Visibility and Troubleshooting

Visibility Into All Network Traffic With Kubernetes Context

Connectivity issues between microservices are difficult to troubleshoot. Troubleshooting often requires collaboration between multiple teams to identify and resolve the problem.

Calico Enterprise offers tools to rapidly pinpoint and resolve the source of a connectivity issue between your microservices running on Kubernetes clusters, as well as tools to identify and resolve potential connectivity issues before they happen.

Log All Connections

Capture and log all network traffic between microservices as well as ingress and egress. Your logs contain all the Kubernetes context you need to identify the source of the issue.

Learn more about Calico Enterprise Flow Logs

Troubleshoot Connectivity Issues

Visualize all network activity to rapidly identify which services are attempting to communicate but cannot. Drill into denied network connections to identify the root cause.

Learn more about the Calico Enterprise Flow Visualizer

Review the Impact of Policy Changes

Before committing a security policy change, see what traffic will be allowed and blocked when the policy is enforced.

Learn more about Policy Preview

Permissive Traffic Evaluation

Deploy your security policies in a permissive mode that logs the traffic being evaluated and whether each connection will be allowed or denied.

Learn more about Staged Policies

Calico Enterprise Flow Logs

Calico Enterprise logs all connection attempts between microservices as well as performance metrics for those connections.

What makes the Calico Enterprise approach unique is that important Kubernetes metadata is included with each log entry:

  • Source and destination namespaces
  • Source and destination pods and labels
  • Which policies evaluated the connection and whether it was accepted or denied and why

Calico Enterprise Flow Logs are stored in a central data store that is shared across all of your clusters. You just need to set up Calico Enterprise once and can then monitor and report on microservices connections across all your clusters.

Flow log data can be queried with Kibana, which is often used for compliance reporting. You can also use the Flow Log Visualizer to visualize the connections and interactively drill in to identify where connections are being dropped.

Flow Log Visualizer

The Flow Log Visualizer queries your flow log data and renders an interactive graph that visualizes your microservice connections, the volume of connections, and whether the connection was successful.

Using filters you can drill down into specific namespaces, workloads, and connection status. Highlight any connection to see performance metrics as well as security policies that evaluated the traffic and whether the connection was allowed or denied by that policy.

For example, if microservice A is unable to connect to microservice B, you can set a filter in the Flow Log Visualizer to display only denied connections, and then filter by microservice A. You can then see all connection attempts from microservice A. Clicking on the connection you are troubleshooting will show you traffic statistics as well as which security policy blocked the connection.

Policy Preview

Kubernetes Network Policies are the Kubernetes-standard approach to network security. The challenge with Network Policies is that they are immediately enforced when applied. A typo or forgotten dependency can result in connectivity issues between your microservices that would need to be debugged.

Calico Enterprise Policy Preview evaluates historic connections between your microservices and reports on which connections will be accepted or denied when the policy is committed. With Policy Preview you can have confidence that you are not breaking things or creating a regression resulting from changes to your security policies.

Staged Policies

Calico Enterprise can run your security policies in a “Staged” mode. With staged mode, you can run policies in a permissive mode that allows all connections, but logs any that would have been accepted or denied. This enables you to safely automate network-security-as-code as part of your continuous deployment process, with a manual or automated gate to evaluate the results of security changes before deciding to commit and enforce the policy.
