Self Service Network Security Changes

When a new microservice is deployed to a secure cluster, it must be deployed along with a network policy that enables the service to communicate with other services and APIs. Often this means having a central function that reviews or creates policies for every microservice deployment. Otherwise, a deployment may inadvertently override an important security policy implemented to protect sensitive workloads that process payment information, customer data, etc. This process does not scale when hundreds or thousands of microservices are being deployed daily, and deployments are delayed as a result.

Calico Enterprise enables self-service deployments to a secure cluster without the risk of an important policy being overridden or otherwise violated. No central person or team is required to create or review policies, and deployments, along with the network policies required to allow access, are completely automated.

Tiered Policies

Calico Enterprise introduces the concept of Policy Tiers. Policy Tiers define the order in which network security policies are evaluated. Higher tiers evaluate traffic first. This is where you define and implement your security controls. Self-service deployments cannot override these rules.

Self Service

When deploying a new microservice, you need to define which other microservices it can and should connect to. Changes to microservices may also require additional connections to additional services.

Each change requires a network policy change, and when hundreds of deployments happen every day, it is not possible to have one person govern and administer those changes without slowing velocity.

With Calico Enterprise, microservices can be deployed along with network policies without the risk of overriding your critical security policies that are required for compliance.


Network policies are represented as code that is deployed alongside your microservices. With policy as code, you fully automate the end-to-end deployment process, including the necessary network security changes. This radically improves the speed of deployment into secure clusters.

You can also automate a validation step that ensures your network policy works properly before it is committed. Calico Enterprise can deploy your policies in a “staged” mode that reports which traffic would be allowed or denied without actually enforcing the policy rules. The policy can then be committed if it is operating properly. This step avoids potential problems introduced by incorrect or incomplete network policy definitions.
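
The tier ordering and staged mode described above, sketched as manifests. This is an added example, not taken from the original page or from the vendor's documentation; the tier name, policy names, namespace, labels, order values and port are all assumptions.

```yaml
# Constructed example: every name, label, order value and port is an assumption.
# Tier owned by the security team. A lower order value places the tier
# higher, so its policies are evaluated before the default tier's.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# Guardrail in the security tier: ingress to pods labelled data=payments is
# decided here (Allow or Deny), so a policy in a later tier cannot reopen it.
# Pods this policy does not select fall through to the next tier.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.protect-payments
spec:
  tier: security
  order: 10
  selector: data == 'payments'
  types: [Ingress]
  ingress:
    - action: Allow
      source:
        selector: payments-client == 'true'
    - action: Deny
---
# Self-service policy shipped with the microservice, in staged mode:
# its allow/deny results are reported but not enforced until committed.
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: default.checkout-egress
  namespace: shop
spec:
  tier: default
  selector: app == 'checkout'
  types: [Egress]
  egress:
    - action: Allow
      protocol: TCP
      destination:
        selector: app == 'cart'
        ports: [8080]
```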


Interested in trying Calico Enterprise to provide self-service deployments to a secure cluster?

Try Calico Enterprise or contact us if you have some questions – we’d love to hear from you!