(CNAPP) Calico Cloud and Protecting Cloud Native Workloads

Calico Cloud is a cloud-native security solution that integrates with Azure to provide enhanced security for Kubernetes clusters. In this blog post, we’ll take a look at what Calico Cloud is and how it works, as well as how you can get started using it in Azure.

In this post I’ll show off some of the capabilities of the managed portion of the Calico Cloud offering; you can run a free trial to evaluate the solution. Calico is also available in the Azure Marketplace should you want to take advantage of that. I originally heard of Calico back in 2020 but didn’t get too far along with the training until later, in 2021-2022. I’m a huge fan of the learning academy, as it is supremely in-depth and the labs are top notch for expanding your knowledge of security and network segmentation in Kubernetes with hands-on training.

What is Calico Cloud and how does it work?

Calico Cloud is a cloud-based platform that provides enhanced security for Kubernetes clusters in Azure. Calico Cloud uses a number of features to provide this enhanced security, including network segmentation, role-based access control, and activity monitoring. By using Calico Cloud, you can help ensure that your Kubernetes cluster is better protected from malicious attacks.

There are several benefits to using Calico Cloud to secure your Kubernetes cluster in Azure. First, Calico Cloud can help you segment your network so that only authorized users can access sensitive data. This can help prevent unauthorized access to your cluster. Second, Calico Cloud can help you monitor activity on your cluster so that you can quickly identify and respond to potential threats. Finally, by using Calico Cloud, you can help ensure that your Kubernetes cluster meets compliance requirements.

Using Calico Cloud to secure your Kubernetes cluster in Azure is an effective way to improve the security of your cluster. By segmenting your network and monitoring activity on your cluster, you can help prevent malicious attacks and ensure compliance with security requirements.

Let’s jump into onboarding our cluster; the process is relatively straightforward.

Navigate to calicocloud.io to set up your account. After you verify it, the site will lead you through onboarding, where we select Connect and provide the cluster information.

Ensure that you meet the requirements for whichever cloud is hosting your environment.

Ensure your Kubernetes cluster is not above version 1.23; if it is, you’ll have to contact support.

Once you go through the onboarding, the status should update as the installation progresses.

If you navigate to the monitor icon, you can see metrics across your environment.

If I want more information, such as network flows and what is allowed and denied, we can also view this visually.

So what does this mean? Let’s zoom in on the right portion of the page: we can see our ingress and egress traffic, color-coded as allowed or denied, and we can also filter it to make troubleshooting more granular.

We can even use Kibana from Elastic to get some deeper insights; I’ve loaded the Kubernetes dashboard.

The best part is the out-of-the-box dashboards that are already created for you; mind you, you can customize these with your own visualizations of the resources you’d like to monitor.

To get container runtime security, in the form of container threat detection, we will have to activate it.

It would also be a great addition to know the CIS benchmark results for the clusters that Calico is running on, so let’s take a look at that.

While Kubernetes is complex, Calico Cloud simplifies the management of many tedious tasks that lack a proper UI; this gives you fine-grained reports that show where you stand on a continuous basis.

Should you want to craft a policy with an intuitive UI, there is also a policy dashboard that you can get going with fairly quickly.

I selected the option “Recommend a Policy” to test it out, and here are the prompts within that feature.

We can also hit “Preview” to see how the rule will affect our current environment.
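For readers who want to see what the policy dashboard is managing under the hood, here is an added example of the segmentation described above written by hand as Calico NetworkPolicy manifests (projectcalico.org/v3). This is my own illustration, not output from Calico Cloud’s “Recommend a Policy” feature and not code from the Calico project. The namespace “payments”, the labels app == 'api' and app == 'db', and port 5432 are assumed for the example; the kube-dns label and the kube-system namespace are the usual defaults on AKS but should be checked on your cluster. The first policy denies everything in the namespace by default (higher order value, so it is evaluated last), and the second opens only the one flow the application needs plus DNS egress.

```yaml
# Added example: namespaced default-deny for the assumed "payments" namespace.
# Calico evaluates policies in ascending "order"; 1000 puts this after the allows.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: payments
spec:
  order: 1000
  selector: all()
  types:
    - Ingress
    - Egress
  # No ingress/egress rules listed: any traffic that reaches this policy is denied.
---
# Added example: the only flow we want, API pods -> database pods on 5432 (assumed port),
# and DNS egress so the pods can still resolve names under the default-deny.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: payments
spec:
  order: 100
  selector: app == 'db'        # assumed label on the database pods
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'api' # assumed label on the API pods
      destination:
        ports:
          - 5432
  egress:
    - action: Allow
      protocol: UDP
      destination:
        # kube-dns label and kube-system namespace: standard on AKS, verify on yours
        selector: k8s-app == 'kube-dns'
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        ports:
          - 53
```

Apply both with kubectl apply -f against the cluster and the flow visualization shown earlier should start reporting denied flows for anything outside the allowed path, which is the quickest way to confirm the segmentation is actually in force rather than merely defined.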

To move to another cluster, navigate to the top right of the screen and select the cluster, similar to switching subscriptions in Azure.

For our own purposes I want to highlight how you can also enable alerts on the various out-of-the-box detections that should be of concern when running Kubernetes clusters.

It is important to note that Calico Cloud is not a silver bullet and will not magically secure your Kubernetes cluster on its own. It is simply one tool that can help you achieve greater security for your deployment. As such, it is important to follow best practices for securing Kubernetes clusters in general, which include but are not limited to:

• Use role-based access control (RBAC) to limit who has access to what resources in your cluster.

• Encrypt all data in transit between nodes using SSL/TLS certificates.

• Deploy applications using immutable infrastructure principles whenever possible. This means creating images of your application code and configurations which can be deployed without ever having to be changed or updated directly on the server itself.

• Use a tool like Calico Cloud to monitor and audit all activity within your Kubernetes cluster.
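To make the first bullet concrete, here is an added example of least-privilege RBAC for the same assumed “payments” namespace. It is my own illustration, not from the post’s screenshots or from Calico. The Role grants read-only access to pods and their logs and nothing else, and the RoleBinding ties it to a group rather than to individual users; the group name “payments-oncall” is assumed, and on an AKS cluster with Azure AD integration the subject name would be the Azure AD group’s object ID instead.

```yaml
# Added example: a namespaced, read-only Role. Scoping to a Role (not a
# ClusterRole) keeps the grant inside the assumed "payments" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-viewer
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]   # no create/update/delete, no exec
---
# Added example: bind the Role to a group so membership, not the manifest,
# controls who has access. "payments-oncall" is an assumed group name; with
# AKS Azure AD integration use the Azure AD group object ID here.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-viewer-binding
  namespace: payments
subjects:
  - kind: Group
    name: payments-oncall
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: payments-viewer
  apiGroup: rbac.authorization.k8s.io
```

A quick check after applying it is kubectl auth can-i delete pods --namespace payments --as-group payments-oncall --as someone, which should answer “no”, while the same command with get instead of delete should answer “yes”; that confirms the binding grants exactly the verbs listed and nothing more.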

Conclusion

If you’re looking for a way to increase the security of your Kubernetes cluster in Azure, then Calico Cloud is a great option. It’s easy to get started with and provides a number of benefits, including improved security posture and increased visibility into your cluster. To get started, all you need to do is configure Calico Cloud in Azure and follow best practices for using it to secure your Kubernetes cluster.