Tigera product comparison
Calico Open Source​
The base product that comprises both Calico Enterprise and Calico Cloud. It provides the core networking and network policy features.
Calico Enterprise​
Includes the Calico Open Source core networking and network policy, but adds advanced features for networking, network policy, visibility and troubleshooting, threat defense, and compliance reports.
Calico Cloud​
The SaaS version of Calico Enterprise. It adds Image Assurance to scan and detect vulnerabilities in images, and container threat defense to detect malware. It also adds onboarding tutorials, and eliminates the cost to manage Elasticsearch logs and storage that comes with Calico Enterprise.
What is the best fit for you? It depends on your needs. The following table provides a high-level comparison.
| Product | Cost and support | Best fit |
|---|---|---|
| Calico Open Source | Free, community-supported | Users who want best-in-class networking and network policy capabilities for Kubernetes without any costs. |
| Calico Enterprise | Paid subscription | Enterprise teams who need full control to customize their networking security deployment to meet regulatory and compliance requirements for Kubernetes at scale. Teams who want Tigera Customer Support for day-zero to production best practices, custom training and workshops, and Solution Architects to customize solutions. |
| Calico Cloud | Free trial with hands-on training from Customer Support, then pay-as-you-go with self-service training. Also offered as an annual subscription. | Small teams who need to manage the full spectrum of compliance in a web-based console for novice users: - Secure clusters, pods, and applications - Scan images for vulnerabilities - Web-based UI for visibility to troubleshoot Kubernetes - Detect and mitigate threats - Run compliance reports Enterprise teams who want to scale their Calico Enterprise on-premises deployments by providing more self-service to developers. |
Product comparison by feature​
| Networking security and scalability | |||
| High-performance, scalable pod networking | |||
| Advanced IP address management | |||
| Direct infrastructure peering without the overlay | |||
| Dual ToR peering | |||
| Egress gateway | |||
| Multiple Calico networks on a pod | |||
| Application, pod, cluster security | |||
| Seamless support with Kubernetes network policy | |||
| Label-based (identity-aware) policy | |||
| Namespace and cluster-wide scope | |||
| Global default deny policy design | |||
| Application layer policy | |||
| Policy for services | |||
| Web UI | |||
| Onboarding tutorials and lab cluster | |||
| DNS/FQDN-based policy | |||
| Hierarchical tiered network policy | |||
| Policy recommendations | |||
| Preview and staged network policy | |||
| Policy integration for third-party firewalls | |||
| Network sets to limit IP ranges for egress and ingress traffic to workloads | |||
| Data security and storage | |||
| Data-in-transit encryption for pod traffic using WireGuard | |||
| SIEM integration | |||
| Non-cluster host security | |||
| Restrict traffic to/from hosts using network policy | |||
| Automatic host endpoints | |||
| Secure Kubernetes nodes with host endpoints managed by Calico | |||
| Apply policy to host-forwarded traffic | |||
| Dataplane support | |||
| eBPF | |||
| iptables | |||
| Windows HNS | |||
| VPP | |||
| Image vulnerability management | |||
| Scan images for vulnerabilities for workloads in Kubernetes cluster | |||
| Create policy to block vulnerable images from your clusters | |||
| Runtime view to assess impact of newly-found vulnerabilities | |||
| Application observability and troubleshooting | |||
| Graphical view of deployment (Service Graph) | |||
| Packet capture | |||
| Exportable logs | Preconfigured Elasticsearch dashboards: flow, audit, bgp, dns, L7 | Preconfigured Elasticsearch dashboards: flow, audit, bgp, dns, L7 | |
| Prometheus for metrics and alert monitoring | |||
| Kibana DNS dashboards | |||
| Traffic Flow Visualizer | |||
| Kubernetes security posture management | |||
| Review overall score based on namespace isolation, container image vulnerabilities, and egress access | |||
| Prioritized list of remediation actions | |||
| Cluster mesh | |||
| Native Kubernetes cross-cluster networking (ToR and IP-in-IP) | |||
| Multi-cluster management with RBAC integration | |||
| Federated cross-cluster networking (VXLAN) | |||
| Federated identity-aware policy and services enforcement | |||
| Threat defense | |||
| Container threat detection | |||
| Workload-centric Web Application Firewall (WAF) | |||
| Honeypods to see intruder activity | |||
| Add threatfeeds to trace suspicious network flows | |||
| Compliance | |||
| Compliance reports | |||
| CIS benchmark reports | |||
| Monitor Calico components | |||
| Prometheus |