When deploying microservices to an environment that is protected by firewalls, it may become necessary to work within the confines of your IT security architecture. For applications that make or accept connections with the internet, or need to connect to databases, a firewall is typically going to be part of that architecture.
Most security teams are short-staffed and have limited capacity to take on new tools built for workload orchestration platforms like Kubernetes. Security controls such as firewall rules allow or deny traffic based on IP addresses. This model breaks down in the dynamic environment of Kubernetes, where pod IP addresses are transient, so the static IP approach used in firewalls cannot be applied.
Furthermore, defining a zone-based security architecture in your cluster using a firewall requires routing all service-to-service traffic through the firewall, introducing latency into your application.
Enables next-generation firewall (NGFW) managers to implement and enforce a zone-based security architecture in Kubernetes
Enables organizations migrating to Kubernetes architectures to maintain their security posture and ensure the successful adoption of the Kubernetes platform throughout the enterprise
Enables enterprise security teams to leverage familiar, existing firewall tools, processes, and architecture, thereby simplifying and facilitating Kubernetes adoption and deployment
Firewall managers are used by your security team to manage multiple firewalls from a single pane of glass, to secure the network and define access controls.
There are two primary use cases for firewall manager integration:
A zone-based security architecture separates your workloads into different “zones” where workloads with different needs and risk levels reside. The firewall then controls the traffic flow between those zones. For example, the demilitarized zone (DMZ) is where internet-facing workloads run. To reduce the risk of exposure, those workloads should not be able to connect directly to confidential data resources. Zone-based architectures are often required for compliance purposes.
Calico Enterprise integrates with Fortinet FortiGuard and Palo Alto Panorama to extend those firewall managers to Kubernetes. The firewall manager can be used to create a zone-based architecture for your Kubernetes cluster, and Calico Enterprise will read those firewall rules and translate them into Kubernetes security policies that control traffic between your microservices. The firewall manager can be used to explicitly define which microservices are allowed to traverse zones, providing the network security team the controls they need to maintain compliance.
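The following is an added illustration of the translation step described above, written for this page and not Calico Enterprise's own code: it models zone-to-zone firewall rules as simple tuples and emits Kubernetes NetworkPolicy objects that allow only the permitted cross-zone flows. It assumes zones are expressed as a namespace label (here `zone=<name>`), which is an assumption of this example, not a Calico convention.

```python
"""Illustrative zone-rule to NetworkPolicy translator (constructed example)."""

# Assumption of this example: each namespace carries a "zone" label naming its zone.
ZONE_LABEL = "zone"

# Constructed firewall-manager style rules: (source zone, destination zone, TCP ports).
# Any flow not listed is denied, as in a default-deny zone-based architecture.
ZONE_RULES = [
    ("dmz", "app", [8080]),   # internet-facing tier may reach the app tier
    ("app", "data", [5432]),  # only the app tier may reach confidential data
]


def policy_for_zone(zone, rules):
    """Build the ingress NetworkPolicy (as a dict) for one destination zone.

    Apply the result in every namespace labelled with this zone. It selects all
    pods there and admits ingress only from the source zones the rules permit,
    on the listed ports. Because the policy declares the Ingress type, every
    other ingress flow (including DMZ -> data) is dropped.
    """
    ingress = []
    for src, dst, ports in rules:
        if dst != zone:
            continue
        ingress.append({
            "from": [{"namespaceSelector": {"matchLabels": {ZONE_LABEL: src}}}],
            "ports": [{"protocol": "TCP", "port": p} for p in ports],
        })
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"zone-{zone}-ingress"},
        "spec": {
            "podSelector": {},           # every pod in the namespace
            "policyTypes": ["Ingress"],
            "ingress": ingress,          # empty list means deny all ingress
        },
    }


def allowed(src_zone, dst_zone, port, rules):
    """Evaluate whether src_zone -> dst_zone:port passes the generated policy."""
    for rule in policy_for_zone(dst_zone, rules)["spec"]["ingress"]:
        zones = {f["namespaceSelector"]["matchLabels"][ZONE_LABEL] for f in rule["from"]}
        ports = {p["port"] for p in rule["ports"]}
        if src_zone in zones and port in ports:
            return True
    return False
```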
While a zone-based architecture can be created in Calico Enterprise without the use of a firewall manager, security teams are often short-staffed, do not have the capacity to take on another tool, and would prefer to use the firewall managers they use for the rest of the data center.
Next-generation firewalls provide advanced security features such as live threat feeds, intrusion detection, and tools used by the security operations center (SOC) to identify and resolve security incidents. Tigera has partnered with Fortinet to offer four integrations that extend their NGFW platform to your microservices running on Kubernetes.
Calico Enterprise and Calico Cloud provide universal firewall integration through the Calico Egress Gateway. The Calico Egress Gateway assigns a fixed IP address to a Kubernetes namespace (the egress IP for that namespace). In Calico Enterprise and Calico Cloud, all traffic leaving the cluster from that namespace undergoes source network address translation (SNAT) to that address. You can then use the fixed egress IP as the application identity for your microservice and open firewall rules based on that IP. As your microservices scale up and down, you can run as many replicas as needed without opening an additional firewall rule per replica.