Amazon Web Services Feed
Enterprise Security and Networking for Amazon EKS Clusters with Calico and Calico Enterprise
By Amit Gupta, VP of Product Management and Business Development at Tigera
By Troy Ameigh, Sr. Partner Solutions Architect at AWS
Tigera, an AWS Advanced Technology Partner with the AWS Containers Competency, is excited to announce that Calico and Calico Enterprise are both now available as AWS Quick Starts.
Everything you need to leverage Calico and Calico Enterprise is installed and configured in your Amazon Elastic Kubernetes Service (Amazon EKS) cluster. This enables you to take advantage of the full set of Kubernetes security, observability, and networking features, including Calico’s flexible IP address management capabilities.
To get started, visit the Quick Start pages for either solution:
Calico is a network policy engine for Kubernetes. With Calico network policy enforcement, you can implement network segmentation and tenant isolation. This is useful in multi-tenant environments where you must isolate tenants from each other, or when you want to create separate environments for development, staging, and production.
Network policies are similar to Amazon Web Services (AWS) security groups in that you can create network ingress and egress rules. Instead of assigning instances to a security group, you assign network policies (rules) to pods and control traffic among the pods using pod selectors and labels.
Calico Enterprise builds on top of open source Calico to provide additional higher-level features and capabilities. It integrates with your existing AWS tools including security groups, Amazon CloudWatch, and AWS Security Hub so you can leverage existing processes and workflows in your EKS or Kubernetes infrastructure.
Addressing the Most Common Kubernetes Challenges
Tigera’s experience as a leading provider of Kubernetes CNIs tells us that Kubernetes users face one or more of these common security, observability and networking challenges.
Controlling Cluster Egress Access
New applications and workloads are constantly being added to Kubernetes clusters. When deploying your apps on Amazon EKS, you need a way to securely connect your pods to resources such as databases and APIs outside of your cluster.
Kubernetes has no built-in capability to enforce network policy, so you must use a CNI like Calico Enterprise to securely control access to external resources (egress access).
Calico Enterprise provides you with three choices for controlling egress access: AWS Security Group integration, DNS policy, and Egress Access Gateway. In each of these cases, Calico Enterprise provides a common network policy model using Kubernetes constructs like labels and selectors to control and restrict access to specific pods.
AWS security group integration for Calico Enterprise enables you to combine AWS security groups with network policy to enforce granular access control between Kubernetes pods and Amazon Virtual Private Cloud (VPC) resources.
We’ve compiled detailed instructions to help you configure AWS security group integration for Calico Enterprise.
Applying Existing Compliance Controls to Kubernetes
Many applications have compliance requirements, such as workload isolation, ensuring developers cannot talk to production and implementing network zones; for example, microservices in the DMZ can communicate with the public internet but not directly with your backend databases.
Using open source Calico, you can implement these types of segmentation rules in your Amazon EKS cluster.
With Calico Enterprise, you can move to the next level and ensure your enterprise-wide security and compliance requirements are being enforced in the Kubernetes environment.
For example:
- Implement security controls at a higher-precedent policy tier that cannot be changed or overridden by other users.
- Alert on any changes to your security controls.
- Generate audit reports that prove compliance, currently and historically.
Learn how to integrate your existing enterprise security controls with your Kubernetes environment.
Network Visualization and Troubleshooting
Connectivity issues between microservices are extremely difficult to troubleshoot. It often requires collaboration between multiple teams to identify and resolve the problem.
Calico Enterprise offers tools to rapidly pinpoint and resolve the source of a connectivity issue between your microservices running on Kubernetes clusters, and tools to identify and resolve potential connectivity issues before they happen.
Calico Enterprise logs all connection attempts between microservices as well as performance metrics for those connections.
Important Kubernetes metadata is included with each log entry, including:
- Source and destination namespaces.
- Source and destination pods and labels.
- Which policy evaluated the connection, was it accepted or denied, and why.
The Flow Log Visualizer in Calico Enterprise queries your flow log data and renders an interactive graph that visualizes your microservice connections, volume of connections, and whether or not the connection was successful. Using filters, you can drill down into specific namespaces, workloads, and view connection status.
Learn how to rapidly pinpoint and resolve connectivity issues between microservices running on Kubernetes.
Getting Started
A pair of leading Kubernetes-native network security solutions, Calico and Calico Enterprise are now available as AWS Quick Starts. Everything you need to get up and running is installed and configured in your Amazon EKS cluster, enabling you to take advantage of a rich set of Kubernetes security, observability, and networking features.
Tigera – AWS Partner Spotlight
Tigera is Advanced Technology Partner that delivers network security solutions for the cloud-native world.
Contact Tigera | Partner Overview
*Already worked with Tigera? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.