Secure access from individual pods in a Kubernetes cluster to external resources, including cloud services, databases, and 3rd-party APIs with DNS policies and network sets.
Zero-Trust Workload Access Security
Reduce attack surface and mitigate risk with egress access controls, microsegmentation, and security policy recommendations.

Benefits
Secure Kubernetes traffic within and outside the cluster to reduce risk, achieve compliance, and actively protect against security threats
Reduce the Risk of Data Exfiltration
Limit the Blast Radius of Breaches
Workload Isolation
DNS Policies
Enforce DNS policies at the source pod so that fully qualified domain names (FQDN/DNS) can be used to allow access from a pod or set of pods (via label selector) to external resources—eliminating the need for a firewall rule or equivalent.
Define DNS endpoints as an exact address (e.g., google.com) or with wildcards (e.g., *.google.com).
Global and Namespaced Network Sets
Use IP subnets in CIDR notation in security policies so that access controls update automatically for every IP the CIDR describes.
Control incoming or outgoing traffic from external, non-Calico networks with the same policy. Easily scale by using the same set of IPs in multiple policies.
Egress Gateway
Identify the source of traffic leaving a Kubernetes cluster, at the namespace or pod level, when it communicates with an external resource.
Assign a fixed, routable IP to a Kubernetes namespace to identify workloads running within that namespace.
Identity-Aware Microsegmentation
Segment workloads using workload identities to achieve workload isolation and limit lateral communication.
Define security policies as code to enforce consistent segmentation policies across the environment.
Application-Layer Policy
Apply security controls at the application level to secure pod-to-pod traffic, including HTTP methods and URL paths. Eliminate the operational complexity of deploying an additional service mesh.
Gain application-layer visibility into service-to-service communication.
Available on Microsoft Azure, AWS, and Google Marketplace
Get started right away on Azure, AWS, or Google Cloud—every Calico component you need to get up and running is ready to go.
Customer Testimonial
Here’s what our customers are saying about us
Tigera helped Upwork migrate to Kubernetes on Amazon EKS and meet our InfoSec team’s mandate for zero-trust security. We were able to deploy Calico in two weeks and secure our EKS cluster in just six months.