Zero-Trust Workload Access Security

Reduce attack surface and mitigate risk with egress access controls, microsegmentation, and security policy recommendations.


Secure Kubernetes traffic within and outside the cluster to reduce risk, achieve compliance, and actively protect against security threats.

Reduce the Risk of Data Exfiltration

Secure workload access to external resources using DNS policies and network sets

Limit the Blast Radius of Breaches

Eliminate lateral threat movement in the cluster with identity-aware microsegmentation

Workload Isolation

Isolate workloads and prevent unauthorized cross-tenant access

Trusted by Customers Worldwide

Calico is the chosen active security platform for enterprises small and large

Egress Access Controls

Secure access from individual pods in a Kubernetes cluster to external resources, including cloud services, databases, and 3rd-party APIs with DNS policies and network sets.

DNS Policies

Enforce DNS policies at the source pod so that fully qualified domain names (FQDN/DNS) can be used to allow access from a pod or set of pods (via label selector) to external resources—eliminating the need for a firewall rule or equivalent.

Define DNS endpoints as an exact address (e.g., or with wildcards (e.g., *

Global and Namespaced Network Sets

Use IP subnets/CIDRs in security policies so that access controls are updated automatically for all IPs described by the CIDR notation.

Control incoming or outgoing traffic from external, non-Calico networks with the same policy. Easily scale by using the same set of IPs in multiple policies.

Egress Gateway

Identify the source of traffic leaving a Kubernetes cluster, at the namespace or pod level, when it communicates with an external resource.

Assign a fixed, routable IP to a Kubernetes namespace to identify workloads running within that namespace.

Identity-Aware Microsegmentation

Segment workloads using workload identities to achieve workload isolation and limit lateral communication.

Define security policies as code to enforce consistent segmentation policies across the environment.

Application-Layer Policy

Apply security controls at the application level to secure pod-to-pod traffic, including HTTP methods and URL paths. Eliminate the operational complexity of deploying an additional service mesh.

Gain application-layer visibility into service-to-service communication.

Available on Microsoft Azure and AWS Marketplace

Get started right away on Azure or AWS—every Calico component you need to get up and running is ready to go.

Customer Testimonial

Here’s what our customers are saying about us

Tigera helped Upwork migrate to Kubernetes on Amazon EKS and meet our InfoSec team’s mandate for zero-trust security. We were able to deploy Calico in two weeks and secure our EKS cluster in just six months.
Angelos Lenis
Sr. Manager, Platform Engineering,

Featured Resources

Developer-created resources to help you secure your Kubernetes deployment

White Paper

Using Access Controls for Containerized Workload Protection

Without workload access controls, organizations risk non-compliance, ransomware attacks, and more.

Microsegmentation Datasheet

Scalable, unified microsegmentation for cloud-native workloads across all of your environments.
Case Study

Achieving EU GDPR Compliance in a Multi-Tenant Environment

Using Calico, Aldagi achieved EU GDPR compliance and accelerated application launch times at scale.

Ready to Get Started?

Start a free trial or contact us to see Calico in action