Calico Provides Universal Microsegmentation for Containers and Virtual Machines
September 2, 2024Tigera delivers universal microsegmentation capabilities with Calico. Designed to support a diverse range of workloads, including virtual machines (VM), containers, and bare metals, Calico provides a robust, dynamic, and high-performance network policy engine to perform segmentation across both on-premises and cloud deployments.
Many organizations are rapidly modernizing their current virtualization environments to address the rising costs of leveraging certain platforms, and as a result are adopting Kubernetes as a comprehensive orchestrator for managing various workloads for their applications. Open source innovations such as KubeVirt extend Kubernetes by adding virtualization capabilities, allowing it to manage virtual machines alongside containers within the same infrastructure. The architecture of traditional network segmentation solutions are not well-equipped to support the rapidly changing nature of Kubernetes environments and a flat open network approach. Kubernetes workloads are highly dynamic, with pods being created and destroyed frequently and network configurations and policies constantly changing.
Calico provides dynamic segmentation capabilities based on workload metadata such as namespace and labels, which ensures that new workloads are segmented automatically upon deployment. Calico simplifies the segmentation process with declarative, user-friendly policy language, complemented by an intuitive policy user interface to enforce this segmentation. This simplicity not only eases the creation of network policies but also enhances troubleshooting through the integration of Calico flow logs and observability capabilities, leading to a seamless and efficient operational experience.
Calico’s microsegmentation offers several benefits for managing different workloads:
- Unified Security Model: Provides a consistent security model across various environments.
- Simplified Management: Unified security model simplifies the creation and enforcement of network policies across different types of infrastructure.
- Agile Policy Management: Network policies are dynamically applied as workloads are moved, created, or terminated, ensuring network policies are always up-to-date without manual intervention.
- Granular Policies: Allows the creation of fine-grained policies for particular workloads in a hybrid environment, providing precise control over allowed and denied traffic.
- Reduced Overhead: With a single segmentation solution, enterprises also lower the overhead of managing multiple segmentation solutions.
Calico provides users with the following key features:
- Tenant and Workload Isolation: Author, preview, stage and enforce network policies at the networking and application layer. Use Calico to define which pods, services, or namespaces can communicate with each other by leveraging Kubernetes-native constructs like labels and namespaces, thus preventing unauthorized access and enhancing security across the cluster.
- Automatic Namespace Isolation: Calico automatically isolates tenants in separate namespaces, thus restricting any unauthorized communication between tenants by default and preventing lateral movement of threats within a cluster.
- Automated Policy Recommendations: Calico’s policy recommendation engine recommends policies based on the traffic flow of an organization’s workloads and can be enforced with just one click, without the need for coding. All recommended policies can also be modified before enforcement.
- Policy Lifecycle Management: Calico helps preview and stage policies prior to enforcement to secure workloads and understand policies’ impact on the application’s performance and security posture. It also provides immediate feedback on policy rule changes in the production environment before enforcement.
- Dynamic Policy Enforcement: With Calico’s Dynamic Policy Segmentation, users experience real-time network policy updates within milliseconds, ensuring immediate response to network changes and minimizing the risk of potential vulnerabilities.
- Policy as Code: Calico implements network security and observability as code, enabling automated, scalable, and compliant workload management. It uses Kubernetes primitives and declarative models, using the same versioning that teams use for source code. This ensures continuous compliance and security for all components, regardless of deployment, distribution, or container type.
- Observability: Calico’s Dynamic Service & Threat Graph, built on flow logs, collects and analyzes information about applications and their communication flows to create a comprehensive map that helps administrators eliminate the speculation often involved in understanding an application’s upstream and downstream dependencies and policy gaps.
- Distributed IDS/IPS: Calico’s workload-centric IDS/IPS protects against network-based threats by ingesting different threat feeds such as AlienVault by default and custom sources to pinpoint the source of malicious activity in case of a breach.
“Traditional network segmentation solutions, designed for static VM environments, are inadequate for the dynamic and ever-evolving nature of Kubernetes,” said Amit Gupta, Chief Product Officer, Tigera. “A modern segmentation solution needs to cater to both VMs and containers across single and hybrid environments, spread across on-premises and public cloud. Calico addresses these needs with its advanced microsegmentation capabilities, offering a unified security model, streamlined management, dynamic policy enforcement, granular policies, and reduced overhead. Enterprises that integrate Calico can achieve seamless and efficient segmentation that keeps pace with their virtualization environments.”