Tigera, creator of Calico Open Source, has announced the availability of Calico Container Networking Interface (CNI) for Azure Kubernetes Service (AKS). With this release, AKS users can use Calico Open Source as their CNI for robust, scalable and high-performance networking. Calico supports hybrid and multi-cloud environments, giving users the ability to expand to those environments. Tigera also provides a Cloud-Native Application Protection Platform (CNAPP) built on top of Calico, which enables organizations to provide active security for their container and Kubernetes environments.
“We’ve been working with Microsoft for a number of years, and it just made perfect sense for us to extend our security policy capabilities, which are already available on Azure, to also allow CNI capabilities. And we are the first vendor and probably right now the only vendor to offer CNI capabilities, in addition to the CNI that Microsoft provides,” says Utpal Bhatt, CMO of Tigera, on the latest episode of TFiR Insights.
Key highlights from this video interview are:
- A lot of the organizations adopting AKS are larger organizations with a combination of applications running in their own infrastructure on their servers and applications that are running in the cloud. Bhatt discusses why the needs of that multi-cluster hybrid environment are so critical for those types of organizations and what drove Tigera to bring CNI to AKS users.
- Security challenges are critical because a microservices-based architecture has a large attack surface. Bhatt explains how CNAPP aims to reduce the attack surface by bringing the principles of zero trust to the platform. He explains how the policy engine that is built alongside Calico helps protect ingress and egress traffic.
- Bhatt explains the rich set of capabilities and key benefits of Calico CNI, the policy engine and CNAPP. He discusses how CNAPP provides a set of runtime security controls to identify zero-day threats and micro-segment workloads for a better security posture.
The summary of the show is written by Emily Nicholls.
Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.
Swapnil Bhartiya: Hi, this is Swapnil Bhartiya and welcome to TFIR Insights. And today we have with us once again Utpal Bhatt of Tigera. And today we are going to talk about two things. Number one, the announcement of the open source CNI for AKS, as well as the state of cloud security report. Utpal, it’s great to have you back on the show.
Utpal Bhatt: Very excited to be back on the show again, Swapnil.
Swapnil Bhartiya: Let’s talk about Calico container network interface, which is now available or accessible to AKS users. What does it mean for these users? How will they benefit from it? Or what are the benefits they will get from it?
Utpal Bhatt: Yeah. So first, a little bit of background, and then I’ll tell you what the benefits are. So AKS is a very fast growing service for Kubernetes and of course, it’s a Microsoft service. Up until now, for the AKS users, the option was to use the AKS provided CNI or the Microsoft provided CNI. And they could on top of that use any policy engine including Calico which is one of the most popular policy engines for Microsoft users as well. And with this announcement, what Microsoft has made it possible is for their customers to bring their own CNI. And we are super excited that one of the CNIs that they can bring on top of their clusters is Calico.
And what does it mean for the AKS customers? Primarily, in addition to the choice of CNIs they have with Calico, they have the ability to use what is clearly the world’s most adopted CNI and CNI that’s known for its robustness, for its performance and for its blazing fast scale and connectivity. So those are the reasons that have led to the growth of Calico as a CNI and now Microsoft users or AKS users have the option to use that. Another key requirement for a lot of organizations today is the deployment of hybrid and multi-cloud architectures. And the fact the choice of CNI will make it possible for such architectures to come to life. The fact that Calico supports a multi-cluster environment, a hybrid multi-cloud environment that as soon as a user of AKS chooses Calico, they have the ability to expand to those environments.
And then the third biggest benefit is that in addition to the open source, Calico, we also provide a CNAPP platform which is built on top of Calico that enables organizations to provide active security for their container and Kubernetes environments all the way from build to deploy time. And so this enables a one stop kind of shop and a seamless upgrade from your choice of CNI to complete security platform for your AKS clusters.
Swapnil Bhartiya: Thanks for explaining all of that. I’m also curious, you did talk about, of course, that Microsoft bring your own CNI, but what was the driver that kind of encouraged or drove Tigera to bring this to AKS users?
Utpal Bhatt: The biggest thing is the growth of Microsoft AKS clusters. It’s being adopted very rapidly across enterprise organizations. And as we look at the kinds of organizations that are adopting AKS, you’ll see that a lot of these organizations are larger organizations. They have a combination of applications that are both running in their own infrastructure on their servers and combination of applications that are running in the cloud. So the needs of that multi-cluster hybrid environment are going to be very critical for these types of organizations and hence, and it makes perfect sense. In addition, we’ve had a longstanding relationship with Microsoft. We’ve been working with Microsoft for a number of years, and it just made perfect sense for us to extend our security policy capabilities, which are already available on Azure, to also allow CNI capabilities. And we are the first vendor and probably right now the only vendor to offer CNI capabilities, in addition to the CNI that Microsoft provides.
Swapnil Bhartiya: Now, let’s talk about security. What will be the impact on or how is it going to help with zero trust workload security because you and I talk about security a lot?
Utpal Bhatt: Yeah. So the thing about Calico CNAPP in addition to the CNI is it enables organizations, especially, and if you look at folks who are adopting AKS and AKS clusters, they have to think about security all the way from build to run time. And because it’s a microservices-based architecture, that attack surface is extremely large. And on top of that, you throw in components that are dynamic, that are ephemeral, that are scaling, sometimes scaling across clouds, across hybrid environments. Security challenges are critical. And what this means, the way we have thought about our CNAPP is that it’s not just about trying to find the most number of threats, but it’s also actively reducing the attack surface by bringing the principles of zero trust to your platform, which is what we do.
And the policy engine that is built alongside Calico will help you protect your ingress and egress traffic. It’ll also protect workload to workload communication and secure it using the principles of zero trust. And we also have the Calico CNAPP platform also provides significant threat detection capabilities using threat feeds and machine learning. And then finally, you can also easily mitigate any sort of risks if you identify risks by specifying the right set of policies. So all these security advantages will now be available to users of AKS, and they can secure their application all the way from their build to run time stages.
Swapnil Bhartiya: Can you also talk about, in addition to of course security, what are the other key benefits can lead to that in the big thing when we were talking about, but what are the other benefits that users will reap from this?
Utpal Bhatt: There are a few things. I can break down the entire set of products and how they build upon each other. So with CNI, they have the ability to get the most scalable and high performance container networking. And that’s kind of the base level functionality that they’ll be able to get with the CNI. In addition to that, they also have access to the policy engine and the policy engine enables them to specify security policies, they’ll control traffic between the various endpoints using Kubernetes context, right?
And then on top of that, the last piece that they can add on is the Calico CNAPP, which is what’s going to add a few different things. So it’s going to add image assurance so they can bring in scanning. So they’re able to scan their images before they get deployed. It also provides configuration security. So if you are, in this case, the orchestrator would be AKS. And if they want to compare their security of the orchestrator against SUSE benchmarks, they can do that. It also provides workload compliance for frameworks, such as PCI, GDPR, CCPA, SOC2 and more. They can also use their custom frameworks.
And then finally it provides a set of runtime security controls, including malware detection, ransomware detection, the ability to identify zero-day threats and also micro-segment their workloads for better security posture. And then on top of all these things, what the platform also will provide is in-depth observability, where they’re able to see service to service communication, they’re able to see where the potential vulnerabilities are, what’s the exposure radius of those vulnerabilities and take actions based on that information. So it’s a very rich set of capabilities that they’ll be able to get beyond just the CNI.