Version: 3.18 (latest)

About Calico Enterprise

What is Calico Enterprise?

Calico Enterprise is a security solution with full-stack observability for cloud-native applications running on containers and Kubernetes. Built upon the Calico CNI and network policy, Calico Enterprise works across all multi-cloud and hybrid environments with any combination of VMs, containers, Kubernetes, cloud instances, hosts, and bare metal servers.


Best fit

The best fit for Calico Enterprise is enterprise teams who need full control to customize their networking security deployment to meet regulatory and compliance requirements for Kubernetes at scale.

Key features

Web UI for observability and troubleshooting
  • Single UI for all enterprise teams to observe traffic, troubleshoot logs, get alerts, manage policy lifecycle (preview, stage, enforce), and generate compliance reports
  • Service Graph to visualize traffic to/from a cluster
  • Elasticsearch logs (flow, L7, DNS, audit) with workload identity context
  • Packet capture
  • SIEM integration (Syslog, Splunk, or Amazon S3)

Threat defense
  • Global alerts
  • Workload-based Web Application Firewall (WAF)
  • Threat feeds to detect and alert on suspicious IPs, domains, and external IPs
  • Honeypods (decoys) to detect suspicious activity in a Kubernetes cluster
  • Deep packet inspection (DPI) on selected workloads

Multi-cluster management
  • Unified management plane to manage clusters and workloads running on different infrastructures and using different Kubernetes distributions
  • Federated endpoints for policy-writing efficiency
  • Federated services to extend and automate endpoint sharing
  • Federated Prometheus metrics

Logs and compliance reports
  • Out-of-the-box support for PCI DSS, SOC 2, HIPAA, GDPR, NIST, and custom frameworks
  • Out-of-the-box CIS benchmarks for Kubernetes compliance reports
  • Pre-defined and custom compliance reports for audit reporting (on-demand or scheduled)
  • Auditor-ready cluster compliance history

Advanced Calico networking
  • WireGuard pod-to-pod and host-to-host encryption
  • Egress gateways to identify the source of traffic at the namespace or pod level when it leaves a Kubernetes cluster to communicate with external resources, so that a larger set of IP addresses does not have to be opened up
  • Dual top-of-rack (ToR) peering for redundant, active-active network path for business-critical cluster applications (for example, streaming and AI/ML applications)

Advanced Calico networking policy
  • Policy recommendations to isolate namespaces with network policy
  • Tiered policy
  • Stage and preview impacts on traffic before enforcing policy
  • Network sets to reuse and scale sets of IP addresses used in policies
  • DNS policy
  • Application layer policy with Envoy as daemonset
  • Auto host endpoints
  • Policy integration with Fortinet and AWS firewalls

For a detailed list of Calico Enterprise features, see Tigera product comparison.

Going into production with Calico Enterprise

It is not easy navigating the cultural shifts that come with adopting Kubernetes. Tigera's Customer Success has spent many years working with enterprise companies in highly-regulated industries to understand the sticking points that stall going into production. Common hurdles seen during pre-production are:

  • Troubleshooting in Kubernetes across teams (cluster and pod failures, app failures, and security breaches/attacks)
  • Writing policy with granular security controls for workloads
  • Ensuring security team requirements are met while allowing developer self-service with guardrails
  • Implementing compliance controls

Tigera's Customer Success has invested heavily in custom and self-service training to address these obstacles. Guided by their best-practices-to-production workflows, you can keep progressing and join the growing list of companies who are in production with Calico Enterprise.
