Tigera product comparison
Calico Open Source
The base product that comprises both Calico Enterprise and Calico Cloud. It provides the core networking and network policy features.
Calico Enterprise
Includes the Calico Open Source core networking and network policy, but adds advanced features for networking, network policy, visibility and troubleshooting, threat defense, and compliance reports.
Calico Cloud
The SaaS version of Calico Enterprise. It adds Image Assurance to scan and detect vulnerabilities in images, and container threat defense to detect malware. It also adds onboarding tutorials, and eliminates the cost to manage Elasticsearch logs and storage that comes with Calico Enterprise.
What is the best fit for you? It depends on your needs. The following table provides a high-level comparison.
Product | Cost and support | Best fit |
---|---|---|
Calico Open Source | Free, community-supported | Users who want best-in-class networking and network policy capabilities for Kubernetes without any costs. |
Calico Enterprise | Paid subscription | Enterprise teams who need full control to customize their networking security deployment to meet regulatory and compliance requirements for Kubernetes at scale. Teams who want Tigera Customer Support for day-zero to production best practices, custom training and workshops, and Solution Architects to customize solutions. |
Calico Cloud | Free trial with hands-on training from Customer Support, then pay-as-you-go with self-service training. Also offered as an annual subscription. | Small teams who need to manage the full spectrum of compliance in a web-based console for novice users: - Secure clusters, pods, and applications - Scan images for vulnerabilities - Web-based UI for visibility to troubleshoot Kubernetes - Detect and mitigate threats - Run compliance reports Enterprise teams who want to scale their Calico Enterprise on-premises deployments by providing more self-service to developers. |
Product comparison by feature
Calico Open Source | Calico Cloud | Calico Enterprise | |
---|---|---|---|
Networking | |||
High-performance, scalable pod networking | |||
Advanced IP address management | |||
Direct infrastructure peering without the overlay | |||
Dual ToR peering | |||
Egress gateway | |||
Multiple Calico networks on a pod | |||
Apps, pods, clusters | |||
Seamless support with Kubernetes network policy | |||
Label-based (identity-aware) policy | |||
Namespace and cluster-wide scope | |||
Global default deny policy design | |||
Application layer policy | |||
Policy for services | |||
Web UI | |||
Onboarding tutorials and lab cluster | |||
DNS/FQDN-based policy | |||
Hierarchical tiered network policy | |||
Policy recommendations | |||
Preview and staged network policy | |||
Policy integration for third-party firewalls | |||
Network sets to limit IP ranges for egress and ingress traffic to workloads | |||
Data | |||
Data-in-transit encryption for pod traffic using WireGuard | |||
SIEM integration | |||
Non-cluster hosts | |||
Restrict traffic to/from hosts using network policy | |||
Automatic host endpoints | |||
Secure Kubernetes nodes with host endpoints managed by Calico | |||
Apply policy to host-forwarded traffic | |||
Dataplane | |||
eBPF | |||
iptables | |||
Windows HNS | |||
VPP | |||
Image vulnerability management | |||
Scan images for vulnerabilities for workloads in Kubernetes cluster | |||
Create policy to block vulnerable images from your clusters | |||
Runtime view to assess impact of newly-found vulnerabilities | |||
Observability and troubleshooting | |||
Application level observability and troubleshooting | |||
Service Graph | |||
Packet capture | |||
Elasticsearch logs (flow, l7, audit, bgp, dns, events) | |||
Alerts | |||
Kibana DNS dashboards | |||
Traffic Flow Visualizer | |||
Multi-cluster management | |||
Multi-cluster management | |||
Federated identity and services | |||
Threat defense | |||
Anomaly detection | |||
Container threat detection | |||
Workload-centric Web Application Firewall (WAF) | |||
Honeypods to see intruder activity | |||
Add threatfeeds to trace suspicious network flows | |||
Reports | |||
Compliance reports | |||
CIS benchmark reports | |||
Monitor Calico components | |||
Prometheus |