Skip to main content

Calico Documentation

Active, zero-trust based security for containers and Kubernetes

Select a doc set

About Tigera products

Calico Open Source

A free, self-managed networking and security solution for containers, virtual machines, and native host-based workloads.

Provides networking, network policy, and IP address management capabilities for cloud-native applications.

Visit the documentation

Calico Enterprise

A paid, self-managed security and observability solution for containers and Kubernetes.

Extends Calico Open Source’s networking and network security capabilities to offer more advanced security and observability capabilities for organizations running Kubernetes at scale.

Calico Cloud

A pay-as-you-go, SaaS application that provides comprehensive container security across the entire container lifecycle (build, deploy, runtime).

A fully-managed version of Calico Enterprise that adds container image scanning and advanced threat detection capabilities.

Best fit

Calico Open Source

Free, self-managed

Users

- Who want best-in-class networking and network policy capabilities.

Calico Enterprise

Paid, self-managed

Enterprise teams

- Who need full control to customize their networking security deployment to meet regulatory and

compliance requirements for Kubernetes at scale.

- Who want Tigera Customer Support for day-zero to production best practices

custom training and workshops, and Solution Architects to customize solutions.

Calico Cloud

Pay-as-you-go, SaaS

Small teams

- Who need to manage the full spectrum of compliance in a web-based console for novice users:

- Secure clusters, pods, and applications

- Scan images for vulnerabilities

- Web-based UI for visibility to troubleshoot Kubernetes

- Detect and mitigate threats

- Run compliance reports

Enterprise teams

- Who want to scale their Calico Enterprise on-premises deployments by providing more self-service to developers.

Product comparison by feature

Networking

Calico Open SourceCalico EnterpriseCalico Cloud
High-performance, scalable pod networking
Advanced IP address management
Direct infrastructure peering without the overlay
Dual ToR peering
Egress gateway
Multiple Calico networks on a pod

Apps, pods, clusters

Calico Open SourceCalico EnterpriseCalico Cloud
Seamless support with Kubernetes network policy
Label-based (identity-aware) policy
Namespace and cluster-wide scope
Global default deny policy design
Application layer policy
Policy for services
Web UI
Onboarding tutorials and lab cluster
DNS/FQDN-based policy
Hierarchical tiered network policy
Policy recommendations
Preview and staged network policy
Policy integration for third-party firewalls
Network sets to limit IP ranges for egress and ingress traffic to workloads

Data

Calico Open SourceCalico EnterpriseCalico Cloud
Data-in-transit encryption for pod traffic using WireGuard
SIEM integration

Non-cluster hosts

Calico Open SourceCalico EnterpriseCalico Cloud
Restrict traffic to/from hosts using network policy
Automatic host endpoints
Secure Kubernetes nodes with host endpoints managed by Calico
Apply policy to host-forwarded traffic

Dataplane

Calico Open SourceCalico EnterpriseCalico Cloud
eBPF
iptables
Windows HNS
VPP

Images

Calico Open SourceCalico EnterpriseCalico Cloud
Scan images for vulnerabilities
Create policy to block vulnerable images from your clusters

Observability and troubleshooting

Calico Open SourceCalico EnterpriseCalico Cloud
Application-level observability and troubleshooting
Service Graph
Elasticsearch logs (flow, l7, audit, bgp, dns, events)
Alerts
Kibana DNS dashboards
Traffic Flow Visualizer

Multi-cluster management

Calico Open SourceCalico EnterpriseCalico Cloud
Federated identity and services

Threat defense

Calico Open SourceCalico EnterpriseCalico Cloud
Container threat detection
Workload-centric Web Application Firewall (WAF)
Add threatfeeds to trace suspicious network flows

Reports

Calico Open SourceCalico EnterpriseCalico Cloud
Compliance reports
CIS benchmark reports

Monitor Calico components

Calico Open SourceCalico EnterpriseCalico Cloud
Prometheus