable you to limit the blast radius when a security breach results in an APT (advanced persistent threat). You can perform microsegmentation for both container and VM workloads. Calico Enterprise’s “defense-in-depth” approach provides protection on three levels: host, container/VM and application. Using a single policy framework, you can set controls at all of these levels using a declarative model.
FEATURES INCLUDE
- Microsegmentation
Security and Compliance
If you’re working with sensitive data that falls under regulatory compliance mandates like PCI, HIPAA, SOC 2, or GDPR, Calico Enterprise provides data-in-transit encryption with industry-leading performance, as well as compliance reporting for security policies and controls.
Calico Enterprise has an incredibly rich intrusion detection and protection (IDS/IPS) feature set that includes threat feeds to identify known bad actors like bots, custom alerts for known attacks, anomaly detection, and honeypods. We take an automated approach to malware detection and response to target and remediate threats like DGA (Domain Generation Algorithm) and the unpatched Kubernetes CVE-2020-8554 vulnerability.
FEATURES INCLUDE
- Data-in-transit encryption
- Intrusion detection and prevention
- Compliance reporting and alerts
Observability and Troubleshooting
Distributed applications are very difficult to troubleshoot. Calico solves this problem by dynamically generating a service graph, as well as providing a built-in, UI-driven troubleshooting tool that enables easy monitoring and troubleshooting for microservices.
The Dynamic Service Graph provides a rich set of information with Kubernetes context, including across which namespaces workloads are communicating, detailed DNS information, detailed logs for every flow in your cluster, and how security policies are being evaluated.
Dynamic Packet Capture is a self-service, on-demand tool for capturing and evaluating traffic for a specific pod or collection of pods based on secure user access. It allows you to monitor how microservices are behaving and interacting with each other at runtime.
FEATURES INCLUDE
- Dynamic Service Graph
- Application-layer observability
- DNS dashboard
- Dynamic Packet Capture
Unified Controls
Unified controls in Calico Enterprise enable security and observability across multi-cluster, multi-cloud, and hybrid environments, and provide a single pane of glass to ensure consistent application of security controls across both containers and VMs. Unified controls also reduce the complexity for DevOps teams running the clusters by supporting self-service security and CI/CD integration. Using “policy as code,” Calico Enterprise fully automates the cluster-wide, end-to-end policy deployment process including any necessary security changes.
Built on Calico Open Source, the most widely adopted networking and security solution for containers and Kubernetes, Calico Enterprise also supports third-party CNIs including EKS VPC, Azure CNI, and GKE to expand your choice of public cloud providers.
FEATURES INCLUDE
- Unified controls: Security and observability across multi-cluster, multi-cloud, and hybrid environments
Shift Left Security
Enable developers, DevOps, and SREs to follow a simple workflow and generate security policies with minimal effort. Create your own security policies using policy tiers and customize permissions based on your organizational structure.
Calico ensures the policies in the left-most tiers are given precedence over those on the right. Tiers are a Kubernetes object, so you can control who can view/modify policies in specific tiers. Every change of record to tiers and policies is captured, enabling you or auditors to go back in time for review or troubleshooting purposes.
FEATURES INCLUDE
- Policy automation
Networking and Other Features
For cluster operators who need reliable, consistent connectivity to resources outside of the cluster as well as cluster nodes on different racks, Calico Enterprise dual ToR connectivity ensures high availability with active-active redundant connectivity planes between cluster nodes and ToR switches running BGP.
Calico Enterprise was designed from the ground up with a pluggable data plane architecture. Along with the standard Linux data plane, it includes a Windows HNS data plane and a high-performance eBPF (extended Berkeley Packet Filter) data plane, thus future-proofing your decision to deploy Calico Enterprise.
FEATURES INCLUDE
- Pluggable data planes – eBPF, standard Linux, Windows
- High availability for Kubernetes
Key Features
How It Works
Calico Enterprise is a self-managed security and observability platform for containers, Kubernetes, and cloud that works across hybrid or multi-cloud configurations for any container, any Kubernetes distribution, any virtual machine, or bare metal.
Resources
Latest Content
Turbocharging AKS networking with Calico eBPF
A single Kubernetes cluster expends a small percentage of its total available assigned resources on delivering in-cluster networking. We don’t have to be satisfied with this, though—achieving the lowest possible overhead can provide significant cost...
Read more >
Automate EKS workloads security and observability using Calico integration with Amazon Control Tower
Streamline the security and observability of your landing zone for EKS clusters by automating the process of connecting an EKS cluster to Calico Cloud. Users get granular workload access controls,...
Register here >
Rancher Masterclass: 90 mins hands-on workshop to learn security and observability for Containers, Kubernetes, and Cloud on RKE2 and Calico
In this RKE2-focused workshop for networking, security and observability on containers, Kubernetes and Calico, you will work with a Calico and RKE expert to learn how to design, deploy, and...
Watch here >