Calico Documentation
Active, zero-trust based security for containers and Kubernetes
Select a doc set
About Tigera products
Calico Open Source
A free, self-managed networking and security solution for containers, virtual machines, and native host-based workloads.
Provides networking, network policy, and IP address management capabilities for cloud-native applications.
Calico Enterprise
A paid, self-managed security and observability solution for containers and Kubernetes.
Extends Calico Open Source’s networking and network security capabilities to offer more advanced security and observability capabilities for organizations running Kubernetes at scale.
Calico Cloud
A pay-as-you-go, SaaS application that provides comprehensive container security across the entire container lifecycle (build, deploy, runtime).
A fully-managed version of Calico Enterprise that adds container image scanning and advanced threat detection capabilities.
Best fit
 | Free, self-managed | Users - Who want best-in-class networking and network policy capabilities. |
 | Paid, self-managed | Enterprise teams - Who need full control to customize their networking security deployment to meet regulatory and compliance requirements for Kubernetes at scale. - Who want Tigera Customer Support for day-zero to production best practices custom training and workshops, and Solution Architects to customize solutions. |
 | Pay-as-you-go, SaaS | Small teams - Who need to manage the full spectrum of compliance in a web-based console for novice users:   - Secure clusters, pods, and applications   - Scan images for vulnerabilities   - Web-based UI for visibility to troubleshoot Kubernetes   - Detect and mitigate threats   - Run compliance reports Enterprise teams- Who want to scale their Calico Enterprise on-premises deployments by providing more self-service to developers. |
Product comparison by feature
Networking
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| High-performance, scalable pod networking | |||
| Advanced IP address management | |||
| Direct infrastructure peering without the overlay | |||
| Dual ToR peering | |||
| Egress gateway | |||
| Multiple Calico networks on a pod |
Apps, pods, clusters
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| Seamless support with Kubernetes network policy | |||
| Label-based (identity-aware) policy | |||
| Namespace and cluster-wide scope | |||
| Global default deny policy design | |||
| Application layer policy | |||
| Policy for services | |||
| Web UI | |||
| Onboarding tutorials and lab cluster | |||
| DNS/FQDN-based policy | |||
| Hierarchical tiered network policy | |||
| Policy recommendations | |||
| Preview and staged network policy | |||
| Policy integration for third-party firewalls | |||
| Network sets to limit IP ranges for egress and ingress traffic to workloads |
Data
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| Data-in-transit encryption for pod traffic using WireGuard | |||
| SIEM integration |
Non-cluster hosts
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| Restrict traffic to/from hosts using network policy | |||
| Automatic host endpoints | |||
| Secure Kubernetes nodes with host endpoints managed by Calico | |||
| Apply policy to host-forwarded traffic |
Dataplane
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| eBPF | |||
| iptables | |||
| Windows HNS | |||
| VPP |
Images
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| Scan images for vulnerabilities | |||
| Create policy to block vulnerable images from your clusters |
Observability and troubleshooting
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| Application-level observability and troubleshooting | |||
| Service Graph | |||
| Elasticsearch logs (flow, l7, audit, bgp, dns, events) | |||
| Alerts | |||
| Kibana DNS dashboards | |||
| Traffic Flow Visualizer |
Multi-cluster management
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| Federated identity and services |
Threat defense
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| Container threat detection | |||
| Workload-centric Web Application Firewall (WAF) | |||
| Add threatfeeds to trace suspicious network flows |
Reports
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| Compliance reports | |||
| CIS benchmark reports |
Monitor Calico components
| Calico Open Source | Calico Enterprise | Calico Cloud | |
|---|---|---|---|
| Prometheus |