Version: 3.26 (latest)

Tigera product comparison

Calico Open Source

The base product on which both Calico Enterprise and Calico Cloud are built. It provides the core networking and network policy features.


Calico Enterprise

Includes the Calico Open Source core networking and network policy, but adds advanced features for networking, network policy, visibility and troubleshooting, threat defense, and compliance reports.


Calico Cloud

The SaaS version of Calico Enterprise. It adds Image Assurance to scan and detect vulnerabilities in images, and container threat defense to detect malware. It also adds onboarding tutorials and eliminates the cost of managing the Elasticsearch logs and storage that come with Calico Enterprise.


What is the best fit for you? It depends on your needs. The following table provides a high-level comparison.

| Product | Cost and support | Best fit |
| --- | --- | --- |
| Calico Open Source | Free, community-supported | Users who want best-in-class networking and network policy capabilities for Kubernetes without any costs. |
| Calico Enterprise | Paid subscription | Enterprise teams who need full control to customize their networking security deployment to meet regulatory and compliance requirements for Kubernetes at scale. Teams who want Tigera Customer Support for day-zero to production best practices, custom training and workshops, and Solution Architects to customize solutions. |
| Calico Cloud | Free trial with hands-on training from Customer Support, then pay-as-you-go with self-service training. Also offered as an annual subscription. | Small teams who need to manage the full spectrum of compliance in a web-based console for novice users: |
- Secure clusters, pods, and applications
- Scan images for vulnerabilities
- Web-based UI for visibility to troubleshoot Kubernetes
- Detect and mitigate threats
- Run compliance reports

Enterprise teams who want to scale their Calico Enterprise on-premises deployments by providing more self-service to developers.

Product comparison by feature

Calico Open Source | Calico Cloud | Calico Enterprise
High-performance, scalable pod networking
Advanced IP address management
Direct infrastructure peering without the overlay
Dual ToR peering
Egress gateway
Multiple Calico networks on a pod
Apps, pods, clusters
Seamless support with Kubernetes network policy
Label-based (identity-aware) policy
Namespace and cluster-wide scope
Global default deny policy design
Application layer policy
Policy for services
Web UI
Onboarding tutorials and lab cluster
DNS/FQDN-based policy
Hierarchical tiered network policy
Policy recommendations
Preview and staged network policy
Policy integration for third-party firewalls
Network sets to limit IP ranges for egress and ingress traffic to workloads
Data-in-transit encryption for pod traffic using WireGuard
SIEM integration
Non-cluster hosts
Restrict traffic to/from hosts using network policy
Automatic host endpoints
Secure Kubernetes nodes with host endpoints managed by Calico
Apply policy to host-forwarded traffic
Windows HNS
Image vulnerability management
Scan images for vulnerabilities for workloads in Kubernetes cluster
Create policy to block vulnerable images from your clusters
Runtime view to assess impact of newly-found vulnerabilities
Observability and troubleshooting
Application level observability and troubleshooting
Service Graph
Packet capture
Elasticsearch logs (flow, l7, audit, bgp, dns, events)
Kibana DNS dashboards
Traffic Flow Visualizer
Multi-cluster management
Multi-cluster management
Federated identity and services
Threat defense
Anomaly detection
Container threat detection
Workload-centric Web Application Firewall (WAF)
Honeypods to see intruder activity
Add threatfeeds to trace suspicious network flows
Compliance reports
CIS benchmark reports
Monitor Calico components