Calico

Calico is an open-source networking and network security (cloud-native networking and security) project that provides connectivity and policy enforcement for container workloads, virtual machines, and host-based workloads across cloud and on-premises (on-prem) environments.

  • Container, Virtual Machine (VM), and host networking with IP routing and encapsulation options (cloud-native networking)
  • Network Policy Enforcement (NPE) for Kubernetes and other orchestrators (network security)
  • Support for Kubernetes-native NetworkPolicy and extended policy models (network security)
  • Integration with major Kubernetes platforms and cloud providers (platform integration)
  • Observability and troubleshooting for network flows and policy behavior (network observability)

More About Calico

Calico addresses network connectivity and network security (cloud-native networking and security) for container orchestration platforms, virtual machines, and bare-metal hosts. It focuses on IP-based networking that aligns with standard routing concepts, enabling policy-based control over traffic between workloads in cloud, hybrid, and on-prem deployments.

The project provides a data plane that supports multiple modes, including pure IP routing and overlay encapsulation (cloud-native networking). This allows operators to choose between non-encapsulated routing for environments where underlay networking is configurable and encapsulated overlays when underlying networks impose constraints. Calico uses standard IP constructs to route traffic between pods, nodes, and external networks.

Calico implements NPE (network security) for Kubernetes and other orchestrators. It supports Kubernetes NetworkPolicy resources and extends them with additional policy constructs for more granular controls, such as policies across namespaces, host endpoints, and egress traffic. Policies are enforced at the workload and host endpoints, enabling segmentation and isolation between services, tenants, or environments.

The project integrates with Kubernetes distributions and cloud provider environments (platform integration), including managed Kubernetes services. It can operate with multiple orchestrators and supports mixed environments with containers, virtual machines (VMs), and host-based workloads. Calico's architecture separates the control plane, which manages policy and configuration, from the data plane, which programs packet filtering and routing rules on each node.

Calico provides tools and telemetry for network observability, enabling administrators to inspect policy decisions, audit flows, and troubleshoot connectivity issues. Flow logs, policy metrics, and status information can be integrated with monitoring and logging platforms for enterprise operations and compliance workflows.

In enterprise environments, Calico is used to implement Kubernetes Container Network Interface (CNI) networking (container networking), network segmentation, zero-trust-style workload access controls (network security), and multi-tenant isolation. It supports deployment across multiple clusters and hybrid topologies, allowing consistent policy models across on-prem data centers and public cloud infrastructure.

Within an enterprise technology taxonomy, Calico fits into categories such as Kubernetes CNI plugin (container networking), microsegmentation and workload security (network security), and network observability tooling (network observability). Its focus on IP routing, policy-driven security, and integration with Kubernetes and cloud platforms makes it a component for platform engineering, Security Operations (SecOps), and network engineering teams managing cloud-native workloads.