Zero-Trust Workload Security

Reduce attack surface and enable runtime security with zero-trust workload access controls, identity-aware microsegmentation, and workload-based IDS/IPS, DPI, DDoS protection, and WAF

Cloud-native applications require a modern approach based on the zero-trust principles of identity-based access, least privilege access, and proactively detecting threats and reducing the blast radius in case of a breach.

Calico Cloud enables fine-grained, zero-trust workload access controls between your microservices and external databases, cloud services, APIs, and other applications. It also prevents the lateral movement of threats with identity-aware segmentation that works across all of your workload environments, including hosts, VMs, Kubernetes components, and services. Finally, Calico Cloud provides workload-based security controls for runtime intrusion detection and prevention, protection from DDoS attacks, deep packet inspection (DPI), and an Envoy-based web application firewall (WAF).

Zero-trust workload access

Secure access from cloud-native workloads to external resources, including cloud services, databases, and third-party APIs

Limit the blast radius of breaches

Eliminate the risks associated with lateral movement of malicious actors in the cluster

Protection from network-based threats

Protect containerized applications on Kubernetes from network-based threats using integrated threat feeds and anomaly detection to monitor for indicators of compromise (IoCs)

Key Features

Zero-Trust Workload Access Controls

Calico provides an Egress Access Gateway, DNS policy, and NetworkSets to restrict access between individual pods in a Kubernetes cluster and external resources or other workloads.

Identity-Aware Microsegmentation

Calico’s unified security policy framework provides a defense-in-depth security posture. It segments workloads based on the metadata and labels attached to those workloads, so new or updated workloads pick up the right segmentation automatically without changes to your segmentation policies.
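As an added example (not from this page or the Calico project), the resources below show what the zero-trust access controls and label-based segmentation described above look like as Calico `projectcalico.org/v3` objects: a NetworkSet gives an external database range a label, and a NetworkPolicy selects pods by label and allows egress only to that labelled set, to a named DNS domain, and to the cluster DNS service, denying everything else. The names, namespace, CIDR, domain and the `k8s-app == 'kube-dns'` label are constructed placeholders, and the `domains` field is assumed to be available because DNS policy is a Calico Enterprise/Cloud feature.

```yaml
# Added example: label-based microsegmentation plus NetworkSet/DNS egress control.
# All names, namespaces, addresses and domains are constructed placeholders.
---
# An external database modelled as a labelled NetworkSet, so policies select it
# by label instead of repeating the IP range in every rule.
apiVersion: projectcalico.org/v3
kind: NetworkSet
metadata:
  name: orders-db
  namespace: checkout
  labels:
    role: external-db
spec:
  nets:
    - 203.0.113.0/24          # TEST-NET-3, standing in for the database subnet
---
# Pods labelled app == 'checkout' may reach only the labelled database set on
# 5432 and the payments API by DNS name on 443; any other egress is dropped.
# A new checkout replica inherits this policy through its label; no edit needed.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: checkout-egress
  namespace: checkout
spec:
  selector: app == 'checkout'
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        selector: role == 'external-db'   # matches the NetworkSet above
        ports:
          - 5432
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - api.payments.example          # DNS policy field (assumed available)
        ports:
          - 443
    - action: Allow                       # DNS must be reachable or the domain rule can never match
      protocol: UDP
      destination:
        selector: k8s-app == 'kube-dns'   # assumed label of the cluster DNS pods
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        ports:
          - 53
    - action: Deny                        # explicit default deny for everything else
```

Apply both objects with `kubectl apply -f`. The closing `Deny` rule is what turns the policy into a zero-trust allowlist: without it, a matching workload could still fall through to a more permissive policy or profile. When the database moves, only the NetworkSet changes; the policy and its selector stay as they are.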

Workload-based IDS/IPS, DPI, DDoS protection, and WAF

Calico protects containerized workloads at a granular container level from network-based external threats and lateral movement. With support for both north-south and east-west security, Calico’s firewall prevents malicious actors from gaining a foothold and moving laterally across Kubernetes clusters.

Calico also provides the following for network-based attacks:

  • Security as declarative code to protect containers
  • Intrusion detection and prevention
  • Deep packet inspection
  • Protection from DDoS attacks
  • Honeypods to detect and trap malicious traffic/actors/activity

How It Works

Learn how Calico Cloud provides cloud-native network security with zero-trust workload access controls, identity-aware microsegmentation, and workload-based IDS/IPS, DPI, DDoS protection, and WAF