Get started
Big picture​
Learn about the Calico Enterprise AWS security groups integration.
Value​
It is common for a Kubernetes cluster in AWS to interact with other Amazon-hosted resources such as application instances and datastores like RDS. The native protection for these resources is VPC security groups. By default, VPC security groups can be applied only to application instances. So to allow a subset of pods access to an RDS instance, you must allow access for your entire Kubernetes cluster -- which allows all Kubernetes pods access to the RDS instance. This is probably not what you want if you are securing microservices and multi-tenant deployments.
Calico Enterprise extends AWS security groups with its tiered network policy, enforcing granular access control between Kubernetes pods and AWS VPC resources. The following challenges are examples of use cases that this integration helps address:
✓ In general, it is hard to implement granular egress and ingress access controls to resources in a cluster.
✓ The load balancers fronting my microservices must be given total access to a Kubernetes cluster, so any compromise in the load balancer exposes every microservice.
✓ Kubernetes clusters must be all-or-nothing access to an RDS; enabling access per application is not possible.
✓ The Kubernetes cluster is shared between development and production, but there is no way to distinguish dev and prod workloads when accessing the RDS and EBS datastores.
Concepts​
Control access between pods and VPC resources​
With native AWS security groups, you cannot secure communications to and from individual pods for VPC resources.
With Calico Enterprise, you can extend AWS security groups to pods,
and use network policy and annotations to secure and control access to VPC resources.
About the integration​
The Calico Enterprise AWS security groups integration uses the Kubernetes cloud controller to monitor the security groups and VPC endpoints in the Amazon VPC, create network policies, and ensure that required security groups are added to VPC endpoints.
The high-level implementation steps are:
| Task | Steps |
|---|---|
| 1 - Prepare AWS security groups | 1. Add your VPC resources (represented by endpoints) to a security group. 2. Create AWS security groups with rules to allow traffic for the cluster. |
| 2 - Enable Calico Enterprise AWS security group integration | Create a custom resource definition (CRD) with VPC security group information. |
| 3 - Control pod access to/from VPC resources | Use Calico Enterprise tiered network policy and annotations to allow and deny access. |