Calico

License: Free (Open-Source, Apache 2.0) + Commercial
Suphi Cankurt
AppSec Enthusiast
Updated March 18, 2026
5 min read
Key Takeaways
  • Most widely adopted Kubernetes networking and security solution — powering 8M+ nodes daily across 166 countries and 1M+ clusters globally.
  • Pluggable data plane architecture supporting eBPF, standard Linux (nftables/iptables), Windows HNS, and VPP for different performance and compatibility requirements.
  • WireGuard-based encryption secures pod-to-pod traffic on the wire with minimal performance overhead — 73% throughput on 5Gbps links when combined with eBPF.
  • Three tiers: Calico Open Source (free, Apache 2.0), Calico Enterprise (self-managed), and Calico Cloud (fully managed SaaS with a free tier for single clusters).

Calico is an open-source Kubernetes CNI plugin and network security platform that handles pod-to-pod networking and network policy enforcement in a single solution. Created and maintained by Tigera, it is the most widely adopted Kubernetes networking solution, powering over 8 million nodes daily across 166 countries. The project has 7.1k GitHub stars, and the latest release is v3.31.4 (February 2026).

Unlike tools that only scan images or check configurations, Calico operates at the network layer — controlling which pods can talk to each other, encrypting traffic between nodes with WireGuard, and enforcing microsegmentation policies that follow workloads across clusters.

Figure: Calico Cloud dashboard showing cluster observability with DNS requests, policies, and process instances

Overview

Calico provides two core capabilities in one platform: Kubernetes networking (routing pod traffic) and network security (controlling what traffic is allowed). This dual role sets Calico apart from pure security tools — it is both the network fabric and the policy enforcement engine.

The project offers a pluggable data plane architecture. Teams can choose between:

Data Plane | Best For
eBPF | High-performance environments, source IP preservation
Standard Linux (nftables/iptables) | Maximum compatibility, proven stability
Windows HNS | Mixed Linux/Windows Kubernetes clusters
VPP | Telco and high-throughput edge workloads

Figure: Calico pluggable data planes supporting eBPF, iptables, nftables, VPP, and Windows

This flexibility lets Calico run everywhere from single-node development clusters to production environments at companies like AT&T, Discover, Merck, and ServiceNow.

Feature | Details
Deployment model | Self-managed (Open Source, Enterprise) or SaaS (Calico Cloud)
Data planes | eBPF, standard Linux (nftables/iptables), Windows HNS, VPP
Encryption | WireGuard (pod-to-pod), ~73% throughput on 5Gbps with eBPF
Policy types | Kubernetes NetworkPolicy, GlobalNetworkPolicy, tiered policies
Routing | BGP peering, VXLAN, IP-in-IP, cross-subnet optimization
IP support | Dual-stack IPv4/IPv6
OS support | Linux, Windows
Compliance | PCI DSS, SOC 2, GDPR, HIPAA (Enterprise/Cloud)
Adoption | 8M+ nodes daily, 1M+ clusters, 166 countries
GitHub | 7.1k stars, Apache 2.0

Key Features

Network Policy Engine
Extends Kubernetes NetworkPolicy with GlobalNetworkPolicy and tiered policy CRDs. Security teams define guardrail policies that override namespace-level rules, enabling centralized governance without slowing down developers.
eBPF Dataplane
Production-ready eBPF alternative to iptables-based networking. Delivers lower latency, higher throughput, and source IP preservation without kube-proxy — eliminating a common bottleneck in large clusters.
WireGuard Encryption
Automatic WireGuard tunnels between nodes encrypt all pod-to-pod traffic on the wire. Combined with eBPF, Calico achieves roughly 73% throughput on 5Gbps links, so the performance cost of on-the-wire encryption is low.

Microsegmentation and Zero Trust

Calico’s network policies enable microsegmentation at the pod level. Instead of broad subnet-based firewall rules, you can define policies that specify exactly which pods, namespaces, and services are allowed to communicate. Labels and selectors keep policies dynamic: they follow workloads as pods scale up, restart, or move across nodes.

For Zero Trust implementations, Calico supports deny-by-default policies combined with explicit allow rules. Tiered policies (available in Enterprise/Cloud editions) let security teams set non-negotiable baseline policies while giving development teams freedom within those guardrails.

Figure: Calico tiered policy board showing security, platform, and default policy tiers with enforcement status

BGP and Non-Overlay Networking

Calico is one of the few CNI plugins that supports native BGP peering, which eliminates the overhead of overlay networks like VXLAN. In environments where BGP is available (on-premises data centers, bare-metal clusters), this gives pods routable IP addresses directly on the infrastructure network, reducing latency and simplifying troubleshooting.

For environments that need overlays, Calico supports both VXLAN and IP-in-IP encapsulation with cross-subnet optimization.

Multi-Cluster and Hybrid Support

Calico works across EKS, GKE, AKS, OpenShift, RKE, k3s, and self-managed Kubernetes clusters. It runs on Linux and Windows nodes, and supports dual-stack IPv4/IPv6 networking. The commercial editions add multi-cluster management for federated policy enforcement across environments.

Use Cases

Platform engineering teams use Calico as the default CNI across all Kubernetes clusters, standardizing on one networking and security solution rather than managing separate tools for routing and policy.

Security teams implement microsegmentation and Zero Trust networking through Calico’s tiered policies, enforcing baseline security rules across all namespaces without requiring changes from application developers.

Compliance-driven organizations use Calico Enterprise or Calico Cloud for continuous compliance monitoring against PCI DSS, SOC 2, GDPR, and HIPAA frameworks, with audit trails and reporting built into the platform.

Figure: Calico Cloud compliance reports showing Kubernetes CIS Benchmark results with node failure summary

Hybrid and multi-cloud deployments rely on Calico’s consistent networking model across cloud providers and on-premises infrastructure, using BGP peering to connect environments without overlay overhead.

Integrations

Kubernetes Distributions:

  • Kubernetes
  • Amazon EKS
  • Google GKE
  • Azure AKS
  • OpenShift
  • k3s
  • RKE

Observability & Security:

  • Elasticsearch
  • Prometheus
  • Grafana
  • Fluentd
  • Falco

Pricing

Calico is available in three tiers:

Tier | Model | Key Additions
Calico Open Source | Free (Apache 2.0) | Networking, network policy, eBPF, WireGuard, BGP
Calico Enterprise | Commercial (self-managed) | Dynamic Service Graph, compliance reporting, tiered policies, threat feeds, egress controls
Calico Cloud | SaaS (starts at $0.05/node-hour) | Fully managed, AI assistant, multi-cluster management

Calico Cloud also offers a free tier for single-cluster environments, providing observability dashboards, policy recommendations, and staged policy previews at no cost. Enterprise pricing requires contacting Tigera directly.

Best for
Platform engineering and DevOps teams standardizing Kubernetes networking and network security across multiple clusters. Calico makes the most sense when you need one solution for both pod networking (CNI) and network policy enforcement, especially in hybrid environments with mixed Linux/Windows nodes or on-premises BGP requirements.

Getting Started

1. Install Calico as your CNI plugin. Deploy using the Tigera operator via Helm chart or kubectl manifest. Works with new or existing Kubernetes clusters on any distribution.

2. Configure your data plane. Choose between eBPF (for performance), standard Linux (for compatibility), or Windows HNS (for mixed-OS clusters). Enable WireGuard encryption if you need on-the-wire pod traffic security.

3. Define network policies. Start with Calico’s Kubernetes NetworkPolicy support, then extend with GlobalNetworkPolicy CRDs for cluster-wide rules. Use label selectors to target workloads dynamically.

4. Visualize traffic (commercial). Calico Enterprise and Calico Cloud provide Dynamic Service Graph to visualize actual traffic flows between workloads, identify unprotected communication paths, and get policy recommendations.
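Steps 1 and 2 above as Tigera operator resources: an Installation that selects the eBPF data plane, the API server endpoint the operator needs in BPF mode, and the Felix setting that turns on WireGuard. This is an added example, not the project's own manifests; the pod CIDR and the API server address are placeholders.

```yaml
# 1. Installation resource consumed by the Tigera operator (cluster-scoped; the
#    name must be "default"). BPF replaces kube-proxy, so disable or remove
#    kube-proxy once Calico is running in this mode.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    linuxDataplane: BPF        # alternatives: Iptables, Nftables, VPP
    ipPools:
    - cidr: 10.244.0.0/16      # placeholder; use your cluster's pod CIDR
      encapsulation: VXLANCrossSubnet   # overlay only between subnets
      natOutgoing: Enabled
---
# 2. In BPF mode Calico must reach the API server without kube-proxy, so the
#    operator reads its address from this ConfigMap (placeholder values);
#    create it before switching the data plane.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubernetes-services-endpoint
  namespace: tigera-operator
data:
  KUBERNETES_SERVICE_HOST: "<api-server-host>"
  KUBERNETES_SERVICE_PORT: "6443"
---
# 3. FelixConfiguration: enable WireGuard so node-to-node pod traffic is
#    encrypted on the wire (nodes need the wireguard kernel module).
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  wireguardEnabled: true
```

Resources in the projectcalico.org/v3 API group (FelixConfiguration, Calico policies) are applied with calicoctl, or with kubectl when the Calico API server is installed.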

Figure: Calico Dynamic Service Graph showing point-to-point network traffic visualization between namespaces

Strengths & Limitations

Strengths:

  • Most widely deployed Kubernetes CNI — 8M+ nodes, 1M+ clusters globally
  • Multiple data plane options (eBPF, Linux, Windows, VPP) for different requirements
  • Native BGP support eliminates overlay overhead in data center environments
  • WireGuard encryption adds transport-layer security with minimal performance cost
  • Tiered policies enable centralized security governance without blocking developer autonomy
  • Free tier of Calico Cloud provides observability without commercial commitment

Limitations:

  • eBPF dataplane was added after initial design (unlike Cilium’s eBPF-first architecture) — some eBPF features lag behind Cilium
  • Layer 7 (application-layer) policy enforcement is limited compared to Cilium’s HTTP/gRPC-aware policies
  • No built-in observability tool equivalent to Cilium’s Hubble (commercial Service Graph fills this gap)
  • Calico Open Source lacks compliance reporting, threat feeds, and centralized multi-cluster management
  • Windows support covers networking but not all security features available on Linux

For a broader view of Kubernetes and container security options, see the container security tools category page. Calico pairs well with runtime security tools like Falco for kernel-level threat detection and image scanners like Trivy for pre-deployment vulnerability scanning.

Frequently Asked Questions

What is Calico?
Calico is an open-source Kubernetes networking and network security solution created and maintained by Tigera. It functions as a CNI (Container Network Interface) plugin that handles both pod networking and network policy enforcement. Calico powers over 8 million nodes daily across 166 countries, making it the most widely adopted solution in its category. The open-source project uses the Apache 2.0 license and has 7.1k GitHub stars.
What is the difference between Calico Open Source and Calico Enterprise?
Calico Open Source provides Kubernetes networking, network policy enforcement, eBPF dataplane, WireGuard encryption, and BGP peering. Calico Enterprise (self-managed) and Calico Cloud (SaaS) add commercial features: Dynamic Service Graph for traffic visualization, tiered policy management, compliance reporting for PCI/SOC 2/GDPR/HIPAA, egress access controls, threat detection feeds, and enterprise support from Tigera. Calico Cloud also offers a free tier for single-cluster observability and policy management.
How does Calico compare to Cilium?
Both are popular Kubernetes CNI plugins. Cilium was built from the ground up around eBPF, while Calico added eBPF as an alternative to its standard Linux dataplane. With both in eBPF mode, throughput differences are typically under 5%. Calico offers broader OS support (Linux, Windows), multiple dataplane options, and mature BGP capabilities. Cilium provides Hubble for L3-L7 observability and has stronger Layer 7 policy features. Calico is better suited for hybrid environments and strict compliance needs; Cilium excels in greenfield cloud-native deployments on modern kernels.
Does Calico support eBPF?
Yes. Calico’s eBPF dataplane is a production-ready alternative to the standard Linux dataplane. It provides lower latency, higher throughput, source IP preservation without kube-proxy, and reduced CPU overhead compared to iptables-based networking. The eBPF dataplane is compatible with WireGuard encryption — combined, they achieve roughly 73% throughput on a 5Gbps link. Calico 3.31 further improved eBPF with better IPv6 support.
Is Calico a CNCF project?
Calico is not an official CNCF graduated, incubating, or sandbox project. However, Tigera (Calico’s creator) is a CNCF member, and Calico appears in the CNCF Landscape under networking. Calico is supported by all major Kubernetes distributions and cloud providers including EKS, GKE, AKS, and OpenShift.