Tigera product comparison

Calico Open Source

The base product that comprises both Calico Enterprise and Calico Cloud. It provides the core networking and network policy features.

Calico Enterprise

Includes the Calico Open Source core networking and network policy, but adds advanced features for networking, network policy, visibility and troubleshooting, threat defense, and compliance reports.

Calico Cloud

The SaaS version of Calico Enterprise. It adds Image Assurance to scan and detect vulnerabilities in images, and container threat defense to detect malware. It also adds onboarding tutorials, and eliminates the cost to manage Elasticsearch logs and storage that comes with Calico Enterprise.

Best fit

What is the best fit for you? It depends on your needs. The following table provides a high-level comparison.

Product	Cost and support	Best fit
Calico Open Source	Free, community-supported	Users who want best-in-class networking and network policy capabilities for Kubernetes without any costs.
Calico Enterprise	Paid subscription	Enterprise teams who need full control to customize their networking security deployment to meet regulatory and compliance requirements for Kubernetes at scale. Teams who want Tigera Customer Support for day-zero to production best practices, custom training and workshops, and Solution Architects to customize solutions.
Calico Cloud	Free trial with hands-on training from Customer Support, then pay-as-you-go with self-service training. Also offered as an annual subscription.	Small teams who need to manage the full spectrum of compliance in a web-based console for novice users: - Secure clusters, pods, and applications - Scan images for vulnerabilities - Web-based UI for visibility to troubleshoot Kubernetes - Detect and mitigate threats - Run compliance reports Enterprise teams who want to scale their Calico Enterprise Enterprise on-premises deployments by providing more self-service to developers.

Product comparison by feature

	Calico Open Source	Calico Cloud	Calico Enterprise
Networking
High-performance, scalable pod networking	✓	✓	✓
Advanced IP address management	✓	✓	✓
Direct infrastructure peering without the overlay	✓	✓	✓
Dual ToR peering		✓	✓
Egress gateway		✓	✓
Multiple Calico networks on a pod		✓	✓
Apps, pods, clusters
Seamless support with Kubernetes network policy	✓	✓	✓
Label-based (identity-aware) policy	✓	✓	✓
Namespace and cluster-wide scope	✓	✓	✓
Global default deny policy design	✓	✓	✓
Application layer policy	✓	✓	✓
Policy for services	✓	✓	✓
Web UI		✓	✓
Onboarding tutorials and lab cluster		✓
DNS/FQDN-based policy		✓	✓
Hierarchical tiered network policy		✓	✓
Policy recommendations		✓	✓
Preview and staged network policy		✓	✓
Policy integration for third-party firewalls		✓	✓
Network sets to limit IP ranges for egress and ingress traffic to workloads	✓	✓	✓
Data
Data-in-transit encryption for pod traffic using WireGuard	✓	✓	✓
SIEM integration		✓	✓
Non-cluster hosts	✓	✓	✓
Restrict traffic to/from hosts using network policy	✓		✓
Automatic host endpoints	✓		✓
Secure Kubernetes nodes with host endpoints managed by Calico	✓	✓	✓
Apply policy to host-forwarded traffic	✓	✓	✓
Dataplane
eBPF	✓	✓	✓
iptables	✓	✓	✓
Windows HNS	✓	✓	✓
VPP	✓
Image Assurance
Scan images for vulnerabilities for workloads in Kubernetes cluster		✓
Create policy to block vulnerable images from your clusters		✓
Runtime view to assess impact of newly-found vulnerabilities		✓
Observability and troubleshooting
Application level observability and troubleshooting		✓	✓
Service Graph		✓	✓
Packet capture		✓	✓
Elasticsearch logs (flow, l7, audit, bgp, dns, events)		✓	✓
Alerts		✓	✓
Kibana DNS dashboards		✓	✓
Traffic Flow Visualizer		✓	✓
Multi-cluster management		✓	✓
Multi-cluster management			✓
Federated identity and services		✓	✓
Threat defense
Container threat detection		✓
Workload-centric Web Application Firewall (WAF)		✓	✓
Honeypods to see intruder activity		✓	✓
Add threatfeeds to trace suspicious network flows		✓	✓
Reports
Compliance reports		✓	✓
CIS benchmark reports		✓	✓
Monitor Calico components
Prometheus	✓	✓	✓