Version: 3.18 (latest)

Enable and enforce application layer policies

Application layer policies let you configure access controls based on L7 attributes.

Before you begin


  • Calico Enterprise implements application layer policy using Envoy as a DaemonSet. This means you cannot use application layer policy alongside a service mesh like Istio.
  • GKE


  • Application layer policy supports restricting only ingress traffic
  • Support for L7 attributes is limited to HTTP method and URL exact/prefix path
  • Supported protocols are limited to TCP-based protocols (for example, HTTP, HTTPS, or gRPC)
  • You can control application layer policies only at the cluster level (not per namespace)

How to

Enable application layer policies (ALP)

In the ApplicationLayer custom resource, set the applicationLayerPolicy field to Enabled.

apiVersion: operator.tigera.io/v1
kind: ApplicationLayer
metadata:
  name: tigera-secure
spec:
  applicationLayerPolicy: Enabled

Enforce application layer policies for ingress traffic

You can restrict ingress traffic with HTTP match criteria in a global network policy. For a list of all HTTP match parameters, see Global network policy.

In the following example, the trading app is allowed ingress traffic only for HTTP GET requests whose path matches /projects/calico exactly or begins with the prefix /users.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: customer
spec:
  selector: app == 'tradingapp'
  ingress:
    - action: Allow
      http:
        methods: ["GET"]
        paths:
          - exact: "/projects/calico"
          - prefix: "/users"
  egress:
    - action: Allow
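
The ingress rule above, modelled as an added Python example (not Calico Enterprise code and not part of the original page), to predict which requests the policy admits before you apply it. It assumes that `prefix` is a plain string comparison, that the query string is ignored during path matching, and that ingress matching no rule is denied; `evaluate`, `path_matches` and the sample requests are constructed for illustration.

```python
# Added illustration: a simplified model of HTTP match rules, not Calico's code.
from urllib.parse import urlsplit

# Ingress rule mirroring the 'customer' policy on this page.
INGRESS_RULES = [
    {
        "action": "Allow",
        "http": {
            "methods": ["GET"],
            "paths": [{"exact": "/projects/calico"}, {"prefix": "/users"}],
        },
    },
]


def path_matches(path, matchers):
    """Path entries are OR'd; each entry is either 'exact' or 'prefix'."""
    for m in matchers:
        if "exact" in m and path == m["exact"]:
            return True
        # Assumption: 'prefix' is a plain string prefix, not segment-aware.
        if "prefix" in m and path.startswith(m["prefix"]):
            return True
    return False


def evaluate(method, target, rules=INGRESS_RULES):
    """Return the action of the first rule whose method and path both match."""
    # Assumption: query string and fragment are ignored when matching paths.
    path = urlsplit(target).path
    for rule in rules:
        http = rule.get("http", {})
        if http.get("methods") and method not in http["methods"]:
            continue
        if http.get("paths") and not path_matches(path, http["paths"]):
            continue
        return rule["action"]
    # Assumption: a request matching no rule of a selecting policy is denied.
    return "Deny"


# Constructed sample requests: (method, request target).
SAMPLES = [("GET", "/projects/calico"), ("GET", "/projects/calico/settings"),
           ("GET", "/users/42?tab=keys"), ("GET", "/users-internal"),
           ("POST", "/users/42")]

if __name__ == "__main__":
    for method, target in SAMPLES:
        print(f"{method:5} {target:28} -> {evaluate(method, target)}")
```

Under the string-prefix assumption, GET /users-internal is admitted alongside /users/42, so confirm on a test workload that the prefix is no broader than you intend.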

Disable application layer policies

To disable the policies, do one of the following steps:

  • Set the applicationLayerPolicy field in the ApplicationLayer custom resource to Disabled.
  • Remove the applicationLayerPolicy field entirely.
  • Delete the ApplicationLayer custom resource.