Calico Network and Security

Calico is an open-source networking and network security solution for containers, virtual machines, and bare-metal hosts, designed for Kubernetes, OpenShift, Docker, and other container platforms. Originally created by Metaswitch (now part of Microsoft) in 2015 and maintained by Tigera, Calico is one of the most widely used CNI (Container Network Interface) plugins. Key features: Layer 3 networking using pure IP routing for pod-to-pod communication, enabling massive scale without overlay overhead, with optional VXLAN or IP-in-IP encapsulation for cross-subnet connectivity. BGP (Border Gateway Protocol) routing for advertising pod routes to the underlay network, enabling native routing without NAT or encapsulation for optimal performance. BGP route reflectors for scaling to thousands of nodes with efficient route distribution. Network policy enforcement using Kubernetes NetworkPolicy API plus Calico's extended GlobalNetworkPolicy and NetworkPolicy CRDs for advanced traffic control including order, deny, pass, and log actions. Istio and Envoy integration for securing service mesh traffic with both L3 and L7 policy enforcement. WireGuard encryption for securing pod traffic at the network layer with minimal performance overhead. Egress Gateway for controlling outbound traffic from pods to external services with NAT and IP pooling. IP address management (IPAM) with flexible block-based allocation, supporting IPv4 and IPv6 dual-stack. Host protection for securing the host itself with endpoint policies. Multi-cluster connectivity for connecting Kubernetes clusters across regions and clouds. Kubernetes API datastore mode for storing Calico state in the Kubernetes API server, eliminating the need for a separate etcd cluster. Typha for scaling to large clusters by caching and distributing Kubernetes API data to Felix agents. Used by thousands of organizations including Tigera commercial customers. Open source under Apache 2.0.