Solution

VM Migration to Kubernetes

Move VMs to Kubernetes without breaking everything around them. Preserve VM network identity, translate existing security policy, and run VMs and containers on the same cluster.

VLAN 100 extended into Kubernetes
Physical network
VLAN 100
10.10.5.0/24
Calico L2 Bridge
KubeVirt VM
payments-api
eth0 → pod CIDR (Kubernetes)
net1 → 10.10.5.42 · VLAN 100
The Problems

Your connectivity and security model lives in NSX constructs Kubernetes doesn’t have.

When VMs land on Kubernetes with default pod networking, the NSX constructs they depended on such as segments, gateways and the distributed firewall have no default equivalent. Teams are looking at rebuilding each NSX outcome by hand, or even re-architecting their network.

What You Lose When NSX Goes Away
Segments
Groups workloads into isolated L2 networks
Subnets / IP pools
Defines the IP ranges assigned to a segment
VLAN-backed segments
Maps a segment onto an existing physical VLAN
Overlay segments
Virtual networks decoupled from the physical fabric
Tier-0 / Tier-1 gateways
Route traffic between networks and to the outside
Distributed firewall
Per-workload east-west traffic rules
Gateway firewall & NAT
Controls and translates north-south traffic
Advanced Load Balancer (AVI)
Distributes traffic across workloads via VIPs
QoS
Limits and prioritizes workload bandwidth
Traceflow & Flow Visibility
Traces paths and logs traffic flows

A VM’s network identity is embedded across dozens of systems.

When a VM migrates to Kubernetes with default pod networking, it gets a new IP from the cluster CIDR. The original IP is gone. Every system that referenced it is now pointing at nothing.

A migration budgeted as a lift-and-shift gets delivered as a network redesign — per VM. At scale, the coordination cost makes migration impractical.

When the IP changes
Firewall rules
No longer match
DNS records
Go stale
Monitoring dashboards
Lose continuity
Compliance audit trail
Years of evidence broken
Load balancer pools
Track by IP
Peer service configs
Hardcoded references break
VLAN trust boundary
Security team review required
CMDB entries
Reference the old address

Benefits

Migrate VMs to Kubernetes with their network identity, security model, and operational continuity intact.

Preserve VM network identity

VMs retain their original IP and VLAN membership. Nothing upstream changes. Firewalls stay the same. DNS stays the same. Peer services don’t notice.

One platform for VMs and containers

Run both migration paths on the same cluster, with the same policy model and the same observability tooling.

Move now. Modernise later.

Migrate with L2 to preserve identity and avoid cross-team coordination. Modernise to Services and label-based policy when the organisation is ready.

Features

What Calico provides for VM migration to Kubernetes.

Announced at KubeCon EU 2026
L2 secondary interface
$ virtctl ssh payments-api -- ip addr show net1
net1: <BROADCAST,MULTICAST,UP> mtu 1500
inet 10.10.5.42/24 brd 10.10.5.255 scope global net1
net1 is the secondary interface connected to the L2 bridge on the node. That's the VM's original IP on its original subnet.
Replaces: NSX VLAN-backed segments

Calico L2 Bridge Mode

Calico L2 Bridge Mode is designed to extend existing VLANs into Kubernetes so VMs retain their original IP and VLAN membership by supporting live migration — the IP and VLAN follow the workload when it moves between nodes, with no NAT and no enforcement gap.

The upstream network sees no change. payments-api is still 10.10.5.42 on VLAN 100. The firewall doesn’t know it moved.

Both L2 and L3, on the same cluster

Calico offers both L3 (BGP, VXLAN, IPIP) and L2 (L2 Bridge Mode) networking. Some VMs need L2 now and L3 later. Some can go straight to L3.

Calico supports both on the same cluster, with the same policy model and the same observability tooling. The choice is a per-workload scoping exercise — not a platform-wide decision.

L2
Preserve
Keep original IP and VLAN membership. Lift-and-shift VMs.
L3
Modernise
New pod IP. Services, DNS, label-based policy.
Same cluster
Same policy model · Same observability tooling
Policy tiers
Security tier
Highest priority · owned by the security team
01
Platform tier
Owned by platform engineering
02
Application tier
Owned by developers
03
Policies in higher tiers are evaluated first and cannot be overridden by lower tiers.
Replaces: NSX distributed-firewall sections & rule order

Tiered and staged policies

Calico supports tiered/hierarchical policies and staged policy validation, useful for teams translating NSX rules.

Staged policies evaluate real production traffic but don’t enforce decisions — they log what would have been allowed or denied. Deploy a translated rule in staging mode, observe its impact for days or weeks, and promote it to enforcement only with production evidence.

Replaces: NSX Traceflow & Flow Visibility

eBPF-based observability for every workload

Flow logs show source, destination, port, protocol, and whether traffic was allowed or denied by policy. Some flows include L7 visibility (HTTP method, path, response code), service topology graphs, and policy hit-count metrics.

Invest in flow logs early — they’re the single most valuable data source for network troubleshooting and compliance.

Flow log
timestamp src dst port proto action
14:22:01.124 10.10.5.42 10.10.5.100 443 TCP ALLOW
14:22:02.357 10.10.5.42 10.10.5.100 443 TCP ALLOW
14:22:04.812 10.10.5.42 8.8.8.8 53 UDP DENY
14:22:05.124 10.10.5.42 10.10.5.100 443 TCP ALLOW
14:22:08.901 10.10.5.42 10.10.5.55 3306 TCP ALLOW
Any Kubernetes distribution
No lock-in. No rewrite when environments change.

Runs on any Kubernetes distribution

Calico runs on any Kubernetes distribution. The same CNI, the same policy model, and the same operational tooling — wherever your VMs land.

Replacing NSX

Your NSX design already has a Calico equivalent

NSX concepts like segments, gateways, and the distributed firewall map cleanly to Calico primitives. This table shows what each becomes; the migration itself is still phased work, done segment by segment.

NSX concept Calico Enterprise / Kubernetes capability Architectural outcome
Segment Calico Networks Workloads attach to defined networks with clear connectivity and policy intent.
Segment subnet / CIDR Calico IPPool Workload addresses are allocated from a defined IP address pool or range.
VLAN-backed Segment Calico L2 Bridge Existing underlay VLANs can be extended into Kubernetes for VMs that require L2 continuity (network stretching).
Overlay Segment Calico Overlay Network Create dedicated virtual networks for tenants, applications, business units, etc. without depending on the physical network.
Tier-0 Gateway Calico BGP Kubernetes-hosted workload networks can exchange routes with the external network.
Tier-1 Gateway Calico Multi-VRF (tenant routing domain), Routing Policies, and Egress Gateway Tenant or application routing domains can be isolated and advertised independently.
Distributed Firewall Calico NetworkPolicy, DNS Policies, Tiers, and Staged Network Policies East-west traffic can be controlled close to workloads using workload identity and selectors.
Gateway Firewall and NAT Calico Egress Gateways and DNS Policies North-south traffic can be controlled with predictable source identity and policy enforcement.
NSX Advanced Load Balancer / AVI Calico Load Balancer and Calico Ingress Gateway Kubernetes-native application delivery can provide stable VIPs, L4 load distribution, L7 routing, and upstream reachability.
QoS Calico QoS Bandwidth, packet rate, connection limits, and traffic markings can be applied to workloads. This guarantees network performance.
Traceflow and Flow Visibility Calico Service Graph, Dashboards, and Packet Capture Architects and operators can validate application flows with Kubernetes workload context.
You’re not just swapping a distributed firewall for a NetworkPolicy. You’re choosing one policy model for VMs and containers, on any Kubernetes distribution — instead of carrying NSX’s operating model into an environment it was never built for.

Network concept translation

How traditional VM-networking concepts map to Kubernetes equivalents.

VM world Kubernetes equivalent What changes
VLAN L2 bridge / L2 overlay / VLAN underlay (CNI-dependent) Depends on CNI and L2/L3 choice
VM NIC (fixed IP) Secondary interface via Multus Preservation depends on CNI
Distributed firewall / NSX Kubernetes NetworkPolicy + CNI extensions Model shifts: IP-based → label-based
Firewall sections (ordered) Tiered/hierarchical policies (if CNI supports) Requires CNI with tier support
vMotion KubeVirt live migration IP changes by default — CNI must handle
NSX microsegmentation eBPF or OVN ACL-based policy Applied at hypervisor level, no agents in VM
Flow logs / SIEM feeds CNI flow logs + Prometheus metrics Different sources, same compliance purpose
Port groups / vDS NetworkAttachmentDefinition + Multus Declarative K8s resources replace GUI config

Move now. Modernise later. On your own timeline.

When you’re ready to discuss migrations against your own VM estate, contact our team for a technical walkthrough.

X