What’s New in Calico: Winter 2025

As we kick off the new year, we’re excited to introduce the latest updates to Calico, designed to create a single, unified platform for all your Kubernetes networking, security, and observability needs. These new features help organizations reduce tool sprawl, streamline operations, and lower costs, making it more convenient and efficient to manage Kubernetes environments.

In this blog, we’ll highlight some of the most exciting additions that include a major new product capability, an ingress gateway.

Introducing the Calico Ingress Gateway

Managing and securing traffic in Kubernetes environments is one of the most complex and critical challenges organizations face today. With more than 60% of enterprises having adopted Kubernetes, according to an annual CNCF survey, controlling and optimizing how external traffic enters clusters is more important than ever. As applications grow in scale and complexity, legacy ingress solutions often fall short, plagued by operational inefficiencies, reliance on proprietary APIs, limited scalability, and difficulty in customization. These limitations make it difficult for teams to maintain consistent performance and robust security across their environments.

To address these challenges, we’re excited to introduce the Calico Ingress Gateway, an enterprise hardened, 100% upstream distribution of Envoy Gateway that leverages and expands the Kubernetes Gateway API to deliver advanced, scalable, customizable, and standards-based ingress management.

Upcoming improvements to the Ingress Gateway will include enhancements in network-based threat detection—through better use of our WAF with ingress traffic, enhanced observability features, and advanced policy management, further strengthening its role as a comprehensive Kubernetes ingress traffic management solution.

So Why An Ingress Gateway?

An ingress gateway serves as the first point of contact for external traffic entering a Kubernetes cluster. For most modern applications, this traffic includes API requests, user connections, or service calls, all of which need to be routed to the appropriate workloads securely and efficiently. Without a robust ingress solution, organizations face a range of challenges:

  • Customization Challenges: Legacy ingress solutions provide limited flexibility, frequently requiring annotations to extend functionality increasing the time and complexity of implementations.
  • Operational Complexity: Traditional ingress controllers often rely on proprietary configurations, making deployments harder to manage and less portable across environments.
  • Limited Traffic Control: Basic ingress controllers lack the advanced features needed to manage, shape, and secure traffic effectively.

The Calico Ingress Gateway solves these problems by providing a standardized, feature-rich, and highly customizable ingress solution designed for Kubernetes environments.

Key Capabilities of the Calico Ingress Gateway

The Calico Ingress Gateway combines advanced traffic control features with seamless integration into the Calico platform, offering flexibility and functionality:

  • Enterprise Hardened, 100% Upstream Distribution of Envoy Gateway: The Calico Ingress Gateway is an enterprise hardened, 100% upstream distribution of the Envoy Gateway which is a leading OSS implementation of the Kubernetes Gateway API, and provides a standardized, vendor-neutral approach to ingress management. This ensures consistency across environments and eliminates reliance on proprietary ingress controllers.
  • Advanced Traffic Control: It supports header-based routing, traffic shaping, retries, fault injection, and rate limiting, giving teams fine-grained control over ingress traffic. For example, traffic splitting can be used to route 95% of traffic to the current stable application service while directing 5% to a new version for testing, ensuring a controlled and safe rollout of updates.
  • Integrated Load Balancing: The gateway ensures even distribution of incoming traffic, reducing latency and improving application reliability.
  • Role-Oriented: Very similar to Calico policy tiers, the role-oriented implementation of Gateway API resources ensures that different aspects of configuring the Ingress Gateway can be delegated to application developers, and cluster-wide configuration settings can be managed by admins or DevOps teams.
  • Enterprise Support from Tigera: Tigera provides 100% enterprise support and backing for the Envoy Gateway included as part of the Calico Cloud and Calico Enterprise products. This backing includes CVE-protection.

Calico Ingress Gateway Examples Diagram

Figure 1: An Ingress Gateway showing how it can perform different traffic control including traffic splitting (dividing traffic between different services by weight), rate limiting (restricting the number of requests to prevent overloading services), and load balancing (distributing incoming traffic).

By consolidating ingress management with Calico’s networking and security capabilities, Calico simplifies operations, enhances security, and provides deep visibility into Kubernetes traffic.

The Value of Ingress Gateway in a Single Security and Networking Platform

What makes the Calico Ingress Gateway stand out is combining it with Calico’s existing features, creating a unified platform for managing Kubernetes networking, security, and observability that works across mult-cloud, hybrid, multi-cluster, and multiple Kubernetes distributions.

  • Improved Observability: With real-time traffic insights provided by Calico Dashboards, teams can monitor traffic, identify anomalies, and optimize routing in a single interface.
  • Network Policies: Teams can apply Calico’s powerful network policies to secure traffic, protecting workloads from unauthorized access and improving overall security posture.
  • Cost Efficiency: Eliminating the need for multiple standalone tools improves operational efficiency and reduces infrastructure and licensing costs.
  • Seamless Deployment: Easily installed and managed via the Calico Operator, enabling a smooth hassle-free setup.

Calico Cloud Ingress Gateway Diagram

Figure 2: Calico Cloud, a unified solution for networking security and observability, now offers an ingress gateway.

Business and Technical Impact

With the addition of the Calico Ingress Gateway, Calico delivers significant value to organizations by simplifying operations, improving scalability, and enhancing security.

  • Business Impact: Organizations benefit from reduced operational costs and complexity by consolidating ingress, egress, and policy management into a single platform. This also improves collaboration between platform, developer, DevOps, and security teams, enabling faster deployment cycles.
  • Technical Impact: The ingress gateway’s advanced traffic control features working in concert with Calico’s networking and security capabilities provide a robust solution for managing and securing high volumes of ingress traffic. Teams can scale confidently while ensuring secure and optimized application performance.

Introducing Calico Dashboards

Observability is a critical component of Kubernetes security and operations, yet many organizations struggle with fragmented tools that make it difficult to monitor network activity, troubleshoot performance issues, and enforce security policies. Traditional approaches often require reliance on multiple third-party solutions, increasing operational complexity and limiting real-time visibility into workloads.

Key Capabilities of Calico Dashboards

Calico Dashboards allow teams to visualize and analyze critical security and networking data without relying on external logging or observability tools. Some of the key capabilities include:

  • Flow Log Analysis: Provides real-time visibility into network traffic, enabling teams to monitor, diagnose, and troubleshoot connectivity issues.
  • DNS Activity Monitoring: Helps track egress connections and identify domains contacted by workloads to support DNS-based policy creation.
  • TCP Performance Metrics: Identifies latency and round-trip time issues, allowing teams to troubleshoot bottlenecks and improve application performance.
  • Role-Based Access Control (RBAC): Enables organizations to provision access to a broader set of users, including admins, DevOps, and developers.

Use Cases: How Customers Benefit from Calico Dashboards

Here we illustrate two use cases on how dashboards can be used, one for creating and testing network policies, and the other for troubleshooting performance issues:

1. Creating and Testing Policies Before Enforcement

Security teams often need to define network policies that protect workloads without inadvertently blocking critical traffic. Flow Log, DNS, and Layer 7 (HTTP) dashboards make it easy to identify all of the information needed to build effective policies. You can also use dashboards to examine the traffic flow of network policies to identify potential negative impacts before deployment. For extra reassurance, staged policies can be filtered on the flow logs dashboard to show the potential impacts of changes to network policies before being enforced.

  • Example: A user can apply a staged policy filter on the Flow Log Dashboard to see which traffic flows would be affected, helping them refine network policies before rolling them out.
  • Benefit: Reduces operational risk by ensuring network policies are correctly configured before deployment, preventing accidental service outages.

Flow Logs Dashboard Screenshot

2. Troubleshooting Domain Name Service (DNS) Issues

DNS resolution (core dns) misconfigurations, infrastructure failures, or performance bottlenecks in DNS can lead to latency, transaction timeouts, and a poor end-user experience, making troubleshooting and resolution especially challenging.

  • Example: An NXDOMAIN error indicates that a queried domain doesn’t exist—this can occur due to misconfigurations, an application querying an incorrect domain, or a domain that has been decommissioned while a service still attempts to access it. Calico’s DNS Dashboard is instrumental in such cases, as it helps identify NXDOMAIN errors and provides key details including the authority, the name server, and the authoritative name server for the queried domain. Different charts within the dashboard leverage this data to quickly pinpoint which services are generating these errors, making it easier to troubleshoot.
  • Benefit: Helps reduce downtime and mitigates issues related to DNS misconfigurations or incorrect domain queries, ultimately enhancing overall application reliability and delivering a consistently better customer experience.

DNS Logs Dashboard Screenshot

Business and Technical Impact of Calico Dashboards

  • Business Impact: Organizations benefit from streamlined security operations, faster incident response, and reduced reliance on external observability tools, leading to lower costs and improved team productivity.
  • Technical Impact: Teams can proactively monitor network activity, troubleshoot security and performance issues, and refine policies with confidence, ensuring Kubernetes workloads remain secure and optimized.

Calico Dashboards provide a centralized, real-time observability solution that simplifies Kubernetes security and operations. Start leveraging Calico Dashboards today to enhance your Kubernetes observability and security.

Multi-Cloud and Networking Enhancements

Control-Plane Label Customization on AKS Clusters

When deploying Calico on Azure Kubernetes Service (AKS), certain system-generated namespaces like calico-system and tigera-system are automatically labeled as control-plane. This can create conflicts with AKS admission controllers, which often exempt control-plane-labeled namespaces from policy enforcement.

To address this, Calico now supports control-plane label customization for AKS clusters, giving users greater control over how labels are applied during installation. Teams can choose between the default behavior—where only calico-system and tigera-system receive the control-plane label—or opt to exclude the control-plane label entirely. This ensures that security policies are applied consistently across all namespaces, preventing unintended exemptions.

This enhancement strengthens security and ensures consistent policy enforcement across AKS clusters, reducing the risk of misconfigurations while improving compliance.

Unified IP Address Management for LoadBalancer IPs

As Kubernetes environments scale, managing IP addresses for LoadBalancer services becomes increasingly complex. Many organizations rely on third-party IP Address Management (IPAM) solutions or manually allocate IPs, leading to fragmentation, conflicts, and operational inefficiencies. Without a unified IP management system, teams struggle to maintain visibility, ensure availability, and prevent overlapping IP allocations, particularly in large, multi-cluster environments.

To solve this challenge, Calico now extends its IPAM capabilities to support service LoadBalancer IP allocation, providing a centralized, automated approach to managing LoadBalancer IPs within Kubernetes clusters. This feature allows organizations to dynamically allocate and track IP addresses for LoadBalancer services, ensuring seamless interoperability with MetalLB and cloud-native load balancer implementations in AWS, Azure, and Google Cloud. By managing IPs for both workloads and services in a single solution, Calico eliminates the need for external IPAM tools while improving operational efficiency and network reliability.

With unified LoadBalancer IP management, organizations benefit from simplified operations, reduced risk of IP conflicts, and improved scalability in dynamic Kubernetes environments. Whether running on-premises, in hybrid deployments, or across multiple cloud providers, this enhancement ensures consistent and automated IP management.

Summary

This Calico release not only introduces a major new capability, the Calico Ingress Gateway, but showcases Calico’s commitment to addressing the most pressing challenges in Kubernetes multi-cloud and hybrid-cloud environments. With these new features, Calico continues to enhance security, simplify operations, and improve scalability across Kubernetes infrastructures.

To learn more about these new product capabilities and see them in action, schedule a demo.

Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!

X