Observability and Troubleshooting

Connectivity issues between microservices are difficult to troubleshoot. Troubleshooting often requires collaboration between multiple teams to identify and resolve the problem.

Calico Enterprise offers tools to rapidly pinpoint and resolve the source of a connectivity issue between your microservices running on Kubernetes clusters, as well as tools to identify and resolve potential connectivity issues before they happen.

Calico Enterprise Flow Logs

Calico Enterprise logs all connection attempts between microservices as well as performance metrics for those connections.

What makes the Calico Enterprise approach unique is that important Kubernetes metadata is included with each log entry:

  • Source and destination namespaces
  • Source and destination pods and labels
  • Which policies evaluated the connection and whether it was accepted or denied and why

Calico Enterprise Flow Logs are stored in a central data store that is shared across all of your clusters. You just need to set up Calico Enterprise once and can then monitor and report on microservices connections across all your clusters.

Flow log data can be queried with Kibana, which is often used for compliance reporting. You can also use the Flow Log Visualizer to visualize the connections and interactively drill in to identify where connections are being dropped.

Flow Log Visualizer

The Flow Log Visualizer queries your flow log data and renders an interactive graph that visualizes your microservice connections, the volume of connections, and whether the connection was successful.

Using filters you can drill down into specific namespaces, workloads, and connection status. Highlight any connection to see performance metrics as well as security policies that evaluated the traffic and whether the connection was allowed or denied by that policy.

For example, if microservice A is unable to connect to microservice B, you set a filter in the Flow Log Visualizer to display only denied connections, and then filter by microservice A. You then see all connection attempts from microservice A. Clicking on the connection you are troubleshooting shows you traffic statistics as well as which security policy blocked the connection.

Policy Preview

Kubernetes Network Policies are the Kubernetes-standard approach to network security. The challenge with Network Policies is that they are immediately enforced when applied. A typo or forgotten dependency can result in connectivity issues between your microservices that would need to be debugged.

Calico Enterprise Policy Preview evaluates historic connections between your microservices and reports on which connections will be accepted or denied when the policy is committed. With Policy Preview you can have confidence that you are not breaking things or creating a regression resulting from changes to your security policies.
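The idea behind a preview, replaying recorded connections against a candidate policy and listing the ones whose outcome would change, is sketched below as an added example; it is not Calico Enterprise code. The record fields, the simplified ingress-policy model, and all sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    # Constructed record shape for illustration, not Calico's flow log schema.
    src_ns: str
    src_labels: frozenset
    dst_ns: str
    dst_labels: frozenset
    port: int
    action: str  # outcome that was actually logged: "allow" or "deny"

@dataclass(frozen=True)
class IngressPolicy:
    # Simplified stand-in for a Kubernetes NetworkPolicy with podSelector peers.
    namespace: str
    pod_selector: frozenset  # labels a destination pod needs to be selected
    allowed_from: tuple      # label sets; a source must match one of them
    ports: frozenset

def verdict(policy, flow):
    """'allow' or 'deny' if the policy selects the destination, else None."""
    if flow.dst_ns != policy.namespace or not policy.pod_selector <= flow.dst_labels:
        return None  # policy does not apply to this destination
    # podSelector-only peers match pods in the policy's own namespace.
    peer_ok = flow.src_ns == policy.namespace and any(
        sel <= flow.src_labels for sel in policy.allowed_from)
    return "allow" if peer_ok and flow.port in policy.ports else "deny"

def preview(policy, flows):
    """Replay historic flows and return those whose outcome would change."""
    changes = []
    for f in flows:
        new = verdict(policy, f)
        if new is not None and new != f.action:
            changes.append((f, f.action, new))
    return changes

def labels(*kv):
    return frozenset(kv)

HISTORY = [  # constructed sample flows
    Flow("shop", labels("app=frontend"), "shop", labels("app=backend"), 8080, "allow"),
    Flow("monitoring", labels("app=prometheus"), "shop", labels("app=backend"), 9090, "allow"),
    Flow("shop", labels("app=batch"), "shop", labels("app=backend"), 8080, "allow"),
    Flow("shop", labels("app=frontend"), "shop", labels("app=db"), 5432, "allow"),
]
CANDIDATE = IngressPolicy("shop", labels("app=backend"), (labels("app=frontend"),), frozenset({8080}))

if __name__ == "__main__":
    for flow, old, new in preview(CANDIDATE, HISTORY):
        print(f"{flow.src_ns}/{sorted(flow.src_labels)} -> port {flow.port}: {old} -> {new}")
```

The two flows reported here, the cross-namespace metrics scrape and the batch job, are the forgotten dependencies that would surface as outages if the policy were enforced without a preview.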

Staged Policies

Calico Enterprise can run your security policies in a “Staged” mode. With staged mode, you can run policies in a permissive mode that allows all connections, but logs any that would have been accepted or denied. This enables you to safely automate network-security-as-code as part of your continuous deployment process, with a manual or automated gate to evaluate the results of security changes before deciding to commit and enforce the policy.

Interested in trying Calico Enterprise to troubleshoot microservice connectivity?

Try Calico Enterprise or contact us if you have some questions – we’d love to hear from you!