
Network & Infrastructure SecurityContainer Security
Calico
Kubernetes network security with eBPF data plane for high-performance policy enforcement.
Calico Overview
What it does
Calico provides container and Kubernetes network security through network policy enforcement, zero-trust networking, and runtime threat defense built on open-source Project Calico. Unlike traditional Kubernetes networking relying on iptables creating performance bottlenecks, Calico delivers eBPF-powered data plane performing packet processing directly in Linux kernel eliminating overhead while providing native Kubernetes service handling without kube-proxy.
How it works
Built on pluggable data plane architecture supporting eBPF, standard Linux networking, Windows HNS, and VPP, Calico powers over 100 million containers across 8 million nodes in 166 countries. Core capabilities include Kubernetes Network Policy enforcement with fine-grained pod-to-pod communication controls, DNS policy enforcement controlling domain-based access, egress gateway managing outbound traffic, and WireGuard encrypted tunneling. The eBPF data plane delivers higher throughput with lower CPU consumption, scales to thousands of services, and provides XDP-based DDoS mitigation with source IP-preserving load balancing. Additional capabilities include runtime threat detection with threat intelligence integration, vulnerability management with container image scanning, compliance automation for CIS Benchmarks, and detailed flow logs with network visualization for forensics.
Credentials and traction
Calico was named a Leader and Outperformer in the 2025 GigaOm Radar for Container Networking, recognized for its container networking security, cross-environment networking, and scalability. Customers include Discover, Chipotle, NBCUniversal, Box, Siemens Healthineers, Royal Bank of Canada, and Bell Canada. The underlying open-source Project Calico secures container networking across enterprise Kubernetes environments, with adoption spanning large-scale and regulated cloud-native deployments.
Key Capabilities
mapped to solution categoriesCaptures and logs all pod-to-pod network flows including service mesh traffic, providing full observability for anomaly detection and policy validation.
Enforces network policies using eBPF programs attached to kernel hooks, providing lower overhead and higher throughput than iptables-based NetworkPolicy enforcement.
Enforces DNS-based and IP-based egress policies for pod outbound traffic, preventing C2 communication, data exfiltration, and unauthorized external API calls.
Analyzes observed pod-to-pod traffic and generates Kubernetes NetworkPolicy manifests that allow only observed legitimate connections, reducing policy authoring to review and approval.
Applies consistent microsegmentation policy to cloud VMs and containers alongside on-premises workloads, using cloud-native enforcement mechanisms (security groups, NSGs) under unified policy.
Enforces identity-based allow policies (user identity, workload identity, device posture), rather than IP-based rules, policy follows the workload regardless of network location.
Evaluates proposed segmentation policies against observed traffic to identify what legitimate connections would be blocked, enabling policy validation without a production enforcement change.
Enforces segmentation via a host agent at the OS network stack or through upstream network controls (cloud security groups, SDN, switch ACLs) where agents are not viable.
Integrations
compatible toolsImplementation & support
Info last updated on May 28, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.