What do you get when you combine internet routing protocols with the industry's leading consensus-based data store? Unparalleled scalability.
When designing Calico's control plane, we turned for inspiration to the internet. Serving billions of endpoints around the world, it is the largest network ever built. We figured that if the internet can do that, then scaling the cloud to millions of workloads should be easy, right? So we borrowed proven IP routing technology to connect containers (and VMs) to one another and to the underlying infrastructure. Security policy rules then have to be distributed to every node. Here, we turned to the latest cloud techniques pioneered by web-scale operators such as Google. Making use of the same Raft consensus algorithm found in systems like Kubernetes, we achieved consistent, fast convergence times (typically a few milliseconds, even at scale) with high levels of fault tolerance.
"A micro-firewall for every workload" minimizes attack surface
Perimeter security (edge firewalls) has been demonstrated time and again to be insufficient. That's why we built a security layer into Calico that enables developers and operations staff to easily define with fine granularity which connections are allowed, and which are not. These rules implement and extend the Kubernetes Network Policy API – but also work on all other platforms supported by Calico. They might separate development from production workloads, or limit access to a specific restricted service to ensure regulatory compliance. A distributed algorithm calculates which rules are required on each node in the cluster and updates them dynamically as workloads are created and terminated. As a result, malicious actors – or just errant applications – are detected and stopped before they can cause damage.
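To make the two use cases in the paragraph concrete, here is an added example (not taken from the Calico site or the project's own manifests) of Kubernetes NetworkPolicy objects of the kind Calico enforces on each node. The namespace name "production", the namespace label env=production, the pod labels app=payments and app=payments-db, and port 5432 are all assumed values.

```yaml
# Added example, not Calico's own configuration. Names, labels and ports are assumed.
---
# 1. Default-deny: every pod in "production" rejects ingress unless a policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2. Separate development from production: only pods in namespaces labelled
#    env=production may reach production workloads. The restricted database
#    (app=payments-db) is deliberately excluded so rule 3 alone governs it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-production-namespaces
  namespace: production
spec:
  podSelector:
    matchExpressions:
      - key: app
        operator: NotIn
        values: ["payments-db"]
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              env: production
---
# 3. Limit access to a specific restricted service: only app=payments pods in the
#    same namespace may open TCP 5432 to the database.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-payments-db
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: payments-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: payments
      ports:
        - protocol: TCP
          port: 5432
```

Apply the file with kubectl apply -f; Calico's per-node agent translates the selectors into local filtering rules and keeps them current as pods come and go. The one design point to keep in mind is that NetworkPolicy allow rules are additive: a pod's permitted ingress is the union of every policy that selects it, which is why policy 2 excludes app=payments-db. Without that exclusion any pod in a production-labelled namespace could reach the database despite policy 3.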
Why add another layer of overhead when you don't need it?
Sometimes, an overlay network (encapsulating packets inside an extra IP header) is necessary. Often, though, it just adds unnecessary overhead, resulting in multiple layers of nested packets, impacting performance and complicating troubleshooting. Wouldn't it be nice if your virtual networking solution adapted to the underlying infrastructure, using an overlay only when required? That's what Calico does. In most environments, Calico simply routes packets from the workload onto the underlying IP network without any extra headers. Where an overlay is needed – for example when crossing availability zone boundaries in public cloud – it can use lightweight encapsulation including IP-in-IP and VXLAN. Project Calico even supports both IPv4 and IPv6 networks!
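The "overlay only when required" behaviour is configured on Calico's IPPool resource. The following is an added example written for this page, not a manifest shipped by the project; the pool name and the 192.168.0.0/16 CIDR are assumed values. Pods on nodes in the same subnet exchange plain routed packets, and IP-in-IP encapsulation is used only when the destination node lives in a different subnet (for instance another availability zone).

```yaml
# Added example, not Calico's own configuration. Pool name and CIDR are assumed.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: 192.168.0.0/16
  blockSize: 26            # size of the per-node address block carved from the pool
  ipipMode: CrossSubnet    # Always | CrossSubnet | Never; encapsulate only across subnets
  vxlanMode: Never         # use CrossSubnet here instead (and ipipMode: Never) where the
                           # fabric drops IP protocol 4, as some public clouds do
  natOutgoing: true        # SNAT pod traffic leaving the pool so it is routable upstream
  nodeSelector: all()      # every node may allocate addresses from this pool
```

Apply it with calicoctl apply -f (or kubectl, when the Calico API server is installed). Only one of ipipMode and vxlanMode may be enabled on a given pool, so switching encapsulation means setting the other back to Never. To verify the result on a node, compare the routing table before and after: routes to same-subnet nodes point at the physical interface, while routes to cross-subnet nodes point at the tunl0 (IP-in-IP) or vxlan.calico device.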
From Kubernetes and OpenShift to OpenStack, AWS to GCE, we've got you covered
We know you don't want to be writing lots of integration code to get Calico working with your favorite orchestrator. That is why Calico comes out of the box with a variety of plug-ins and recipes. Support for industry-standard APIs such as Container Network Interface (CNI), Neutron, and libnetwork enables Calico to plug into a wide variety of cloud orchestrators including Kubernetes, Mesos, Docker, OpenStack, and various vendor derivatives and distributions. Calico is deployed with OpenShift using the standard openshift-ansible deployment flow, and works seamlessly with other Kubernetes and OpenShift components including kube-proxy. So you've no excuse not to get started today!
Hundreds of enterprises trust Calico to connect and secure their cloud networks
Calico is the most trusted networking solution for mission-critical cloud-native applications, not just because of its simple architecture but also because it has been field tested in thousands of real-world production deployments. From a multi-exabyte public storage cloud delivering 99.99999999999% (that's 13 9's!) durability, to large, multi-tenant Kubernetes public cloud services networked and secured with Calico, to the Kubernetes Platform for Yahoo! services to Japan and GitHub, Calico has established a reputation for enterprise-grade performance and reliability.