
Your Kubernetes journey…

During each stage, there are common use cases that block initiatives from moving forward. Learn about the Calico Enterprise features that remove these blockers.


Open source Calico Essentials

  • Training
  • Personalized workshops
  • Enterprise integration strategies
  • Troubleshooting strategies

Egress access controls

Calico Enterprise packages several features that enable fine-grained access controls between your microservices and databases, cloud services, APIs, and other applications that are protected behind a firewall.

Visibility and troubleshooting

Connectivity issues between microservices are difficult to troubleshoot. Troubleshooting often requires collaboration between multiple teams to identify and resolve the problem.

Calico Enterprise offers tools to rapidly pinpoint and resolve the source of a connectivity issue between your microservices running on Kubernetes clusters, as well as tools to identify and resolve potential connectivity issues before they happen.

Enterprise security controls

Many applications have compliance requirements such as workload isolation, ensuring dev cannot talk to prod, and implementing network zones (e.g. microservices in the DMZ can communicate with the public internet but not directly with your backend databases). With Calico Enterprise, you can:

  • Implement security controls at a higher-precedence policy tier that cannot be changed or overridden by other users
  • Alert on changes to your security controls
  • Generate audit reports that demonstrate compliance now and historically

Extend firewalls to Kubernetes

When deploying microservices to an environment managed by firewalls, it may become necessary to work within the confines of your IT Security Architecture. For applications that make or accept connections with the internet, or need to connect to databases, a firewall is typically going to be part of that architecture.

Most security teams are short-staffed and don’t have the capacity to take on new tools that understand workload orchestration like Kubernetes. Defining a firewall rule for ingress or egress access controls does not work in this architecture and can block deployments or, worse, result in service disruptions if implemented improperly. Furthermore, defining a zone-based security architecture in your cluster using a firewall requires routing all service-to-service traffic through the firewall, introducing latency into your application.

Enable self-service network security

When deploying a new microservice to a secure cluster, it needs to be deployed along with a network policy to enable the service to communicate with other services and APIs. Often this means having a central function that reviews or creates policies for every microservice deployment. Otherwise, a deployment may inadvertently override an important security policy implemented to protect sensitive workloads that process payment information, customer data, etc. This process does not scale when hundreds or thousands of microservices are being deployed daily, and deployments are delayed.

Calico Enterprise enables self-service deployments to a secure cluster without the risk of an important policy being overridden or otherwise violated. No central person or team is required to create or review policies, and deployments, along with the network policies required to allow access, are completely automated.

Microsegmentation

Every cloud and hosting environment has a unique approach to segmentation, which leads to operational overhead and security gaps when segmenting traffic within and between these environments. Calico Enterprise provides a common segmentation protocol that works across all of your environments, and scales at the pace of your microservices environment.

Intrusion detection

In addition to cloud microsegmentation and zero trust network security, Calico Enterprise provides another layer of security through its intrusion detection system (IDS).

Calico Enterprise IDS identifies advanced persistent threats (APTs) through behavior-based detection using machine learning and a rule-based engine that enables active monitoring.

Zero trust network security

Zero trust network security is a strong security posture that assumes that something in your application or infrastructure has been compromised and is currently hosting some form of malware.

Kubernetes is particularly vulnerable to the spread of malware due to the open nature of cluster networking; by default, any pod can connect to any other pod, even across namespaces. It is very difficult to detect malware or its spread within a Kubernetes cluster without implementing a strong security framework like zero trust.
