4 min Analytics

Calico boxes up universal microsegmentation for containers 

Calico boxes up universal microsegmentation for containers 

Containers need to be contained. The very nature of software ‘containerisation’ provides software engineers with a means of grasping compartmentalised units of code, algorithmic logic and data services that can be used in a commoditised composable fashion. But these units of software need containment in the sense that they need robust networking connection technologies and security services, Tigera, the creator of Project Calico, is a container networking and security that works to deliver universal microsegmentation capabilities. But what is universal microsegmentation, who slices up this pie and why does it matter?

Calico says its microsegmentation capabilities are designed to address the ‘shortcomings’ of existing network segmentation in the age of Kubernetes and container-based architectures. Put simply, microsegmentation technology takes the form of a network policy engine that performs segmentation across a range of workloads.

What’s inside microsegmentation?

In terms of what a software engineer gets in the microsegmentation toolbox, right up front there are observability functions, which offer a dynamic service and threat graph built on flow logs. This tool collects and analyzes information about applications and their communication flows to map out a view for administrators to eliminate the guesswork involved in understanding the applications’ upstream and downstream dependencies and policy gaps.

There are also automated policy recommendations i.e. Calico’s policy recommendation engine recommends policies are based on the traffic flow of workloads. Calico helps preview and stage policies prior to enforcement to secure workloads and understand policies’ impact on the application’s performance and security posture. It also provides immediate feedback on policy rule changes in the production environment before enforcement.

Unified security model

“Traditional network segmentation solutions, designed for static virtual machine (VM) environments, are inadequate for the ever-evolving nature of Kubernetes,” said Amit Gupta, chief product officer, Tigera. “A modern segmentation solution needs to cater to both VMs and containers across single and hybrid environments, spread across on-premises and public cloud. Calico addresses these needs with its advanced microsegmentation capabilities, offering a unified security model, streamlined management, dynamic policy enforcement, granular policies, and reduced overhead. Enterprises that integrate Calico can achieve seamless and efficient segmentation that keeps pace with their virtualization environments.”

Gupta suggests that open source technologies such as KubeVirt extend Kubernetes by adding virtualisation capabilities, allowing it to manage virtual machines alongside containers within the same infrastructure. He insists that the architecture of ‘traditional’ (there’s that word Calico likes to use once again) network segmentation solutions are not well-equipped to support the rapidly changing nature of Kubernetes environments and a flat open network approach. 

Because Kubernetes workloads are highly dynamic, with pods being created and destroyed frequently and network configurations and policies constantly changing, the company thinks its microsegmentation technology proposition is validated.

Workload metadata 

“Calico provides dynamic segmentation capabilities based on workload metadata such as namespace and labels, which ensures that new workloads are segmented automatically upon deployment. Calico simplifies the segmentation process with declarative, user-friendly policy language, complemented by an intuitive policy user interface to enforce this segmentation. This simplicity not only eases the creation of network policies but also enhances troubleshooting through the integration of Calico flow logs and observability capabilities, leading to a seamless and efficient operational experience,” noted the company, in a press statement.

Calico’s microsegmentation offers policy-as-code i.e. Calico implements network security and observability as code, enabling automated, scalable and compliant workload management. It uses Kubernetes primitives and declarative models, using the same versioning that teams use for source code which the company says ensures continuous compliance and security for all components, regardless of deployment, distribution, or container type.

Calico purring away?

If microsegmentation becomes a more prevalent part of the ‘why is Kubernetes so complicated and what can we do about it?’ debate (and that is a popular industry rant, then we get to know the shape of network policy engines rather better. Given the drive from organisations like Progress to champion policy-as-code in this vein, there looks to be fairly safe money on this sector purring away (Calico is an American term for a tri-colour cat, pun intended) contentedly enough.