Self Service Network Security Changes

Enable Self Service Microservice Deployment to Secure Clusters

When a new microservice is deployed to a secure cluster, it must be deployed along with a network policy that enables the service to communicate with other services and APIs. Often this means having a central function that reviews or creates policies for every microservice deployment. Otherwise, a deployment may inadvertently override an important security policy implemented to protect sensitive workloads that process payment information, customer data, etc. This process does not scale when hundreds or thousands of microservices are being deployed daily, and deployments are delayed as a result.

Calico Enterprise enables self-service deployments to a secure cluster without the risk of an important policy being overridden or otherwise violated. No central person or team is required to create or review policies, and deployments, along with the network policies required to allow access, are completely automated.

Tamper-Proof Your Policies

Define higher-precedence policies that cannot be modified or overridden by other policies being deployed

Self Service Deployment

Empower teams to deploy security policies along with their services without going through a gatekeeper

Automate Security

Deploy security policies as code as part of your CI/CD pipeline

Tiered Policies

Calico Enterprise introduces the concept of Policy Tiers. Policy Tiers define the order in which network security policies are evaluated. Higher tiers evaluate traffic first. This is where you define and implement your security controls. Self-service deployments cannot override these rules.

Self Service

When deploying a new microservice, you need to define which other microservices it can and should connect to. Changes to microservices may also require additional connections to additional services.

Each change requires a network policy change, and when hundreds of deployments happen every day, it is not possible to have one person govern and administer those changes without slowing velocity.

With Calico Enterprise, microservices can be deployed along with network policies without the risk of overriding your critical security policies that are required for compliance.

Policy-as-code

Network policies are represented as code that is deployed alongside your microservices. With policy as code, you fully automate the end-to-end deployment process, including the necessary network security changes. This radically improves the speed of deployment into secure clusters.

You can also automate a validation step that ensures your network policy works properly before it is committed. Calico Enterprise can deploy your policies in a “staged” mode that reports which traffic would be allowed or denied without actually enforcing the policy rule. The policy can then be committed if it is operating properly. This step avoids potential problems introduced by incorrect or incomplete network policy definitions.
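
As an added illustration (not taken from this page or from the vendor's own examples), the manifests below sketch a security tier that is evaluated ahead of team policies, plus a team policy submitted in staged mode. The tier name, namespace and labels are assumptions made up for the example.

```yaml
# Assumed names: tier "security", namespace "shop", labels pci / pci-client / app.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100                     # lower order values are evaluated first
---
# Security control owned by the platform team, evaluated before team policies.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.protect-pci     # policy names carry their tier as a prefix
spec:
  tier: security
  order: 10
  selector: pci == "true"        # applies to payment-processing workloads
  types: [Ingress]
  ingress:
    - action: Pass               # approved clients: defer to the next tier
      source:
        selector: has(pci-client)
    - action: Deny               # everyone else stops here; a lower tier
                                 # never sees this traffic, so cannot allow it
---
# Team-owned policy shipped with the service. As a StagedNetworkPolicy it is
# evaluated and reported on but not enforced until it is committed.
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: default.checkout-ingress
  namespace: shop
spec:
  tier: default
  selector: app == "checkout"    # assumed to also carry pci == "true"
  types: [Ingress]
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == "cart"  # assumed to also carry the pci-client label
      destination:
        ports: [8443]
```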
