Skip to main content
Version: 3.28 (latest)

Network set

A network set resource (NetworkSet) represents an arbitrary set of IP subnetworks/CIDRs, allowing it to be matched by Calico policy. Network sets are useful for applying policy to traffic coming from (or going to) external, non-Calico, networks.

NetworkSet is a namespaced resource. NetworkSets in a specific namespace only applies to network policies in that namespace. Two resources are in the same namespace if the namespace value is set the same on both. (See GlobalNetworkSet for non-namespaced network sets.)

The metadata for each network set includes a set of labels. When Calico is calculating the set of IPs that should match a source/destination selector within a network policy rule, it includes the CIDRs from any network sets that match the selector.


Since Calico matches packets based on their source/destination IP addresses, Calico rules may not behave as expected if there is NAT between the Calico-enabled node and the networks listed in a network set. For example, in Kubernetes, incoming traffic via a service IP is typically SNATed by the kube-proxy before reaching the destination host so Calico's workload policy will see the kube-proxy's host's IP as the source instead of the real source. For calicoctl commands that specify a resource type on the CLI, the following aliases are supported (all case-insensitive): networkset, networksets, netsets.

Sample YAML

kind: NetworkSet
name: external-database
namespace: staging
role: db

Network set definition


FieldDescriptionAccepted ValuesSchemaDefault
nameThe name of this network set. Required.Lower-case alphanumeric with optional _ or -.string
namespaceNamespace provides an additional qualification to a resource name.string"default"
labelsA set of labels to apply to this


FieldDescriptionAccepted ValuesSchemaDefault
netsThe IP networks/CIDRs to include in the set.Valid IPv4 or IPv6 CIDRs, for example ""list