Calico Enterprise

A self-managed active cloud-native application security platform for containers, Kubernetes, and cloud

Overview

Calico Enterprise is Kubernetes-native and extends the declarative nature of Kubernetes to specify security and observability as code. This ensures consistent enforcement of security policies and compliance, and provides observability for troubleshooting across multi-cluster, multi-cloud and hybrid deployments.

Benefits

Security and observability as code

Choice of data planes, including eBPF, Windows, and Linux

Any cloud, any distribution, any application

Enterprise hardened and proven

Capabilities

Zero-trust Workload Security

Implement zero-trust workload access controls on a per-pod basis, for traffic both into the pod and from the pod to endpoints outside the cluster. Author DNS policies that implement fine-grained egress controls between a workload and the external services it needs to reach, such as Amazon RDS and ElastiCache, by destination name rather than by IP addresses that change under you.

Limit the blast radius of a breach, including one that turns into an advanced persistent threat (APT), with identity-aware microsegmentation for both container and VM workloads. Use a single policy framework and the Kubernetes declarative model to set controls at the host, container/VM, and application levels.

Extend the use of existing firewalls and SIEMs to your Kubernetes environment with out-of-the-box firewall and SIEM integrations.

KEY FEATURES INCLUDE

  • Zero-trust workload access controls
  • Identity-aware microsegmentation for workloads
  • Firewall and SIEM integration
  • Envoy-based application-level protection

Runtime Threat Defense

Calico Enterprise protects your workloads at runtime from both known and zero-day threats.

Calico provides workload-based intrusion detection and prevention, deep packet inspection, protection from DDoS attacks, Envoy-based application-level protection, and a WAF.

Calico Enterprise uses AlienVault and custom threat feeds to actively block connections from your containers to known malware infrastructure and to domains produced by domain generation algorithms (DGAs).

In addition, Calico Enterprise uses advanced machine learning techniques to detect zero-day threats by baselining signals from processes, file systems, system calls, and the network.

KEY FEATURES INCLUDE

  • Workload-based IDS/IPS, DDoS, DPI, and WAF

Active Risk Mitigation

Calico Enterprise’s robust and highly performant security policy engine can alert on, pause, quarantine, or terminate compromised pods within milliseconds in multi-cloud and hybrid environments.

The Security Policy Recommender scans your environment and recommends policies for robust security.

KEY FEATURES INCLUDE

  • Security Policy Recommender

Compliance

If you’re working with sensitive data that falls under regulatory compliance mandates like PCI DSS, HIPAA, SOC 2, or GDPR, Calico Enterprise provides data-in-transit encryption (WireGuard-based) with industry-leading performance, as well as compliance reporting for security policies and controls.

KEY FEATURES INCLUDE

  • Compliance for regulatory and custom frameworks
  • Data-in-transit encryption
  • Evidence and audit reports

Observability and Troubleshooting

Distributed applications are very difficult to troubleshoot. Calico addresses this by generating a Dynamic Service and Threat Graph at runtime and by providing a built-in, UI-driven troubleshooting tool that enables easy monitoring and troubleshooting for microservices.

The Dynamic Service and Threat Graph provides a rich set of information with Kubernetes context, including across which namespaces workloads are communicating, detailed DNS information, detailed logs for every flow in your cluster, and how security policies are being evaluated.

Dynamic Packet Capture is a self-service, on-demand tool for capturing and evaluating traffic for a specific pod or collection of pods based on secure user access. It allows you to monitor how microservices are behaving and interacting with each other at runtime.

KEY FEATURES INCLUDE

  • Dynamic Service and Threat Graph
  • Application-level observability
  • Dynamic Packet Capture
  • DNS Dashboard
  • Performance hotspots

Unified Controls

Unified controls in Calico Enterprise enable security and observability across multi-cluster, multi-cloud, and hybrid environments, and provide a single pane of glass to ensure consistent application of security controls across both containers and VMs. Unified controls also reduce the complexity for DevOps teams running the clusters by supporting self-service security and CI/CD integration. Using “policy as code,” Calico Enterprise fully automates the cluster-wide, end-to-end policy deployment process including any necessary security changes.

Built on Calico Open Source, the most widely adopted networking and security solution for containers and Kubernetes, Calico Enterprise also runs in policy-only mode on top of third-party CNIs, including the Amazon VPC CNI (EKS), Azure CNI, and GKE networking, to expand your choice of public cloud providers.

KEY FEATURES INCLUDE

  • Unified controls: Security and observability across multi-cluster, multi-cloud, and hybrid environments

Shift-Left Security with Policy Tiers and Automation

Enable developers, DevOps, and SREs to follow a simple workflow and generate security policies with minimal effort. Create your own security policies using policy tiers and customize permissions based on your organizational structure.

Tiers are evaluated in order: policies in the left-most tier (the one with the lowest order) are evaluated first and take precedence over those in tiers to the right, which are consulted only if an earlier tier passes the traffic on. Tiers are a Kubernetes object, so you can control with RBAC who can view or modify policies in specific tiers. Every change to tiers and policies is recorded, enabling you or auditors to go back in time for review or troubleshooting purposes.
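The following manifest is an added example, not code from the Calico Enterprise page or from Tigera's documentation. It ties together the DNS egress policy described under Zero-trust Workload Security and the tier precedence described above: a "security" tier owned by the security team is evaluated first, its policy pins a payments workload's external egress to an RDS hostname, and in-cluster traffic is handed to a later "platform" tier. The tier names, the `app == "payments"` label, the RDS domain and region, the port, and the ClusterRole name are assumed values chosen for illustration; the tier-scoped RBAC resource names are the ones Calico Enterprise documents, but confirm them against the docs for your version.

```yaml
# Added example (not from the Calico Enterprise page or Tigera docs).
# Tiers: lower "order" is evaluated first and is shown left-most in the UI.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security          # assumed name
spec:
  order: 100
---
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: platform          # assumed name, evaluated after "security"
spec:
  order: 200
---
# Policies inside a tier are named <tier>.<name>. Because this policy selects
# the payments pods, any egress from them that matches no rule below hits the
# implicit deny at the end of the security tier and never reaches "platform".
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.payments-egress
spec:
  tier: security
  order: 10
  selector: app == "payments"        # assumed workload label
  types:
    - Egress
  egress:
    # DNS lookups must be allowed, and must go to the cluster resolver, or the
    # domain-based rule below has no DNS responses to learn the RDS IPs from.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports: [53]
    # DNS policy: only the RDS endpoint, only PostgreSQL, nothing else outside
    # the cluster. The wildcard covers the per-instance hostnames RDS issues.
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - "*.us-east-1.rds.amazonaws.com"   # assumed region
        ports: [5432]
    # In-cluster destinations are not decided here: Pass sends them on to the
    # next tier (platform), whose owners manage east-west rules.
    - action: Pass
      destination:
        selector: all()
---
# Tier-scoped RBAC: this role can read policies in the security tier but not
# write them. Per-tier access uses the tier.* resources with a "<tier>.*"
# resourceName; verify the resource list against your version's RBAC docs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-tier-viewer         # assumed name
rules:
  - apiGroups: ["projectcalico.org"]
    resources: ["tiers"]
    resourceNames: ["security"]
    verbs: ["get"]
  - apiGroups: ["projectcalico.org"]
    resources: ["tier.globalnetworkpolicies", "tier.networkpolicies"]
    resourceNames: ["security.*"]
    verbs: ["get", "list", "watch"]
```

Apply it with `kubectl apply -f`, then check that a payments pod can resolve and connect to its RDS hostname while a connection to any other external address times out. Two points are worth checking in a real cluster: the `Pass` rule means east-west traffic for payments pods is governed entirely by whatever the platform tier (and ultimately the default tier and namespace profile) says, so confirm something there actually restricts it; and DNS policy only works if the pods use the resolver that Calico trusts, so a pod that points at an external resolver will be denied by the end-of-tier rule rather than silently allowed.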

KEY FEATURES INCLUDE

  • Policy automation

Networking and Other Features

For cluster operators who need reliable, consistent connectivity to resources outside of the cluster as well as cluster nodes on different racks, Calico Enterprise’s dual ToR connectivity ensures high availability with active-active redundant connectivity planes between cluster nodes and ToR switches running BGP.

Calico Enterprise was designed from the ground up with a pluggable data plane architecture. Along with the standard Linux data plane, it includes a Windows HNS data plane and a high-performance eBPF (extended Berkeley Packet Filter) data plane, thus future-proofing your decision to deploy Calico Enterprise.

KEY FEATURES INCLUDE

  • Pluggable data planes – eBPF, standard Linux, Windows
  • High availability for Kubernetes

How It Works

Calico Enterprise is a self-managed security and observability platform for containers, Kubernetes, and cloud that works across hybrid or multi-cloud configurations for any container, any Kubernetes distribution, any virtual machine, or bare metal.

Resources

  • Overview blog
  • Free eBook
  • Documentation

Latest Content

Boosting your cluster networking with the Calico VPP data plane (beta)!

By Casey Davenport on May 27, 2022

This is a guest post from Nathan Skrzypczak at Cisco. Nathan is part of a team of external contributors to Calico Open Source that have been working on an integration...

Prevent a potential DDoS Attack with Application-Layer Security Controls

By Neeraj Shahdadpuri on May 4, 2022

Layer 7 refers to the top layer in the 7-layer OSI Model of the Internet. It is also known as the “application layer.” It’s the top layer of the data...

Hands-on workshop: Implementing security controls on containerized workloads on AWS, Microsoft, Red Hat or Rancher

By Neeraj Shahdadpuri on May 6, 2022

Attend this in-depth, hands-on workshop with a Calico expert to design and implement container security, zero-trust workload security, and advanced troubleshooting for your containerized workloads. The 90-minute interactive lab comes...