Extend Firewalls to Kubernetes

When deploying microservices to an environment managed by firewalls, it may become necessary to work within the confines of your IT security architecture. For applications that make or accept connections to the internet, or that need to connect to databases, a firewall is typically part of that architecture.

Most security teams are short-staffed and don’t have the capacity to take on new tools that understand workload orchestration like Kubernetes. Defining a firewall rule for ingress or egress access control does not work in this architecture, because pod IP addresses change as workloads are scheduled and scaled; such rules can block deployments or, worse, result in service disruptions if implemented improperly. Furthermore, defining a zone-based security architecture in your cluster using a firewall requires routing all service-to-service traffic through the firewall, introducing latency into your application.

Firewall Manager Integration

Firewall managers are tools used by your network security team to manage multiple firewalls from a single pane of glass, to secure the network and define access controls.

There are 2 primary use cases for firewall manager integration:

  1. A zone-based architecture must be implemented and enforced within your Kubernetes cluster, and the firewall team must own the implementation and operations
  2. The security team needs to extend advanced Next-Gen firewall capabilities to your microservices

1. Implementing Zone-Based Security using a Firewall Manager

A zone-based security architecture separates your workloads into different “zones” in which workloads with different needs and risk levels reside. The firewall then controls the traffic flow between those zones. For example, the demilitarized zone (DMZ) is where internet-facing workloads run, and those workloads should not be able to connect directly to confidential data, which reduces the risk of exposure. Zone-based architectures are often required for compliance purposes.

Calico Enterprise integrates with Fortinet FortiGuard and Palo Alto Panorama to extend those firewall managers to Kubernetes. The firewall manager can be used to create a zone-based architecture for your Kubernetes cluster, and Calico Enterprise will read those firewall rules and translate them into Kubernetes security policies that control traffic between your microservices. The firewall manager can be used to explicitly whitelist which microservices are allowed to traverse zones, providing the network security team the controls they need to maintain compliance.

While a zone-based architecture can be created in Calico Enterprise without the use of a firewall manager, security teams are often short-staffed, do not have the capacity to take on another tool, and prefer to use the firewall managers they already use for the rest of the datacenter.
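To make the zone model concrete, the following is an added example (not Tigera’s or Calico Enterprise’s own policy, and not what a firewall manager would generate) that expresses a three-zone layout with the standard Kubernetes NetworkPolicy API, which Calico also enforces. It assumes three namespaces named `dmz`, `app` and `data`, each labelled `zone=<name>`, pods labelled `role: api` in `app` and `app: postgres` in `data`, and the automatic `kubernetes.io/metadata.name` namespace label (Kubernetes 1.21 and later). The DMZ is allowed to reach the app tier and DNS only; the data tier accepts connections from the app tier only, so a compromised internet-facing pod cannot open a connection to the database.

```yaml
# Added example: zone-based isolation with Kubernetes NetworkPolicy.
# Assumed namespaces: dmz, app, data (each labelled zone=<name>).
---
# Data zone: deny all ingress by default, so nothing reaches the database
# unless a later policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: data
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Data zone: only API pods in the app zone may connect to PostgreSQL.
# DMZ pods are not listed, so "DMZ must not reach confidential data"
# is enforced inside the cluster rather than at the perimeter firewall.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-postgres
  namespace: data
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          zone: app
      podSelector:
        matchLabels:
          role: api
    ports:
    - protocol: TCP
      port: 5432
---
# DMZ zone: internet-facing pods may only talk to the app zone and to
# cluster DNS. Because policyTypes lists Egress and the pod selector is
# empty, every other outbound connection from the namespace is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dmz-egress-allowlist
  namespace: dmz
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          zone: app
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply the three documents with `kubectl apply -f`, then verify from a pod in `dmz` that a connection to a `data` pod on port 5432 times out while a connection to an `app` pod on port 8080 succeeds. The same pattern extends to additional zones: each zone gets a default-deny policy plus an explicit allowlist naming the peer zones and ports it may use, which is exactly the whitelist a firewall manager expresses between zones.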

2. Extending Next-Gen Firewall Capabilities to Kubernetes

Next-generation firewalls provide advanced security features such as live threat feeds, intrusion detection systems, and tools used by the security operations center to identify and resolve security incidents.

Tigera partnered with Fortinet to offer 4 integrations that extend their next-generation platform to your microservices running on Kubernetes.

  • FortiManager Calico Kubernetes Controller: Manage Calico Enterprise security policies directly from the FortiManager platform.
  • FortiGate Calico Kubernetes Controller: Calico Enterprise dynamically populates source IPs from your microservices to FortiManager address object groups. FortiGate next-generation firewalls (NGFWs) can then control egress from your microservices to destinations outside the cluster.
  • FortiGuard Threat Feed Integration: Calico Enterprise ingests threat data from the real-time threat intelligence database from FortiGuard Labs. Calico Enterprise then blocks any traffic to or from those endpoints.
  • Calico FortiSIEM Plugin: Calico Enterprise appends FortiSIEM telemetry with Kubernetes-specific context that provides deeper visibility for security operations teams to respond to security incidents identified within your microservices.

Universal Firewall Integration

Calico Enterprise offers universal firewall integration through the Calico Egress Gateway. The Calico Egress Gateway assigns a fixed IP address to any Kubernetes namespace (an Egress IP Namespace), and Calico Enterprise SNATs all traffic leaving the cluster from that namespace to that address. You can then use the fixed egress IP as the application identity for your microservice and open firewall rules based on that IP. As your microservices scale up and down, you can run as many replicas as needed without opening an additional firewall rule per replica.
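The following is an added illustration of how the namespace-to-egress-IP binding described above is expressed; it is not configuration from this page or from Tigera’s documentation. It assumes a Calico Enterprise cluster and uses the `IPPool` resource and the `egress.projectcalico.org/selector` namespace annotation as this editor recalls them from Calico Enterprise docs; the CIDR `10.10.10.0/31`, the pool name and the `egress-code: red` label are constructed values. Confirm the field names against the documentation for your Calico Enterprise version before use.

```yaml
# Added example: reserve a small pool of routable addresses for egress
# gateway pods and bind a namespace to gateways carrying a given label.
# Constructed values: 10.10.10.0/31, egress-ippool-1, egress-code=red.
---
# Pool that only egress gateway pods draw from. The "!all()" node selector
# is the documented way to keep ordinary workloads from being allocated
# addresses out of this pool (assumption: field names per Calico Enterprise docs).
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: egress-ippool-1
spec:
  cidr: 10.10.10.0/31
  blockSize: 31
  nodeSelector: "!all()"
---
# Namespace whose outbound traffic is SNATed through gateways labelled
# egress-code=red. Every replica of every workload in this namespace
# leaves the cluster from an address in egress-ippool-1, so the perimeter
# firewall needs one allow rule for 10.10.10.0/31 rather than one per pod.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    zone: app
  annotations:
    egress.projectcalico.org/selector: "egress-code == 'red'"
```

The gateway pods themselves run as a Deployment that carries the `egress-code: red` label and draws its addresses from `egress-ippool-1`; the exact gateway manifest is version-specific and is omitted here. On the firewall side, the rule becomes "allow 10.10.10.0/31 to the database on its port", and a practitioner should verify it by checking the database or firewall logs show the egress IP, not a pod IP, as the source of connections from the namespace.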

Interested in trying Calico Enterprise to integrate Kubernetes with your on-premises firewall?

Try Calico Enterprise or contact us if you have some questions – we’d love to hear from you!