Networking
The Calico Enterprise network plugins provide a range of networking options to fit your implementation and maximize performance.
Getting started
Determine best networking option
Compare networking choices in Calico Enterprise — overlay versus non-overlay, BGP, CNI, and IPAM — to land on the right configuration for your cluster.
Networking overview
Reference primer for general networking fundamentals — OSI layers, packet anatomy, MTU, IP addressing, routing, overlays, DNS, and NAT — that underpin Calico Enterprise.
Kubernetes network model
Reference primer for Kubernetes networking concepts that help when operating Calico Enterprise — pod IPs, services, DNS, NAT outgoing, and dual stack.
Configuring networking
Configure BGP peering
Set up BGP peering for Calico Enterprise — full mesh, per-node peers, top-of-rack switches, and route reflectors — using BGPPeer and BGPConfiguration resources.
Deploy a dual ToR cluster
Deploy a dual ToR cluster with Calico Enterprise so two independent connectivity planes provide redundancy between racks for on-premises clusters.
Configure multiple Calico Enterprise networks on a pod
Add extra Calico Enterprise networks to each pod with the Multus-CNI plugin, then control access with tiered network policy on every interface.
Overlay networking
Choose VXLAN or IP-in-IP overlay encapsulation in Calico Enterprise so pod traffic crosses underlay networks that don't route pod CIDRs natively.
Advertise Kubernetes service IP addresses
Advertise Kubernetes service cluster IPs and external IPs out of the cluster over BGP with Calico Enterprise so upstream routers can reach them directly.
Configure MTU to maximize network performance
Tune the Calico Enterprise MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard overhead.
Custom BGP configuration
Override the default BIRD BGP templates for Calico Enterprise to access advanced BIRD features for proof-of-concept and special-case routing setups.
Configure outgoing NAT
Configure NAT outgoing on Calico Enterprise IP pools so pod traffic destined outside the cluster is source-NATed to the node IP.
Use a specific MAC address for a pod
Pin a chosen MAC address on a Kubernetes pod interface with the Calico Enterprise CNI plugin for cases such as MAC-bound software licenses.
Use NodeLocal DNSCache in your cluster
Run NodeLocal DNSCache alongside Calico Enterprise and write the network policy that lets pod DNS traffic reach the per-node cache.
Configure QoS Controls
Apply Calico Enterprise QoS controls to cap pod ingress and egress bandwidth, packet rate, and connection counts, plus DiffServ marking on egress.
IP address management
LoadBalancer IP address management
Use the Calico Enterprise LoadBalancer controller to allocate IPs to Kubernetes Service type LoadBalancer from configured IPPool resources.
Egress gateways
Configure egress gateways, on-premises
Send selected application traffic through Calico Enterprise egress gateways on-premises so external firewalls see a predictable source IP for cluster workloads.
Configure egress gateways, Azure
Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use native Azure VNet IPs recognised by Azure routing.
Configure egress gateways, AWS
Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use VPC subnet IPs visible to the AWS fabric.
Optimize egress networking for workloads with long-lived TCP connections
Reduce the impact of Calico Enterprise egress gateway maintenance on workloads with long-lived TCP sessions by reading termination annotations and timing draining.
Configure egress traffic to multiple external networks
Steer Calico Enterprise egress gateway traffic onto multiple external networks with potentially overlapping IPs by associating gateways with named ExternalNetworks.
Troubleshoot egress gateways
Troubleshooting guide for Calico Enterprise egress gateways covering connection failures, source IP mismatches, BGP route advertisement, and required pod metadata.