Extend Firewalls to Kubernetes

Use a firewall manager to create a zone-based architecture for your Kubernetes cluster

Kubernetes and Security Zones

Security teams use firewalls to secure their production environments, often using a zone-based architecture. Workloads are profiled for risk and placed into zones, and traffic between zones is whitelisted and monitored.

Kubernetes does not map well onto that architecture: each pod's IP address is dynamic, and a firewall cannot create rules for pods. When Kubernetes applications are internet-facing, this creates a significant problem for your security team.

Manage Zones and Rules using a Firewall Manager

Firewall Managers, such as Palo Alto Networks Panorama, can connect to Calico Enterprise and treat it like any other firewall in the network.

Zones are defined and firewall rules are created in the same way as every other rule in the firewall manager. Calico Enterprise then automatically translates those rules into Kubernetes network policy that segments the cluster into zones and applies the corresponding firewall rules.

Calico Enterprise enforces the firewall rules in a higher-precedence policy tier, providing guardrails that let DevOps teams deploy their workloads without overriding any of the zone architecture rules.

Traffic crossing zones can be sent to the security team's SIEM, giving them the same visibility they would have had from their firewall.
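As an added illustration (not from this page, nor output of any firewall manager or Calico Enterprise itself), this is what two such zones might look like once expressed as Calico tiered policy: a high-precedence `security` tier, workloads placed into zones via a label, cross-zone traffic allowed only as whitelisted, and intra-zone traffic passed down to the tier where DevOps policies live. The tier name, the `fw-zone` label and the port are assumptions.

```yaml
# Added example, not generated by a firewall manager: a "security" tier that
# encodes two zones (dmz, trusted) as label selectors. Tier name, label key
# and port are assumptions for this illustration.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100          # lower order = evaluated before the default tier
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.zone-trusted   # policies in a tier are named <tier>.<name>
spec:
  tier: security
  order: 10
  selector: fw-zone == 'trusted'   # workloads labelled into the trusted zone
  types:
    - Ingress
  ingress:
    # Cross-zone rule mirrored from the firewall: dmz -> trusted on 443 only
    - action: Allow
      protocol: TCP
      source:
        selector: fw-zone == 'dmz'
      destination:
        ports: [443]
    # Intra-zone traffic is handed to the next tier, where the DevOps team's
    # own NetworkPolicy decides; the zone guardrail itself is never overridden
    - action: Pass
      source:
        selector: fw-zone == 'trusted'
    # Any other traffic entering the zone is denied; Calico flow logs record
    # the attempt, which is what feeds the SIEM view described above
    - action: Deny
```

Because the `security` tier is evaluated first, a policy written by an application team in the default tier can only further restrict traffic that this tier has already passed; it cannot open a path between zones.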

Security Zones

Extend a zone-based network security architecture to Kubernetes

Preserve existing investments in firewalls, people, and processes

Access Controls

Fine-grained control for access to services outside of the cluster – databases, cloud services, and third-party APIs

Fine-grained network security policies within the cluster and external resources


Accurate flow logs with application identity

Enforce controls and gain visibility into Kubernetes. Produce accurate evidence reports

Ready to get started?

Seeing is believing! Get a free demo of Calico Enterprise.