# Calico Cloud > SaaS-based Kubernetes security and observability platform. ## About Calico - [About Calico](https://docs.tigera.io/calico-cloud/about/): A brief description of Calico, deployment options, and features. - [Calico product editions](https://docs.tigera.io/calico-cloud/about/calico-product-editions): Compare Calico product editions to find the right one for your needs. ## Calico Cloud Free Tier - [Calico Cloud Free Tier](https://docs.tigera.io/calico-cloud/free/): Placeholder description. - [Calico Cloud Free Tier](https://docs.tigera.io/calico-cloud/free/overview): Overview of Calico Cloud Free Tier - [Calico Cloud Free Tier quickstart guide](https://docs.tigera.io/calico-cloud/free/quickstart): Quickstart guide for Calico Cloud Free Tier. - [Connect a cluster to Calico Cloud Free Tier](https://docs.tigera.io/calico-cloud/free/connect-cluster-free): Securely connect your cluster to Calico Cloud Free Tier to access centralized network observability for your Kubernetes deployment. - [Remove a cluster from Calico Cloud Free Tier](https://docs.tigera.io/calico-cloud/free/disconnect-cluster-free): Disconnect and remove your cluster from Calico Cloud Free Tier ## Install and upgrade - [Install and upgrade](https://docs.tigera.io/calico-cloud/get-started/): Steps to connect clusters to Calico Cloud and upgrade. - [Calico Cloud architecture](https://docs.tigera.io/calico-cloud/get-started/cc-arch-diagram): Understand the main components of Calico Cloud. - [What happens when you connect a cluster to Calico Cloud](https://docs.tigera.io/calico-cloud/get-started/connect-cluster): Get answers to your questions about connecting to Calico Cloud. - [System requirements](https://docs.tigera.io/calico-cloud/get-started/system-requirements): Review cluster requirements to connect to Calico Cloud. - [Prepare your cluster for Calico Cloud](https://docs.tigera.io/calico-cloud/get-started/prepare-cluster): Prepare your cluster to install Calico Cloud. - [Connect a cluster to Calico Cloud](https://docs.tigera.io/calico-cloud/get-started/install-cluster): Steps to connect your cluster to Calico Cloud. - [Connect a cluster to Calico Cloud using a private registry](https://docs.tigera.io/calico-cloud/get-started/install-private-registry): Steps to connect your cluster to Calico Cloud. - [Install Calico Cloud as part of an automated workflow](https://docs.tigera.io/calico-cloud/get-started/install-automated): Install Calico Cloud as part of an automated workflow. - [Set up a private registry](https://docs.tigera.io/calico-cloud/get-started/setup-private-registry): Add images to a private registry for installing Calico Cloud on a cluster. - [Limitations and known issues for Windows nodes](https://docs.tigera.io/calico-cloud/get-started/windows-limitations): Review limitations before starting installation. - [Troubleshooting checklist](https://docs.tigera.io/calico-cloud/get-started/checklist): Review this checklist before opening a Support ticket. - [Tigera Operator troubleshooting checklist](https://docs.tigera.io/calico-cloud/get-started/operator-checklist): Additional troubleshooting for the Tigera Operator. - [Upgrade Calico Cloud](https://docs.tigera.io/calico-cloud/get-started/upgrade-cluster): Steps to upgrade to the latest version of Calico Cloud. ## Users - [Users](https://docs.tigera.io/calico-cloud/users/): Manage users and user permissions for the web console. - [Set up users](https://docs.tigera.io/calico-cloud/users/user-management): Authenticate and authorize users. - [Creating and assigning custom roles](https://docs.tigera.io/calico-cloud/users/create-and-assign-custom-roles): Create and assign custom roles to give specific, cluster-specific permission to your users. - [Give role-based access to an Entra ID group](https://docs.tigera.io/calico-cloud/users/create-custom-role-for-entra-id-group): Create custom roles for Entra ID groups. ## Tutorials - [Tutorials](https://docs.tigera.io/calico-cloud/tutorials/): Learn more about Calico Cloud and Kubernetes network policy. - [Web console features](https://docs.tigera.io/calico-cloud/tutorials/calico-cloud-features/): Learn about visibility and troubleshooting features in the web console. - [Web console tutorial](https://docs.tigera.io/calico-cloud/tutorials/calico-cloud-features/tour): A quick tour of the Calico Cloud user interface. - [Service Graph tutorial](https://docs.tigera.io/calico-cloud/tutorials/calico-cloud-features/service-graph): Learn the basics of using Service Graph. - [Understanding network sets](https://docs.tigera.io/calico-cloud/tutorials/calico-cloud-features/networksets): Learn the power of network sets and why you should create them. - [Projects](https://docs.tigera.io/calico-cloud/tutorials/calico-cloud-features/projects): About projects - [Secure ingress and egress for applications](https://docs.tigera.io/calico-cloud/tutorials/applications/): Learn how to secure ingress and egress access to/from applications and microservices. - [Secure ingress access to a microservice or application](https://docs.tigera.io/calico-cloud/tutorials/applications/ingress-microservices): Create policy to secure ingress access to your microservice or application. - [Secure egress access from workloads to destinations outside the cluster](https://docs.tigera.io/calico-cloud/tutorials/applications/egress-controls): Learn egress access controls using domains and IP addresses. - [Implement enterprise security controls](https://docs.tigera.io/calico-cloud/tutorials/enterprise-security/): Implement common enterprise security controls for security and platform tiers. - [Namespace isolation and access controls](https://docs.tigera.io/calico-cloud/tutorials/enterprise-security/namespace-isolation): Learn how to isolate namespaces for ingress traffic. - [Global egress access controls](https://docs.tigera.io/calico-cloud/tutorials/enterprise-security/global-egress): Implement global egress access controls. - [Global default deny policy](https://docs.tigera.io/calico-cloud/tutorials/enterprise-security/default-deny): Implement a global default deny policy in the default tier to block unwanted traffic. - [Platform application access controls](https://docs.tigera.io/calico-cloud/tutorials/enterprise-security/platform): Implement ingress and egress access controls for platform applications. - [Kubernetes for beginners](https://docs.tigera.io/calico-cloud/tutorials/training/): Learn the basics of Kubernetes networking and Calico Cloud networking. - [What is network policy?](https://docs.tigera.io/calico-cloud/tutorials/training/about-network-policy): Learn the basics of Kubernetes and Calico Cloud network policy - [Kubernetes services](https://docs.tigera.io/calico-cloud/tutorials/training/about-kubernetes-services): Learn the three main service types and how to use them. - [Kubernetes ingress](https://docs.tigera.io/calico-cloud/tutorials/training/about-kubernetes-ingress): Learn the different ingress implementations and how ingress and policy interact. - [Kubernetes egress](https://docs.tigera.io/calico-cloud/tutorials/training/about-kubernetes-egress): Learn why you should restrict egress traffic and how to do it. - [Kubernetes tutorials and demos](https://docs.tigera.io/calico-cloud/tutorials/kubernetes-tutorials/): Kubernetes tutorials and demos - [Kubernetes policy, demo](https://docs.tigera.io/calico-cloud/tutorials/kubernetes-tutorials/kubernetes-demo): An interactive demo that visually shows how applying Kubernetes policy allows and denies connections. - [Get started with Kubernetes network policy](https://docs.tigera.io/calico-cloud/tutorials/kubernetes-tutorials/kubernetes-network-policy): Learn Kubernetes policy syntax, rules, and features for controlling network traffic. - [Kubernetes policy, basic tutorial](https://docs.tigera.io/calico-cloud/tutorials/kubernetes-tutorials/kubernetes-policy-basic): Learn how to use basic Kubernetes network policy to securely restrict traffic to/from pods. - [Kubernetes policy, advanced tutorial](https://docs.tigera.io/calico-cloud/tutorials/kubernetes-tutorials/kubernetes-policy-advanced): Learn how to create more advanced Kubernetes network policies (namespace, allow and deny all ingress and egress). ## Network policy - [Network policy](https://docs.tigera.io/calico-cloud/network-policy/): Calico Cloud Network Policy and Calico Cloud Global Network Policy are the fundamental resources to secure workloads and hosts, and to adopt a zero trust security model. - [Policy recommendations](https://docs.tigera.io/calico-cloud/network-policy/recommendations/): Enable policy recommendations for namespaces to improve your security posture. - [Enable policy recommendations](https://docs.tigera.io/calico-cloud/network-policy/recommendations/policy-recommendations): Enable continuous policy recommendations to secure unprotected namespaces or workloads. - [Policy recommendations tutorial](https://docs.tigera.io/calico-cloud/network-policy/recommendations/learn-about-policy-recommendations): Policy recommendations tutorial. - [Policy best practices](https://docs.tigera.io/calico-cloud/network-policy/policy-best-practices): Learn policy best practices for security, scalability, and performance. - [Policy tiers](https://docs.tigera.io/calico-cloud/network-policy/policy-tiers/): Learn how policy tiers allow diverse teams to securely manage Kubernetes policy. - [Get started with policy tiers](https://docs.tigera.io/calico-cloud/network-policy/policy-tiers/tiered-policy): Understand how tiered policy works and supports microsegmentation. - [Network policy tutorial](https://docs.tigera.io/calico-cloud/network-policy/policy-tiers/policy-tutorial-ui): Covers the basics of Calico Cloud network policy. - [Change allow-tigera tier behavior](https://docs.tigera.io/calico-cloud/network-policy/policy-tiers/allow-tigera): Understand how to change the behavior of the allow-tigera tier. - [Configure RBAC for tiered policies](https://docs.tigera.io/calico-cloud/network-policy/policy-tiers/rbac-tiered-policies): Configure RBAC to control access to policies and tiers. - [Get started with network sets](https://docs.tigera.io/calico-cloud/network-policy/networksets): Learn the power of network sets and why you should create them. - [Global default deny policy best practices](https://docs.tigera.io/calico-cloud/network-policy/default-deny): Implement a global default deny policy in the default tier to block unwanted traffic. - [Stage, preview impacts, and enforce policy](https://docs.tigera.io/calico-cloud/network-policy/staged-network-policies): Stage and preview policies to observe traffic implications before enforcing them. - [Troubleshoot policies](https://docs.tigera.io/calico-cloud/network-policy/policy-troubleshooting): Common policy implementation problems. - [Calico Cloud network policy for beginners](https://docs.tigera.io/calico-cloud/network-policy/beginners/): Learn how to create your first Calico Cloud network policy. - [Enable a default deny policy for Kubernetes pods](https://docs.tigera.io/calico-cloud/network-policy/beginners/kubernetes-default-deny): Create a default deny network policy so pods that are missing policy are not allowed traffic until appropriate network policy is defined. - [Get started with Calico network policy](https://docs.tigera.io/calico-cloud/network-policy/beginners/calico-network-policy): Create your first Calico network policies. Shows the rich features using sample policies that extend native Kubernetes network policy. - [Calico Cloud automatic labels](https://docs.tigera.io/calico-cloud/network-policy/beginners/calico-labels): Calico Cloud automatic labels for use with resources. - [Calico Cloud for Kubernetes demo](https://docs.tigera.io/calico-cloud/network-policy/beginners/simple-policy-cnx): Learn the extra features for Calico Cloud that make it so important for production environments. - [Policy rules](https://docs.tigera.io/calico-cloud/network-policy/beginners/policy-rules/): Control traffic to/from endpoints using Calico network policy rules. - [Basic rules](https://docs.tigera.io/calico-cloud/network-policy/beginners/policy-rules/policy-rules-overview): Define network connectivity for Calico endpoints using policy rules and label selectors. - [Use namespace rules in policy](https://docs.tigera.io/calico-cloud/network-policy/beginners/policy-rules/namespace-policy): Use namespaces and namespace selectors in Calico network policy to group or separate resources. Use network policies to allow or deny traffic to/from pods that belong to specific namespaces. - [Use service accounts rules in policy](https://docs.tigera.io/calico-cloud/network-policy/beginners/policy-rules/service-accounts): Use Kubernetes service accounts in policies to validate cryptographic identities and/or manage RBAC controlled high-priority rules across teams. - [Use service rules in policy](https://docs.tigera.io/calico-cloud/network-policy/beginners/policy-rules/service-policy): Use Kubernetes Service names in policy rules. - [Use external IPs or networks rules in policy](https://docs.tigera.io/calico-cloud/network-policy/beginners/policy-rules/external-ips-policy): Limit egress and ingress traffic using IP address either directly within Calico network policy or managed as Calico network sets. - [Use ICMP/ping rules in policy](https://docs.tigera.io/calico-cloud/network-policy/beginners/policy-rules/icmp-ping): Control where ICMP/ping is used by creating a Calico network policy to allow and deny ICMP/ping messages for workloads and host endpoints. - [Policy for Kubernetes services](https://docs.tigera.io/calico-cloud/network-policy/beginners/services/): Apply Calico policy to Kubernetes node ports, and to services that are exposed externally as cluster IPs. - [Apply Calico Cloud policy to Kubernetes node ports](https://docs.tigera.io/calico-cloud/network-policy/beginners/services/kubernetes-node-ports): Restrict access to Kubernetes node ports using Calico Cloud global network policy. Follow the steps to secure the host, the node ports, and the cluster. - [Apply Calico Cloud policy to services exposed externally as cluster IPs](https://docs.tigera.io/calico-cloud/network-policy/beginners/services/services-cluster-ips): Expose Kubernetes service cluster IPs over BGP using Calico Cloud, and restrict who can access them using Calico Cloud network policy. - [DNS policy](https://docs.tigera.io/calico-cloud/network-policy/domain-based-policy): Use domain names to allow traffic to destinations outside of a cluster by their DNS names instead of by their IP addresses. - [Application layer policies to control ingress traffic](https://docs.tigera.io/calico-cloud/network-policy/application-layer-policies/): Use application layer policies to restrict ingress traffic based on HTTP attributes. - [Enable and enforce application layer policies](https://docs.tigera.io/calico-cloud/network-policy/application-layer-policies/alp): Enforce application layer policies in your cluster to configure access controls based on L7 attributes. - [Application layer policy tutorial](https://docs.tigera.io/calico-cloud/network-policy/application-layer-policies/alp-tutorial): Learn how to apply ALP to your workloads and control ingress traffic. - [Policy for firewalls](https://docs.tigera.io/calico-cloud/network-policy/policy-firewalls/): Use Calico Cloud policy with existing firewalls. - [Fortinet firewall integrations](https://docs.tigera.io/calico-cloud/network-policy/policy-firewalls/fortinet-integration/): Calico Cloud Fortinet firewall integrations. - [Determine the best Calico Cloud/Fortinet solution](https://docs.tigera.io/calico-cloud/network-policy/policy-firewalls/fortinet-integration/overview): Learn how to integrate Kubernetes clusters with existing Fortinet firewall workflows using Calico Cloud. - [Extend Kubernetes to Fortinet firewall devices](https://docs.tigera.io/calico-cloud/network-policy/policy-firewalls/fortinet-integration/firewall-integration): Enable FortiGate firewalls to control traffic from Kubernetes workloads. - [Extend FortiManager firewall policies to Kubernetes](https://docs.tigera.io/calico-cloud/network-policy/policy-firewalls/fortinet-integration/fortimgr-integration): Extend FortiManager firewall policies to Kubernetes with Calico Cloud - [Protect Kubernetes nodes](https://docs.tigera.io/calico-cloud/network-policy/hosts/kubernetes-nodes): Protect Kubernetes nodes with host endpoints managed by Calico Cloud. - [Apply policy to forwarded traffic](https://docs.tigera.io/calico-cloud/network-policy/hosts/host-forwarded-traffic): Apply Calico Cloud network policy to traffic being forward by hosts acting as routers or NAT gateways. - [Policy for extreme traffic](https://docs.tigera.io/calico-cloud/network-policy/extreme-traffic/): Use Calico network policy early in the Linux packet processing pipeline to handle extreme traffic scenarios. - [Enable extreme high-connection workloads](https://docs.tigera.io/calico-cloud/network-policy/extreme-traffic/high-connection-workloads): Create a Calico network policy rule to bypass Linux conntrack for traffic to workloads that experience extremely large number of connections. - [Defend against DoS attacks](https://docs.tigera.io/calico-cloud/network-policy/extreme-traffic/defend-dos-attack): Define DoS mitigation rules in Calico Cloud policy to quickly drop connections when under attack. Learn how rules use eBPF and XDP, including hardware offload when available. ## Observability - [Observability and troubleshooting](https://docs.tigera.io/calico-cloud/observability/): Use Elasticsearch logs for visibility into all network traffic with Kubernetes context. - [Manage alerts](https://docs.tigera.io/calico-cloud/observability/alerts): Manage alerts and events for Calico Enterprise features. - [Dashboards](https://docs.tigera.io/calico-cloud/observability/dashboards): Dashboards help you see what's going on in your cluster. See how your cluster is performing and visualize your system's log data. - [Create a custom dashboard](https://docs.tigera.io/calico-cloud/observability/create-custom-dashboard): Create a custom dashboard - [Kibana dashboards and logs](https://docs.tigera.io/calico-cloud/observability/kibana): Learn the basics of using Elasticsearch logs and Kibana to gain visibility and troubleshoot. - [Packet capture](https://docs.tigera.io/calico-cloud/observability/packetcapture): Capture live traffic for debugging microservices and application interaction. - [Visualize traffic to and from a cluster](https://docs.tigera.io/calico-cloud/observability/visualize-traffic): Learn the power of network sets. - [Manage Calico Cloud logs](https://docs.tigera.io/calico-cloud/observability/elastic/): Configure logs for visibility in the web console. - [Overview](https://docs.tigera.io/calico-cloud/observability/elastic/overview): Summary of the out-of-box features for Calico Cloud logs. - [Archive logs](https://docs.tigera.io/calico-cloud/observability/elastic/archive-storage): Archive logs to Syslog, Splunk, or Amazon S3 for maintaining compliance data. - [Configure flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/): Configure, filter, and aggregate flow logs. - [Flow log data types](https://docs.tigera.io/calico-cloud/observability/elastic/flow/datatypes): Data that Calico Cloud sends to Elasticsearch. - [Filter flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/filtering): Filter Calico Cloud flow logs. - [Configure flow log aggregation](https://docs.tigera.io/calico-cloud/observability/elastic/flow/aggregation): Configure flow log aggregation to reduce log volume and costs. - [Enable HostEndpoint reporting in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/hep): Enable hostendpoint reporting in flow logs. - [Enabling TCP socket stats in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/tcpstats): Enabling TCP socket stats information in flow logs - [Enable process-level information in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/processpath): Get visibility into process-level network activity in flow logs. - [Audit logs](https://docs.tigera.io/calico-cloud/observability/elastic/audit-overview): Calico Cloud audit logs provide data on changes to resources. - [Manage DNS logs for Calico Cloud](https://docs.tigera.io/calico-cloud/observability/elastic/dns/): Configure and filter DNS logs. - [Query DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/dns-logs): Key/value pairs of DNS activity logs and how to construct queries. - [Filter DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/filtering-dns): Suppress DNS logs of low significance using filters. - [BGP logs](https://docs.tigera.io/calico-cloud/observability/elastic/bgp): Key/value pairs of BGP activity logs and how to construct queries. - [L7 logs](https://docs.tigera.io/calico-cloud/observability/elastic/l7/): Configure Elasticsearch L7 logs. - [Configure L7 logs](https://docs.tigera.io/calico-cloud/observability/elastic/l7/configure): Configure and aggregate L7 logs. - [L7 log data types](https://docs.tigera.io/calico-cloud/observability/elastic/l7/datatypes): L7 data that Calico Cloud sends to Elasticsearch. - [Kubernetes audit logs](https://docs.tigera.io/calico-cloud/observability/kube-audit): Enable Kubernetes audit logs on changes to Kubernetes resources. - [iptables logs](https://docs.tigera.io/calico-cloud/observability/iptables): Learn how policy audit mode rules can affect the number of iptables logs. ## Threat defense - [Threat defense](https://docs.tigera.io/calico-cloud/threat/): Trace, analyze, and block malicious threats using intelligent feeds and alerts. - [Webhooks for security event alerts](https://docs.tigera.io/calico-cloud/threat/configuring-webhooks): Use webhooks to send security event alerts to third-party systems. - [Security event management](https://docs.tigera.io/calico-cloud/threat/security-event-management): Manage security events from your cluster in a single place. - [Trace and block suspicious IPs](https://docs.tigera.io/calico-cloud/threat/suspicious-ips): Add threat intelligence feeds to trace network flows of suspicious IP addresses, and optionally block traffic to them. - [Trace and alert on suspicious domains](https://docs.tigera.io/calico-cloud/threat/suspicious-domains): Add threat intelligence feeds to trace DNS queries that involve suspicious domains. - [Anonymization attacks](https://docs.tigera.io/calico-cloud/threat/tor-vpn-feed-and-dashboard): Detect and analyze malicious anonymization activity using Tor-VPN feeds. - [Deep packet inspection](https://docs.tigera.io/calico-cloud/threat/deeppacketinspection): Monitor live traffic for malicious activities. - [Container threat detection](https://docs.tigera.io/calico-cloud/threat/container-threat-detection): Threat detection for containerized workloads. - [Workload-based Web Application Firewall (WAF)](https://docs.tigera.io/calico-cloud/threat/web-application-firewall): Configure Calico to use with Layer 7 Web Application Firewall. - [Deploy a web application firewall with Calico Ingress Gateway](https://docs.tigera.io/calico-cloud/threat/deploying-waf-ingress-gateway): Deploy WAF with ingress gateways - [Image Assurance](https://docs.tigera.io/calico-cloud/image-assurance/): Detect and block vulnerable images from container workloads. - [Scanners](https://docs.tigera.io/calico-cloud/image-assurance/scanners/): Scan images and workloads for vulnerabilities. - [Choose an image scanning method](https://docs.tigera.io/calico-cloud/image-assurance/scanners/overview): Choose a method to scan images for vulnerabilities. - [Scan images in a Kubernetes cluster](https://docs.tigera.io/calico-cloud/image-assurance/scanners/cluster-scanner): Detect vulnerabilities in a Kubernetes cluster. - [Integrate the scanner into your build pipeline](https://docs.tigera.io/calico-cloud/image-assurance/scanners/pipeline-scanner): Scan images in your build pipeline using Image Assurance. - [Scan images in container registries](https://docs.tigera.io/calico-cloud/image-assurance/scanners/registry-scanner): Scan images in container registries. - [View scanned and running images](https://docs.tigera.io/calico-cloud/image-assurance/understanding-scan-results): Understand scan results in the web console. - [Exclude vulnerabilities from scan results](https://docs.tigera.io/calico-cloud/image-assurance/exclude-vulnerabilities-from-scan-results): Reduce noise in your Image Assurance scan results by excluding vulnerabilities. - [Set up alerts on vulnerabilities](https://docs.tigera.io/calico-cloud/image-assurance/set-up-alerts): Get alerts on vulnerabilities. - [Create policy to block vulnerable images from your cluster](https://docs.tigera.io/calico-cloud/image-assurance/install-the-admission-controller): Block vulnerable containers from being deployed into your cluster using the Admission Controller. - [Create a Jira issue for your image scan results](https://docs.tigera.io/calico-cloud/image-assurance/creating-jira-issues-for-scan-results): Creating Jira Issues for you scan results. ## Compliance and security - [Compliance and security](https://docs.tigera.io/calico-cloud/compliance/): Get reports on Kubernetes workloads and environments for regulatory compliance. - [Enable compliance reports](https://docs.tigera.io/calico-cloud/compliance/enable-compliance): Enable compliance reports to configure reports to assess compliance for all assets in a Kubernetes cluster. - [Schedule and run compliance reports](https://docs.tigera.io/calico-cloud/compliance/overview): Get the reports for regulatory compliance on Kubernetes workloads and environments. - [Configure CIS benchmark reports](https://docs.tigera.io/calico-cloud/compliance/compliance-reports-cis): Configure reports to assess compliance for all assets in a Kubernetes cluster. - [Encrypt data in transit](https://docs.tigera.io/calico-cloud/compliance/encrypt-cluster-pod-traffic): Enable WireGuard for state-of-the-art cryptographic security between pods for Calico Enterprise clusters. - [Configure an outbound HTTP proxy](https://docs.tigera.io/calico-cloud/compliance/configure-http-proxy): Configure an HTTP proxy to use for connections that leave the cluster ## Networking - [Networking](https://docs.tigera.io/calico-cloud/networking/): Calico's flexible networking options reduce the barriers to adopting a CaaS platform solution. Determine the best networking option for your implementation. - [Calico Ingress Gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/about-calico-ingress-gateway): Understand what Calico Ingress Gateway is and how it works. - [Create an ingress gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/create-ingress-gateway): Create an ingress gateway to manage ingress traffic with the Kubernetes Gateway API. - [Customizing your ingress gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/customize-ingress-gateway): Learn how to customize your ingress gateway. - [Tutorial: Launch a canary deployment with Calico Ingress Gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/tutorial-ingress-gateway-canary): Tutorial for ingress gateways and canary deployment - [Networking basics](https://docs.tigera.io/calico-cloud/networking/training/): Learn the basics of Kubernetes networking and Calico Cloud networking. - [Networking overview](https://docs.tigera.io/calico-cloud/networking/training/about-networking): Learn about networking layers, packets, IP addressing, and routing. - [Kubernetes network model](https://docs.tigera.io/calico-cloud/networking/training/about-kubernetes-networking): Learn network behaviors of the Kubernetes network model. - [Configure Calico Cloud networking](https://docs.tigera.io/calico-cloud/networking/configuring/): Configure Calico networking options. - [Configure BGP peering](https://docs.tigera.io/calico-cloud/networking/configuring/bgp): Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors. - [Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico-cloud/networking/configuring/bgp-to-workload): Configure BGP peering with nested clusters running on KubeVirt VMs - [Deploy a dual ToR cluster](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor): Configure a dual plane cluster for redundant connectivity between workloads. - [Configure multiple Calico Cloud networks on a pod](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks): Configure a cluster with multiple Calico Cloud networks on each pod, and enforce security using Calico Cloud tiered network policy. - [Overlay networking](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip): Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses. - [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips): Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP. - [Configure MTU to maximize network performance](https://docs.tigera.io/calico-cloud/networking/configuring/mtu): Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network. - [Custom BGP Configuration](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config): Apply a custom BGP configuration - [Configure outgoing NAT](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster): Configure Calico Cloud networking to perform outbound NAT for connections from pods to outside of the cluster. - [Use a specific MAC address for a pod](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address): Specify the MAC address for a pod instead of allowing the operating system to assign one - [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache): Install NodeLocal DNSCache - [Configure QoS Controls](https://docs.tigera.io/calico-cloud/networking/configuring/qos-controls): Configure QoS (Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections of Calico workloads. - [Egress gateways](https://docs.tigera.io/calico-cloud/networking/egress/): Configure specific application traffic to exit the cluster through an egress gateway for additional security. - [Configure egress gateways, on-premises](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-on-prem): Configure specific application traffic to exit the cluster through an egress gateway. - [Configure egress gateways, AWS](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-aws): Configure specific application traffic to exit the cluster through an egress gateway with a native AWS IP address. - [Configure egress gateways, Azure](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-azure): Configure specific application traffic to exit the cluster through an egress gateway with a native Azure IP address. - [Optimize egress networking for workloads with long-lived TCP connections](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-maintenance): React to egress gateway maintenance windows and minimize the impact of egress gateway downtime on sensitive workloads - [Configure egress traffic to multiple external networks](https://docs.tigera.io/calico-cloud/networking/egress/external-network): Allows workloads from different namespaces of a Kubernetes cluster to egress onto different external networks that (may) have overlapping IPs with each other. - [Troubleshoot egress gateways](https://docs.tigera.io/calico-cloud/networking/egress/troubleshoot): Use checklist to troubleshoot common problems. - [IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/): Calico IPAM is flexible and efficient. Learn how to interoperate with legacy firewalls using IP address ranges, advertise Kubernetes service IPs, and more. - [Get started with IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/get-started-ip-addresses): Configure Calico Cloud to use Calico Cloud IPAM or host-local IPAM, and when to use one or the other. - [Configure default IP pools](https://docs.tigera.io/calico-cloud/networking/ipam/initial-ippool): Configure the default IP address ranges for operator installation. - [Configure IP autodetection](https://docs.tigera.io/calico-cloud/networking/ipam/ip-autodetection): Calico IP autodetection ensures the correct IP address is used for routing. Learn how to customize it. - [Configure dual stack](https://docs.tigera.io/calico-cloud/networking/ipam/ipv6): Configure dual stack for workloads. - [Use a specific IP address with a pod](https://docs.tigera.io/calico-cloud/networking/ipam/use-specific-ip): Specify the IP address for a pod instead of allowing Calico Cloud to automatically choose one. - [Assign IP addresses based on topology](https://docs.tigera.io/calico-cloud/networking/ipam/assign-ip-addresses-topology): Configure Calico Cloud to use specific IP pools for different topologies including zone, rack, or region. - [Migrate from one IP pool to another](https://docs.tigera.io/calico-cloud/networking/ipam/migrate-pools): Migrate pods from one IP pool to another on a running cluster without network disruption. - [Change IP pool block size](https://docs.tigera.io/calico-cloud/networking/ipam/change-block-size): Expand or shrink the IP pool block size to efficiently manage IP pool addresses. - [Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico-cloud/networking/ipam/legacy-firewalls): Restrict the IP address chosen for a pod to a specific range of IP addresses. - [LoadBalancer IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/service-loadbalancer): LoadBalancer IP address management ## Cluster mesh - [Cluster mesh](https://docs.tigera.io/calico-cloud/multicluster/): Steps to configure cluster mesh. - [Overview](https://docs.tigera.io/calico-cloud/multicluster/overview): Configure a cluster mesh for cross-cluster endpoints sharing, cross-cluster connectivity, and cross-cluster service discovery. - [Creating the cluster mesh](https://docs.tigera.io/calico-cloud/multicluster/kubeconfig): Configure a local cluster to pull endpoint data from a remote cluster. - [Configure federated services](https://docs.tigera.io/calico-cloud/multicluster/services-controller): Configure a federated service for cross-cluster service discovery for local clusters. - [Cluster mesh example for clusters in AWS](https://docs.tigera.io/calico-cloud/multicluster/aws): A sample configuration of Calico Enterprise federated endpoint identity and federated services for an AWS cluster. ## Operations - [Operations](https://docs.tigera.io/calico-cloud/operations/): Manage clusters and add new users. - [Manage clusters](https://docs.tigera.io/calico-cloud/operations/cluster-management): Manage cluster storage, add new clusters, and configure alerts. - [Uninstall Calico Cloud from a cluster](https://docs.tigera.io/calico-cloud/operations/disconnect): Steps to use migration script to uninstall Calico Cloud from a cluster. - [Calico Cloud Pro usage and billing](https://docs.tigera.io/calico-cloud/operations/usage-metrics): Where to find Calico Cloud usage metrics. - [Secure Calico component communications](https://docs.tigera.io/calico-cloud/operations/comms/): Secure communications for Calico components. - [Secure Calico Cloud Prometheus endpoints](https://docs.tigera.io/calico-cloud/operations/comms/secure-metrics): Limit access to Calico Cloud metric endpoints using network policy. - [Secure BGP sessions](https://docs.tigera.io/calico-cloud/operations/comms/secure-bgp): Configure BGP passwords to prevent attackers from injecting false routing information. - [Monitoring](https://docs.tigera.io/calico-cloud/operations/monitor/): Tools for scraping useful metrics. - [Prometheus](https://docs.tigera.io/calico-cloud/operations/monitor/prometheus/): Configure open-source toolkit for systems monitoring and alerting. - [Prometheus support](https://docs.tigera.io/calico-cloud/operations/monitor/prometheus/support): Prometheus support in Calico Cloud. - [Recommended Prometheus metrics](https://docs.tigera.io/calico-cloud/operations/monitor/metrics/recommended-metrics): Recommended Prometheus metrics for monitoring Calico Enterprise components. - [Bring your own Prometheus](https://docs.tigera.io/calico-cloud/operations/monitor/prometheus/byo-prometheus): Steps to get Calico Cloud metrics using your own Prometheus. - [Configure Prometheus](https://docs.tigera.io/calico-cloud/operations/monitor/prometheus/configure-prometheus): Configure rules for alerts and denied packets, for persistent storage. - [Configure Alertmanager](https://docs.tigera.io/calico-cloud/operations/monitor/prometheus/alertmanager): Configure Alertmanager, a Prometheus feature that routes alerts. - [Metrics](https://docs.tigera.io/calico-cloud/operations/monitor/metrics/): Configure Prometheus metrics. - [BGP metrics](https://docs.tigera.io/calico-cloud/operations/monitor/metrics/bgp-metrics): Monitor BGP peering and route exchange in your cluster and get alerts by defining rules and thresholds. - [Policy metrics](https://docs.tigera.io/calico-cloud/operations/monitor/metrics/policy-metrics): Monitor the effects of policy in your cluster and received alerts by defining rules and thresholds. - [Fluentd metrics](https://docs.tigera.io/calico-cloud/operations/monitor/metrics/elasticsearch-and-fluentd-metrics): Monitor Fluentd metrics and get alerts on log storage or collection issues. - [eBPF data plane mode](https://docs.tigera.io/calico-cloud/operations/ebpf/): Documentation for eBPF data plane mode, including how to enable eBPF data plane mode. - [eBPF use cases](https://docs.tigera.io/calico-cloud/operations/ebpf/use-cases-ebpf): Learn when to use eBPF, and when not to. - [Enable eBPF on an existing cluster](https://docs.tigera.io/calico-cloud/operations/ebpf/enabling-ebpf): Steps to enable the eBPF data plane on an existing cluster. - [Troubleshoot eBPF mode](https://docs.tigera.io/calico-cloud/operations/ebpf/troubleshoot-ebpf): How to troubleshoot when running in eBPF mode. - [Component logs](https://docs.tigera.io/calico-cloud/operations/component-logs): Where to find component logs. ## Reference - [Reference](https://docs.tigera.io/calico-cloud/reference/): Resource definitions and APIs. - [Tigera Client library](https://docs.tigera.io/calico-cloud/reference/api): Learn about the Tigera client library and how to use it. - [Installation reference](https://docs.tigera.io/calico-cloud/reference/installation/api): Installation API reference - [Image Assurance Installation reference](https://docs.tigera.io/calico-cloud/reference/installation/ia-api): Image Assurance Installation API reference - [Resource definitions](https://docs.tigera.io/calico-cloud/reference/resources/): APIs for all Calico networking and network policy resources. - [Resource definitions](https://docs.tigera.io/calico-cloud/reference/resources/overview): Calico Cloud resources (APIs) that you can manage using calicoctl. - [BFD configuration](https://docs.tigera.io/calico-cloud/reference/resources/bfdconfig): API for this Calico Enterprise resource. - [BGP configuration](https://docs.tigera.io/calico-cloud/reference/resources/bgpconfig): API for this Calico Cloud resource. - [BGP peer](https://docs.tigera.io/calico-cloud/reference/resources/bgppeer): API for this Calico Cloud resource. - [BGP Filter](https://docs.tigera.io/calico-cloud/reference/resources/bgpfilter): API for this Calico Cloud resource. - [Block affinity](https://docs.tigera.io/calico-cloud/reference/resources/blockaffinity): IP address management block affinity - [Calico node status](https://docs.tigera.io/calico-cloud/reference/resources/caliconodestatus): API for this Calico resource. - [Container admission policy](https://docs.tigera.io/calico-cloud/reference/resources/containeradmissionpolicy): Resource definition. - [Compliance reports (deprecated)](https://docs.tigera.io/calico-cloud/reference/resources/compliance-reports/): Compliance reporting API. - [Compliance reports (deprecated)](https://docs.tigera.io/calico-cloud/reference/resources/compliance-reports/overview): Schedule reports and configure report scope. - [Inventory report](https://docs.tigera.io/calico-cloud/reference/resources/compliance-reports/inventory): API for this resource. - [Network Access report](https://docs.tigera.io/calico-cloud/reference/resources/compliance-reports/network-access): API for this resource. - [Policy audit report](https://docs.tigera.io/calico-cloud/reference/resources/compliance-reports/policy-audit): API for this resource. - [CIS benchmark report](https://docs.tigera.io/calico-cloud/reference/resources/compliance-reports/cis-benchmark): API for this resource. - [Deep packet inspection](https://docs.tigera.io/calico-cloud/reference/resources/deeppacketinspection): API for this Calico Cloud resource. - [Felix configuration](https://docs.tigera.io/calico-cloud/reference/resources/felixconfig): API for this Calico Enterprise resource. - [Egress gateway policy](https://docs.tigera.io/calico-cloud/reference/resources/egressgatewaypolicy): API for this Calico Enterprise resource. - [Global Alert](https://docs.tigera.io/calico-cloud/reference/resources/globalalert): API for this Calico Enterprise resource. - [Global network policy](https://docs.tigera.io/calico-cloud/reference/resources/globalnetworkpolicy): API for this Calico Cloud resource. - [Global network set](https://docs.tigera.io/calico-cloud/reference/resources/globalnetworkset): API for this Calico Cloud resource. - [Global report](https://docs.tigera.io/calico-cloud/reference/resources/globalreport): API for this Calico Cloud resource. - [Global threat feed](https://docs.tigera.io/calico-cloud/reference/resources/globalthreatfeed): API for this Calico Cloud resource. - [Host endpoint](https://docs.tigera.io/calico-cloud/reference/resources/hostendpoint): API for this Calico Cloud resource. - [IP pool](https://docs.tigera.io/calico-cloud/reference/resources/ippool): API for this Calico Cloud resource. - [IP reservation](https://docs.tigera.io/calico-cloud/reference/resources/ipreservation): API for this Calico resource. - [IPAM configuration](https://docs.tigera.io/calico-cloud/reference/resources/ipamconfig): IP address management global configuration - [License key](https://docs.tigera.io/calico-cloud/reference/resources/licensekey): API for this Calico Cloud resource. - [Kubernetes controllers configuration](https://docs.tigera.io/calico-cloud/reference/resources/kubecontrollersconfig): API for KubeControllersConfiguration resource. - [Managed Cluster](https://docs.tigera.io/calico-cloud/reference/resources/managedcluster): API for this Calico Cloud resource. - [Network policy](https://docs.tigera.io/calico-cloud/reference/resources/networkpolicy): API for this Calico Cloud resource. - [Network set](https://docs.tigera.io/calico-cloud/reference/resources/networkset): API for this Calico Cloud resource. - [Node](https://docs.tigera.io/calico-cloud/reference/resources/node): API for this Calico Cloud resource. - [PacketCapture](https://docs.tigera.io/calico-cloud/reference/resources/packetcapture): API for this Calico Cloud resource. - [Remote cluster configuration](https://docs.tigera.io/calico-cloud/reference/resources/remoteclusterconfiguration): API for this Calico Cloud resource. - [RuntimeSecurity](https://docs.tigera.io/calico-cloud/reference/resources/runtimesecurity): API for this Calico Cloud resource - [Security event webhook](https://docs.tigera.io/calico-cloud/reference/resources/securityeventwebhook): API for this Calico Enterprise resource. - [Staged global network policy](https://docs.tigera.io/calico-cloud/reference/resources/stagedglobalnetworkpolicy): API for this resource. - [Staged Kubernetes network policy](https://docs.tigera.io/calico-cloud/reference/resources/stagedkubernetesnetworkpolicy): API for this Calico Cloud resource. - [Staged network policy](https://docs.tigera.io/calico-cloud/reference/resources/stagednetworkpolicy): API for this Calico Cloud resource. - [Tier](https://docs.tigera.io/calico-cloud/reference/resources/tier): API for this Calico Cloud resource. - [Workload endpoint](https://docs.tigera.io/calico-cloud/reference/resources/workloadendpoint): API for this Calico Cloud resource. - [Architecture](https://docs.tigera.io/calico-cloud/reference/architecture/): Calico Cloud component architecture diagram, network design, and the data path between workloads. - ['The Calico Cloud data path: IP routing and iptables'](https://docs.tigera.io/calico-cloud/reference/architecture/data-path): Learn how packets flow between workloads in a datacenter, or between a workload and the internet. - [Network design](https://docs.tigera.io/calico-cloud/reference/architecture/design/): Deep dive into using Calico over Ethernet and IP fabrics. - [Calico over Ethernet fabrics](https://docs.tigera.io/calico-cloud/reference/architecture/design/l2-interconnect-fabric): Understand the interconnect fabric options in a Calico network. - [Calico over IP fabrics](https://docs.tigera.io/calico-cloud/reference/architecture/design/l3-interconnect-fabric): Understand considerations for implementing interconnect fabrics with Calico. - [Component resources](https://docs.tigera.io/calico-cloud/reference/component-resources/): Reference content for Calico Cloud component resources. - [Configuring the Calico Cloud CNI plugins](https://docs.tigera.io/calico-cloud/reference/component-resources/configuration): Details for configuring the Calico Cloud CNI plugins. - [Configure resource requests and limits](https://docs.tigera.io/calico-cloud/reference/component-resources/configure-resources): Configure Resource requests and limits. - [kube-controllers](https://docs.tigera.io/calico-cloud/reference/component-resources/kube-controllers/): kube-controllers is a set of Kubernetes controllers for Calico - [Configuring the Calico Cloud Kubernetes controllers](https://docs.tigera.io/calico-cloud/reference/component-resources/kube-controllers/configuration): Calico Cloud Kubernetes controllers monitor the Kubernetes API and perform actions based on cluster state. - [Monitoring kube-controllers with Prometheus](https://docs.tigera.io/calico-cloud/reference/component-resources/kube-controllers/prometheus): Review metrics for the kube-controllers component if you are using Prometheus. - [Calico Cloud node (cnx-node)](https://docs.tigera.io/calico-cloud/reference/component-resources/node/): Learn about the components that comprise the cnx-node. - [Configuring cnx-node](https://docs.tigera.io/calico-cloud/reference/component-resources/node/configuration): Customize cnx-node using environment variables. - [Felix](https://docs.tigera.io/calico-cloud/reference/component-resources/node/felix/): Felix is a Calico component that runs on every machine that provides endpoints. - [Configuring Felix](https://docs.tigera.io/calico-cloud/reference/component-resources/node/felix/configuration): Configure Felix, the daemon that runs on every machine that provides endpoints. - [Monitoring Felix with Prometheus](https://docs.tigera.io/calico-cloud/reference/component-resources/node/felix/prometheus): Review metrics for the Felix component if you are using Prometheus. - [Configuration on public clouds](https://docs.tigera.io/calico-cloud/reference/public-cloud/): Tips for configuring Calico Cloud in your public cloud provider. - [Amazon Web Services](https://docs.tigera.io/calico-cloud/reference/public-cloud/aws): Advantages of using Calico Cloud in AWS. - [Azure](https://docs.tigera.io/calico-cloud/reference/public-cloud/azure): Support for Calico Cloud in Azure. - [Google Compute Engine](https://docs.tigera.io/calico-cloud/reference/public-cloud/gce): Methods to ensure that traffic between containers on different hosts is not dropped by GCE fabric. - [Host endpoints](https://docs.tigera.io/calico-cloud/reference/host-endpoints/): Protect host endpoints with Calico network policy. - [Host endpoints](https://docs.tigera.io/calico-cloud/reference/host-endpoints/overview): Secure host network interfaces. - [Creating policy for basic connectivity](https://docs.tigera.io/calico-cloud/reference/host-endpoints/connectivity): Customize the Calico failsafe policy to protect host endpoints. - [Creating host endpoint objects](https://docs.tigera.io/calico-cloud/reference/host-endpoints/objects): To protect a host interface, start by creating a host endpoint object in etcd. - [Selector-based policies](https://docs.tigera.io/calico-cloud/reference/host-endpoints/selector): Apply ordered policies to endpoints that match specific label selectors. - [Failsafe rules](https://docs.tigera.io/calico-cloud/reference/host-endpoints/failsafe): Avoid cutting off connectivity to hosts because of incorrect network policies. - [Pre-DNAT policy](https://docs.tigera.io/calico-cloud/reference/host-endpoints/pre-dnat): Apply rules in a host endpoint policy before any DNAT. - [Apply on forwarded traffic](https://docs.tigera.io/calico-cloud/reference/host-endpoints/forwarded): Learn the subtleties using the applyOnForward option in host endpoint policies. - [Summary of host endpoint policies](https://docs.tigera.io/calico-cloud/reference/host-endpoints/summary): How different host endpoint rules affect packet flows. - [Connection tracking](https://docs.tigera.io/calico-cloud/reference/host-endpoints/conntrack): Workaround for Linux conntrack if Calico policy is not working as it should. - [Attribution](https://docs.tigera.io/calico-cloud/reference/attribution): Attribution report - [REST API Reference](https://docs.tigera.io/calico-cloud/reference/rest-api-reference): REST API reference - [Frequently asked questions](https://docs.tigera.io/calico-cloud/reference/faq): Common questions that users ask about Calico Enterprise. ## Support and feedback - [Support and feedback](https://docs.tigera.io/calico-cloud/get-help/support): Ways to get help and provide feedback. ## Optional - [Calico Cloud release notes](https://docs.tigera.io/calico-cloud/release-notes/): What's new, and why features provide value for upgrading.