Traditional SDNs are complex, making them hard to deploy and troubleshoot. Calico removes that complexity, with a simplified networking model designed for the demands of today's cloud-native applications.
Unlike SDNs that require a central controller, limiting scalability, Calico is built on a fully distributed, scale-out architecture. So it scales smoothly from a single developer laptop to large enterprise deployments.
Defining secure network policy used to be reserved for skilled network engineers. Calico's powerful micro-segmentation capabilities build on a simple policy language that naturally expresses the developer's intent.
What do you get when you combine internet routing protocols with the industry's leading consensus-based data store? Unparalleled scalability.
When designing Calico's control plane, we turned for inspiration to the internet. Serving billions of endpoints around the world, it is the largest network ever built. We figured, if we can do that, then scaling the cloud to millions of workloads should be easy, right? So we borrowed proven IP routing technology to connect containers (and VMs) to one another and to the underlying infrastructure. We then have to distribute security policy rules. Here, we turned to the latest cloud techniques pioneered by web-scale operators such as Google. Making use of the same Raft consensus algorithm found in systems like Kubernetes, we achieved consistent, fast convergence times (typically a few milliseconds, even at scale) with high levels of fault tolerance.
"A micro-firewall for every workload" minimizes attack surface
Perimeter security (edge firewalls) has been demonstrated time and again to be insufficient. That's why we built a security layer into Calico that enables developers and operations staff to easily define with fine granularity which connections are allowed, and which are not. These rules implement and extend the Kubernetes Network Policy API – but also work on all other platforms supported by Calico. They might separate development from production workloads, or limit access to a specific restricted service to ensure regulatory compliance. A distributed algorithm calculates which rules are required on each node in the cluster and updates them dynamically as workloads are created and terminated. As a result, malicious actors – or just errant applications – are detected and stopped before they can cause damage.
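As an added illustration of the policy model described above (example manifests written for this page, not the Calico project's own documentation), the following shows a default-deny baseline expressed in the standard Kubernetes Network Policy API, one narrow allow rule, and a Calico-specific policy that uses capabilities the Kubernetes API lacks (an explicit Deny action and an evaluation order). The namespace, labels, ports and the cloud metadata address are assumptions made for the example.

```yaml
# Added example, not from the Calico project. The "payments" namespace,
# the "api"/"ledger" labels and port 8443 are constructed for illustration.
---
# 1. Default deny: an empty podSelector matches every pod in the namespace,
#    and listing both policyTypes with no rules means no traffic is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. Narrow allow: only pods labelled app=api may reach app=ledger pods,
#    and only on TCP/8443. Everything else stays denied by policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-to-ledger
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: ledger
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 8443
---
# 3. Calico extension: the Kubernetes API can only add allows, so a later
#    "allow all egress" policy could silently re-open the cloud metadata
#    endpoint. A Calico policy can say Deny, and its low "order" value makes
#    it win before any Kubernetes NetworkPolicy (Calico evaluates those at
#    order 1000). 169.254.169.254 is the conventional link-local metadata
#    address used by major clouds; that the cluster runs in such a cloud is
#    an assumption of this example.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-cloud-metadata
  namespace: payments
spec:
  order: 10
  selector: all()
  types:
  - Egress
  egress:
  - action: Deny
    destination:
      nets:
      - 169.254.169.254/32
```

One caveat worth knowing when scoping the Calico policy: once any Calico policy with Egress rules selects a workload, that workload's egress is denied unless some rule allows it. Here that is harmless, because every pod in the namespace is already under the default-deny policy, but a cluster-wide `GlobalNetworkPolicy` with `selector: all()` and only a Deny rule would cut off egress for every workload in the cluster, including system components.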
Why add another layer of overhead when you don't need it?
Sometimes, an overlay network (encapsulating packets inside an extra IP header) is necessary. Often, though, it just adds unnecessary overhead, resulting in multiple layers of nested packets, impacting performance and complicating troubleshooting. Wouldn't it be nice if your virtual networking solution adapted to the underlying infrastructure, using an overlay only when required? That's what Calico does. In most environments, Calico simply routes packets from the workload onto the underlying IP network without any extra headers. Where an overlay is needed – for example when crossing availability zone boundaries in public cloud – it can use lightweight encapsulation including IP-in-IP and VXLAN. Project Calico even supports both IPv4 and IPv6 networks!
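The "overlay only when required" behaviour is selected per IP pool. The manifests below are an added example written for this page (not the Calico project's own docs) contrasting an always-on overlay with the adaptive CrossSubnet mode, plus an IPv6 pool that uses no encapsulation at all. The pool names and CIDRs are constructed; the three pools are alternatives to compare, not a set to apply together.

```yaml
# Added example, not from the Calico project. CIDRs are constructed.
---
# Unnecessary overhead: every workload packet is wrapped in IP-in-IP, even
# between nodes on the same L2 segment, costing an extra 20-byte outer
# IPv4 header on every packet and hiding the real endpoints from the
# underlay's view.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: pool-always-overlay
spec:
  cidr: 10.244.0.0/16
  ipipMode: Always
  vxlanMode: Never
  natOutgoing: true
  nodeSelector: all()
---
# Adaptive setting: plain IP routing between nodes in the same subnet, and
# IP-in-IP encapsulation only when the destination node is in a different
# subnet (for example a different availability zone). Swap the two modes
# (ipipMode: Never, vxlanMode: CrossSubnet) to get the same behaviour with
# VXLAN, e.g. where the underlay drops IP protocol 4.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: pool-cross-subnet
spec:
  cidr: 10.245.0.0/16
  ipipMode: CrossSubnet
  vxlanMode: Never
  natOutgoing: true
  nodeSelector: all()
---
# Dual-stack: an IPv6 pool routed natively with no overlay. natOutgoing is
# left off so workloads keep their own addresses on the wire.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: pool-v6-native
spec:
  cidr: fd00:10:244::/64
  ipipMode: Never
  vxlanMode: Never
  natOutgoing: false
  nodeSelector: all()
```

Applying one of these with `calicoctl apply -f <file>` is enough for new workloads; the practical check after choosing an overlay mode is the MTU: IP-in-IP adds 20 bytes and VXLAN adds 50 bytes to each packet, so the workload-facing MTU must be reduced by that amount (or the underlay must carry jumbo frames), or you will see fragmentation or silently dropped large packets only on cross-subnet paths.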
The best policy model supported on your choice of data plane
Calico was designed from the start with a fully pluggable data plane. This enables Calico to use the best technologies for the job at hand. Calico currently uses the standard Linux kernel data plane, Windows Host Networking Service (HNS), and some capabilities of the extended Berkeley Packet Filter (eBPF).
From Kubernetes to OpenStack, AWS to GCE, we've got you covered
We know you don't want to be writing lots of integration code to get Calico working with your favorite orchestrator. That is why Calico comes out of the box with a variety of plug-ins and recipes. Support for industry-standard APIs such as Container Network Interface (CNI), Neutron, and libnetwork enables Calico to plug into a wide variety of cloud orchestrators including Kubernetes, Mesos, Docker, OpenStack, and various vendor derivatives and distributions. So you've no excuse not to get started today!
Hundreds of enterprises trust Calico to connect and secure their cloud networks
Calico is the most trusted networking solution for mission-critical cloud-native applications. Not just because of its simple architecture, but also because it has been field tested by hundreds of users in real-world production deployments. From a multi-exabyte public storage cloud delivering 99.99999999999% (that's 13 9's!) durability, to multi-tenant public cloud services powered by Calico+OpenStack, to the Kubernetes platform that delivers Yahoo! services to Japan, Calico has established a reputation for enterprise-grade performance and reliability.
"Yahoo! JAPAN recommends building data centers with pure L3 networking. Project Calico matches this direction."
"Calico... provided the out-of-the-box functionality we needed to ship a cluster quickly"
"The combination of Calico with OpenShift enabled us to engineer a fully automated production-grade setup in a few weeks."
"We chose Calico as the network plugin to ensure security, isolation, and the right performance for all the applications"
"Calico should be a default requirement for production-grade Kubernetes deployments in the enterprise"
"Calico produces immediate advantages such as improved scalability, more reliable and flexible isolation at pod and cluster levels, and out-of-the-box support of the most popular public cloud platforms"
"Calico has clearly become the de facto solution for Kubernetes networking"
- Sasha Klizhentas, CTO, Gravitational
"We have integrated Project Calico so you have production-ready, secure networking right out of the box."
- Craig McLuckie, CEO, Heptio