Calico is an open source networking and network security solution for containers, virtual machines, and native host-based workloads. Calico supports a broad range of platforms including Kubernetes, OpenShift, Mirantis Kubernetes Engine (MKE), OpenStack, and bare metal services.

Whether you opt to use Calico’s eBPF data plane or Linux’s standard networking pipeline, Calico delivers blazing fast performance with true cloud-native scalability. Calico provides developers and cluster operators with a consistent experience and set of capabilities whether running in public cloud or on-prem, on a single node, or across a multi-thousand node cluster.

Why use Calico?

Choice of dataplanes

Calico gives you a choice of dataplanes, including a pure Linux eBPF dataplane, a standard Linux networking dataplane, and a Windows HNS dataplane. Whether you prefer cutting edge features of eBPF, or the familiarity of the standard primitives that existing system administrators already know, Calico has you covered.

Whichever choice is right for you, you’ll get the same, easy to use, base networking, network policy and IP address management capabilities, that have made Calico the most trusted networking and network policy solution for mission-critical cloud-native applications.

Best practices for network security

Calico’s rich network policy model makes it easy to lock down communication so the only traffic that flows is the traffic you want to flow. Plus with built in support for Wireguard encryption, securing your pod-to-pod traffic across the network has never been easier.

Calico’s policy engine can enforce the same policy model at the host networking layer and (if using Istio & Envoy) at the service mesh layer, protecting your infrastructure from compromised workloads and protecting your workloads from compromised infrastructure.


Depending on your preference, Calico uses either Linux eBPF or the Linux kernel’s highly optimized standard networking pipeline to deliver high performance networking. Calico’s networking options are flexible enough to run without using overlays in most environments, avoiding the overheads of packet encap/decap. Calico’s control plane and policy engine has been fine tuned over many years of production use to minimize overall CPU usage and occupancy.


Calico’s core design principles leverage best practice cloud-native design patterns combined with proven standards based network protocols trusted worldwide by the largest internet carriers. The result is a solution with exceptional scalability that has been running at scale in production for years. Calico’s development test cycle includes regularly testing multi-thousand node clusters. Whether you are running a 10 node cluster, 100 node cluster, or more, you reap the benefits of the improved performance and scalability characteristics demanded by the largest Kubernetes clusters.

Calico Cloud compatible

Calico Cloud builds on top of open source Calico to provide Kubernetes security and observability features and capabilities:

  • Egress access controls (DNS policies, egress gateways)
  • Extend firewall to Kubernetes
  • Hierarchical tiers
  • FQDN / DNS based policy
  • Micro-segmentation across host/VMs/containers
  • Security policy preview, staging, and recommendation
  • Compliance reporting and alerts
  • Intrusion detection & prevention (IDS / IPS) for Kubernetes
  • SIEM Integrations
  • Application Layer (L7) observability
  • Dynamic packet capture
  • DNS dashboards

Information Source: