From 293b526bcb71fcc5a02944478003e4e852457186 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 18 May 2026 09:47:59 +0000
Subject: [PATCH] chore: update generated llms.txt files

---
 static/calico-cloud/llms-full.txt      | 184 ++++++++++----------
 static/calico-cloud/llms.txt           | 134 +++++++--------
 static/calico-enterprise/llms-full.txt | 228 ++++++++++++++-----------
 static/calico-enterprise/llms.txt      | 144 ++++++++--------
 static/calico/llms-full.txt            | 226 ++++++++++++------------
 static/calico/llms.txt                 | 110 ++++++------
 static/llms.txt                        |   6 +-
 7 files changed, 528 insertions(+), 504 deletions(-)

diff --git a/static/calico-cloud/llms-full.txt b/static/calico-cloud/llms-full.txt
index 96df180154..2a11248227 100644
--- a/static/calico-cloud/llms-full.txt
+++ b/static/calico-cloud/llms-full.txt
@@ -14691,87 +14691,87 @@ See what's going on in your cluster with network observability tools and detaile ##### [Manage alerts](https://docs.tigera.io/calico-cloud/observability/alerts) -[Manage alerts and events for Calico Enterprise features.](https://docs.tigera.io/calico-cloud/observability/alerts) +[Configure alerts and review alert events for Calico Cloud features in the web console or CLI. Use built-in templates for visibility and security signals.](https://docs.tigera.io/calico-cloud/observability/alerts) ##### [Kibana dashboards and logs](https://docs.tigera.io/calico-cloud/observability/kibana) -[Learn the basics of using Elasticsearch logs and Kibana to gain visibility and troubleshoot.](https://docs.tigera.io/calico-cloud/observability/kibana) +[Use Kibana with Calico Cloud Elasticsearch to explore flow, L7, audit, BGP, DNS, and intrusion detection event logs from connected clusters.](https://docs.tigera.io/calico-cloud/observability/kibana) ##### [Packet capture](https://docs.tigera.io/calico-cloud/observability/packetcapture) -[Capture live traffic for debugging microservices and application interaction.](https://docs.tigera.io/calico-cloud/observability/packetcapture) +[Capture live pod traffic in Calico Cloud connected clusters from Service Graph or the CLI and export pcap files to Wireshark for analysis.](https://docs.tigera.io/calico-cloud/observability/packetcapture) ##### [Visualize traffic to and from a cluster](https://docs.tigera.io/calico-cloud/observability/visualize-traffic) -[Learn the power of network sets.](https://docs.tigera.io/calico-cloud/observability/visualize-traffic) +[Visualize cluster traffic to and from external endpoints in Calico Cloud Service Graph with network sets that group external IP ranges by purpose.](https://docs.tigera.io/calico-cloud/observability/visualize-traffic) ## Getting started with logs[​](#getting-started-with-logs) ##### [Overview](https://docs.tigera.io/calico-cloud/observability/elastic/overview) 
-[Summary of the out-of-box features for Calico Cloud logs.](https://docs.tigera.io/calico-cloud/observability/elastic/overview) +[Calico Cloud uses managed Elasticsearch and Kibana for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to external SIEMs.](https://docs.tigera.io/calico-cloud/observability/elastic/overview) ##### [Archive logs](https://docs.tigera.io/calico-cloud/observability/elastic/archive-storage) -[Archive logs to Syslog, Splunk, or Amazon S3 for maintaining compliance data.](https://docs.tigera.io/calico-cloud/observability/elastic/archive-storage) +[Forward Calico Cloud flow, DNS, audit, and L7 logs to Syslog, Splunk, or Amazon S3 to retain compliance data beyond managed retention windows.](https://docs.tigera.io/calico-cloud/observability/elastic/archive-storage) ##### [Overview](https://docs.tigera.io/calico-cloud/observability/elastic/overview) -[Summary of the out-of-box features for Calico Cloud logs.](https://docs.tigera.io/calico-cloud/observability/elastic/overview) +[Calico Cloud uses managed Elasticsearch and Kibana for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to external SIEMs.](https://docs.tigera.io/calico-cloud/observability/elastic/overview) ##### [BGP logs](https://docs.tigera.io/calico-cloud/observability/elastic/bgp) -[Key/value pairs of BGP activity logs and how to construct queries.](https://docs.tigera.io/calico-cloud/observability/elastic/bgp) +[Reference of key/value fields in Calico Cloud BGP activity logs in Elasticsearch, with sample queries for IPv4, IPv6, and per-node lookups.](https://docs.tigera.io/calico-cloud/observability/elastic/bgp) ##### [Audit logs](https://docs.tigera.io/calico-cloud/observability/elastic/audit-overview) -[Calico Cloud audit logs provide data on changes to resources.](https://docs.tigera.io/calico-cloud/observability/elastic/audit-overview) +[Calico Cloud audit logs record changes to network policies, tiers, network sets, host 
endpoints, and other resources across connected clusters.](https://docs.tigera.io/calico-cloud/observability/elastic/audit-overview) ## Flow logs[​](#flow-logs) ##### [Flow log data types](https://docs.tigera.io/calico-cloud/observability/elastic/flow/datatypes) -[Data that Calico Cloud sends to Elasticsearch.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/datatypes) +[Reference of key/value fields that Calico Cloud sends to Elasticsearch for flow logs, including endpoints, actions, byte counts, and policy verdicts.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/datatypes) ##### [Filter flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/filtering) -[Filter Calico Cloud flow logs.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/filtering) +[Filter Calico Cloud flow logs through Fluentd to drop low-significance traffic and reduce managed Elasticsearch volume and cost.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/filtering) ##### [Configure flow log aggregation](https://docs.tigera.io/calico-cloud/observability/elastic/flow/aggregation) -[Configure flow log aggregation to reduce log volume and costs.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/aggregation) +[Tune Calico Cloud flow log aggregation levels to balance managed Elasticsearch volume and cost against pod and IP visibility for allowed and denied traffic.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/aggregation) ##### [Enable HostEndpoint reporting in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/hep) -[Enable hostendpoint reporting in flow logs.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/hep) +[Turn on host endpoint reporting in Calico Cloud flow logs to gain visibility into traffic at HostEndpoint interfaces on Kubernetes nodes.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/hep) ##### [Enable process-level 
information in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/processpath) -[Get visibility into process-level network activity in flow logs.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/processpath) +[Add process executable paths and arguments to Calico Cloud flow logs with eBPF instrumentation for process-level visibility into network activity.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/processpath) ##### [Enabling TCP socket stats in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/tcpstats) -[Enabling TCP socket stats information in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/tcpstats) +[Add TCP socket statistics to Calico Cloud flow logs with eBPF programs that capture round-trip time, retransmits, and other per-socket metrics.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/tcpstats) ## DNS logs[​](#dns-logs) ##### [Query DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/dns-logs) -[Key/value pairs of DNS activity logs and how to construct queries.](https://docs.tigera.io/calico-cloud/observability/elastic/dns/dns-logs) +[Reference of key/value fields in Calico Cloud DNS activity logs in Elasticsearch, with guidance for building client and query lookups.](https://docs.tigera.io/calico-cloud/observability/elastic/dns/dns-logs) ##### [Filter DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/filtering-dns) -[Suppress DNS logs of low significance using filters.](https://docs.tigera.io/calico-cloud/observability/elastic/dns/filtering-dns) +[Suppress low-value Calico Cloud DNS log entries with Fluentd filters configured through a ConfigMap in the operator namespace of connected clusters.](https://docs.tigera.io/calico-cloud/observability/elastic/dns/filtering-dns) ## L7 logs[​](#l7-logs) ##### [Configure L7 logs](https://docs.tigera.io/calico-cloud/observability/elastic/l7/configure) 
-[Configure and aggregate L7 logs.](https://docs.tigera.io/calico-cloud/observability/elastic/l7/configure) +[Deploy Envoy and aggregate Calico Cloud L7 logs to monitor HTTP traffic patterns between application workloads on connected clusters.](https://docs.tigera.io/calico-cloud/observability/elastic/l7/configure) ##### [L7 log data types](https://docs.tigera.io/calico-cloud/observability/elastic/l7/datatypes) -[L7 data that Calico Cloud sends to Elasticsearch.](https://docs.tigera.io/calico-cloud/observability/elastic/l7/datatypes) +[Reference of key/value fields that Calico Cloud sends to Elasticsearch for L7 logs, including durations, byte counts, and HTTP request metadata.](https://docs.tigera.io/calico-cloud/observability/elastic/l7/datatypes) ### Manage alerts @@ -15767,11 +15767,11 @@ With Service Graph, you know the value of seeing pod-to-pod traffic within your ## [📄️Overview](https://docs.tigera.io/calico-cloud/observability/elastic/overview) -[Summary of the out-of-box features for Calico Cloud logs.](https://docs.tigera.io/calico-cloud/observability/elastic/overview) +[Calico Cloud uses managed Elasticsearch and Kibana for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to external SIEMs.](https://docs.tigera.io/calico-cloud/observability/elastic/overview) ## [📄️Archive logs](https://docs.tigera.io/calico-cloud/observability/elastic/archive-storage) -[Archive logs to Syslog, Splunk, or Amazon S3 for maintaining compliance data.](https://docs.tigera.io/calico-cloud/observability/elastic/archive-storage) +[Forward Calico Cloud flow, DNS, audit, and L7 logs to Syslog, Splunk, or Amazon S3 to retain compliance data beyond managed retention windows.](https://docs.tigera.io/calico-cloud/observability/elastic/archive-storage) ## [🗃Flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/) 
@@ -15779,7 +15779,7 @@ With Service Graph, you know the value of seeing pod-to-pod traffic within your ## [📄️Audit logs](https://docs.tigera.io/calico-cloud/observability/elastic/audit-overview) -[Calico Cloud audit logs provide data on changes to resources.](https://docs.tigera.io/calico-cloud/observability/elastic/audit-overview) +[Calico Cloud audit logs record changes to network policies, tiers, network sets, host endpoints, and other resources across connected clusters.](https://docs.tigera.io/calico-cloud/observability/elastic/audit-overview) ## [🗃DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/) @@ -15787,7 +15787,7 @@ With Service Graph, you know the value of seeing pod-to-pod traffic within your ## [📄️BGP logs](https://docs.tigera.io/calico-cloud/observability/elastic/bgp) -[Key/value pairs of BGP activity logs and how to construct queries.](https://docs.tigera.io/calico-cloud/observability/elastic/bgp) +[Reference of key/value fields in Calico Cloud BGP activity logs in Elasticsearch, with sample queries for IPv4, IPv6, and per-node lookups.](https://docs.tigera.io/calico-cloud/observability/elastic/bgp) ## [🗃L7 logs](https://docs.tigera.io/calico-cloud/observability/elastic/l7/) 
@@ -16142,27 +16142,27 @@ Calico Cloud uses Splunk's **HTTP Event Collector** to send data to Splunk serve ## [📄️Flow log data types](https://docs.tigera.io/calico-cloud/observability/elastic/flow/datatypes) -[Data that Calico Cloud sends to Elasticsearch.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/datatypes) +[Reference of key/value fields that Calico Cloud sends to Elasticsearch for flow logs, including endpoints, actions, byte counts, and policy verdicts.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/datatypes) ## [📄️Filter flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/filtering) -[Filter Calico Cloud flow logs.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/filtering) +[Filter Calico Cloud flow logs through Fluentd to drop low-significance traffic and reduce managed Elasticsearch volume and cost.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/filtering) ## [📄️Configure flow log aggregation](https://docs.tigera.io/calico-cloud/observability/elastic/flow/aggregation) -[Configure flow log aggregation to reduce log volume and costs.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/aggregation) +[Tune Calico Cloud flow log aggregation levels to balance managed Elasticsearch volume and cost against pod and IP visibility for allowed and denied traffic.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/aggregation) ## [📄️Enable HostEndpoint reporting in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/hep) -[Enable hostendpoint reporting in flow logs.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/hep) +[Turn on host endpoint reporting in Calico Cloud flow logs to gain visibility into traffic at HostEndpoint interfaces on Kubernetes nodes.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/hep) ## [📄️Enabling TCP socket stats in flow 
logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/tcpstats) -[Enabling TCP socket stats information in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/tcpstats) +[Add TCP socket statistics to Calico Cloud flow logs with eBPF programs that capture round-trip time, retransmits, and other per-socket metrics.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/tcpstats) ## [📄️Enable process-level information in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/processpath) -[Get visibility into process-level network activity in flow logs.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/processpath) +[Add process executable paths and arguments to Calico Cloud flow logs with eBPF instrumentation for process-level visibility into network activity.](https://docs.tigera.io/calico-cloud/observability/elastic/flow/processpath) ### Flow log data types @@ -16790,11 +16790,11 @@ Finally, audit logs provide the core data for compliance reports. ## [📄️Query DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/dns-logs) -[Key/value pairs of DNS activity logs and how to construct queries.](https://docs.tigera.io/calico-cloud/observability/elastic/dns/dns-logs) +[Reference of key/value fields in Calico Cloud DNS activity logs in Elasticsearch, with guidance for building client and query lookups.](https://docs.tigera.io/calico-cloud/observability/elastic/dns/dns-logs) ## [📄️Filter DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/filtering-dns) -[Suppress DNS logs of low significance using filters.](https://docs.tigera.io/calico-cloud/observability/elastic/dns/filtering-dns) +[Suppress low-value Calico Cloud DNS log entries with Fluentd filters configured through a ConfigMap in the operator namespace of connected clusters.](https://docs.tigera.io/calico-cloud/observability/elastic/dns/filtering-dns) ### Query DNS logs 
@@ -16936,11 +16936,11 @@ Once a set of BGP logs has accumulated in Elasticsearch, you can perform many in ## [📄️Configure L7 logs](https://docs.tigera.io/calico-cloud/observability/elastic/l7/configure) -[Configure and aggregate L7 logs.](https://docs.tigera.io/calico-cloud/observability/elastic/l7/configure) +[Deploy Envoy and aggregate Calico Cloud L7 logs to monitor HTTP traffic patterns between application workloads on connected clusters.](https://docs.tigera.io/calico-cloud/observability/elastic/l7/configure) ## [📄️L7 log data types](https://docs.tigera.io/calico-cloud/observability/elastic/l7/datatypes) -[L7 data that Calico Cloud sends to Elasticsearch.](https://docs.tigera.io/calico-cloud/observability/elastic/l7/datatypes) +[Reference of key/value fields that Calico Cloud sends to Elasticsearch for L7 logs, including durations, byte counts, and HTTP request metadata.](https://docs.tigera.io/calico-cloud/observability/elastic/l7/datatypes) ### Configure L7 logs 
@@ -21667,125 +21667,125 @@ The Calico Cloud network plugins provide a range of networking options to fit yo ##### [Networking overview](https://docs.tigera.io/calico-cloud/networking/training/about-networking) -[Learn about networking layers, packets, IP addressing, and routing.](https://docs.tigera.io/calico-cloud/networking/training/about-networking) +[Reference primer for networking fundamentals — OSI layers, packet anatomy, MTU, IP addressing, routing, overlays, DNS, and NAT — that underpin Calico Cloud.](https://docs.tigera.io/calico-cloud/networking/training/about-networking) ##### [Kubernetes network model](https://docs.tigera.io/calico-cloud/networking/training/about-kubernetes-networking) -[Learn network behaviors of the Kubernetes network model.](https://docs.tigera.io/calico-cloud/networking/training/about-kubernetes-networking) +[Reference primer for Kubernetes networking concepts that help when operating Calico Cloud — pod IPs, services, DNS, NAT outgoing, and dual stack.](https://docs.tigera.io/calico-cloud/networking/training/about-kubernetes-networking) ## Configuring networking[​](#configuring-networking) ##### [Configure BGP peering](https://docs.tigera.io/calico-cloud/networking/configuring/bgp) -[Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors.](https://docs.tigera.io/calico-cloud/networking/configuring/bgp) +[Set up BGP peering for Calico Cloud connected clusters — full mesh, per-node peers, top-of-rack switches, and route reflectors — with BGPPeer and BGPConfiguration resources.](https://docs.tigera.io/calico-cloud/networking/configuring/bgp) ##### [Deploy a dual ToR cluster](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor) -[Configure a dual plane cluster for redundant connectivity between workloads.](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor) +[Deploy a dual ToR cluster connected to Calico Cloud so two independent connectivity planes provide 
redundancy between racks for on-premises clusters.](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor) ##### [Configure multiple Calico Cloud networks on a pod](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks) -[Configure a cluster with multiple Calico Cloud networks on each pod, and enforce security using Calico Cloud tiered network policy.](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks) +[Add extra Calico Cloud networks to each pod in a connected cluster with the Multus-CNI plugin, then control access with tiered network policy on every interface.](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks) ##### [Overlay networking](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip) -[Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses.](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip) +[Choose VXLAN or IP-in-IP overlay encapsulation in a Calico Cloud connected cluster so pod traffic crosses underlay networks that don't route pod CIDRs natively.](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip) ##### [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips) -[Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP.](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips) +[Advertise Kubernetes service cluster IPs and external IPs out of a Calico Cloud connected cluster over BGP so upstream routers can reach them directly.](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips) ##### [Configure MTU to maximize network performance](https://docs.tigera.io/calico-cloud/networking/configuring/mtu) -[Optimize network performance for workloads by configuring the MTU 
in Calico to best suit your underlying network.](https://docs.tigera.io/calico-cloud/networking/configuring/mtu) +[Tune the Calico Cloud MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard overhead.](https://docs.tigera.io/calico-cloud/networking/configuring/mtu) ##### [Custom BGP Configuration](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config) -[Apply a custom BGP configuration](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config) +[Override the default BIRD BGP templates in a Calico Cloud connected cluster to access advanced BIRD features for proof-of-concept and special-case routing.](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config) ##### [Configure outgoing NAT](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster) -[Configure Calico Cloud networking to perform outbound NAT for connections from pods to outside of the cluster.](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster) +[Configure NAT outgoing on Calico Cloud IP pools in a connected cluster so pod traffic destined outside the cluster is source-NATed to the node IP.](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster) ##### [Use a specific MAC address for a pod](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address) -[Specify the MAC address for a pod instead of allowing the operating system to assign one](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address) +[Pin a chosen MAC address on a Kubernetes pod interface in a Calico Cloud connected cluster with the CNI plugin, for cases such as MAC-bound software licenses.](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address) ##### [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache) 
-[Install NodeLocal DNSCache](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache) +[Run NodeLocal DNSCache alongside Calico Cloud in a connected cluster and write the network policy that lets pod DNS traffic reach the per-node cache.](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache) ## IP address management[​](#ip-address-management) ##### [Configure BGP peering](https://docs.tigera.io/calico-cloud/networking/configuring/bgp) -[Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors.](https://docs.tigera.io/calico-cloud/networking/configuring/bgp) +[Set up BGP peering for Calico Cloud connected clusters — full mesh, per-node peers, top-of-rack switches, and route reflectors — with BGPPeer and BGPConfiguration resources.](https://docs.tigera.io/calico-cloud/networking/configuring/bgp) ##### [Deploy a dual ToR cluster](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor) -[Configure a dual plane cluster for redundant connectivity between workloads.](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor) +[Deploy a dual ToR cluster connected to Calico Cloud so two independent connectivity planes provide redundancy between racks for on-premises clusters.](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor) ##### [Configure multiple Calico Cloud networks on a pod](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks) -[Configure a cluster with multiple Calico Cloud networks on each pod, and enforce security using Calico Cloud tiered network policy.](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks) +[Add extra Calico Cloud networks to each pod in a connected cluster with the Multus-CNI plugin, then control access with tiered network policy on every interface.](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks) ##### [Overlay 
networking](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip) -[Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses.](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip) +[Choose VXLAN or IP-in-IP overlay encapsulation in a Calico Cloud connected cluster so pod traffic crosses underlay networks that don't route pod CIDRs natively.](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip) ##### [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips) -[Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP.](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips) +[Advertise Kubernetes service cluster IPs and external IPs out of a Calico Cloud connected cluster over BGP so upstream routers can reach them directly.](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips) ##### [Configure MTU to maximize network performance](https://docs.tigera.io/calico-cloud/networking/configuring/mtu) -[Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network.](https://docs.tigera.io/calico-cloud/networking/configuring/mtu) +[Tune the Calico Cloud MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard overhead.](https://docs.tigera.io/calico-cloud/networking/configuring/mtu) ##### [Custom BGP Configuration](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config) -[Apply a custom BGP configuration](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config) +[Override the default BIRD BGP templates in a Calico Cloud connected cluster to access advanced BIRD features for proof-of-concept and special-case 
routing.](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config) ##### [Configure outgoing NAT](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster) -[Configure Calico Cloud networking to perform outbound NAT for connections from pods to outside of the cluster.](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster) +[Configure NAT outgoing on Calico Cloud IP pools in a connected cluster so pod traffic destined outside the cluster is source-NATed to the node IP.](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster) ##### [Use a specific MAC address for a pod](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address) -[Specify the MAC address for a pod instead of allowing the operating system to assign one](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address) +[Pin a chosen MAC address on a Kubernetes pod interface in a Calico Cloud connected cluster with the CNI plugin, for cases such as MAC-bound software licenses.](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address) ##### [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache) -[Install NodeLocal DNSCache](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache) +[Run NodeLocal DNSCache alongside Calico Cloud in a connected cluster and write the network policy that lets pod DNS traffic reach the per-node cache.](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache) ##### [LoadBalancer IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/service-loadbalancer) -[LoadBalancer IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/service-loadbalancer) +[Use the Calico Cloud LoadBalancer controller to allocate IPs to Kubernetes Service type LoadBalancer from configured IPPool 
resources in a connected cluster.](https://docs.tigera.io/calico-cloud/networking/ipam/service-loadbalancer) ## Egress gateways[​](#egress-gateways) ##### [Configure egress gateways, on-premises](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-on-prem) -[Configure specific application traffic to exit the cluster through an egress gateway.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-on-prem) +[Send selected application traffic through Calico Cloud egress gateways on-premises so external firewalls see a predictable source IP for cluster workloads.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-on-prem) ##### [Configure egress gateways, Azure](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-azure) -[Configure specific application traffic to exit the cluster through an egress gateway with a native Azure IP address.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-azure) +[Route selected application traffic out of a Calico Cloud connected cluster through egress gateways with native Azure VNet IPs.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-azure) ##### [Configure egress gateways, AWS](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-aws) -[Configure specific application traffic to exit the cluster through an egress gateway with a native AWS IP address.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-aws) +[Route selected application traffic out of a Calico Cloud connected cluster through egress gateways with native AWS VPC subnet IPs.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-aws) ##### [Optimize egress networking for workloads with long-lived TCP connections](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-maintenance) -[React to egress gateway maintenance windows and minimize the impact of egress gateway downtime on sensitive 
workloads](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-maintenance) +[Reduce egress gateway downtime impact on long-lived TCP sessions in Calico Cloud connected clusters by reading termination annotations and draining gracefully.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-maintenance) ##### [Configure egress traffic to multiple external networks](https://docs.tigera.io/calico-cloud/networking/egress/external-network) -[Allows workloads from different namespaces of a Kubernetes cluster to egress onto different external networks that (may) have overlapping IPs with each other.](https://docs.tigera.io/calico-cloud/networking/egress/external-network) +[Direct Calico Cloud egress gateway traffic onto multiple external networks with potentially overlapping IPs by associating gateways with named ExternalNetworks.](https://docs.tigera.io/calico-cloud/networking/egress/external-network) ##### [Troubleshoot egress gateways](https://docs.tigera.io/calico-cloud/networking/egress/troubleshoot) -[Use checklist to troubleshoot common problems.](https://docs.tigera.io/calico-cloud/networking/egress/troubleshoot) +[Troubleshooting guide for Calico Cloud egress gateways covering connection failures, source IP mismatches, BGP route propagation, and required pod metadata.](https://docs.tigera.io/calico-cloud/networking/egress/troubleshoot) ### Calico Ingress Gateway 
@@ -23057,11 +23057,11 @@ For this tutorial, we'll try accessing the app through the gateway by port-forwa ## [📄️Networking overview](https://docs.tigera.io/calico-cloud/networking/training/about-networking) -[Learn about networking layers, packets, IP addressing, and routing.](https://docs.tigera.io/calico-cloud/networking/training/about-networking) +[Reference primer for networking fundamentals — OSI layers, packet anatomy, MTU, IP addressing, routing, overlays, DNS, and NAT — that underpin Calico Cloud.](https://docs.tigera.io/calico-cloud/networking/training/about-networking) ## [📄️Kubernetes network model](https://docs.tigera.io/calico-cloud/networking/training/about-kubernetes-networking) -[Learn network behaviors of the Kubernetes network model.](https://docs.tigera.io/calico-cloud/networking/training/about-kubernetes-networking) +[Reference primer for Kubernetes networking concepts that help when operating Calico Cloud — pod IPs, services, DNS, NAT outgoing, and dual stack.](https://docs.tigera.io/calico-cloud/networking/training/about-kubernetes-networking) ### Networking overview 
@@ -23248,51 +23248,51 @@ If you want to use a mix of IPv4 and IPv6 then you can enable Kubernetes [dual-s ## [📄️Configure BGP peering](https://docs.tigera.io/calico-cloud/networking/configuring/bgp) -[Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors.](https://docs.tigera.io/calico-cloud/networking/configuring/bgp) +[Set up BGP peering for Calico Cloud connected clusters — full mesh, per-node peers, top-of-rack switches, and route reflectors — with BGPPeer and BGPConfiguration resources.](https://docs.tigera.io/calico-cloud/networking/configuring/bgp) ## [📄️Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico-cloud/networking/configuring/bgp-to-workload) -[Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico-cloud/networking/configuring/bgp-to-workload) +[Peer Calico Cloud nodes with BGP speakers inside KubeVirt VMs so nested clusters connected to Calico Cloud can announce routes from their workloads.](https://docs.tigera.io/calico-cloud/networking/configuring/bgp-to-workload) ## [📄️Deploy a dual ToR cluster](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor) -[Configure a dual plane cluster for redundant connectivity between workloads.](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor) +[Deploy a dual ToR cluster connected to Calico Cloud so two independent connectivity planes provide redundancy between racks for on-premises clusters.](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor) ## [📄️Configure multiple Calico Cloud networks on a pod](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks) -[Configure a cluster with multiple Calico Cloud networks on each pod, and enforce security using Calico Cloud tiered network policy.](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks) +[Add extra Calico Cloud networks to each pod in 
a connected cluster with the Multus-CNI plugin, then control access with tiered network policy on every interface.](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks) ## [📄️Overlay networking](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip) -[Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses.](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip) +[Choose VXLAN or IP-in-IP overlay encapsulation in a Calico Cloud connected cluster so pod traffic crosses underlay networks that don't route pod CIDRs natively.](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip) ## [📄️Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips) -[Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP.](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips) +[Advertise Kubernetes service cluster IPs and external IPs out of a Calico Cloud connected cluster over BGP so upstream routers can reach them directly.](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips) ## [📄️Configure MTU to maximize network performance](https://docs.tigera.io/calico-cloud/networking/configuring/mtu) -[Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network.](https://docs.tigera.io/calico-cloud/networking/configuring/mtu) +[Tune the Calico Cloud MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard overhead.](https://docs.tigera.io/calico-cloud/networking/configuring/mtu) ## [📄️Custom BGP Configuration](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config) -[Apply a custom BGP 
configuration](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config) +[Override the default BIRD BGP templates in a Calico Cloud connected cluster to access advanced BIRD features for proof-of-concept and special-case routing.](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config) ## [📄️Configure outgoing NAT](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster) -[Configure Calico Cloud networking to perform outbound NAT for connections from pods to outside of the cluster.](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster) +[Configure NAT outgoing on Calico Cloud IP pools in a connected cluster so pod traffic destined outside the cluster is source-NATed to the node IP.](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster) ## [📄️Use a specific MAC address for a pod](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address) -[Specify the MAC address for a pod instead of allowing the operating system to assign one](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address) +[Pin a chosen MAC address on a Kubernetes pod interface in a Calico Cloud connected cluster with the CNI plugin, for cases such as MAC-bound software licenses.](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address) ## [📄️Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache) -[Install NodeLocal DNSCache](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache) +[Run NodeLocal DNSCache alongside Calico Cloud in a connected cluster and write the network policy that lets pod DNS traffic reach the per-node cache.](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache) ## [📄️Configure QoS Controls](https://docs.tigera.io/calico-cloud/networking/configuring/qos-controls) -[Configure QoS 
(Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections of Calico workloads.](https://docs.tigera.io/calico-cloud/networking/configuring/qos-controls) +[Apply Calico Cloud QoS controls to cap pod ingress and egress bandwidth, packet rate, and connection counts in a connected cluster, plus DiffServ marking on egress.](https://docs.tigera.io/calico-cloud/networking/configuring/qos-controls) ### Configure BGP peering 
@@ -25843,27 +25843,27 @@ spec: ## [📄️Configure egress gateways, on-premises](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-on-prem) -[Configure specific application traffic to exit the cluster through an egress gateway.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-on-prem) +[Send selected application traffic through Calico Cloud egress gateways on-premises so external firewalls see a predictable source IP for cluster workloads.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-on-prem) ## [📄️Configure egress gateways, AWS](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-aws) -[Configure specific application traffic to exit the cluster through an egress gateway with a native AWS IP address.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-aws) +[Route selected application traffic out of a Calico Cloud connected cluster through egress gateways with native AWS VPC subnet IPs.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-aws) ## [📄️Configure egress gateways, Azure](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-azure) -[Configure specific application traffic to exit the cluster through an egress gateway with a native Azure IP address.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-azure) +[Route selected application traffic out of a Calico Cloud connected cluster through egress gateways with native Azure VNet IPs.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-azure) ## [📄️Optimize egress networking for workloads with long-lived TCP connections](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-maintenance) -[React to egress gateway maintenance windows and minimize the impact of egress gateway downtime on sensitive workloads](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-maintenance) +[Reduce egress gateway downtime impact on 
long-lived TCP sessions in Calico Cloud connected clusters by reading termination annotations and draining gracefully.](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-maintenance) ## [📄️Configure egress traffic to multiple external networks](https://docs.tigera.io/calico-cloud/networking/egress/external-network) -[Allows workloads from different namespaces of a Kubernetes cluster to egress onto different external networks that (may) have overlapping IPs with each other.](https://docs.tigera.io/calico-cloud/networking/egress/external-network) +[Direct Calico Cloud egress gateway traffic onto multiple external networks with potentially overlapping IPs by associating gateways with named ExternalNetworks.](https://docs.tigera.io/calico-cloud/networking/egress/external-network) ## [📄️Troubleshoot egress gateways](https://docs.tigera.io/calico-cloud/networking/egress/troubleshoot) -[Use checklist to troubleshoot common problems.](https://docs.tigera.io/calico-cloud/networking/egress/troubleshoot) +[Troubleshooting guide for Calico Cloud egress gateways covering connection failures, source IP mismatches, BGP route propagation, and required pod metadata.](https://docs.tigera.io/calico-cloud/networking/egress/troubleshoot) ### Configure egress gateways, on-premises 
@@ -29397,43 +29397,43 @@ If the instance ID recorded in the "calico:instance" tag is for ## [📄️Get started with IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/get-started-ip-addresses) -[Configure Calico Cloud to use Calico Cloud IPAM or host-local IPAM, and when to use one or the other.](https://docs.tigera.io/calico-cloud/networking/ipam/get-started-ip-addresses) +[Pick between Calico Cloud IPAM and host-local IPAM, then configure pool selection, NAT outgoing, and per-namespace IP assignment in a connected cluster.](https://docs.tigera.io/calico-cloud/networking/ipam/get-started-ip-addresses) ## [📄️Configure default IP pools](https://docs.tigera.io/calico-cloud/networking/ipam/initial-ippool) -[Configure the default IP address ranges for operator installation.](https://docs.tigera.io/calico-cloud/networking/ipam/initial-ippool) +[Set the default Calico Cloud IP pool CIDR, encapsulation, and NAT outgoing values during Tigera Operator installation through the Installation resource.](https://docs.tigera.io/calico-cloud/networking/ipam/initial-ippool) ## [📄️Configure IP autodetection](https://docs.tigera.io/calico-cloud/networking/ipam/ip-autodetection) -[Calico IP autodetection ensures the correct IP address is used for routing. 
Learn how to customize it.](https://docs.tigera.io/calico-cloud/networking/ipam/ip-autodetection) +[Pick how Calico Cloud detects each node's primary IP — first-found, Kubernetes internal, interface regex, CIDR, or skip-interface — for reliable routing.](https://docs.tigera.io/calico-cloud/networking/ipam/ip-autodetection) ## [📄️Configure dual stack](https://docs.tigera.io/calico-cloud/networking/ipam/ipv6) -[Configure dual stack for workloads.](https://docs.tigera.io/calico-cloud/networking/ipam/ipv6) +[Configure dual-stack pod networking in a Calico Cloud connected cluster by adding IPv6 IP pools, IPv6 autodetection, and matching CNI plugin settings.](https://docs.tigera.io/calico-cloud/networking/ipam/ipv6) ## [📄️Use a specific IP address with a pod](https://docs.tigera.io/calico-cloud/networking/ipam/use-specific-ip) -[Specify the IP address for a pod instead of allowing Calico Cloud to automatically choose one.](https://docs.tigera.io/calico-cloud/networking/ipam/use-specific-ip) +[Pin a Kubernetes pod to a chosen address in a Calico Cloud connected cluster by setting a pod annotation that supplies the requested address.](https://docs.tigera.io/calico-cloud/networking/ipam/use-specific-ip) ## [📄️Assign IP addresses based on topology](https://docs.tigera.io/calico-cloud/networking/ipam/assign-ip-addresses-topology) -[Configure Calico Cloud to use specific IP pools for different topologies including zone, rack, or region.](https://docs.tigera.io/calico-cloud/networking/ipam/assign-ip-addresses-topology) +[Bind Calico Cloud IP pools to zones, racks, or regions in a connected cluster with node selectors so pods get addresses that match the topology.](https://docs.tigera.io/calico-cloud/networking/ipam/assign-ip-addresses-topology) ## [📄️Migrate from one IP pool to another](https://docs.tigera.io/calico-cloud/networking/ipam/migrate-pools) -[Migrate pods from one IP pool to another on a running cluster without network 
disruption.](https://docs.tigera.io/calico-cloud/networking/ipam/migrate-pools) +[Move workloads from one Calico Cloud IPPool to another on a running connected cluster without disrupting existing pod connectivity.](https://docs.tigera.io/calico-cloud/networking/ipam/migrate-pools) ## [📄️Change IP pool block size](https://docs.tigera.io/calico-cloud/networking/ipam/change-block-size) -[Expand or shrink the IP pool block size to efficiently manage IP pool addresses.](https://docs.tigera.io/calico-cloud/networking/ipam/change-block-size) +[Resize a Calico Cloud IPPool block — by creating a replacement pool and migrating workloads — to use IP space more efficiently across connected clusters.](https://docs.tigera.io/calico-cloud/networking/ipam/change-block-size) ## [📄️Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico-cloud/networking/ipam/legacy-firewalls) -[Restrict the IP address chosen for a pod to a specific range of IP addresses.](https://docs.tigera.io/calico-cloud/networking/ipam/legacy-firewalls) +[Restrict pods to a defined IP range in a Calico Cloud connected cluster so legacy firewalls and appliances can recognise cluster workloads by source IP.](https://docs.tigera.io/calico-cloud/networking/ipam/legacy-firewalls) ## [📄️LoadBalancer IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/service-loadbalancer) -[LoadBalancer IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/service-loadbalancer) +[Use the Calico Cloud LoadBalancer controller to allocate IPs to Kubernetes Service type LoadBalancer from configured IPPool resources in a connected cluster.](https://docs.tigera.io/calico-cloud/networking/ipam/service-loadbalancer) ### Get started with IP address management diff --git a/static/calico-cloud/llms.txt b/static/calico-cloud/llms.txt index 056dbc8fe5..933f428b42 100644 --- a/static/calico-cloud/llms.txt +++ b/static/calico-cloud/llms.txt 
@@ -114,33 +114,33 @@ ## Observability -- [Observability and troubleshooting](https://docs.tigera.io/calico-cloud/observability/): Use Elasticsearch logs for visibility into all network traffic with Kubernetes context. -- [Manage alerts](https://docs.tigera.io/calico-cloud/observability/alerts): Manage alerts and events for Calico Enterprise features. -- [Dashboards](https://docs.tigera.io/calico-cloud/observability/dashboards): Dashboards help you see what's going on in your cluster. See how your cluster is performing and visualize your system's log data. -- [Create a custom dashboard](https://docs.tigera.io/calico-cloud/observability/create-custom-dashboard): Create a custom dashboard -- [Kibana dashboards and logs](https://docs.tigera.io/calico-cloud/observability/kibana): Learn the basics of using Elasticsearch logs and Kibana to gain visibility and troubleshoot. -- [Packet capture](https://docs.tigera.io/calico-cloud/observability/packetcapture): Capture live traffic for debugging microservices and application interaction. -- [Visualize traffic to and from a cluster](https://docs.tigera.io/calico-cloud/observability/visualize-traffic): Learn the power of network sets. -- [Manage Calico Cloud logs](https://docs.tigera.io/calico-cloud/observability/elastic/): Configure logs for visibility in the web console. -- [Overview](https://docs.tigera.io/calico-cloud/observability/elastic/overview): Summary of the out-of-box features for Calico Cloud logs. -- [Archive logs](https://docs.tigera.io/calico-cloud/observability/elastic/archive-storage): Archive logs to Syslog, Splunk, or Amazon S3 for maintaining compliance data. -- [Configure flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/): Configure, filter, and aggregate flow logs. -- [Flow log data types](https://docs.tigera.io/calico-cloud/observability/elastic/flow/datatypes): Data that Calico Cloud sends to Elasticsearch. 
-- [Filter flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/filtering): Filter Calico Cloud flow logs. -- [Configure flow log aggregation](https://docs.tigera.io/calico-cloud/observability/elastic/flow/aggregation): Configure flow log aggregation to reduce log volume and costs. -- [Enable HostEndpoint reporting in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/hep): Enable hostendpoint reporting in flow logs. -- [Enabling TCP socket stats in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/tcpstats): Enabling TCP socket stats information in flow logs -- [Enable process-level information in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/processpath): Get visibility into process-level network activity in flow logs. -- [Audit logs](https://docs.tigera.io/calico-cloud/observability/elastic/audit-overview): Calico Cloud audit logs provide data on changes to resources. -- [Manage DNS logs for Calico Cloud](https://docs.tigera.io/calico-cloud/observability/elastic/dns/): Configure and filter DNS logs. -- [Query DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/dns-logs): Key/value pairs of DNS activity logs and how to construct queries. -- [Filter DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/filtering-dns): Suppress DNS logs of low significance using filters. -- [BGP logs](https://docs.tigera.io/calico-cloud/observability/elastic/bgp): Key/value pairs of BGP activity logs and how to construct queries. -- [L7 logs](https://docs.tigera.io/calico-cloud/observability/elastic/l7/): Configure Elasticsearch L7 logs. -- [Configure L7 logs](https://docs.tigera.io/calico-cloud/observability/elastic/l7/configure): Configure and aggregate L7 logs. -- [L7 log data types](https://docs.tigera.io/calico-cloud/observability/elastic/l7/datatypes): L7 data that Calico Cloud sends to Elasticsearch. 
-- [Kubernetes audit logs](https://docs.tigera.io/calico-cloud/observability/kube-audit): Enable Kubernetes audit logs on changes to Kubernetes resources. -- [iptables logs](https://docs.tigera.io/calico-cloud/observability/iptables): Learn how policy audit mode rules can affect the number of iptables logs. +- [Observability and troubleshooting](https://docs.tigera.io/calico-cloud/observability/): Observe and troubleshoot connected clusters with Calico Cloud web console dashboards, Service Graph, packet capture, and managed Elasticsearch logs. +- [Manage alerts](https://docs.tigera.io/calico-cloud/observability/alerts): Configure alerts and review alert events for Calico Cloud features in the web console or CLI. Use built-in templates for visibility and security signals. +- [Dashboards](https://docs.tigera.io/calico-cloud/observability/dashboards): Visualize connected cluster activity in the Calico Cloud web console with prebuilt and custom dashboards for cluster health, policy, DNS, and L7 data. +- [Create a custom dashboard](https://docs.tigera.io/calico-cloud/observability/create-custom-dashboard): Build custom dashboards in the Calico Cloud web console by importing cards from standard dashboards or constructing new cards from flow, DNS, and L7 fields. +- [Kibana dashboards and logs](https://docs.tigera.io/calico-cloud/observability/kibana): Use Kibana with Calico Cloud Elasticsearch to explore flow, L7, audit, BGP, DNS, and intrusion detection event logs from connected clusters. +- [Packet capture](https://docs.tigera.io/calico-cloud/observability/packetcapture): Capture live pod traffic in Calico Cloud connected clusters from Service Graph or the CLI and export pcap files to Wireshark for analysis. +- [Visualize traffic to and from a cluster](https://docs.tigera.io/calico-cloud/observability/visualize-traffic): Visualize cluster traffic to and from external endpoints in Calico Cloud Service Graph with network sets that group external IP ranges by purpose. 
+- [Manage Calico Cloud logs](https://docs.tigera.io/calico-cloud/observability/elastic/): Configure managed Elasticsearch logs for Calico Cloud so the web console and Kibana can surface flow, DNS, audit, and L7 data from connected clusters. +- [Overview](https://docs.tigera.io/calico-cloud/observability/elastic/overview): Calico Cloud uses managed Elasticsearch and Kibana for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to external SIEMs. +- [Archive logs](https://docs.tigera.io/calico-cloud/observability/elastic/archive-storage): Forward Calico Cloud flow, DNS, audit, and L7 logs to Syslog, Splunk, or Amazon S3 to retain compliance data beyond managed retention windows. +- [Configure flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/): Configure, filter, and aggregate Calico Cloud flow logs. Add host endpoint, process path, and TCP socket statistics from managed Elasticsearch. +- [Flow log data types](https://docs.tigera.io/calico-cloud/observability/elastic/flow/datatypes): Reference of key/value fields that Calico Cloud sends to Elasticsearch for flow logs, including endpoints, actions, byte counts, and policy verdicts. +- [Filter flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/filtering): Filter Calico Cloud flow logs through Fluentd to drop low-significance traffic and reduce managed Elasticsearch volume and cost. +- [Configure flow log aggregation](https://docs.tigera.io/calico-cloud/observability/elastic/flow/aggregation): Tune Calico Cloud flow log aggregation levels to balance managed Elasticsearch volume and cost against pod and IP visibility for allowed and denied traffic. +- [Enable HostEndpoint reporting in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/hep): Turn on host endpoint reporting in Calico Cloud flow logs to gain visibility into traffic at HostEndpoint interfaces on Kubernetes nodes. 
+- [Enabling TCP socket stats in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/tcpstats): Add TCP socket statistics to Calico Cloud flow logs with eBPF programs that capture round-trip time, retransmits, and other per-socket metrics. +- [Enable process-level information in flow logs](https://docs.tigera.io/calico-cloud/observability/elastic/flow/processpath): Add process executable paths and arguments to Calico Cloud flow logs with eBPF instrumentation for process-level visibility into network activity. +- [Audit logs](https://docs.tigera.io/calico-cloud/observability/elastic/audit-overview): Calico Cloud audit logs record changes to network policies, tiers, network sets, host endpoints, and other resources across connected clusters. +- [Manage DNS logs for Calico Cloud](https://docs.tigera.io/calico-cloud/observability/elastic/dns/): Configure and filter DNS activity logs for Calico Cloud. Review the schema, build Elasticsearch queries, and trim low-value entries. +- [Query DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/dns-logs): Reference of key/value fields in Calico Cloud DNS activity logs in Elasticsearch, with guidance for building client and query lookups. +- [Filter DNS logs](https://docs.tigera.io/calico-cloud/observability/elastic/dns/filtering-dns): Suppress low-value Calico Cloud DNS log entries with Fluentd filters configured through a ConfigMap in the operator namespace of connected clusters. +- [BGP logs](https://docs.tigera.io/calico-cloud/observability/elastic/bgp): Reference of key/value fields in Calico Cloud BGP activity logs in Elasticsearch, with sample queries for IPv4, IPv6, and per-node lookups. +- [L7 logs](https://docs.tigera.io/calico-cloud/observability/elastic/l7/): Configure L7 application traffic logs for Calico Cloud. Deploy Envoy, set aggregation, and review the Elasticsearch L7 log schema for connected clusters. 
+- [Configure L7 logs](https://docs.tigera.io/calico-cloud/observability/elastic/l7/configure): Deploy Envoy and aggregate Calico Cloud L7 logs to monitor HTTP traffic patterns between application workloads on connected clusters. +- [L7 log data types](https://docs.tigera.io/calico-cloud/observability/elastic/l7/datatypes): Reference of key/value fields that Calico Cloud sends to Elasticsearch for L7 logs, including durations, byte counts, and HTTP request metadata. +- [Kubernetes audit logs](https://docs.tigera.io/calico-cloud/observability/kube-audit): Turn on Kubernetes API audit logging for Calico Cloud connected clusters so security teams can review changes to pods, namespaces, and network policies. +- [iptables logs](https://docs.tigera.io/calico-cloud/observability/iptables): Reference explaining how Calico Cloud policy audit mode and the Log rule action influence iptables log volume on connected cluster nodes. ## Threat defense 
@@ -179,45 +179,45 @@ ## Networking -- [Networking](https://docs.tigera.io/calico-cloud/networking/): Calico's flexible networking options reduce the barriers to adopting a CaaS platform solution. Determine the best networking option for your implementation. -- [Calico Ingress Gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/about-calico-ingress-gateway): Understand what Calico Ingress Gateway is and how it works. -- [Create an ingress gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/create-ingress-gateway): Create an ingress gateway to manage ingress traffic with the Kubernetes Gateway API. -- [Customizing your ingress gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/customize-ingress-gateway): Learn how to customize your ingress gateway. -- [Tutorial: Launch a canary deployment with Calico Ingress Gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/tutorial-ingress-gateway-canary): Tutorial for ingress gateways and canary deployment -- [Networking basics](https://docs.tigera.io/calico-cloud/networking/training/): Learn the basics of Kubernetes networking and Calico Cloud networking. -- [Networking overview](https://docs.tigera.io/calico-cloud/networking/training/about-networking): Learn about networking layers, packets, IP addressing, and routing. -- [Kubernetes network model](https://docs.tigera.io/calico-cloud/networking/training/about-kubernetes-networking): Learn network behaviors of the Kubernetes network model. -- [Configure Calico Cloud networking](https://docs.tigera.io/calico-cloud/networking/configuring/): Configure Calico networking options. -- [Configure BGP peering](https://docs.tigera.io/calico-cloud/networking/configuring/bgp): Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors. 
-- [Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico-cloud/networking/configuring/bgp-to-workload): Configure BGP peering with nested clusters running on KubeVirt VMs -- [Deploy a dual ToR cluster](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor): Configure a dual plane cluster for redundant connectivity between workloads. -- [Configure multiple Calico Cloud networks on a pod](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks): Configure a cluster with multiple Calico Cloud networks on each pod, and enforce security using Calico Cloud tiered network policy. -- [Overlay networking](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip): Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses. -- [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips): Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP. -- [Configure MTU to maximize network performance](https://docs.tigera.io/calico-cloud/networking/configuring/mtu): Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network. -- [Custom BGP Configuration](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config): Apply a custom BGP configuration -- [Configure outgoing NAT](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster): Configure Calico Cloud networking to perform outbound NAT for connections from pods to outside of the cluster. 
-- [Use a specific MAC address for a pod](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address): Specify the MAC address for a pod instead of allowing the operating system to assign one -- [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache): Install NodeLocal DNSCache -- [Configure QoS Controls](https://docs.tigera.io/calico-cloud/networking/configuring/qos-controls): Configure QoS (Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections of Calico workloads. -- [Egress gateways](https://docs.tigera.io/calico-cloud/networking/egress/): Configure specific application traffic to exit the cluster through an egress gateway for additional security. -- [Configure egress gateways, on-premises](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-on-prem): Configure specific application traffic to exit the cluster through an egress gateway. -- [Configure egress gateways, AWS](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-aws): Configure specific application traffic to exit the cluster through an egress gateway with a native AWS IP address. -- [Configure egress gateways, Azure](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-azure): Configure specific application traffic to exit the cluster through an egress gateway with a native Azure IP address. 
-- [Optimize egress networking for workloads with long-lived TCP connections](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-maintenance): React to egress gateway maintenance windows and minimize the impact of egress gateway downtime on sensitive workloads -- [Configure egress traffic to multiple external networks](https://docs.tigera.io/calico-cloud/networking/egress/external-network): Allows workloads from different namespaces of a Kubernetes cluster to egress onto different external networks that (may) have overlapping IPs with each other. -- [Troubleshoot egress gateways](https://docs.tigera.io/calico-cloud/networking/egress/troubleshoot): Use checklist to troubleshoot common problems. -- [IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/): Calico IPAM is flexible and efficient. Learn how to interoperate with legacy firewalls using IP address ranges, advertise Kubernetes service IPs, and more. -- [Get started with IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/get-started-ip-addresses): Configure Calico Cloud to use Calico Cloud IPAM or host-local IPAM, and when to use one or the other. -- [Configure default IP pools](https://docs.tigera.io/calico-cloud/networking/ipam/initial-ippool): Configure the default IP address ranges for operator installation. -- [Configure IP autodetection](https://docs.tigera.io/calico-cloud/networking/ipam/ip-autodetection): Calico IP autodetection ensures the correct IP address is used for routing. Learn how to customize it. -- [Configure dual stack](https://docs.tigera.io/calico-cloud/networking/ipam/ipv6): Configure dual stack for workloads. -- [Use a specific IP address with a pod](https://docs.tigera.io/calico-cloud/networking/ipam/use-specific-ip): Specify the IP address for a pod instead of allowing Calico Cloud to automatically choose one. 
-- [Assign IP addresses based on topology](https://docs.tigera.io/calico-cloud/networking/ipam/assign-ip-addresses-topology): Configure Calico Cloud to use specific IP pools for different topologies including zone, rack, or region. -- [Migrate from one IP pool to another](https://docs.tigera.io/calico-cloud/networking/ipam/migrate-pools): Migrate pods from one IP pool to another on a running cluster without network disruption. -- [Change IP pool block size](https://docs.tigera.io/calico-cloud/networking/ipam/change-block-size): Expand or shrink the IP pool block size to efficiently manage IP pool addresses. -- [Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico-cloud/networking/ipam/legacy-firewalls): Restrict the IP address chosen for a pod to a specific range of IP addresses. -- [LoadBalancer IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/service-loadbalancer): LoadBalancer IP address management +- [Networking](https://docs.tigera.io/calico-cloud/networking/): Calico Cloud networking covers BGP, overlay encapsulation, IPAM, egress gateways, ingress gateways, and per-cluster training across connected clusters. +- [Calico Ingress Gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/about-calico-ingress-gateway): Overview of Calico Ingress Gateway in Calico Cloud — a hardened Envoy Gateway build that brings the Kubernetes Gateway API to your connected clusters. +- [Create an ingress gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/create-ingress-gateway): Deploy a Calico Ingress Gateway in a Calico Cloud connected cluster by applying GatewayAPI and Gateway resources tied to the Tigera-managed gateway class. 
+- [Customizing your ingress gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/customize-ingress-gateway): Tune the Calico Ingress Gateway in Calico Cloud via the GatewayAPI resource — multiple gateway classes, pod placement, container resources, and load balancer annotations. +- [Tutorial: Launch a canary deployment with Calico Ingress Gateway](https://docs.tigera.io/calico-cloud/networking/ingress-gateway/tutorial-ingress-gateway-canary): Step-by-step tutorial for running a canary rollout in Calico Cloud by splitting HTTPRoute weights across two backends behind an ingress gateway. +- [Networking basics](https://docs.tigera.io/calico-cloud/networking/training/): Networking training material for Calico Cloud — fundamentals of network layers, IP addressing, routing, and the Kubernetes network model. +- [Networking overview](https://docs.tigera.io/calico-cloud/networking/training/about-networking): Reference primer for networking fundamentals — OSI layers, packet anatomy, MTU, IP addressing, routing, overlays, DNS, and NAT — that underpin Calico Cloud. +- [Kubernetes network model](https://docs.tigera.io/calico-cloud/networking/training/about-kubernetes-networking): Reference primer for Kubernetes networking concepts that help when operating Calico Cloud — pod IPs, services, DNS, NAT outgoing, and dual stack. +- [Configure Calico Cloud networking](https://docs.tigera.io/calico-cloud/networking/configuring/): Networking configuration tasks for Calico Cloud connected clusters — BGP, overlay encapsulation, MTU, multiple pod networks, dual ToR, IPVS, NAT, and QoS controls. +- [Configure BGP peering](https://docs.tigera.io/calico-cloud/networking/configuring/bgp): Set up BGP peering for Calico Cloud connected clusters — full mesh, per-node peers, top-of-rack switches, and route reflectors — with BGPPeer and BGPConfiguration resources. 
+- [Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico-cloud/networking/configuring/bgp-to-workload): Peer Calico Cloud nodes with BGP speakers inside KubeVirt VMs so nested clusters connected to Calico Cloud can announce routes from their workloads. +- [Deploy a dual ToR cluster](https://docs.tigera.io/calico-cloud/networking/configuring/dual-tor): Deploy a dual ToR cluster connected to Calico Cloud so two independent connectivity planes provide redundancy between racks for on-premises clusters. +- [Configure multiple Calico Cloud networks on a pod](https://docs.tigera.io/calico-cloud/networking/configuring/multiple-networks): Add extra Calico Cloud networks to each pod in a connected cluster with the Multus-CNI plugin, then control access with tiered network policy on every interface. +- [Overlay networking](https://docs.tigera.io/calico-cloud/networking/configuring/vxlan-ipip): Choose VXLAN or IP-in-IP overlay encapsulation in a Calico Cloud connected cluster so pod traffic crosses underlay networks that don't route pod CIDRs natively. +- [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-cloud/networking/configuring/advertise-service-ips): Advertise Kubernetes service cluster IPs and external IPs out of a Calico Cloud connected cluster over BGP so upstream routers can reach them directly. +- [Configure MTU to maximize network performance](https://docs.tigera.io/calico-cloud/networking/configuring/mtu): Tune the Calico Cloud MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard overhead. +- [Custom BGP Configuration](https://docs.tigera.io/calico-cloud/networking/configuring/custom-bgp-config): Override the default BIRD BGP templates in a Calico Cloud connected cluster to access advanced BIRD features for proof-of-concept and special-case routing. 
+- [Configure outgoing NAT](https://docs.tigera.io/calico-cloud/networking/configuring/workloads-outside-cluster): Configure NAT outgoing on Calico Cloud IP pools in a connected cluster so pod traffic destined outside the cluster is source-NATed to the node IP. +- [Use a specific MAC address for a pod](https://docs.tigera.io/calico-cloud/networking/configuring/pod-mac-address): Pin a chosen MAC address on a Kubernetes pod interface in a Calico Cloud connected cluster with the CNI plugin, for cases such as MAC-bound software licenses. +- [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-cloud/networking/configuring/node-local-dns-cache): Run NodeLocal DNSCache alongside Calico Cloud in a connected cluster and write the network policy that lets pod DNS traffic reach the per-node cache. +- [Configure QoS Controls](https://docs.tigera.io/calico-cloud/networking/configuring/qos-controls): Apply Calico Cloud QoS controls to cap pod ingress and egress bandwidth, packet rate, and connection counts in a connected cluster, plus DiffServ marking on egress. +- [Egress gateways](https://docs.tigera.io/calico-cloud/networking/egress/): Egress gateways in Calico Cloud — pin per-namespace or per-pod source IPs for outbound traffic, segment external networks, and integrate with cloud fabrics. +- [Configure egress gateways, on-premises](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-on-prem): Send selected application traffic through Calico Cloud egress gateways on-premises so external firewalls see a predictable source IP for cluster workloads. +- [Configure egress gateways, AWS](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-aws): Route selected application traffic out of a Calico Cloud connected cluster through egress gateways with native AWS VPC subnet IPs. 
+- [Configure egress gateways, Azure](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-azure): Route selected application traffic out of a Calico Cloud connected cluster through egress gateways with native Azure VNet IPs. +- [Optimize egress networking for workloads with long-lived TCP connections](https://docs.tigera.io/calico-cloud/networking/egress/egress-gateway-maintenance): Reduce egress gateway downtime impact on long-lived TCP sessions in Calico Cloud connected clusters by reading termination annotations and draining gracefully. +- [Configure egress traffic to multiple external networks](https://docs.tigera.io/calico-cloud/networking/egress/external-network): Direct Calico Cloud egress gateway traffic onto multiple external networks with potentially overlapping IPs by associating gateways with named ExternalNetworks. +- [Troubleshoot egress gateways](https://docs.tigera.io/calico-cloud/networking/egress/troubleshoot): Troubleshooting guide for Calico Cloud egress gateways covering connection failures, source IP mismatches, BGP route propagation, and required pod metadata. +- [IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/): IP address management in Calico Cloud — IPPools, block sizes, IPv6 dual stack, service load balancer IPAM, topology-aware allocation, and pool migration. +- [Get started with IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/get-started-ip-addresses): Pick between Calico Cloud IPAM and host-local IPAM, then configure pool selection, NAT outgoing, and per-namespace IP assignment in a connected cluster. +- [Configure default IP pools](https://docs.tigera.io/calico-cloud/networking/ipam/initial-ippool): Set the default Calico Cloud IP pool CIDR, encapsulation, and NAT outgoing values during Tigera Operator installation through the Installation resource. 
+- [Configure IP autodetection](https://docs.tigera.io/calico-cloud/networking/ipam/ip-autodetection): Pick how Calico Cloud detects each node's primary IP — first-found, Kubernetes internal, interface regex, CIDR, or skip-interface — for reliable routing. +- [Configure dual stack](https://docs.tigera.io/calico-cloud/networking/ipam/ipv6): Configure dual-stack pod networking in a Calico Cloud connected cluster by adding IPv6 IP pools, IPv6 autodetection, and matching CNI plugin settings. +- [Use a specific IP address with a pod](https://docs.tigera.io/calico-cloud/networking/ipam/use-specific-ip): Pin a Kubernetes pod to a chosen address in a Calico Cloud connected cluster by setting a pod annotation that supplies the requested address. +- [Assign IP addresses based on topology](https://docs.tigera.io/calico-cloud/networking/ipam/assign-ip-addresses-topology): Bind Calico Cloud IP pools to zones, racks, or regions in a connected cluster with node selectors so pods get addresses that match the topology. +- [Migrate from one IP pool to another](https://docs.tigera.io/calico-cloud/networking/ipam/migrate-pools): Move workloads from one Calico Cloud IPPool to another on a running connected cluster without disrupting existing pod connectivity. +- [Change IP pool block size](https://docs.tigera.io/calico-cloud/networking/ipam/change-block-size): Resize a Calico Cloud IPPool block — by creating a replacement pool and migrating workloads — to use IP space more efficiently across connected clusters. +- [Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico-cloud/networking/ipam/legacy-firewalls): Restrict pods to a defined IP range in a Calico Cloud connected cluster so legacy firewalls and appliances can recognise cluster workloads by source IP. 
+- [LoadBalancer IP address management](https://docs.tigera.io/calico-cloud/networking/ipam/service-loadbalancer): Use the Calico Cloud LoadBalancer controller to allocate IPs to Kubernetes Service type LoadBalancer from configured IPPool resources in a connected cluster. ## Cluster mesh @@ -341,4 +341,4 @@ ## Optional -- [Calico Cloud release notes](https://docs.tigera.io/calico-cloud/release-notes/): What's new, and why features provide value for upgrading. +- [Calico Cloud release notes](https://docs.tigera.io/calico-cloud/release-notes/): Find what changed in each release of Calico Cloud, including new features, web console updates, enhancements, and fixes across dated releases. diff --git a/static/calico-enterprise/llms-full.txt b/static/calico-enterprise/llms-full.txt index 939c69a654..1ca37f5482 100644 --- a/static/calico-enterprise/llms-full.txt +++ b/static/calico-enterprise/llms-full.txt @@ -26,7 +26,7 @@ The Calico portfolio of products includes Calico Open Source, Calico Enterprise ##### [Determine best networking option](https://docs.tigera.io/calico-enterprise/latest/networking/determine-best-networking) -[Learn about the different networking options Calico Enterprise supports so you can choose the best option for your needs.](https://docs.tigera.io/calico-enterprise/latest/networking/determine-best-networking) +[Compare networking choices in Calico Enterprise — overlay versus non-overlay, BGP, CNI, and IPAM — to land on the right configuration for your cluster.](https://docs.tigera.io/calico-enterprise/latest/networking/determine-best-networking) ##### [Ingress Gateway](https://docs.tigera.io/calico-enterprise/latest/networking/ingress-gateway/about-calico-ingress-gateway) 
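Review bot: in `static/calico-cloud/llms.txt`, the new description for the top-level Networking entry ends with "per-cluster training across connected clusters", which does not match the training pages it points to. The same hunk describes those pages as a "Reference primer for networking fundamentals" and a "Reference primer for Kubernetes networking concepts", that is, general background material and nothing cluster-specific. Since these files are generated, correct the description in the source page's front matter (for example "networking fundamentals training") and regenerate, rather than editing the llms.txt output by hand.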
@@ -4846,12 +4846,32 @@ When using Operator install and Windows hostprocess containers (HPC), see [here - Must not be running in eBPF mode -- VXLAN or BGP without encapsulation is supported if using Calico Enterprise CNI. IPIP (Calico Enterprise's default encapsulation mode) is not supported. Use the following command to turn off IPIP. +- VXLAN or BGP without encapsulation is supported if using Calico Enterprise CNI. IPIP (Calico Enterprise's default encapsulation mode) is not supported. Turn off IPIP on the default IP pool. + + + + **Tab: Operator managed IP pools** + + For IP pools managed through the `Installation` resource, patch the `Installation` to update the encapsulation. The operator reconciles these `IPPool` resources from the `Installation`, so direct edits to the `IPPool` are silently reverted. ```bash - kubectl patch felixconfiguration default -p '{"spec":{"ipipEnabled":false}}' + kubectl patch installation default --type=json \ + + -p '[{"op":"replace","path":"/spec/calicoNetwork/ipPools/0/encapsulation","value":"VXLAN"}]' ``` + If your cluster has additional operator-managed IP pools, repeat the command for each, replacing `0` in `/spec/calicoNetwork/ipPools/0` with the index of the pool. Use `"None"` instead of `"VXLAN"` for BGP without encapsulation. + + **Tab: User managed IP pools** + + For `IPPool` resources created directly (not through the `Installation`), patch the `IPPool`: + + ```bash + kubectl patch ippool default-ipv4-ippool -p '{"spec":{"ipipMode":"Never","vxlanMode":"Always"}}' + ``` + + + - If using Calico Enterprise IPAM, strict affinity of IPAM configuration must be set to `true`. ```bash 
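Review bot: the operator-managed command is broken for copy and paste, because there is an empty `+` line between `kubectl patch installation default --type=json \` and the `-p '[{"op":"replace",...}]` line. The backslash continuation joins only the blank line, so the shell runs `kubectl patch` without a patch body and then tries to run `-p` as a separate command. The generator (or the tab markup in the source page) should emit the fenced block without the inserted blank line. Two smaller documentation points in the same hunk: the user-managed tab only shows `"ipipMode":"Never","vxlanMode":"Always"`, while the bullet also allows BGP without encapsulation, so it needs the counterpart of the `"None"` hint given in the operator tab; and the `replace` on `/spec/calicoNetwork/ipPools/0` assumes the IPIP pool is at index 0, so it would help to tell the reader to list the pools on the `Installation` first and confirm the index before patching.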
@@ -9389,133 +9409,133 @@ The Calico Enterprise network plugins provide a range of networking options to f ##### [Determine best networking option](https://docs.tigera.io/calico-enterprise/latest/networking/determine-best-networking) -[Learn about the different networking options Calico Enterprise supports so you can choose the best option for your needs.](https://docs.tigera.io/calico-enterprise/latest/networking/determine-best-networking) +[Compare networking choices in Calico Enterprise — overlay versus non-overlay, BGP, CNI, and IPAM — to land on the right configuration for your cluster.](https://docs.tigera.io/calico-enterprise/latest/networking/determine-best-networking) ##### [Networking overview](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-networking) -[Learn about networking layers, packets, IP addressing, and routing.](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-networking) +[Reference primer for general networking fundamentals — OSI layers, packet anatomy, MTU, IP addressing, routing, overlays, DNS, and NAT — that underpin Calico Enterprise.](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-networking) ##### [Kubernetes network model](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-kubernetes-networking) -[Learn network behaviors of the Kubernetes network model.](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-kubernetes-networking) +[Reference primer for Kubernetes networking concepts that help when operating Calico Enterprise — pod IPs, services, DNS, NAT outgoing, and dual stack.](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-kubernetes-networking) ## Configuring networking[​](#configuring-networking) ##### [Configure BGP peering](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp) -[Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico 
route reflectors.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp) +[Set up BGP peering for Calico Enterprise — full mesh, per-node peers, top-of-rack switches, and route reflectors — using BGPPeer and BGPConfiguration resources.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp) ##### [Deploy a dual ToR cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor) -[Configure a dual plane cluster for redundant connectivity between workloads.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor) +[Deploy a dual ToR cluster with Calico Enterprise so two independent connectivity planes provide redundancy between racks for on-premises clusters.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor) ##### [Configure multiple Calico Enterprise networks on a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks) -[Configure a cluster with multiple Calico Enterprise networks on each pod, and enforce security using Calico Enterprise tiered network policy.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks) +[Add extra Calico Enterprise networks to each pod with the Multus-CNI plugin, then control access with tiered network policy on every interface.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks) ##### [Overlay networking](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip) -[Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip) +[Choose VXLAN or IP-in-IP overlay encapsulation in Calico Enterprise so pod traffic crosses underlay networks that don't route pod CIDRs 
natively.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip) ##### [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips) -[Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips) +[Advertise Kubernetes service cluster IPs and external IPs out of the cluster over BGP with Calico Enterprise so upstream routers can reach them directly.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips) ##### [Configure MTU to maximize network performance](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu) -[Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu) +[Tune the Calico Enterprise MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard overhead.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu) ##### [Custom BGP configuration](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config) -[Customize your BGP configuration.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config) +[Override the default BIRD BGP templates for Calico Enterprise to access advanced BIRD features for proof-of-concept and special-case routing setups.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config) ##### [Configure outgoing NAT](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster) -[Configure networking to perform outbound NAT for connections from pods to outside of the 
cluster.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster) +[Configure NAT outgoing on Calico Enterprise IP pools so pod traffic destined outside the cluster is source-NATed to the node IP.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster) ##### [Use a specific MAC address for a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address) -[Specify the MAC address for a pod instead of allowing the operating system to assign one](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address) +[Pin a chosen MAC address on a Kubernetes pod interface with the Calico Enterprise CNI plugin for cases such as MAC-bound software licenses.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address) ##### [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache) -[Install NodeLocal DNSCache](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache) +[Run NodeLocal DNSCache alongside Calico Enterprise and write the network policy that lets pod DNS traffic reach the per-node cache.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache) ##### [Configure QoS Controls](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/qos-controls) -[Configure QoS (Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections of Calico workloads.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/qos-controls) +[Apply Calico Enterprise QoS controls to cap pod ingress and egress bandwidth, packet rate, and connection counts, plus DiffServ marking on egress.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/qos-controls) ## IP address 
management[​](#ip-address-management) ##### [Configure BGP peering](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp) -[Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp) +[Set up BGP peering for Calico Enterprise — full mesh, per-node peers, top-of-rack switches, and route reflectors — using BGPPeer and BGPConfiguration resources.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp) ##### [Deploy a dual ToR cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor) -[Configure a dual plane cluster for redundant connectivity between workloads.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor) +[Deploy a dual ToR cluster with Calico Enterprise so two independent connectivity planes provide redundancy between racks for on-premises clusters.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor) ##### [Configure multiple Calico Enterprise networks on a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks) -[Configure a cluster with multiple Calico Enterprise networks on each pod, and enforce security using Calico Enterprise tiered network policy.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks) +[Add extra Calico Enterprise networks to each pod with the Multus-CNI plugin, then control access with tiered network policy on every interface.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks) ##### [Overlay networking](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip) -[Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod 
addresses.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip) +[Choose VXLAN or IP-in-IP overlay encapsulation in Calico Enterprise so pod traffic crosses underlay networks that don't route pod CIDRs natively.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip) ##### [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips) -[Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips) +[Advertise Kubernetes service cluster IPs and external IPs out of the cluster over BGP with Calico Enterprise so upstream routers can reach them directly.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips) ##### [Configure MTU to maximize network performance](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu) -[Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu) +[Tune the Calico Enterprise MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard overhead.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu) ##### [Custom BGP configuration](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config) -[Customize your BGP configuration.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config) +[Override the default BIRD BGP templates for Calico Enterprise to access advanced BIRD features for proof-of-concept and special-case routing setups.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config) ##### [Configure 
outgoing NAT](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster) -[Configure networking to perform outbound NAT for connections from pods to outside of the cluster.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster) +[Configure NAT outgoing on Calico Enterprise IP pools so pod traffic destined outside the cluster is source-NATed to the node IP.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster) ##### [Use a specific MAC address for a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address) -[Specify the MAC address for a pod instead of allowing the operating system to assign one](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address) +[Pin a chosen MAC address on a Kubernetes pod interface with the Calico Enterprise CNI plugin for cases such as MAC-bound software licenses.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address) ##### [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache) -[Install NodeLocal DNSCache](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache) +[Run NodeLocal DNSCache alongside Calico Enterprise and write the network policy that lets pod DNS traffic reach the per-node cache.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache) ##### [LoadBalancer IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/service-loadbalancer) -[LoadBalancer IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/service-loadbalancer) +[Use the Calico Enterprise LoadBalancer controller to allocate IPs to Kubernetes Service type LoadBalancer from configured IPPool 
resources.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/service-loadbalancer) ## Egress gateways[​](#egress-gateways) ##### [Configure egress gateways, on-premises](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-on-prem) -[Configure specific application traffic to exit the cluster through an egress gateway.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-on-prem) +[Send selected application traffic through Calico Enterprise egress gateways on-premises so external firewalls see a predictable source IP for cluster workloads.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-on-prem) ##### [Configure egress gateways, Azure](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure) -[Configure specific application traffic to exit the cluster through an egress gateway with a native Azure IP address.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure) +[Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use native Azure VNet IPs recognised by Azure routing.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure) ##### [Configure egress gateways, AWS](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-aws) -[Configure specific application traffic to exit the cluster through an egress gateway with a native AWS IP address.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-aws) +[Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use VPC subnet IPs visible to the AWS fabric.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-aws) ##### [Optimize egress networking for workloads with long-lived TCP 
connections](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-maintenance) -[React to egress gateway maintenance windows and minimize the impact of egress gateway downtime on sensitive workloads](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-maintenance) +[Reduce the impact of Calico Enterprise egress gateway maintenance on workloads with long-lived TCP sessions by reading termination annotations and timing draining.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-maintenance) ##### [Configure egress traffic to multiple external networks](https://docs.tigera.io/calico-enterprise/latest/networking/egress/external-network) -[Allows workloads from different namespaces of a Kubernetes cluster to egress onto different external networks that (may) have overlapping IPs with each other.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/external-network) +[Steer Calico Enterprise egress gateway traffic onto multiple external networks with potentially overlapping IPs by associating gateways with named ExternalNetworks.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/external-network) ##### [Troubleshoot egress gateways](https://docs.tigera.io/calico-enterprise/latest/networking/egress/troubleshoot) -[Use checklist to troubleshoot common problems.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/troubleshoot) +[Troubleshooting guide for Calico Enterprise egress gateways covering connection failures, source IP mismatches, BGP route advertisement, and required pod metadata.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/troubleshoot) ### Determine best networking option 
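Review bot: under `## IP address management` the regenerated cards are still the Configuring networking set (Configure BGP peering, Deploy a dual ToR cluster, Overlay networking, Configure MTU, and so on), with LoadBalancer IP address management as the only IPAM page in the section. This hunk only rewrites the descriptions, so the duplication is carried over with new text, and a consumer of llms-full.txt still finds no pointer here to the other pages under `networking/ipam/`. If the source index page is what repeats the cards, fix the card list there and regenerate, so that the section lists the IPAM pages and the BGP, MTU and NAT cards appear once.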
@@ -11060,11 +11080,11 @@ For this tutorial, we'll try accessing the app through the gateway by port-forwa ## [📄️Networking overview](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-networking) -[Learn about networking layers, packets, IP addressing, and routing.](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-networking) +[Reference primer for general networking fundamentals — OSI layers, packet anatomy, MTU, IP addressing, routing, overlays, DNS, and NAT — that underpin Calico Enterprise.](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-networking) ## [📄️Kubernetes network model](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-kubernetes-networking) -[Learn network behaviors of the Kubernetes network model.](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-kubernetes-networking) +[Reference primer for Kubernetes networking concepts that help when operating Calico Enterprise — pod IPs, services, DNS, NAT outgoing, and dual stack.](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-kubernetes-networking) ### Networking overview 
@@ -11243,51 +11263,51 @@ If you want to use a mix of IPv4 and IPv6 then you can enable Kubernetes [dual-s ## [📄️Configure BGP peering](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp) -[Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp) +[Set up BGP peering for Calico Enterprise — full mesh, per-node peers, top-of-rack switches, and route reflectors — using BGPPeer and BGPConfiguration resources.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp) ## [📄️Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp-to-workload) -[Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp-to-workload) +[Peer Calico Enterprise nodes with BGP speakers inside KubeVirt VMs so nested clusters can announce routes from their workloads upstream.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp-to-workload) ## [📄️Deploy a dual ToR cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor) -[Configure a dual plane cluster for redundant connectivity between workloads.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor) +[Deploy a dual ToR cluster with Calico Enterprise so two independent connectivity planes provide redundancy between racks for on-premises clusters.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor) ## [📄️Configure multiple Calico Enterprise networks on a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks) -[Configure a cluster with multiple Calico Enterprise networks on each pod, and enforce security using Calico Enterprise tiered network 
policy.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks) +[Add extra Calico Enterprise networks to each pod with the Multus-CNI plugin, then control access with tiered network policy on every interface.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks) ## [📄️Overlay networking](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip) -[Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip) +[Choose VXLAN or IP-in-IP overlay encapsulation in Calico Enterprise so pod traffic crosses underlay networks that don't route pod CIDRs natively.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip) ## [📄️Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips) -[Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips) +[Advertise Kubernetes service cluster IPs and external IPs out of the cluster over BGP with Calico Enterprise so upstream routers can reach them directly.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips) ## [📄️Configure MTU to maximize network performance](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu) -[Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu) +[Tune the Calico Enterprise MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard 
overhead.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu) ## [📄️Custom BGP configuration](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config) -[Customize your BGP configuration.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config) +[Override the default BIRD BGP templates for Calico Enterprise to access advanced BIRD features for proof-of-concept and special-case routing setups.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config) ## [📄️Configure outgoing NAT](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster) -[Configure networking to perform outbound NAT for connections from pods to outside of the cluster.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster) +[Configure NAT outgoing on Calico Enterprise IP pools so pod traffic destined outside the cluster is source-NATed to the node IP.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster) ## [📄️Use a specific MAC address for a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address) -[Specify the MAC address for a pod instead of allowing the operating system to assign one](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address) +[Pin a chosen MAC address on a Kubernetes pod interface with the Calico Enterprise CNI plugin for cases such as MAC-bound software licenses.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address) ## [📄️Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache) -[Install NodeLocal DNSCache](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache) +[Run NodeLocal DNSCache alongside Calico Enterprise and 
write the network policy that lets pod DNS traffic reach the per-node cache.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache) ## [📄️Configure QoS Controls](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/qos-controls) -[Configure QoS (Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections of Calico workloads.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/qos-controls) +[Apply Calico Enterprise QoS controls to cap pod ingress and egress bandwidth, packet rate, and connection counts, plus DiffServ marking on egress.](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/qos-controls) ### Configure BGP peering 
@@ -13864,27 +13884,27 @@ bird: libbpf: prog 'cali_tcx_test': failed to attach to tcx: Invalid argument ## [📄️Configure egress gateways, on-premises](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-on-prem) -[Configure specific application traffic to exit the cluster through an egress gateway.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-on-prem) +[Send selected application traffic through Calico Enterprise egress gateways on-premises so external firewalls see a predictable source IP for cluster workloads.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-on-prem) ## [📄️Configure egress gateways, Azure](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure) -[Configure specific application traffic to exit the cluster through an egress gateway with a native Azure IP address.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure) +[Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use native Azure VNet IPs recognised by Azure routing.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure) ## [📄️Configure egress gateways, AWS](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-aws) -[Configure specific application traffic to exit the cluster through an egress gateway with a native AWS IP address.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-aws) +[Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use VPC subnet IPs visible to the AWS fabric.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-aws) ## [📄️Optimize egress networking for workloads with long-lived TCP connections](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-maintenance) -[React 
to egress gateway maintenance windows and minimize the impact of egress gateway downtime on sensitive workloads](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-maintenance) +[Reduce the impact of Calico Enterprise egress gateway maintenance on workloads with long-lived TCP sessions by reading termination annotations and timing draining.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-maintenance) ## [📄️Configure egress traffic to multiple external networks](https://docs.tigera.io/calico-enterprise/latest/networking/egress/external-network) -[Allows workloads from different namespaces of a Kubernetes cluster to egress onto different external networks that (may) have overlapping IPs with each other.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/external-network) +[Steer Calico Enterprise egress gateway traffic onto multiple external networks with potentially overlapping IPs by associating gateways with named ExternalNetworks.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/external-network) ## [📄️Troubleshoot egress gateways](https://docs.tigera.io/calico-enterprise/latest/networking/egress/troubleshoot) -[Use checklist to troubleshoot common problems.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/troubleshoot) +[Troubleshooting guide for Calico Enterprise egress gateways covering connection failures, source IP mismatches, BGP route advertisement, and required pod metadata.](https://docs.tigera.io/calico-enterprise/latest/networking/egress/troubleshoot) ### Configure egress gateways, on-premises 
@@ -17482,47 +17502,47 @@ If the instance ID recorded in the "calico:instance" tag is for ## [📄️Get started with IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/get-started-ip-addresses) -[Configure Calico Enterprise to use Calico Enterprise IPAM or host-local IPAM, and when to use one or the other.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/get-started-ip-addresses) +[Choose between Calico Enterprise IPAM and host-local IPAM, then configure pool selection, NAT outgoing, and per-namespace IP assignment.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/get-started-ip-addresses) ## [📄️Configure default IP pools](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/initial-ippool) -[Configure the default IP address ranges for operator installation.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/initial-ippool) +[Set the default Calico Enterprise IP pool CIDR, encapsulation, and NAT outgoing values during Tigera Operator installation through the Installation resource.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/initial-ippool) ## [📄️Create multiple IP pools](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ippools) -[Create multiple IP pools](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ippools) +[Define multiple Calico Enterprise IPPool resources at install time or on a running cluster to serve disjoint ranges, IPv6, or per-topology pod allocation.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ippools) ## [📄️Configure IP autodetection](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ip-autodetection) -[Calico IP autodetection ensures the correct IP address is used for routing. 
Learn how to customize it.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ip-autodetection) +[Pick how Calico Enterprise detects each node's primary IP — first-found, Kubernetes internal, interface regex, CIDR, or skip-interface — for reliable routing.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ip-autodetection) ## [📄️Configure dual stack](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ipv6) -[Configure dual stack for workloads.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ipv6) +[Configure dual-stack pod networking with Calico Enterprise by adding IPv6 IP pools, IPv6 autodetection, and matching CNI plugin settings.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ipv6) ## [📄️Use a specific IP address with a pod](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/use-specific-ip) -[Specify the IP address for a pod instead of allowing Calico Enterprise to automatically choose one.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/use-specific-ip) +[Pin a Kubernetes pod to a chosen address with Calico Enterprise IPAM by setting a pod annotation that supplies the requested address.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/use-specific-ip) ## [📄️Assign IP addresses based on topology](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/assign-ip-addresses-topology) -[Configure Calico Enterprise to use specific IP pools for different topologies including zone, rack, or region.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/assign-ip-addresses-topology) +[Bind Calico Enterprise IP pools to zones, racks, or regions with node selectors so pods get addresses that match the cluster topology.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/assign-ip-addresses-topology) ## [📄️Migrate from one IP pool to another](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/migrate-pools) 
-[Migrate pods from one IP pool to another on a running cluster without network disruption.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/migrate-pools) +[Move workloads from one Calico Enterprise IPPool to another on a running cluster without disrupting existing pod connectivity.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/migrate-pools) ## [📄️Change IP pool block size](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/change-block-size) -[Expand or shrink the IP pool block size to efficiently manage IP pool addresses.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/change-block-size) +[Resize a Calico Enterprise IPPool block — by creating a replacement pool and migrating workloads — to use IP space more efficiently in your cluster.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/change-block-size) ## [📄️Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/legacy-firewalls) -[Restrict the IP address chosen for a pod to a specific range of IP addresses.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/legacy-firewalls) +[Restrict pods to a defined IP range with Calico Enterprise so legacy firewalls and external appliances can recognise cluster workloads by source IP.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/legacy-firewalls) ## [📄️LoadBalancer IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/service-loadbalancer) -[LoadBalancer IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/service-loadbalancer) +[Use the Calico Enterprise LoadBalancer controller to allocate IPs to Kubernetes Service type LoadBalancer from configured IPPool resources.](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/service-loadbalancer) ### Get started with IP address management 
@@ -28824,99 +28844,99 @@ See what's going on in your cluster with network observability tools and detaile ##### [Web console tutorial](https://docs.tigera.io/calico-enterprise/latest/observability/get-started-cem) -[Tour the main features of the web console.](https://docs.tigera.io/calico-enterprise/latest/observability/get-started-cem) +[Tour of the Calico Enterprise Manager UI navbar covering dashboards, Service Graph, policies, alerts, Kibana, and packet capture controls.](https://docs.tigera.io/calico-enterprise/latest/observability/get-started-cem) ##### [Manage alerts](https://docs.tigera.io/calico-enterprise/latest/observability/alerts) -[Manage alerts and events for Calico Enterprise features.](https://docs.tigera.io/calico-enterprise/latest/observability/alerts) +[Configure alerts and review alert events for Calico Enterprise features from the Manager UI or CLI. Use built-in templates for visibility and security.](https://docs.tigera.io/calico-enterprise/latest/observability/alerts) ##### [Kibana dashboards and logs](https://docs.tigera.io/calico-enterprise/latest/observability/kibana) -[Learn the basics of using Elasticsearch logs and Kibana to gain visibility and troubleshoot.](https://docs.tigera.io/calico-enterprise/latest/observability/kibana) +[Use Kibana with Calico Enterprise Elasticsearch to explore flow, L7, audit, BGP, DNS, and intrusion detection event logs across managed clusters.](https://docs.tigera.io/calico-enterprise/latest/observability/kibana) ##### [Packet capture](https://docs.tigera.io/calico-enterprise/latest/observability/packetcapture) -[Capture live traffic for debugging microservices and application interaction.](https://docs.tigera.io/calico-enterprise/latest/observability/packetcapture) +[Capture live pod traffic in self-managed Calico Enterprise clusters from Service Graph or the CLI and export pcap files to Wireshark for analysis.](https://docs.tigera.io/calico-enterprise/latest/observability/packetcapture) ##### [Network 
visualization](https://docs.tigera.io/calico-enterprise/latest/observability/visualize-traffic) -[Learn the power of network sets.](https://docs.tigera.io/calico-enterprise/latest/observability/visualize-traffic) +[Use Service Graph in the Calico Enterprise Manager UI to visualize namespace, service, and pod communication patterns and investigate traffic flows.](https://docs.tigera.io/calico-enterprise/latest/observability/visualize-traffic) ## Getting started with logs[​](#getting-started-with-logs) ##### [Overview](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview) -[Summary of the out-of-box features for Calico Enterprise logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview) +[Calico Enterprise deploys an in-cluster Elasticsearch and Kibana stack for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to SIEMs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview) ##### [Configure data retention](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/retention) -[Configure how long to retain logs and compliance reports.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/retention) +[Set retention windows for Calico Enterprise flow, DNS, audit, BGP, L7, snapshot, and compliance report data in the in-cluster LogStorage resource.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/retention) ##### [Archive logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/archive-storage) -[Archive logs to Syslog, Splunk, or Amazon S3 for maintaining compliance data.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/archive-storage) +[Forward Calico Enterprise flow, DNS, audit, and L7 logs to Syslog, Splunk, or Amazon S3 to retain compliance data beyond in-cluster Elasticsearch 
retention.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/archive-storage) ##### [Overview](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview) -[Summary of the out-of-box features for Calico Enterprise logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview) +[Calico Enterprise deploys an in-cluster Elasticsearch and Kibana stack for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to SIEMs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview) ##### [Configure RBAC for Elasticsearch logs and events](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/rbac-elasticsearch) -[Configure RBAC to control access to Elasticsearch logs and events.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/rbac-elasticsearch) +[Set fine-grained Kubernetes RBAC permissions in Calico Enterprise to control access to Elasticsearch flow, audit, DNS, and intrusion detection event indices.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/rbac-elasticsearch) ##### [BGP logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/bgp) -[Key/value pairs of BGP activity logs and how to construct queries.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/bgp) +[Reference of key/value fields in Calico Enterprise BGP activity logs stored in Elasticsearch, with sample queries for IPv4, IPv6, and per-node lookups.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/bgp) ##### [Audit logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/audit-overview) -[Calico Enterprise audit logs provide data on changes to resources.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/audit-overview) +[Calico Enterprise audit logs record changes to network policies, tiers, network sets, host endpoints, and other resources 
for security and compliance review.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/audit-overview) ## Flow logs[​](#flow-logs) ##### [Flow log data types](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/datatypes) -[Data that Calico Enterprise sends to Elasticsearch.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/datatypes) +[Reference of key/value fields that Calico Enterprise sends to Elasticsearch for flow logs, including endpoints, actions, byte counts, and policy verdicts.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/datatypes) ##### [Filter flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/filtering) -[Filter Calico Enterprise flow logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/filtering) +[Filter Calico Enterprise flow logs through Fluentd to drop low-significance traffic and reduce in-cluster Elasticsearch volume and cost.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/filtering) ##### [Configure flow log aggregation](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/aggregation) -[Configure flow log aggregation to reduce log volume and costs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/aggregation) +[Tune Calico Enterprise flow log aggregation levels to balance Elasticsearch volume and cost against pod and IP visibility for allowed and denied traffic.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/aggregation) ##### [Enable HostEndpoint reporting in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/hep) -[Enable hostendpoint reporting in flow logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/hep) +[Turn on host endpoint reporting in Calico Enterprise flow logs to gain visibility into traffic at 
HostEndpoint interfaces on Kubernetes nodes.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/hep) ##### [Enable process-level information in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/processpath) -[Get visibility into process-level network activity in flow logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/processpath) +[Add process executable paths and arguments to Calico Enterprise flow logs with eBPF instrumentation for process-level visibility into network activity.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/processpath) ##### [Enabling TCP socket stats in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/tcpstats) -[Enabling TCP socket stats information in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/tcpstats) +[Add TCP socket statistics to Calico Enterprise flow logs with eBPF programs that capture round-trip time, retransmits, and other per-socket metrics.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/tcpstats) ## DNS logs[​](#dns-logs) ##### [Configure DNS logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/dns-logs) -[Key/value pairs of DNS activity logs and how to construct queries.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/dns-logs) +[Reference of key/value fields in Calico Enterprise DNS activity logs stored in Elasticsearch, with guidance for constructing client and query lookups.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/dns-logs) ##### [Filter DNS logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/filtering-dns) -[Suppress DNS logs of low significance using filters.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/filtering-dns) +[Suppress low-value Calico 
Enterprise DNS log entries with Fluentd filters configured through a ConfigMap in the operator namespace.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/filtering-dns) ## L7 logs[​](#l7-logs) ##### [Configure L7 logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/configure) -[Configure and aggregate L7 logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/configure) +[Deploy Envoy and aggregate Calico Enterprise L7 logs to monitor HTTP traffic patterns between application workloads in self-managed clusters.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/configure) ##### [L7 log data types](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/datatypes) -[L7 data that Calico Enterprise sends to Elasticsearch.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/datatypes) +[Reference of key/value fields that Calico Enterprise sends to Elasticsearch for L7 logs, including durations, byte counts, and HTTP request metadata.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/datatypes) ### Web console tutorial 
@@ -30090,19 +30110,19 @@ With Service Graph, you know the value of seeing pod-to-pod traffic within your ## [📄️Overview](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview) -[Summary of the out-of-box features for Calico Enterprise logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview) +[Calico Enterprise deploys an in-cluster Elasticsearch and Kibana stack for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to SIEMs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview) ## [📄️Configure data retention](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/retention) -[Configure how long to retain logs and compliance reports.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/retention) +[Set retention windows for Calico Enterprise flow, DNS, audit, BGP, L7, snapshot, and compliance report data in the in-cluster LogStorage resource.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/retention) ## [📄️Archive logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/archive-storage) -[Archive logs to Syslog, Splunk, or Amazon S3 for maintaining compliance data.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/archive-storage) +[Forward Calico Enterprise flow, DNS, audit, and L7 logs to Syslog, Splunk, or Amazon S3 to retain compliance data beyond in-cluster Elasticsearch retention.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/archive-storage) ## [📄️Configure RBAC for Elasticsearch logs and events](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/rbac-elasticsearch) -[Configure RBAC to control access to Elasticsearch logs and events.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/rbac-elasticsearch) +[Set fine-grained Kubernetes RBAC permissions in Calico Enterprise to control access to 
Elasticsearch flow, audit, DNS, and intrusion detection event indices.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/rbac-elasticsearch) ## [🗃Flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/) @@ -30110,7 +30130,7 @@ With Service Graph, you know the value of seeing pod-to-pod traffic within your ## [📄️Audit logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/audit-overview) -[Calico Enterprise audit logs provide data on changes to resources.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/audit-overview) +[Calico Enterprise audit logs record changes to network policies, tiers, network sets, host endpoints, and other resources for security and compliance review.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/audit-overview) ## [🗃DNS logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/) @@ -30118,7 +30138,7 @@ With Service Graph, you know the value of seeing pod-to-pod traffic within your ## [📄️BGP logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/bgp) -[Key/value pairs of BGP activity logs and how to construct queries.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/bgp) +[Reference of key/value fields in Calico Enterprise BGP activity logs stored in Elasticsearch, with sample queries for IPv4, IPv6, and per-node lookups.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/bgp) ## [🗃L7 logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/) 
@@ -30126,7 +30146,7 @@ With Service Graph, you know the value of seeing pod-to-pod traffic within your ## [📄️Troubleshoot logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/troubleshoot) -[Learn how to troubleshoot common issues with Elasticsearch.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/troubleshoot) +[Troubleshooting guide for in-cluster Elasticsearch problems in Calico Enterprise covering LogStorage, storage classes, persistent volumes, and diagnostic logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/troubleshoot) ### Overview 
@@ -30854,27 +30874,27 @@ status: ## [📄️Flow log data types](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/datatypes) -[Data that Calico Enterprise sends to Elasticsearch.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/datatypes) +[Reference of key/value fields that Calico Enterprise sends to Elasticsearch for flow logs, including endpoints, actions, byte counts, and policy verdicts.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/datatypes) ## [📄️Filter flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/filtering) -[Filter Calico Enterprise flow logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/filtering) +[Filter Calico Enterprise flow logs through Fluentd to drop low-significance traffic and reduce in-cluster Elasticsearch volume and cost.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/filtering) ## [📄️Configure flow log aggregation](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/aggregation) -[Configure flow log aggregation to reduce log volume and costs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/aggregation) +[Tune Calico Enterprise flow log aggregation levels to balance Elasticsearch volume and cost against pod and IP visibility for allowed and denied traffic.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/aggregation) ## [📄️Enable HostEndpoint reporting in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/hep) -[Enable hostendpoint reporting in flow logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/hep) +[Turn on host endpoint reporting in Calico Enterprise flow logs to gain visibility into traffic at HostEndpoint interfaces on Kubernetes 
nodes.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/hep) ## [📄️Enabling TCP socket stats in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/tcpstats) -[Enabling TCP socket stats information in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/tcpstats) +[Add TCP socket statistics to Calico Enterprise flow logs with eBPF programs that capture round-trip time, retransmits, and other per-socket metrics.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/tcpstats) ## [📄️Enable process-level information in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/processpath) -[Get visibility into process-level network activity in flow logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/processpath) +[Add process executable paths and arguments to Calico Enterprise flow logs with eBPF instrumentation for process-level visibility into network activity.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/processpath) ### Flow log data types 
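Review bot: The new processpath description says process executable paths and arguments are added to flow logs but gives no hint about sensitivity. Command-line arguments can contain credentials, so the summary should point readers to access control for the flow log data, for example the "Configure RBAC for Elasticsearch logs and events" page that llms.txt lists in this same patch. Because these files are generated (per the commit subject), make the wording change in the source page description and regenerate, rather than editing llms-full.txt directly.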
@@ -31505,11 +31525,11 @@ Finally, audit logs provide the core data for compliance reports. ## [📄️Configure DNS logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/dns-logs) -[Key/value pairs of DNS activity logs and how to construct queries.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/dns-logs) +[Reference of key/value fields in Calico Enterprise DNS activity logs stored in Elasticsearch, with guidance for constructing client and query lookups.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/dns-logs) ## [📄️Filter DNS logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/filtering-dns) -[Suppress DNS logs of low significance using filters.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/filtering-dns) +[Suppress low-value Calico Enterprise DNS log entries with Fluentd filters configured through a ConfigMap in the operator namespace.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/filtering-dns) ### Configure DNS logs 
@@ -31651,11 +31671,11 @@ Once a set of BGP logs has accumulated in Elasticsearch, you can perform many in ## [📄️Configure L7 logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/configure) -[Configure and aggregate L7 logs.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/configure) +[Deploy Envoy and aggregate Calico Enterprise L7 logs to monitor HTTP traffic patterns between application workloads in self-managed clusters.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/configure) ## [📄️L7 log data types](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/datatypes) -[L7 data that Calico Enterprise sends to Elasticsearch.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/datatypes) +[Reference of key/value fields that Calico Enterprise sends to Elasticsearch for L7 logs, including durations, byte counts, and HTTP request metadata.](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/datatypes) ### Configure L7 logs diff --git a/static/calico-enterprise/llms.txt b/static/calico-enterprise/llms.txt index 70e69a34ed..d261286553 100644 --- a/static/calico-enterprise/llms.txt +++ b/static/calico-enterprise/llms.txt 
@@ -66,47 +66,47 @@ ## Networking -- [Networking](https://docs.tigera.io/calico-enterprise/latest/networking/): Calico's flexible networking options reduce the barriers to adopting a CaaS platform solution. Determine the best networking option for your implementation. -- [Determine best networking option](https://docs.tigera.io/calico-enterprise/latest/networking/determine-best-networking): Learn about the different networking options Calico Enterprise supports so you can choose the best option for your needs. -- [Calico Ingress Gateway](https://docs.tigera.io/calico-enterprise/latest/networking/ingress-gateway/about-calico-ingress-gateway): Understand what Calico Ingress Gateway is and how it works. -- [Create an ingress gateway](https://docs.tigera.io/calico-enterprise/latest/networking/ingress-gateway/create-ingress-gateway): Create an ingress gateway to manage ingress traffic with the Kubernetes Gateway API. -- [Customizing your ingress gateway](https://docs.tigera.io/calico-enterprise/latest/networking/ingress-gateway/customize-ingress-gateway): Learn how to customize your ingress gateway. -- [Tutorial: Launch a canary deployment with Calico Ingress Gateway](https://docs.tigera.io/calico-enterprise/latest/networking/ingress-gateway/tutorial-ingress-gateway-canary): Tutorial for ingress gateways and canary deployment -- [Networking basics](https://docs.tigera.io/calico-enterprise/latest/networking/training/): Learn the basics of Kubernetes networking and Calico Enterprise networking. -- [Networking overview](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-networking): Learn about networking layers, packets, IP addressing, and routing. -- [Kubernetes network model](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-kubernetes-networking): Learn network behaviors of the Kubernetes network model. 
-- [Configure Calico Enterprise networking](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/): Configure Calico networking options. -- [Configure BGP peering](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp): Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors. -- [Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp-to-workload): Configure BGP peering with nested clusters running on KubeVirt VMs -- [Deploy a dual ToR cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor): Configure a dual plane cluster for redundant connectivity between workloads. -- [Configure multiple Calico Enterprise networks on a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks): Configure a cluster with multiple Calico Enterprise networks on each pod, and enforce security using Calico Enterprise tiered network policy. -- [Overlay networking](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip): Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses. -- [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips): Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP. -- [Configure MTU to maximize network performance](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu): Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network. -- [Custom BGP configuration](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config): Customize your BGP configuration. 
-- [Configure outgoing NAT](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster): Configure networking to perform outbound NAT for connections from pods to outside of the cluster. -- [Use a specific MAC address for a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address): Specify the MAC address for a pod instead of allowing the operating system to assign one -- [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache): Install NodeLocal DNSCache -- [Configure QoS Controls](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/qos-controls): Configure QoS (Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections of Calico workloads. -- [Egress gateways](https://docs.tigera.io/calico-enterprise/latest/networking/egress/): Configure specific application traffic to exit the cluster through an egress gateway for additional security. -- [Configure egress gateways, on-premises](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-on-prem): Configure specific application traffic to exit the cluster through an egress gateway. -- [Configure egress gateways, Azure](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure): Configure specific application traffic to exit the cluster through an egress gateway with a native Azure IP address. -- [Configure egress gateways, AWS](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-aws): Configure specific application traffic to exit the cluster through an egress gateway with a native AWS IP address. 
-- [Optimize egress networking for workloads with long-lived TCP connections](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-maintenance): React to egress gateway maintenance windows and minimize the impact of egress gateway downtime on sensitive workloads -- [Configure egress traffic to multiple external networks](https://docs.tigera.io/calico-enterprise/latest/networking/egress/external-network): Allows workloads from different namespaces of a Kubernetes cluster to egress onto different external networks that (may) have overlapping IPs with each other. -- [Troubleshoot egress gateways](https://docs.tigera.io/calico-enterprise/latest/networking/egress/troubleshoot): Use checklist to troubleshoot common problems. -- [IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/): Calico IPAM is flexible and efficient. Learn how to interoperate with legacy firewalls using IP address ranges, advertise Kubernetes service IPs, and more. -- [Get started with IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/get-started-ip-addresses): Configure Calico Enterprise to use Calico Enterprise IPAM or host-local IPAM, and when to use one or the other. -- [Configure default IP pools](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/initial-ippool): Configure the default IP address ranges for operator installation. -- [Create multiple IP pools](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ippools): Create multiple IP pools -- [Configure IP autodetection](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ip-autodetection): Calico IP autodetection ensures the correct IP address is used for routing. Learn how to customize it. -- [Configure dual stack](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ipv6): Configure dual stack for workloads. 
-- [Use a specific IP address with a pod](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/use-specific-ip): Specify the IP address for a pod instead of allowing Calico Enterprise to automatically choose one. -- [Assign IP addresses based on topology](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/assign-ip-addresses-topology): Configure Calico Enterprise to use specific IP pools for different topologies including zone, rack, or region. -- [Migrate from one IP pool to another](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/migrate-pools): Migrate pods from one IP pool to another on a running cluster without network disruption. -- [Change IP pool block size](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/change-block-size): Expand or shrink the IP pool block size to efficiently manage IP pool addresses. -- [Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/legacy-firewalls): Restrict the IP address chosen for a pod to a specific range of IP addresses. -- [LoadBalancer IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/service-loadbalancer): LoadBalancer IP address management +- [Networking](https://docs.tigera.io/calico-enterprise/latest/networking/): Calico Enterprise networking covers BGP, overlay encapsulation, IPAM, egress gateways, ingress gateways, eBPF acceleration, and Kubernetes networking training. +- [Determine best networking option](https://docs.tigera.io/calico-enterprise/latest/networking/determine-best-networking): Compare networking choices in Calico Enterprise — overlay versus non-overlay, BGP, CNI, and IPAM — to land on the right configuration for your cluster. 
+- [Calico Ingress Gateway](https://docs.tigera.io/calico-enterprise/latest/networking/ingress-gateway/about-calico-ingress-gateway): Overview of Calico Ingress Gateway as offered in Calico Enterprise — a hardened Envoy Gateway build that implements the Kubernetes Gateway API standard. +- [Create an ingress gateway](https://docs.tigera.io/calico-enterprise/latest/networking/ingress-gateway/create-ingress-gateway): Deploy a Calico Ingress Gateway in a Calico Enterprise cluster by applying GatewayAPI and Gateway resources tied to the Tigera-managed gateway class. +- [Customizing your ingress gateway](https://docs.tigera.io/calico-enterprise/latest/networking/ingress-gateway/customize-ingress-gateway): Tune the Calico Ingress Gateway in Calico Enterprise via the GatewayAPI resource — gateway classes, pod placement, container resources, and load balancer annotations. +- [Tutorial: Launch a canary deployment with Calico Ingress Gateway](https://docs.tigera.io/calico-enterprise/latest/networking/ingress-gateway/tutorial-ingress-gateway-canary): Step-by-step tutorial for running a canary rollout in Calico Enterprise by splitting HTTPRoute weights across two backends behind an ingress gateway. +- [Networking basics](https://docs.tigera.io/calico-enterprise/latest/networking/training/): Networking training material for Calico Enterprise — fundamentals of network layers, IP addressing, routing, and the Kubernetes network model. +- [Networking overview](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-networking): Reference primer for general networking fundamentals — OSI layers, packet anatomy, MTU, IP addressing, routing, overlays, DNS, and NAT — that underpin Calico Enterprise. 
+- [Kubernetes network model](https://docs.tigera.io/calico-enterprise/latest/networking/training/about-kubernetes-networking): Reference primer for Kubernetes networking concepts that help when operating Calico Enterprise — pod IPs, services, DNS, NAT outgoing, and dual stack. +- [Configure Calico Enterprise networking](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/): Networking configuration tasks for Calico Enterprise — BGP, overlay encapsulation, MTU, multiple pod networks, dual ToR, IPVS, NAT, and QoS controls. +- [Configure BGP peering](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp): Set up BGP peering for Calico Enterprise — full mesh, per-node peers, top-of-rack switches, and route reflectors — using BGPPeer and BGPConfiguration resources. +- [Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/bgp-to-workload): Peer Calico Enterprise nodes with BGP speakers inside KubeVirt VMs so nested clusters can announce routes from their workloads upstream. +- [Deploy a dual ToR cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/dual-tor): Deploy a dual ToR cluster with Calico Enterprise so two independent connectivity planes provide redundancy between racks for on-premises clusters. +- [Configure multiple Calico Enterprise networks on a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/multiple-networks): Add extra Calico Enterprise networks to each pod with the Multus-CNI plugin, then control access with tiered network policy on every interface. +- [Overlay networking](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/vxlan-ipip): Choose VXLAN or IP-in-IP overlay encapsulation in Calico Enterprise so pod traffic crosses underlay networks that don't route pod CIDRs natively. 
+- [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/advertise-service-ips): Advertise Kubernetes service cluster IPs and external IPs out of the cluster over BGP with Calico Enterprise so upstream routers can reach them directly. +- [Configure MTU to maximize network performance](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/mtu): Tune the Calico Enterprise MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard overhead. +- [Custom BGP configuration](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/custom-bgp-config): Override the default BIRD BGP templates for Calico Enterprise to access advanced BIRD features for proof-of-concept and special-case routing setups. +- [Configure outgoing NAT](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/workloads-outside-cluster): Configure NAT outgoing on Calico Enterprise IP pools so pod traffic destined outside the cluster is source-NATed to the node IP. +- [Use a specific MAC address for a pod](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/pod-mac-address): Pin a chosen MAC address on a Kubernetes pod interface with the Calico Enterprise CNI plugin for cases such as MAC-bound software licenses. +- [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/node-local-dns-cache): Run NodeLocal DNSCache alongside Calico Enterprise and write the network policy that lets pod DNS traffic reach the per-node cache. +- [Configure QoS Controls](https://docs.tigera.io/calico-enterprise/latest/networking/configuring/qos-controls): Apply Calico Enterprise QoS controls to cap pod ingress and egress bandwidth, packet rate, and connection counts, plus DiffServ marking on egress. 
+- [Egress gateways](https://docs.tigera.io/calico-enterprise/latest/networking/egress/): Egress gateways in Calico Enterprise — pin per-namespace or per-pod source IPs for outbound traffic, integrate with cloud fabrics, and segment external networks. +- [Configure egress gateways, on-premises](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-on-prem): Send selected application traffic through Calico Enterprise egress gateways on-premises so external firewalls see a predictable source IP for cluster workloads. +- [Configure egress gateways, Azure](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure): Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use native Azure VNet IPs recognised by Azure routing. +- [Configure egress gateways, AWS](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-aws): Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use VPC subnet IPs visible to the AWS fabric. +- [Optimize egress networking for workloads with long-lived TCP connections](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-maintenance): Reduce the impact of Calico Enterprise egress gateway maintenance on workloads with long-lived TCP sessions by reading termination annotations and timing draining. +- [Configure egress traffic to multiple external networks](https://docs.tigera.io/calico-enterprise/latest/networking/egress/external-network): Steer Calico Enterprise egress gateway traffic onto multiple external networks with potentially overlapping IPs by associating gateways with named ExternalNetworks. 
+- [Troubleshoot egress gateways](https://docs.tigera.io/calico-enterprise/latest/networking/egress/troubleshoot): Troubleshooting guide for Calico Enterprise egress gateways covering connection failures, source IP mismatches, BGP route advertisement, and required pod metadata. +- [IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/): IP address management in Calico Enterprise — IPPools, block sizes, IPv6 dual stack, service load balancer IPAM, topology-aware allocation, and pool migration. +- [Get started with IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/get-started-ip-addresses): Choose between Calico Enterprise IPAM and host-local IPAM, then configure pool selection, NAT outgoing, and per-namespace IP assignment. +- [Configure default IP pools](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/initial-ippool): Set the default Calico Enterprise IP pool CIDR, encapsulation, and NAT outgoing values during Tigera Operator installation through the Installation resource. +- [Create multiple IP pools](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ippools): Define multiple Calico Enterprise IPPool resources at install time or on a running cluster to serve disjoint ranges, IPv6, or per-topology pod allocation. +- [Configure IP autodetection](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ip-autodetection): Pick how Calico Enterprise detects each node's primary IP — first-found, Kubernetes internal, interface regex, CIDR, or skip-interface — for reliable routing. +- [Configure dual stack](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/ipv6): Configure dual-stack pod networking with Calico Enterprise by adding IPv6 IP pools, IPv6 autodetection, and matching CNI plugin settings. 
+- [Use a specific IP address with a pod](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/use-specific-ip): Pin a Kubernetes pod to a chosen address with Calico Enterprise IPAM by setting a pod annotation that supplies the requested address. +- [Assign IP addresses based on topology](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/assign-ip-addresses-topology): Bind Calico Enterprise IP pools to zones, racks, or regions with node selectors so pods get addresses that match the cluster topology. +- [Migrate from one IP pool to another](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/migrate-pools): Move workloads from one Calico Enterprise IPPool to another on a running cluster without disrupting existing pod connectivity. +- [Change IP pool block size](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/change-block-size): Resize a Calico Enterprise IPPool block — by creating a replacement pool and migrating workloads — to use IP space more efficiently in your cluster. +- [Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/legacy-firewalls): Restrict pods to a defined IP range with Calico Enterprise so legacy firewalls and external appliances can recognise cluster workloads by source IP. +- [LoadBalancer IP address management](https://docs.tigera.io/calico-enterprise/latest/networking/ipam/service-loadbalancer): Use the Calico Enterprise LoadBalancer controller to allocate IPs to Kubernetes Service type LoadBalancer from configured IPPool resources. ## Network policy 
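Review bot: Two of the new Networking descriptions name topics that have no entry in this section. The top-level "Networking" description lists "eBPF acceleration" and the "Configure Calico Enterprise networking" description lists "IPVS", yet none of the links between "## Networking" and "## Network policy" points to an eBPF or IPVS page. Either drop those terms or confirm the pages exist and are simply not indexed here. Style: "recognised" (egress-gateway-azure) and "recognise" (legacy-firewalls) use British spelling, while the same hunk keeps "Optimize" in the egress-gateway-maintenance title, so pick one convention. Many of the added descriptions also use a spaced em-dash as a separator where the replaced text used plain sentences; a colon or "covering ..." would be more robust for consumers that parse each entry as "title: description".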
@@ -168,36 +168,36 @@ ## Observability -- [Observability and troubleshooting](https://docs.tigera.io/calico-enterprise/latest/observability/): Use Elasticsearch logs for visibility into all network traffic with Kubernetes context. -- [Web console tutorial](https://docs.tigera.io/calico-enterprise/latest/observability/get-started-cem): Tour the main features of the web console. -- [Manage alerts](https://docs.tigera.io/calico-enterprise/latest/observability/alerts): Manage alerts and events for Calico Enterprise features. -- [Dashboards](https://docs.tigera.io/calico-enterprise/latest/observability/dashboards): Dashboards help you see what's going on in your cluster. See how your cluster is performing and visualize your system's log data. -- [Kibana dashboards and logs](https://docs.tigera.io/calico-enterprise/latest/observability/kibana): Learn the basics of using Elasticsearch logs and Kibana to gain visibility and troubleshoot. -- [Packet capture](https://docs.tigera.io/calico-enterprise/latest/observability/packetcapture): Capture live traffic for debugging microservices and application interaction. -- [Network visualization](https://docs.tigera.io/calico-enterprise/latest/observability/visualize-traffic): Learn the power of network sets. -- [Manage Calico Enterprise logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/): Configure logs for visibility in the web console. -- [Overview](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview): Summary of the out-of-box features for Calico Enterprise logs. -- [Configure data retention](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/retention): Configure how long to retain logs and compliance reports. -- [Archive logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/archive-storage): Archive logs to Syslog, Splunk, or Amazon S3 for maintaining compliance data. 
-- [Configure RBAC for Elasticsearch logs and events](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/rbac-elasticsearch): Configure RBAC to control access to Elasticsearch logs and events. -- [Configure flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/): Configure, filter, and aggregate flow logs. -- [Flow log data types](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/datatypes): Data that Calico Enterprise sends to Elasticsearch. -- [Filter flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/filtering): Filter Calico Enterprise flow logs. -- [Configure flow log aggregation](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/aggregation): Configure flow log aggregation to reduce log volume and costs. -- [Enable HostEndpoint reporting in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/hep): Enable hostendpoint reporting in flow logs. -- [Enabling TCP socket stats in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/tcpstats): Enabling TCP socket stats information in flow logs -- [Enable process-level information in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/processpath): Get visibility into process-level network activity in flow logs. -- [Audit logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/audit-overview): Calico Enterprise audit logs provide data on changes to resources. -- [Manage DNS logs for Calico Enterprise](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/): Configure and filter DNS logs. -- [Configure DNS logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/dns-logs): Key/value pairs of DNS activity logs and how to construct queries. 
-- [Filter DNS logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/filtering-dns): Suppress DNS logs of low significance using filters. -- [BGP logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/bgp): Key/value pairs of BGP activity logs and how to construct queries. -- [L7 logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/): Configure Elasticsearch L7 logs. -- [Configure L7 logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/configure): Configure and aggregate L7 logs. -- [L7 log data types](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/datatypes): L7 data that Calico Enterprise sends to Elasticsearch. -- [Troubleshoot logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/troubleshoot): Learn how to troubleshoot common issues with Elasticsearch. -- [Kubernetes audit logs](https://docs.tigera.io/calico-enterprise/latest/observability/kube-audit): Enable Kubernetes audit logs on changes to Kubernetes resources. -- [iptables logs](https://docs.tigera.io/calico-enterprise/latest/observability/iptables): Learn how policy audit mode rules can affect the number of iptables logs. +- [Observability and troubleshooting](https://docs.tigera.io/calico-enterprise/latest/observability/): Observe and troubleshoot self-managed Calico Enterprise clusters with Manager UI dashboards, Service Graph, packet capture, and Elasticsearch logs. +- [Web console tutorial](https://docs.tigera.io/calico-enterprise/latest/observability/get-started-cem): Tour of the Calico Enterprise Manager UI navbar covering dashboards, Service Graph, policies, alerts, Kibana, and packet capture controls. +- [Manage alerts](https://docs.tigera.io/calico-enterprise/latest/observability/alerts): Configure alerts and review alert events for Calico Enterprise features from the Manager UI or CLI. Use built-in templates for visibility and security. 
+- [Dashboards](https://docs.tigera.io/calico-enterprise/latest/observability/dashboards): Visualize cluster activity in the Calico Enterprise Manager UI with prebuilt dashboards for cluster health, policy, DNS, and L7 log data. +- [Kibana dashboards and logs](https://docs.tigera.io/calico-enterprise/latest/observability/kibana): Use Kibana with Calico Enterprise Elasticsearch to explore flow, L7, audit, BGP, DNS, and intrusion detection event logs across managed clusters. +- [Packet capture](https://docs.tigera.io/calico-enterprise/latest/observability/packetcapture): Capture live pod traffic in self-managed Calico Enterprise clusters from Service Graph or the CLI and export pcap files to Wireshark for analysis. +- [Network visualization](https://docs.tigera.io/calico-enterprise/latest/observability/visualize-traffic): Use Service Graph in the Calico Enterprise Manager UI to visualize namespace, service, and pod communication patterns and investigate traffic flows. +- [Manage Calico Enterprise logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/): Configure in-cluster Elasticsearch logs for Calico Enterprise so the Manager UI, Kibana, and the Elasticsearch API can surface flow, DNS, audit, and L7 data. +- [Overview](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/overview): Calico Enterprise deploys an in-cluster Elasticsearch and Kibana stack for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to SIEMs. +- [Configure data retention](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/retention): Set retention windows for Calico Enterprise flow, DNS, audit, BGP, L7, snapshot, and compliance report data in the in-cluster LogStorage resource. 
+- [Archive logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/archive-storage): Forward Calico Enterprise flow, DNS, audit, and L7 logs to Syslog, Splunk, or Amazon S3 to retain compliance data beyond in-cluster Elasticsearch retention. +- [Configure RBAC for Elasticsearch logs and events](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/rbac-elasticsearch): Set fine-grained Kubernetes RBAC permissions in Calico Enterprise to control access to Elasticsearch flow, audit, DNS, and intrusion detection event indices. +- [Configure flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/): Configure, filter, and aggregate Calico Enterprise flow logs. Add host endpoint, process path, and TCP socket statistics from in-cluster Elasticsearch. +- [Flow log data types](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/datatypes): Reference of key/value fields that Calico Enterprise sends to Elasticsearch for flow logs, including endpoints, actions, byte counts, and policy verdicts. +- [Filter flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/filtering): Filter Calico Enterprise flow logs through Fluentd to drop low-significance traffic and reduce in-cluster Elasticsearch volume and cost. +- [Configure flow log aggregation](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/aggregation): Tune Calico Enterprise flow log aggregation levels to balance Elasticsearch volume and cost against pod and IP visibility for allowed and denied traffic. +- [Enable HostEndpoint reporting in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/hep): Turn on host endpoint reporting in Calico Enterprise flow logs to gain visibility into traffic at HostEndpoint interfaces on Kubernetes nodes. 
+- [Enabling TCP socket stats in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/tcpstats): Add TCP socket statistics to Calico Enterprise flow logs with eBPF programs that capture round-trip time, retransmits, and other per-socket metrics. +- [Enable process-level information in flow logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/flow/processpath): Add process executable paths and arguments to Calico Enterprise flow logs with eBPF instrumentation for process-level visibility into network activity. +- [Audit logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/audit-overview): Calico Enterprise audit logs record changes to network policies, tiers, network sets, host endpoints, and other resources for security and compliance review. +- [Manage DNS logs for Calico Enterprise](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/): Configure and filter DNS activity logs for Calico Enterprise. Review the schema, build Elasticsearch queries, and trim low-value entries. +- [Configure DNS logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/dns-logs): Reference of key/value fields in Calico Enterprise DNS activity logs stored in Elasticsearch, with guidance for constructing client and query lookups. +- [Filter DNS logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/dns/filtering-dns): Suppress low-value Calico Enterprise DNS log entries with Fluentd filters configured through a ConfigMap in the operator namespace. +- [BGP logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/bgp): Reference of key/value fields in Calico Enterprise BGP activity logs stored in Elasticsearch, with sample queries for IPv4, IPv6, and per-node lookups. +- [L7 logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/): Configure L7 application traffic logs for Calico Enterprise. 
Deploy Envoy, set aggregation, and review the Elasticsearch L7 log schema. +- [Configure L7 logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/configure): Deploy Envoy and aggregate Calico Enterprise L7 logs to monitor HTTP traffic patterns between application workloads in self-managed clusters. +- [L7 log data types](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/l7/datatypes): Reference of key/value fields that Calico Enterprise sends to Elasticsearch for L7 logs, including durations, byte counts, and HTTP request metadata. +- [Troubleshoot logs](https://docs.tigera.io/calico-enterprise/latest/observability/elastic/troubleshoot): Troubleshooting guide for in-cluster Elasticsearch problems in Calico Enterprise covering LogStorage, storage classes, persistent volumes, and diagnostic logs. +- [Kubernetes audit logs](https://docs.tigera.io/calico-enterprise/latest/observability/kube-audit): Turn on Kubernetes API audit logging for Calico Enterprise so security teams can review changes to pods, namespaces, network policies, and other resources. +- [iptables logs](https://docs.tigera.io/calico-enterprise/latest/observability/iptables): Reference explaining how Calico Enterprise policy audit mode and the Log rule action affect iptables log volume on cluster nodes. ## Multi-cluster management @@ -442,4 +442,4 @@ ## Optional -- [Calico Enterprise 3.22 release notes](https://docs.tigera.io/calico-enterprise/latest/release-notes/): What's new, and why features provide value for upgrading. +- [Calico Enterprise 3.22 release notes](https://docs.tigera.io/calico-enterprise/latest/release-notes/): Release notes for the current Calico Enterprise release — new features, enhancements, technology previews, deprecations, and bug fixes. diff --git a/static/calico/llms-full.txt b/static/calico/llms-full.txt index b1c06847db..413c86e690 100644 --- a/static/calico/llms-full.txt +++ b/static/calico/llms-full.txt 
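Review bot: in the `@@ -442,4 +442,4 @@` hunk of static/calico-enterprise/llms.txt, the link title on the changed line still pins `3.22` while the URL is `/latest/release-notes/` and the new description says "Release notes for the current Calico Enterprise release". The title will be stale as soon as `latest` moves to another version. Either generate the version in the title from the same source as the URL, or drop the version from the title so the line stays correct without a regeneration.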
@@ -26,7 +26,7 @@ The Calico portfolio of products includes Calico Open Source, Calico Enterprise ##### [Determine best networking option](https://docs.tigera.io/calico/latest/networking/determine-best-networking) -[Learn about the different networking options Calico supports so you can choose the best option for your needs.](https://docs.tigera.io/calico/latest/networking/determine-best-networking) +[Compare networking options in Calico Open Source — overlay versus non-overlay, BGP routing, CNI choices, and IPAM modes — to pick the right combination for your environment.](https://docs.tigera.io/calico/latest/networking/determine-best-networking) ##### [Ingress Gateway](https://docs.tigera.io/calico/latest/networking/ingress-gateway/about-calico-ingress-gateway) 
@@ -6928,12 +6928,38 @@ Earlier versions may work, but we do not actively test Calico for Windows agains - At least one Linux Kubernetes worker node to run Calico's cluster-wide components that meets [Linux system requirements](https://docs.tigera.io/calico/latest/getting-started/kubernetes/requirements), and is installed with Calico. Calico v3.27+ is required for Operator installs. -- VXLAN or BGP without encapsulation is supported if using Calico CNI. IPIP (Calico's default encapsulation mode) is not supported. Use the following command to turn off IPIP on the default IP pool. +- VXLAN or BGP without encapsulation is supported if using Calico CNI. IPIP (Calico's default encapsulation mode) is not supported. Turn off IPIP on the default IP pool. + + + + **Tab: Operator managed IP pools** + + For IP pools managed through the `Installation` resource, patch the `Installation` to update the encapsulation. The operator reconciles these `IPPool` resources from the `Installation`, so direct edits to the `IPPool` are silently reverted. + + ```bash + kubectl patch installation default --type=json \ + + -p '[{"op":"replace","path":"/spec/calicoNetwork/ipPools/0/encapsulation","value":"VXLAN"}]' + ``` + + If your cluster has additional operator-managed IP pools, repeat the command for each, replacing `0` in `/spec/calicoNetwork/ipPools/0` with the index of the pool. Use `"None"` instead of `"VXLAN"` for BGP without encapsulation. + + **Tab: User managed IP pools** + + For `IPPool` resources created directly (not through the `Installation`), patch the `IPPool`. For VXLAN: ```bash kubectl patch ippool default-ipv4-ippool -p '{"spec":{"ipipMode":"Never","vxlanMode":"Always"}}' ``` + For BGP without encapsulation, set both modes to `Never`: + + ```bash + kubectl patch ippool default-ipv4-ippool -p '{"spec":{"ipipMode":"Never","vxlanMode":"Never"}}' + ``` + + + - If using Calico IPAM, strict affinity of IPAM configuration must be set to `true`. ```bash 
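Review bot: in the operator-managed tab, the added `kubectl patch installation default --type=json \` line appears to be followed by an empty `+` line before `-p '[{"op":"replace",...}]'`, so the backslash continuation ends on a blank line. Copied as shown, the shell runs the patch command without its `-p` argument and then tries to run `-p` as a separate command. Remove the blank line in the source page so the two lines are adjacent, or put the command on one line. Because the new text says direct `IPPool` edits are silently reverted by the operator, it would also help to tell readers how to confirm the result, for example by checking `ipipMode` and `vxlanMode` on the pool after the operator reconciles. The empty `+` lines around the `**Tab: ...**` labels look like stripped tab markup; check that the generator does not leave the same gap inside other fenced blocks.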
@@ -15971,7 +15997,7 @@ There are two sections to the install: adding Calico to OpenStack control nodes, - Ensure that you meet the [requirements](https://docs.tigera.io/calico/latest/getting-started/openstack/requirements). - Confirm that you have SSH access to and root privileges on one or more Ubuntu hosts (your OpenStack compute or control nodes). -- [Install OpenStack with Neutron and ML2 networking](http://docs.openstack.org) on the Ubuntu hosts. +- [Install OpenStack](http://docs.openstack.org) on the Ubuntu hosts. ## Common steps[​](#common-steps) @@ -16212,7 +16238,7 @@ There are two sections to the install: adding Calico to OpenStack control nodes, - Ensure that you meet the [requirements](https://docs.tigera.io/calico/latest/getting-started/openstack/requirements). - Confirm that you have SSH access to and root privileges on one or more Red Hat Enterprise Linux (RHEL) hosts. - Make sure you have working DNS between the RHEL hosts (use `/etc/hosts` if you don't have DNS on your network). -- [Install OpenStack with Neutron and ML2 networking](http://docs.openstack.org) on the RHEL hosts. +- [Install OpenStack](http://docs.openstack.org) on the RHEL hosts. ## Common steps[​](#common-steps) @@ -16685,7 +16711,7 @@ The Calico network plugins provide a range of networking options to fit your imp ##### [Determine best networking option](https://docs.tigera.io/calico/latest/networking/determine-best-networking) -[Learn about the different networking options Calico supports so you can choose the best option for your needs.](https://docs.tigera.io/calico/latest/networking/determine-best-networking) +[Compare networking options in Calico Open Source — overlay versus non-overlay, BGP routing, CNI choices, and IPAM modes — to pick the right combination for your environment.](https://docs.tigera.io/calico/latest/networking/determine-best-networking) ##### [About networking](https://docs.tigera.io/calico/latest/about/kubernetes-training/about-networking) 
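Review bot: in the two OpenStack prerequisite hunks on static/calico/llms-full.txt (`@@ -15971,7 +15997,7 @@` for Ubuntu and `@@ -16212,7 +16238,7 @@` for RHEL), shortening the link text to `Install OpenStack` drops the Neutron prerequisite from the checklist, while other descriptions added in this same patch (floating IPs, host routes, Neutron API calls) assume Neutron is present. If only the ML2 requirement is obsolete, keep Neutron in the link text. The link target is plain `http://docs.openstack.org` on both the removed and the added lines; switch it to `https://` while the line is being touched.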
@@ -16699,147 +16725,147 @@ The Calico network plugins provide a range of networking options to fit your imp ##### [Configure BGP peering](https://docs.tigera.io/calico/latest/networking/configuring/bgp) -[Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors.](https://docs.tigera.io/calico/latest/networking/configuring/bgp) +[Configure BGP peering for Calico Open Source — full mesh, node-specific peers, top-of-rack switches, and Calico route reflectors — using BGPPeer and BGPConfiguration resources.](https://docs.tigera.io/calico/latest/networking/configuring/bgp) ##### [Overlay networking](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) -[Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses.](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) +[Pick between VXLAN and IP-in-IP overlay modes in Calico Open Source so pod traffic crosses underlay networks that don't route pod CIDRs natively.](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) ##### [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico/latest/networking/configuring/advertise-service-ips) -[Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP.](https://docs.tigera.io/calico/latest/networking/configuring/advertise-service-ips) +[Advertise Kubernetes service cluster IPs and external IPs out of the cluster over BGP with Calico Open Source so external clients can route to them directly.](https://docs.tigera.io/calico/latest/networking/configuring/advertise-service-ips) ##### [Configure MTU to maximize network performance](https://docs.tigera.io/calico/latest/networking/configuring/mtu) -[Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying 
network.](https://docs.tigera.io/calico/latest/networking/configuring/mtu) +[Tune the Calico Open Source MTU on the FelixConfiguration resource so pod traffic matches the underlying network, including VXLAN, IP-in-IP, and WireGuard overheads.](https://docs.tigera.io/calico/latest/networking/configuring/mtu) ##### [Configure outgoing NAT](https://docs.tigera.io/calico/latest/networking/configuring/workloads-outside-cluster) -[Configure networking to perform outbound NAT for connections from pods to outside of the cluster.](https://docs.tigera.io/calico/latest/networking/configuring/workloads-outside-cluster) +[Set NAT outgoing on Calico Open Source IP pools so pod traffic to destinations outside the cluster is source-NATed to the node's IP.](https://docs.tigera.io/calico/latest/networking/configuring/workloads-outside-cluster) ##### [Use IPVS kube-proxy](https://docs.tigera.io/calico/latest/networking/configuring/use-ipvs) -[Use IPVS kube-proxy for performance improvements.](https://docs.tigera.io/calico/latest/networking/configuring/use-ipvs) +[Run kube-proxy in IPVS mode with Calico Open Source for constant-time service load balancing on clusters with thousands of services.](https://docs.tigera.io/calico/latest/networking/configuring/use-ipvs) ##### [Accelerate Istio network performance](https://docs.tigera.io/calico/latest/networking/configuring/sidecar-acceleration) -[Use Calico to accelerate network performance of traffic through the Istio Envoy sidecar using eBPF.](https://docs.tigera.io/calico/latest/networking/configuring/sidecar-acceleration) +[Accelerate Istio Envoy sidecar traffic on Calico Open Source by using eBPF SOCKMAP to bypass kernel networking layers between the sidecar and the application.](https://docs.tigera.io/calico/latest/networking/configuring/sidecar-acceleration) ##### [Use a specific MAC address for a pod](https://docs.tigera.io/calico/latest/networking/configuring/pod-mac-address) -[Specify the MAC address for a pod instead of allowing 
the operating system to assign one](https://docs.tigera.io/calico/latest/networking/configuring/pod-mac-address) +[Set a chosen MAC address on a Kubernetes pod interface with the Calico Open Source CNI plugin, useful for software licensing tied to MAC.](https://docs.tigera.io/calico/latest/networking/configuring/pod-mac-address) ##### [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico/latest/networking/configuring/node-local-dns-cache) -[Install NodeLocal DNSCache](https://docs.tigera.io/calico/latest/networking/configuring/node-local-dns-cache) +[Install NodeLocal DNSCache alongside Calico Open Source and configure network policy that lets pod DNS traffic reach the local cache.](https://docs.tigera.io/calico/latest/networking/configuring/node-local-dns-cache) ##### [Configure QoS Controls](https://docs.tigera.io/calico/latest/networking/configuring/qos-controls) -[Configure QoS (Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections of Calico workloads.](https://docs.tigera.io/calico/latest/networking/configuring/qos-controls) +[Cap pod ingress and egress bandwidth, packet rate, and connection counts with Calico Open Source QoS controls, plus DiffServ marking on egress traffic.](https://docs.tigera.io/calico/latest/networking/configuring/qos-controls) ##### [Add Maglev load balancing to a service](https://docs.tigera.io/calico/latest/networking/configuring/add-maglev-load-balancing) -[Add Maglev load balancing to a Kubernetes service.](https://docs.tigera.io/calico/latest/networking/configuring/add-maglev-load-balancing) +[Switch a Kubernetes service to Maglev consistent-hash load balancing on the Calico Open Source eBPF data plane for resilient backend selection.](https://docs.tigera.io/calico/latest/networking/configuring/add-maglev-load-balancing) ## IP address management[​](#ip-address-management) ##### [Get started with IP address 
management](https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses) -[Configure Calico to use Calico IPAM or host-local IPAM, and when to use one or the other.](https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses) +[Decide between Calico Open Source IPAM and host-local IPAM, then configure IP pool allocation, NAT outgoing, and per-namespace assignment.](https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses) ##### [Create multiple IP pools](https://docs.tigera.io/calico/latest/networking/ipam/ippools) -[Create multiple IP pools](https://docs.tigera.io/calico/latest/networking/ipam/ippools) +[Create additional Calico Open Source IPPool resources at install time or on a running cluster to serve disjoint ranges, IPv6, or per-topology pod address assignment.](https://docs.tigera.io/calico/latest/networking/ipam/ippools) ##### [Configure IP autodetection](https://docs.tigera.io/calico/latest/networking/ipam/ip-autodetection) -[Calico IP autodetection ensures the correct IP address is used for routing. 
Learn how to customize it.](https://docs.tigera.io/calico/latest/networking/ipam/ip-autodetection) +[Choose how Calico Open Source detects each node's primary IP address, with options for first-found, Kubernetes internal, interface regex, CIDR, and skip-interface.](https://docs.tigera.io/calico/latest/networking/ipam/ip-autodetection) ##### [Configure dual stack or IPv6 only](https://docs.tigera.io/calico/latest/networking/ipam/ipv6) -[Configure dual stack or IPv6 only for workloads.](https://docs.tigera.io/calico/latest/networking/ipam/ipv6) +[Set up dual-stack or IPv6-only pod networking on Calico Open Source by configuring IP pools, node IP autodetection, and the CNI plugin.](https://docs.tigera.io/calico/latest/networking/ipam/ipv6) ##### [Configure Kubernetes control plane to operate over IPv6](https://docs.tigera.io/calico/latest/networking/ipam/ipv6-control-plane) -[Configure the Kubernetes control plane to operate over IPv6 for dual stack or IPv6 only.](https://docs.tigera.io/calico/latest/networking/ipam/ipv6-control-plane) +[Run the Kubernetes control plane over IPv6 with Calico Open Source for dual-stack or IPv6-only clusters, including kubeadm flags and node configuration.](https://docs.tigera.io/calico/latest/networking/ipam/ipv6-control-plane) ##### [Add a floating IP to a pod](https://docs.tigera.io/calico/latest/networking/ipam/add-floating-ip) -[Configure one or more floating IPs to use as additional IP addresses for reaching a Kubernetes pod.](https://docs.tigera.io/calico/latest/networking/ipam/add-floating-ip) +[Attach one or more floating IPs to a Kubernetes pod with Calico Open Source IPAM so external clients can reach the workload over any IP protocol.](https://docs.tigera.io/calico/latest/networking/ipam/add-floating-ip) ##### [Use a specific IP address with a pod](https://docs.tigera.io/calico/latest/networking/ipam/use-specific-ip) -[Specify the IP address for a pod instead of allowing Calico to automatically choose 
one.](https://docs.tigera.io/calico/latest/networking/ipam/use-specific-ip) +[Pin a Kubernetes pod to a chosen IP address with Calico Open Source IPAM by setting a pod annotation that supplies the requested address.](https://docs.tigera.io/calico/latest/networking/ipam/use-specific-ip) ##### [Assign IP addresses based on topology](https://docs.tigera.io/calico/latest/networking/ipam/assign-ip-addresses-topology) -[Configure Calico to use specific IP pools for different topologies including zone, rack, or region.](https://docs.tigera.io/calico/latest/networking/ipam/assign-ip-addresses-topology) +[Bind Calico Open Source IP pools to specific zones, racks, or regions with node selectors so pods receive addresses that match the cluster topology.](https://docs.tigera.io/calico/latest/networking/ipam/assign-ip-addresses-topology) ##### [Migrate from one IP pool to another](https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools) -[Migrate pods from one IP pool to another on a running cluster without network disruption.](https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools) +[Migrate workloads from one Calico Open Source IPPool to another on a running cluster without disrupting existing pod connectivity.](https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools) ##### [Change IP pool block size](https://docs.tigera.io/calico/latest/networking/ipam/change-block-size) -[Expand or shrink the IP pool block size to efficiently manage IP pool addresses.](https://docs.tigera.io/calico/latest/networking/ipam/change-block-size) +[Resize an IPPool block in Calico Open Source — by creating a replacement pool and migrating workloads — to use IP space more efficiently.](https://docs.tigera.io/calico/latest/networking/ipam/change-block-size) ##### [Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico/latest/networking/ipam/legacy-firewalls) -[Restrict the IP address chosen for a pod to a specific range of IP 
addresses.](https://docs.tigera.io/calico/latest/networking/ipam/legacy-firewalls) +[Restrict pods to a defined IP address range with Calico Open Source so legacy firewalls and security appliances can recognize cluster workloads.](https://docs.tigera.io/calico/latest/networking/ipam/legacy-firewalls) ##### [LoadBalancer IP address management](https://docs.tigera.io/calico/latest/networking/ipam/service-loadbalancer) -[LoadBalancer IP address management](https://docs.tigera.io/calico/latest/networking/ipam/service-loadbalancer) +[Use the Calico Open Source LoadBalancer controller to allocate addresses to Kubernetes Service type LoadBalancer from configured IP pools.](https://docs.tigera.io/calico/latest/networking/ipam/service-loadbalancer) ## Networking for OpenStack[​](#networking-for-openstack) ##### [Set up a development machine](https://docs.tigera.io/calico/latest/networking/openstack/dev-machine-setup) -[Configure Calico networking for OpenStack VMs.](https://docs.tigera.io/calico/latest/networking/openstack/dev-machine-setup) +[Walk-through example of provisioning a developer VM on a Calico Open Source OpenStack cloud, with security groups, an external network attachment, and SSH access.](https://docs.tigera.io/calico/latest/networking/openstack/dev-machine-setup) ##### [Prepare a VM guest OS for IPv6](https://docs.tigera.io/calico/latest/networking/openstack/ipv6) -[Prepare a VM guest OS for IPv6.](https://docs.tigera.io/calico/latest/networking/openstack/ipv6) +[Prepare a guest OS image for IPv6 connectivity on Calico Open Source OpenStack VMs by configuring DHCPv6 client behavior and accepting router advertisements.](https://docs.tigera.io/calico/latest/networking/openstack/ipv6) ##### [IP addressing and connectivity](https://docs.tigera.io/calico/latest/networking/openstack/connectivity) -[Configure OpenStack networking for Calico.](https://docs.tigera.io/calico/latest/networking/openstack/connectivity) +[Plan IPv4 and IPv6 address ranges, gateway 
routing, and Neutron network setup to connect Calico Open Source OpenStack VMs with the data center fabric.](https://docs.tigera.io/calico/latest/networking/openstack/connectivity) ##### [Endpoint labels and operator policy](https://docs.tigera.io/calico/latest/networking/openstack/labels) -[Use Calico labels to define policy for OpenStack VMs.](https://docs.tigera.io/calico/latest/networking/openstack/labels) +[Reference for the project, network, security-group, and namespace labels that Calico Open Source places on WorkloadEndpoints for OpenStack VMs, plus how to use them in policy.](https://docs.tigera.io/calico/latest/networking/openstack/labels) ##### [Configure systems for use with Calico](https://docs.tigera.io/calico/latest/networking/openstack/configuration) -[Configure OpenStack components for Calico.](https://docs.tigera.io/calico/latest/networking/openstack/configuration) +[Configure Nova, Neutron, and DHCP agent settings on OpenStack compute hosts to run Calico Open Source as either a core plugin or an ML2 mechanism driver.](https://docs.tigera.io/calico/latest/networking/openstack/configuration) ##### [Detailed semantics](https://docs.tigera.io/calico/latest/networking/openstack/semantics) -[Calico provides connectivity that is different from traditional Neutron API semantics.](https://docs.tigera.io/calico/latest/networking/openstack/semantics) +[Reference for the IP-only connectivity model Calico Open Source provides between OpenStack instances, and how it differs from traditional Neutron L2 semantics.](https://docs.tigera.io/calico/latest/networking/openstack/semantics) ##### [Floating IPs](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips) -[Configure floating IPs in Calico for OpenStack.](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips) +[Allocate Neutron floating IPs against a Calico Open Source OpenStack tenant network, including router gateways, provider subnets, and core-plugin 
requirements.](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips) ##### [Service IPs](https://docs.tigera.io/calico/latest/networking/openstack/service-ips) -[Use a floating or fixed IP for a Calico-networked VM.](https://docs.tigera.io/calico/latest/networking/openstack/service-ips) +[Assign a service IP to a Calico Open Source OpenStack VM by attaching either a Neutron floating IP or an additional fixed IP on the VM port.](https://docs.tigera.io/calico/latest/networking/openstack/service-ips) ##### [Host routes](https://docs.tigera.io/calico/latest/networking/openstack/host-routes) -[Options for host routing with Calico.](https://docs.tigera.io/calico/latest/networking/openstack/host-routes) +[Configure Neutron subnet host routes so the next-hop IP points at the local hypervisor in Calico Open Source OpenStack deployments and traffic flows correctly.](https://docs.tigera.io/calico/latest/networking/openstack/host-routes) ##### [Multiple regions](https://docs.tigera.io/calico/latest/networking/openstack/multiple-regions) -[Install a multi-region OpenStack deployment with Calico.](https://docs.tigera.io/calico/latest/networking/openstack/multiple-regions) +[Deploy Calico Open Source across multiple OpenStack regions sharing one etcd datastore, with per-region namespaces for inter-region policy.](https://docs.tigera.io/calico/latest/networking/openstack/multiple-regions) ##### [Kuryr](https://docs.tigera.io/calico/latest/networking/openstack/kuryr) -[Use Kuryr with Calico networking.](https://docs.tigera.io/calico/latest/networking/openstack/kuryr) +[Use Kuryr together with the networking-calico ML2 driver in Calico Open Source so Neutron provides networking for container workloads.](https://docs.tigera.io/calico/latest/networking/openstack/kuryr) ##### [Calico's interpretation of Neutron API calls](https://docs.tigera.io/calico/latest/networking/openstack/neutron-api) -[Effects of the Neutron API calls on the 
network.](https://docs.tigera.io/calico/latest/networking/openstack/neutron-api) +[Reference for how Calico Open Source interprets each Neutron API call — networks, subnets, ports, security groups, and Horizon actions — in an OpenStack deployment.](https://docs.tigera.io/calico/latest/networking/openstack/neutron-api) ## Networking options with Calico Cloud[​](#networking-options-with-calico-cloud) 
@@ -18527,51 +18553,51 @@ Ask on the [Calico Users Slack](https://calicousers.slack.com/) for community he ## [📄️Configure BGP peering](https://docs.tigera.io/calico/latest/networking/configuring/bgp) -[Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors.](https://docs.tigera.io/calico/latest/networking/configuring/bgp) +[Configure BGP peering for Calico Open Source — full mesh, node-specific peers, top-of-rack switches, and Calico route reflectors — using BGPPeer and BGPConfiguration resources.](https://docs.tigera.io/calico/latest/networking/configuring/bgp) ## [📄️Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico/latest/networking/configuring/bgp-to-workload) -[Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico/latest/networking/configuring/bgp-to-workload) +[Peer Calico Open Source nodes with BGP speakers running inside KubeVirt VMs to support nested clusters and route announcements from workloads.](https://docs.tigera.io/calico/latest/networking/configuring/bgp-to-workload) ## [📄️Overlay networking](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) -[Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses.](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) +[Pick between VXLAN and IP-in-IP overlay modes in Calico Open Source so pod traffic crosses underlay networks that don't route pod CIDRs natively.](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) ## [📄️Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico/latest/networking/configuring/advertise-service-ips) -[Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP.](https://docs.tigera.io/calico/latest/networking/configuring/advertise-service-ips) +[Advertise 
Kubernetes service cluster IPs and external IPs out of the cluster over BGP with Calico Open Source so external clients can route to them directly.](https://docs.tigera.io/calico/latest/networking/configuring/advertise-service-ips) ## [📄️Configure MTU to maximize network performance](https://docs.tigera.io/calico/latest/networking/configuring/mtu) -[Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network.](https://docs.tigera.io/calico/latest/networking/configuring/mtu) +[Tune the Calico Open Source MTU on the FelixConfiguration resource so pod traffic matches the underlying network, including VXLAN, IP-in-IP, and WireGuard overheads.](https://docs.tigera.io/calico/latest/networking/configuring/mtu) ## [📄️Configure outgoing NAT](https://docs.tigera.io/calico/latest/networking/configuring/workloads-outside-cluster) -[Configure networking to perform outbound NAT for connections from pods to outside of the cluster.](https://docs.tigera.io/calico/latest/networking/configuring/workloads-outside-cluster) +[Set NAT outgoing on Calico Open Source IP pools so pod traffic to destinations outside the cluster is source-NATed to the node's IP.](https://docs.tigera.io/calico/latest/networking/configuring/workloads-outside-cluster) ## [📄️Use IPVS kube-proxy](https://docs.tigera.io/calico/latest/networking/configuring/use-ipvs) -[Use IPVS kube-proxy for performance improvements.](https://docs.tigera.io/calico/latest/networking/configuring/use-ipvs) +[Run kube-proxy in IPVS mode with Calico Open Source for constant-time service load balancing on clusters with thousands of services.](https://docs.tigera.io/calico/latest/networking/configuring/use-ipvs) ## [📄️Accelerate Istio network performance](https://docs.tigera.io/calico/latest/networking/configuring/sidecar-acceleration) -[Use Calico to accelerate network performance of traffic through the Istio Envoy sidecar using 
eBPF.](https://docs.tigera.io/calico/latest/networking/configuring/sidecar-acceleration) +[Accelerate Istio Envoy sidecar traffic on Calico Open Source by using eBPF SOCKMAP to bypass kernel networking layers between the sidecar and the application.](https://docs.tigera.io/calico/latest/networking/configuring/sidecar-acceleration) ## [📄️Use a specific MAC address for a pod](https://docs.tigera.io/calico/latest/networking/configuring/pod-mac-address) -[Specify the MAC address for a pod instead of allowing the operating system to assign one](https://docs.tigera.io/calico/latest/networking/configuring/pod-mac-address) +[Set a chosen MAC address on a Kubernetes pod interface with the Calico Open Source CNI plugin, useful for software licensing tied to MAC.](https://docs.tigera.io/calico/latest/networking/configuring/pod-mac-address) ## [📄️Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico/latest/networking/configuring/node-local-dns-cache) -[Install NodeLocal DNSCache](https://docs.tigera.io/calico/latest/networking/configuring/node-local-dns-cache) +[Install NodeLocal DNSCache alongside Calico Open Source and configure network policy that lets pod DNS traffic reach the local cache.](https://docs.tigera.io/calico/latest/networking/configuring/node-local-dns-cache) ## [📄️Configure QoS Controls](https://docs.tigera.io/calico/latest/networking/configuring/qos-controls) -[Configure QoS (Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections of Calico workloads.](https://docs.tigera.io/calico/latest/networking/configuring/qos-controls) +[Cap pod ingress and egress bandwidth, packet rate, and connection counts with Calico Open Source QoS controls, plus DiffServ marking on egress traffic.](https://docs.tigera.io/calico/latest/networking/configuring/qos-controls) ## [📄️Add Maglev load balancing to a service](https://docs.tigera.io/calico/latest/networking/configuring/add-maglev-load-balancing) -[Add 
Maglev load balancing to a Kubernetes service.](https://docs.tigera.io/calico/latest/networking/configuring/add-maglev-load-balancing) +[Switch a Kubernetes service to Maglev consistent-hash load balancing on the Calico Open Source eBPF data plane for resilient backend selection.](https://docs.tigera.io/calico/latest/networking/configuring/add-maglev-load-balancing) ### Configure BGP peering 
@@ -20457,51 +20483,51 @@ In Calico, we program these LUTs to the eBPF data plane as maps which can grow u ## [📄️Get started with IP address management](https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses) -[Configure Calico to use Calico IPAM or host-local IPAM, and when to use one or the other.](https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses) +[Decide between Calico Open Source IPAM and host-local IPAM, then configure IP pool allocation, NAT outgoing, and per-namespace assignment.](https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses) ## [📄️Create multiple IP pools](https://docs.tigera.io/calico/latest/networking/ipam/ippools) -[Create multiple IP pools](https://docs.tigera.io/calico/latest/networking/ipam/ippools) +[Create additional Calico Open Source IPPool resources at install time or on a running cluster to serve disjoint ranges, IPv6, or per-topology pod address assignment.](https://docs.tigera.io/calico/latest/networking/ipam/ippools) ## [📄️Configure IP autodetection](https://docs.tigera.io/calico/latest/networking/ipam/ip-autodetection) -[Calico IP autodetection ensures the correct IP address is used for routing. 
Learn how to customize it.](https://docs.tigera.io/calico/latest/networking/ipam/ip-autodetection) +[Choose how Calico Open Source detects each node's primary IP address, with options for first-found, Kubernetes internal, interface regex, CIDR, and skip-interface.](https://docs.tigera.io/calico/latest/networking/ipam/ip-autodetection) ## [📄️Configure dual stack or IPv6 only](https://docs.tigera.io/calico/latest/networking/ipam/ipv6) -[Configure dual stack or IPv6 only for workloads.](https://docs.tigera.io/calico/latest/networking/ipam/ipv6) +[Set up dual-stack or IPv6-only pod networking on Calico Open Source by configuring IP pools, node IP autodetection, and the CNI plugin.](https://docs.tigera.io/calico/latest/networking/ipam/ipv6) ## [📄️Configure Kubernetes control plane to operate over IPv6](https://docs.tigera.io/calico/latest/networking/ipam/ipv6-control-plane) -[Configure the Kubernetes control plane to operate over IPv6 for dual stack or IPv6 only.](https://docs.tigera.io/calico/latest/networking/ipam/ipv6-control-plane) +[Run the Kubernetes control plane over IPv6 with Calico Open Source for dual-stack or IPv6-only clusters, including kubeadm flags and node configuration.](https://docs.tigera.io/calico/latest/networking/ipam/ipv6-control-plane) ## [📄️Add a floating IP to a pod](https://docs.tigera.io/calico/latest/networking/ipam/add-floating-ip) -[Configure one or more floating IPs to use as additional IP addresses for reaching a Kubernetes pod.](https://docs.tigera.io/calico/latest/networking/ipam/add-floating-ip) +[Attach one or more floating IPs to a Kubernetes pod with Calico Open Source IPAM so external clients can reach the workload over any IP protocol.](https://docs.tigera.io/calico/latest/networking/ipam/add-floating-ip) ## [📄️Use a specific IP address with a pod](https://docs.tigera.io/calico/latest/networking/ipam/use-specific-ip) -[Specify the IP address for a pod instead of allowing Calico to automatically choose 
one.](https://docs.tigera.io/calico/latest/networking/ipam/use-specific-ip) +[Pin a Kubernetes pod to a chosen IP address with Calico Open Source IPAM by setting a pod annotation that supplies the requested address.](https://docs.tigera.io/calico/latest/networking/ipam/use-specific-ip) ## [📄️Assign IP addresses based on topology](https://docs.tigera.io/calico/latest/networking/ipam/assign-ip-addresses-topology) -[Configure Calico to use specific IP pools for different topologies including zone, rack, or region.](https://docs.tigera.io/calico/latest/networking/ipam/assign-ip-addresses-topology) +[Bind Calico Open Source IP pools to specific zones, racks, or regions with node selectors so pods receive addresses that match the cluster topology.](https://docs.tigera.io/calico/latest/networking/ipam/assign-ip-addresses-topology) ## [📄️Migrate from one IP pool to another](https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools) -[Migrate pods from one IP pool to another on a running cluster without network disruption.](https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools) +[Migrate workloads from one Calico Open Source IPPool to another on a running cluster without disrupting existing pod connectivity.](https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools) ## [📄️Change IP pool block size](https://docs.tigera.io/calico/latest/networking/ipam/change-block-size) -[Expand or shrink the IP pool block size to efficiently manage IP pool addresses.](https://docs.tigera.io/calico/latest/networking/ipam/change-block-size) +[Resize an IPPool block in Calico Open Source — by creating a replacement pool and migrating workloads — to use IP space more efficiently.](https://docs.tigera.io/calico/latest/networking/ipam/change-block-size) ## [📄️Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico/latest/networking/ipam/legacy-firewalls) -[Restrict the IP address chosen for a pod to a specific range of IP 
addresses.](https://docs.tigera.io/calico/latest/networking/ipam/legacy-firewalls) +[Restrict pods to a defined IP address range with Calico Open Source so legacy firewalls and security appliances can recognize cluster workloads.](https://docs.tigera.io/calico/latest/networking/ipam/legacy-firewalls) ## [📄️LoadBalancer IP address management](https://docs.tigera.io/calico/latest/networking/ipam/service-loadbalancer) -[LoadBalancer IP address management](https://docs.tigera.io/calico/latest/networking/ipam/service-loadbalancer) +[Use the Calico Open Source LoadBalancer controller to allocate addresses to Kubernetes Service type LoadBalancer from configured IP pools.](https://docs.tigera.io/calico/latest/networking/ipam/service-loadbalancer) ### Get started with IP address management 
@@ -22765,55 +22791,55 @@ Calico LoadBalancer IP address management works in conjunction with other Calico ## [📄️Set up a development machine](https://docs.tigera.io/calico/latest/networking/openstack/dev-machine-setup) -[Configure Calico networking for OpenStack VMs.](https://docs.tigera.io/calico/latest/networking/openstack/dev-machine-setup) +[Walk-through example of provisioning a developer VM on a Calico Open Source OpenStack cloud, with security groups, an external network attachment, and SSH access.](https://docs.tigera.io/calico/latest/networking/openstack/dev-machine-setup) ## [📄️Prepare a VM guest OS for IPv6](https://docs.tigera.io/calico/latest/networking/openstack/ipv6) -[Prepare a VM guest OS for IPv6.](https://docs.tigera.io/calico/latest/networking/openstack/ipv6) +[Prepare a guest OS image for IPv6 connectivity on Calico Open Source OpenStack VMs by configuring DHCPv6 client behavior and accepting router advertisements.](https://docs.tigera.io/calico/latest/networking/openstack/ipv6) ## [📄️IP addressing and connectivity](https://docs.tigera.io/calico/latest/networking/openstack/connectivity) -[Configure OpenStack networking for Calico.](https://docs.tigera.io/calico/latest/networking/openstack/connectivity) +[Plan IPv4 and IPv6 address ranges, gateway routing, and Neutron network setup to connect Calico Open Source OpenStack VMs with the data center fabric.](https://docs.tigera.io/calico/latest/networking/openstack/connectivity) ## [📄️Endpoint labels and operator policy](https://docs.tigera.io/calico/latest/networking/openstack/labels) -[Use Calico labels to define policy for OpenStack VMs.](https://docs.tigera.io/calico/latest/networking/openstack/labels) +[Reference for the project, network, security-group, and namespace labels that Calico Open Source places on WorkloadEndpoints for OpenStack VMs, plus how to use them in policy.](https://docs.tigera.io/calico/latest/networking/openstack/labels) ## [📄️Configure systems for use with 
Calico](https://docs.tigera.io/calico/latest/networking/openstack/configuration) -[Configure OpenStack components for Calico.](https://docs.tigera.io/calico/latest/networking/openstack/configuration) +[Configure Nova, Neutron, and DHCP agent settings on OpenStack compute hosts to run Calico Open Source as either a core plugin or an ML2 mechanism driver.](https://docs.tigera.io/calico/latest/networking/openstack/configuration) ## [📄️Detailed semantics](https://docs.tigera.io/calico/latest/networking/openstack/semantics) -[Calico provides connectivity that is different from traditional Neutron API semantics.](https://docs.tigera.io/calico/latest/networking/openstack/semantics) +[Reference for the IP-only connectivity model Calico Open Source provides between OpenStack instances, and how it differs from traditional Neutron L2 semantics.](https://docs.tigera.io/calico/latest/networking/openstack/semantics) ## [📄️Floating IPs](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips) -[Configure floating IPs in Calico for OpenStack.](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips) +[Allocate Neutron floating IPs against a Calico Open Source OpenStack tenant network, including router gateways, provider subnets, and core-plugin requirements.](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips) ## [📄️Service IPs](https://docs.tigera.io/calico/latest/networking/openstack/service-ips) -[Use a floating or fixed IP for a Calico-networked VM.](https://docs.tigera.io/calico/latest/networking/openstack/service-ips) +[Assign a service IP to a Calico Open Source OpenStack VM by attaching either a Neutron floating IP or an additional fixed IP on the VM port.](https://docs.tigera.io/calico/latest/networking/openstack/service-ips) ## [📄️Host routes](https://docs.tigera.io/calico/latest/networking/openstack/host-routes) -[Options for host routing with 
Calico.](https://docs.tigera.io/calico/latest/networking/openstack/host-routes) +[Configure Neutron subnet host routes so the next-hop IP points at the local hypervisor in Calico Open Source OpenStack deployments and traffic flows correctly.](https://docs.tigera.io/calico/latest/networking/openstack/host-routes) ## [📄️Multiple regions](https://docs.tigera.io/calico/latest/networking/openstack/multiple-regions) -[Install a multi-region OpenStack deployment with Calico.](https://docs.tigera.io/calico/latest/networking/openstack/multiple-regions) +[Deploy Calico Open Source across multiple OpenStack regions sharing one etcd datastore, with per-region namespaces for inter-region policy.](https://docs.tigera.io/calico/latest/networking/openstack/multiple-regions) ## [📄️Live migration for OpenStack VMs](https://docs.tigera.io/calico/latest/networking/openstack/live-migration) -[Configure live migration support.](https://docs.tigera.io/calico/latest/networking/openstack/live-migration) +[Tune route priority and BGP propagation so Calico Open Source converges OpenStack VM traffic to the destination host quickly during live migration.](https://docs.tigera.io/calico/latest/networking/openstack/live-migration) ## [📄️Kuryr](https://docs.tigera.io/calico/latest/networking/openstack/kuryr) -[Use Kuryr with Calico networking.](https://docs.tigera.io/calico/latest/networking/openstack/kuryr) +[Use Kuryr together with the networking-calico ML2 driver in Calico Open Source so Neutron provides networking for container workloads.](https://docs.tigera.io/calico/latest/networking/openstack/kuryr) ## [📄️Calico's interpretation of Neutron API calls](https://docs.tigera.io/calico/latest/networking/openstack/neutron-api) -[Effects of the Neutron API calls on the network.](https://docs.tigera.io/calico/latest/networking/openstack/neutron-api) +[Reference for how Calico Open Source interprets each Neutron API call — networks, subnets, ports, security groups, and Horizon actions — in an 
OpenStack deployment.](https://docs.tigera.io/calico/latest/networking/openstack/neutron-api) ### Set up a development machine @@ -23408,17 +23434,7 @@ In `/etc/neutron/neutron.conf` you need the following settings to configure the | ------------ | ------ | -------------------------- | | core\_plugin | calico | Use the Calico core plugin | -Calico can operate either as a core plugin or as an ML2 mechanism driver. The function is the same both ways, except that floating IPs are only supported when operating as a core plugin; hence the recommended setting here. - -However, if you don't need floating IPs and have other reasons for using ML2, you can, instead, set - -| Setting | Value | Meaning | -| ------------ | ------------------------------------ | -------------- | -| core\_plugin | neutron.plugins.ml2.plugin.ML2Plugin | Use ML2 plugin | - -and then the further ML2-specific configuration as covered below. - -The following options in the `[calico]` section of `/etc/neutron/neutron.conf` govern how the Calico plugin/driver and DHCP agent connect to the Calico etcd datastore. You should set `etcd_host` to the IP of your etcd server, and `etcd_port` if that server is using a non-standard port. If the etcd server is TLS-secured, also set: +The following options in the `[calico]` section of `/etc/neutron/neutron.conf` govern how the Calico plugin and DHCP agent connect to the Calico etcd datastore. You should set `etcd_host` to the IP of your etcd server, and `etcd_port` if that server is using a non-standard port. If the etcd server is TLS-secured, also set: - `etcd_cert_file` to a client certificate, which must be signed by a Certificate Authority that the server trusts 
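Review bot: The regenerated summary for "Configure systems for use with Calico" in the index hunk above contradicts the `neutron.conf` hunk that follows it. The summary still says "to run Calico Open Source as either a core plugin or an ML2 mechanism driver", while this hunk deletes the paragraph "Calico can operate either as a core plugin or as an ML2 mechanism driver" and the `neutron.plugins.ml2.plugin.ML2Plugin` table, leaving only `core_plugin = calico`. Regenerate that summary from the updated page, or fix the page description it is generated from, so the index does not advertise a deployment mode the body no longer documents. Removing a documented configuration path is also more than the subject line "chore: update generated llms.txt files" suggests, so the commit message should reference the source docs change that dropped ML2.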
@@ -23442,19 +23458,9 @@ In a [multi-region deployment](https://docs.tigera.io/calico/latest/networking/o When specified, the value of `openstack_region` must be a string of lower case alphanumeric characters or '-', starting and ending with an alphanumeric character, and must match the value of [`OpenStackRegion`](https://docs.tigera.io/calico/latest/reference/felix/configuration#openstack-specific-configuration) configured for the Felixes in the same region. -## ML2 (.../ml2\_conf.ini)[​](#ml2-ml2_confini) - -In `/etc/neutron/plugins/ml2/ml2_conf.ini` you need the following settings to configure the ML2 plugin. - -| Setting | Value | Meaning | -| ---------------------- | ----------- | --------------------------------- | -| mechanism\_drivers | calico | Use Calico | -| type\_drivers | local, flat | Allow 'local' and 'flat' networks | -| tenant\_network\_types | local, flat | Allow 'local' and 'flat' networks | - ### Detailed semantics -A Calico network is a Neutron network (either provider or tenant) whose connectivity is implemented, on every compute host with instances attached to that network, by the `calico` plugin or ML2 mechanism driver. There can be just one Calico network, or any number of them. This page describes the connectivity that Calico provides between instances attached to the same network, and between instances attached to different Calico networks, and between instances and the Internet; and explains how and why this connectivity is in some details different from traditional Neutron API semantics. +A Calico network is a Neutron network (either provider or tenant) whose connectivity is implemented, on every compute host with instances attached to that network, by the `calico` plugin. There can be just one Calico network, or any number of them. 
This page describes the connectivity that Calico provides between instances attached to the same network, and between instances attached to different Calico networks, and between instances and the Internet; and explains how and why this connectivity is in some details different from traditional Neutron API semantics. ## Connectivity between instances on the same network[​](#connectivity-between-instances-on-the-same-network) @@ -23506,9 +23512,7 @@ Subject to those restrictions and understandings, we believe that networking-cal ### Floating IPs -networking-calico includes beta support for floating IPs. Currently this requires running Calico as a Neutron core plugin (i.e. `core_plugin = calico`) instead of as an ML2 mechanism driver. - -> **SECONDARY:** We would like it to work as an ML2 mechanism driver too—patches and/or advice welcome! +networking-calico includes support for floating IPs. To set up a floating IP, you need the same pattern of Neutron data model objects as you do for Neutron in general, which means: @@ -24878,7 +24882,7 @@ The timestamps on these transitions let you measure how long each phase takes. F ### Kuryr -networking-calico works with Kuryr; this means using Neutron, with the Calico ML2 driver, to provide networking for container workloads. +networking-calico works with Kuryr; this means using Neutron, with the Calico core plugin, to provide networking for container workloads. You can use DevStack to install a single node Calico/Kuryr system, with a `local.conf` file like this: @@ -24992,7 +24996,7 @@ All the attributes of security groups remain unchanged in Calico. ## Floating IPs[​](#floating-ips) -Floating IPs are supported at beta level. For more information, see [Floating IPs](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips). +Floating IPs are supported. For more information, see [Floating IPs](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips). ## Neutron Routers[​](#neutron-routers) 
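Review bot: Two more regenerated summaries in the OpenStack index hunk disagree with the body text changed in these hunks. The Kuryr body now reads "with the Calico core plugin", but its summary still says "Use Kuryr together with the networking-calico ML2 driver". The Floating IPs hunks remove both the beta wording and the sentence stating that floating IPs require `core_plugin = calico`, yet the summary still lists "core-plugin requirements". Update both summaries so they match the body. If floating IPs still depend on the core plugin, keep that requirement stated in the Floating IPs section rather than only implied by the removal of ML2 elsewhere.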
@@ -25068,11 +25072,11 @@ Administrators should not create routers, as they serve no purpose in a Calico n ## [📄️KubeVirt networking](https://docs.tigera.io/calico/latest/networking/kubevirt/kubevirt-networking) -[Configure Calico to provide networking for KubeVirt virtual machines, including IP address persistence and live migration support.](https://docs.tigera.io/calico/latest/networking/kubevirt/kubevirt-networking) +[Configure Calico Open Source bridge-mode networking for KubeVirt VMs so each VM keeps the same IP across reboots, evictions, and live migrations.](https://docs.tigera.io/calico/latest/networking/kubevirt/kubevirt-networking) ## [📄️BGP routing for KubeVirt live migration](https://docs.tigera.io/calico/latest/networking/kubevirt/live-migration-bgp) -[Configure BGP routing to support KubeVirt live migration across racks and AS boundaries.](https://docs.tigera.io/calico/latest/networking/kubevirt/live-migration-bgp) +[Configure BGPFilter resources in Calico Open Source so elevated route priorities propagate across racks and AS boundaries during KubeVirt live migration.](https://docs.tigera.io/calico/latest/networking/kubevirt/live-migration-bgp) ### KubeVirt networking 
@@ -33268,7 +33272,7 @@ If you are using the etcd datastore, we recommend enabling mutual TLS authentica - [Kubernetes controllers](https://docs.tigera.io/calico/latest/reference/kube-controllers/configuration#configuring-datastore-access) (Kubernetes and OpenShift only) - [Felix](https://docs.tigera.io/calico/latest/reference/felix/configuration#etcd-datastore-configuration) - [Typha](https://docs.tigera.io/calico/latest/reference/typha/configuration#etcd-datastore-configuration) (often deployed in larger Kubernetes deployments) - - [Neutron plugin or ML2 driver](https://docs.tigera.io/calico/latest/networking/openstack/configuration#neutron-server-etcneutronneutronconf) (OpenStack only) + - [Neutron plugin](https://docs.tigera.io/calico/latest/networking/openstack/configuration#neutron-server-etcneutronneutronconf) (OpenStack only) - [DHCP agent](https://docs.tigera.io/calico/latest/networking/openstack/configuration#neutron-server-etcneutronneutronconf) (OpenStack only) 
@@ -34291,15 +34295,15 @@ View flow logs and policy metrics to better understand your network traffic. ##### [View flow logs](https://docs.tigera.io/calico/latest/observability/view-flow-logs) -[View flow logs in the Calico Whisker web console.](https://docs.tigera.io/calico/latest/observability/view-flow-logs) +[Inspect aggregated network flow logs in the Calico Whisker in-cluster web console for Calico Open Source. Filter by source, destination, and policy verdicts.](https://docs.tigera.io/calico/latest/observability/view-flow-logs) ##### [Enable flow logs](https://docs.tigera.io/calico/latest/observability/enable-whisker) -[Enable the flow logs API and Calico Whisker](https://docs.tigera.io/calico/latest/observability/enable-whisker) +[Activate the Goldmane flow logs API and the Calico Whisker web console in Calico Open Source clusters that were upgraded from earlier versions.](https://docs.tigera.io/calico/latest/observability/enable-whisker) ##### [Flow logs API](https://docs.tigera.io/calico/latest/observability/flow-logs-api) -[Learn about the flow logs API.](https://docs.tigera.io/calico/latest/observability/flow-logs-api) +[Reference for the Goldmane flow logs API in Calico Open Source. Retrieve aggregated traffic data, policy hits, and packet and byte counts over gRPC.](https://docs.tigera.io/calico/latest/observability/flow-logs-api) ### View flow logs in the Calico Whisker web console 
@@ -60429,7 +60433,7 @@ If Felix is restarted, it learns current local state by interrogating the kernel The bulk of global state is mastered in whatever component hosts the plugin. -- In the case of OpenStack, this means a Neutron database. Our OpenStack plugin (more strictly a Neutron ML2 driver) queries the Neutron database to find out state about the entire deployment. That state is then reflected to `etcd` and so to Felix. +- In the case of OpenStack, this means a Neutron database. Our OpenStack plugin queries the Neutron database to find out state about the entire deployment. That state is then reflected to `etcd` and so to Felix. - In certain cases, `etcd` itself contains the master copy of the data. This is because some Docker deployments have an `etcd` cluster that has the required resiliency characteristics, used to store all system configuration and so `etcd` is configured so as to be a suitable store for critical data. - In other orchestration systems, it may be stored in distributed databases, either owned directly by the plugin or by the orchestrator itself. diff --git a/static/calico/llms.txt b/static/calico/llms.txt index bc66374af0..a99a88ba10 100644 --- a/static/calico/llms.txt +++ b/static/calico/llms.txt 
@@ -104,56 +104,56 @@ ## Networking -- [Networking](https://docs.tigera.io/calico/latest/networking/): Calico's flexible networking options reduce the barriers to adopting a CaaS platform solution. Determine the best networking option for your implementation. -- [Determine best networking option](https://docs.tigera.io/calico/latest/networking/determine-best-networking): Learn about the different networking options Calico supports so you can choose the best option for your needs. -- [Calico Ingress Gateway](https://docs.tigera.io/calico/latest/networking/ingress-gateway/about-calico-ingress-gateway): Understand what Calico Ingress Gateway is and how it works. -- [Create an ingress gateway](https://docs.tigera.io/calico/latest/networking/ingress-gateway/create-ingress-gateway): Create an ingress gateway to manage ingress traffic with the Kubernetes Gateway API. -- [Customizing your ingress gateway](https://docs.tigera.io/calico/latest/networking/ingress-gateway/customize-ingress-gateway): Learn how to customize your ingress gateway. -- [Tutorial: Launch a canary deployment with Calico Ingress Gateway](https://docs.tigera.io/calico/latest/networking/ingress-gateway/tutorial-ingress-gateway-canary): Tutorial for ingress gateways and canary deployment -- [Migrating from NGINX Ingress](https://docs.tigera.io/calico/latest/networking/ingress-gateway/migrate-from-nginx): Migrate NGINX Ingress resources to Calico Ingress Gateway with a step-by-step workflow and an optional conversion tool. -- [Configure Networking](https://docs.tigera.io/calico/latest/networking/configuring/): Configure Calico networking options, including overlay, non-overlay, BGP, service advertisement, MTU, NAT, and using kube-proxy in IPVS mode. -- [Configure BGP peering](https://docs.tigera.io/calico/latest/networking/configuring/bgp): Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors. 
-- [Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico/latest/networking/configuring/bgp-to-workload): Configure BGP peering with nested clusters running on KubeVirt VMs -- [Overlay networking](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip): Configure Calico to use IP in IP or VXLAN overlay networking so the underlying network doesn’t need to understand pod addresses. -- [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico/latest/networking/configuring/advertise-service-ips): Configure Calico to advertise Kubernetes service cluster IPs and external IPs outside the cluster using BGP. -- [Configure MTU to maximize network performance](https://docs.tigera.io/calico/latest/networking/configuring/mtu): Optimize network performance for workloads by configuring the MTU in Calico to best suit your underlying network. -- [Configure outgoing NAT](https://docs.tigera.io/calico/latest/networking/configuring/workloads-outside-cluster): Configure networking to perform outbound NAT for connections from pods to outside of the cluster. -- [Use IPVS kube-proxy](https://docs.tigera.io/calico/latest/networking/configuring/use-ipvs): Use IPVS kube-proxy for performance improvements. -- [Accelerate Istio network performance](https://docs.tigera.io/calico/latest/networking/configuring/sidecar-acceleration): Use Calico to accelerate network performance of traffic through the Istio Envoy sidecar using eBPF. 
-- [Use a specific MAC address for a pod](https://docs.tigera.io/calico/latest/networking/configuring/pod-mac-address): Specify the MAC address for a pod instead of allowing the operating system to assign one -- [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico/latest/networking/configuring/node-local-dns-cache): Install NodeLocal DNSCache -- [Configure QoS Controls](https://docs.tigera.io/calico/latest/networking/configuring/qos-controls): Configure QoS (Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections of Calico workloads. -- [Add Maglev load balancing to a service](https://docs.tigera.io/calico/latest/networking/configuring/add-maglev-load-balancing): Add Maglev load balancing to a Kubernetes service. -- [IP address management](https://docs.tigera.io/calico/latest/networking/ipam/): Calico IPAM is flexible and efficient. Learn how to interoperate with legacy firewalls using IP address ranges, advertise Kubernetes service IPs, and more. -- [Get started with IP address management](https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses): Configure Calico to use Calico IPAM or host-local IPAM, and when to use one or the other. -- [Create multiple IP pools](https://docs.tigera.io/calico/latest/networking/ipam/ippools): Create multiple IP pools -- [Configure IP autodetection](https://docs.tigera.io/calico/latest/networking/ipam/ip-autodetection): Calico IP autodetection ensures the correct IP address is used for routing. Learn how to customize it. -- [Configure dual stack or IPv6 only](https://docs.tigera.io/calico/latest/networking/ipam/ipv6): Configure dual stack or IPv6 only for workloads. -- [Configure Kubernetes control plane to operate over IPv6](https://docs.tigera.io/calico/latest/networking/ipam/ipv6-control-plane): Configure the Kubernetes control plane to operate over IPv6 for dual stack or IPv6 only. 
-- [Add a floating IP to a pod](https://docs.tigera.io/calico/latest/networking/ipam/add-floating-ip): Configure one or more floating IPs to use as additional IP addresses for reaching a Kubernetes pod. -- [Use a specific IP address with a pod](https://docs.tigera.io/calico/latest/networking/ipam/use-specific-ip): Specify the IP address for a pod instead of allowing Calico to automatically choose one. -- [Assign IP addresses based on topology](https://docs.tigera.io/calico/latest/networking/ipam/assign-ip-addresses-topology): Configure Calico to use specific IP pools for different topologies including zone, rack, or region. -- [Migrate from one IP pool to another](https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools): Migrate pods from one IP pool to another on a running cluster without network disruption. -- [Change IP pool block size](https://docs.tigera.io/calico/latest/networking/ipam/change-block-size): Expand or shrink the IP pool block size to efficiently manage IP pool addresses. -- [Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico/latest/networking/ipam/legacy-firewalls): Restrict the IP address chosen for a pod to a specific range of IP addresses. -- [LoadBalancer IP address management](https://docs.tigera.io/calico/latest/networking/ipam/service-loadbalancer): LoadBalancer IP address management -- [Calico networking for OpenStack](https://docs.tigera.io/calico/latest/networking/openstack/): Configure Calico networking in an OpenStack deployment. -- [Set up a development machine](https://docs.tigera.io/calico/latest/networking/openstack/dev-machine-setup): Configure Calico networking for OpenStack VMs. -- [Prepare a VM guest OS for IPv6](https://docs.tigera.io/calico/latest/networking/openstack/ipv6): Prepare a VM guest OS for IPv6. -- [IP addressing and connectivity](https://docs.tigera.io/calico/latest/networking/openstack/connectivity): Configure OpenStack networking for Calico. 
-- [Endpoint labels and operator policy](https://docs.tigera.io/calico/latest/networking/openstack/labels): Use Calico labels to define policy for OpenStack VMs. -- [Configure systems for use with Calico](https://docs.tigera.io/calico/latest/networking/openstack/configuration): Configure OpenStack components for Calico. -- [Detailed semantics](https://docs.tigera.io/calico/latest/networking/openstack/semantics): Calico provides connectivity that is different from traditional Neutron API semantics. -- [Floating IPs](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips): Configure floating IPs in Calico for OpenStack. -- [Service IPs](https://docs.tigera.io/calico/latest/networking/openstack/service-ips): Use a floating or fixed IP for a Calico-networked VM. -- [Host routes](https://docs.tigera.io/calico/latest/networking/openstack/host-routes): Options for host routing with Calico. -- [Multiple regions](https://docs.tigera.io/calico/latest/networking/openstack/multiple-regions): Install a multi-region OpenStack deployment with Calico. -- [Live migration for OpenStack VMs](https://docs.tigera.io/calico/latest/networking/openstack/live-migration): Configure live migration support. -- [Kuryr](https://docs.tigera.io/calico/latest/networking/openstack/kuryr): Use Kuryr with Calico networking. -- [Calico's interpretation of Neutron API calls](https://docs.tigera.io/calico/latest/networking/openstack/neutron-api): Effects of the Neutron API calls on the network. -- [Calico networking for KubeVirt](https://docs.tigera.io/calico/latest/networking/kubevirt/): Configure Calico networking for KubeVirt virtual machines. -- [KubeVirt networking](https://docs.tigera.io/calico/latest/networking/kubevirt/kubevirt-networking): Configure Calico to provide networking for KubeVirt virtual machines, including IP address persistence and live migration support. 
-- [BGP routing for KubeVirt live migration](https://docs.tigera.io/calico/latest/networking/kubevirt/live-migration-bgp): Configure BGP routing to support KubeVirt live migration across racks and AS boundaries. +- [Networking](https://docs.tigera.io/calico/latest/networking/): Calico Open Source networking spans overlay and non-overlay data planes, BGP, IPAM, MTU tuning, and Kubernetes Gateway API ingress for flexible cluster connectivity. +- [Determine best networking option](https://docs.tigera.io/calico/latest/networking/determine-best-networking): Compare networking options in Calico Open Source — overlay versus non-overlay, BGP routing, CNI choices, and IPAM modes — to pick the right combination for your environment. +- [Calico Ingress Gateway](https://docs.tigera.io/calico/latest/networking/ingress-gateway/about-calico-ingress-gateway): Overview of Calico Ingress Gateway in Calico Open Source — a hardened Envoy Gateway distribution that uses the Kubernetes Gateway API for cluster ingress. +- [Create an ingress gateway](https://docs.tigera.io/calico/latest/networking/ingress-gateway/create-ingress-gateway): Deploy a Calico Ingress Gateway on Calico Open Source by applying a GatewayAPI resource and a Gateway that references the Tigera-managed gateway class. +- [Customizing your ingress gateway](https://docs.tigera.io/calico/latest/networking/ingress-gateway/customize-ingress-gateway): Customize a Calico Ingress Gateway in Calico Open Source through the GatewayAPI resource — node selectors, multiple gateway classes, pod metadata, and load balancer service options. +- [Tutorial: Launch a canary deployment with Calico Ingress Gateway](https://docs.tigera.io/calico/latest/networking/ingress-gateway/tutorial-ingress-gateway-canary): Step-by-step tutorial for shipping a canary deployment with Calico Ingress Gateway on Calico Open Source by splitting HTTPRoute traffic between stable and new versions. 
+- [Migrating from NGINX Ingress](https://docs.tigera.io/calico/latest/networking/ingress-gateway/migrate-from-nginx): Migrate from NGINX Ingress to Calico Ingress Gateway on Calico Open Source, covering the Gateway API mental model, an annotation conversion tool, and a step-by-step workflow. +- [Configure Networking](https://docs.tigera.io/calico/latest/networking/configuring/): Networking configuration tasks for Calico Open Source — BGP, overlay encapsulation, service advertisement, MTU, NAT, IPVS kube-proxy, and QoS controls. +- [Configure BGP peering](https://docs.tigera.io/calico/latest/networking/configuring/bgp): Configure BGP peering for Calico Open Source — full mesh, node-specific peers, top-of-rack switches, and Calico route reflectors — using BGPPeer and BGPConfiguration resources. +- [Configure BGP peering with nested clusters running on KubeVirt VMs](https://docs.tigera.io/calico/latest/networking/configuring/bgp-to-workload): Peer Calico Open Source nodes with BGP speakers running inside KubeVirt VMs to support nested clusters and route announcements from workloads. +- [Overlay networking](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip): Pick between VXLAN and IP-in-IP overlay modes in Calico Open Source so pod traffic crosses underlay networks that don't route pod CIDRs natively. +- [Advertise Kubernetes service IP addresses](https://docs.tigera.io/calico/latest/networking/configuring/advertise-service-ips): Advertise Kubernetes service cluster IPs and external IPs out of the cluster over BGP with Calico Open Source so external clients can route to them directly. +- [Configure MTU to maximize network performance](https://docs.tigera.io/calico/latest/networking/configuring/mtu): Tune the Calico Open Source MTU on the FelixConfiguration resource so pod traffic matches the underlying network, including VXLAN, IP-in-IP, and WireGuard overheads. 
+- [Configure outgoing NAT](https://docs.tigera.io/calico/latest/networking/configuring/workloads-outside-cluster): Set NAT outgoing on Calico Open Source IP pools so pod traffic to destinations outside the cluster is source-NATed to the node's IP. +- [Use IPVS kube-proxy](https://docs.tigera.io/calico/latest/networking/configuring/use-ipvs): Run kube-proxy in IPVS mode with Calico Open Source for constant-time service load balancing on clusters with thousands of services. +- [Accelerate Istio network performance](https://docs.tigera.io/calico/latest/networking/configuring/sidecar-acceleration): Accelerate Istio Envoy sidecar traffic on Calico Open Source by using eBPF SOCKMAP to bypass kernel networking layers between the sidecar and the application. +- [Use a specific MAC address for a pod](https://docs.tigera.io/calico/latest/networking/configuring/pod-mac-address): Set a chosen MAC address on a Kubernetes pod interface with the Calico Open Source CNI plugin, useful for software licensing tied to MAC. +- [Use NodeLocal DNSCache in your cluster](https://docs.tigera.io/calico/latest/networking/configuring/node-local-dns-cache): Install NodeLocal DNSCache alongside Calico Open Source and configure network policy that lets pod DNS traffic reach the local cache. +- [Configure QoS Controls](https://docs.tigera.io/calico/latest/networking/configuring/qos-controls): Cap pod ingress and egress bandwidth, packet rate, and connection counts with Calico Open Source QoS controls, plus DiffServ marking on egress traffic. +- [Add Maglev load balancing to a service](https://docs.tigera.io/calico/latest/networking/configuring/add-maglev-load-balancing): Switch a Kubernetes service to Maglev consistent-hash load balancing on the Calico Open Source eBPF data plane for resilient backend selection. 
+- [IP address management](https://docs.tigera.io/calico/latest/networking/ipam/): IP address management with Calico Open Source — IPPools, block sizes, dual-stack IPv6, service load balancer IPAM, topology-aware assignment, and pool migration. +- [Get started with IP address management](https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses): Decide between Calico Open Source IPAM and host-local IPAM, then configure IP pool allocation, NAT outgoing, and per-namespace assignment. +- [Create multiple IP pools](https://docs.tigera.io/calico/latest/networking/ipam/ippools): Create additional Calico Open Source IPPool resources at install time or on a running cluster to serve disjoint ranges, IPv6, or per-topology pod address assignment. +- [Configure IP autodetection](https://docs.tigera.io/calico/latest/networking/ipam/ip-autodetection): Choose how Calico Open Source detects each node's primary IP address, with options for first-found, Kubernetes internal, interface regex, CIDR, and skip-interface. +- [Configure dual stack or IPv6 only](https://docs.tigera.io/calico/latest/networking/ipam/ipv6): Set up dual-stack or IPv6-only pod networking on Calico Open Source by configuring IP pools, node IP autodetection, and the CNI plugin. +- [Configure Kubernetes control plane to operate over IPv6](https://docs.tigera.io/calico/latest/networking/ipam/ipv6-control-plane): Run the Kubernetes control plane over IPv6 with Calico Open Source for dual-stack or IPv6-only clusters, including kubeadm flags and node configuration. +- [Add a floating IP to a pod](https://docs.tigera.io/calico/latest/networking/ipam/add-floating-ip): Attach one or more floating IPs to a Kubernetes pod with Calico Open Source IPAM so external clients can reach the workload over any IP protocol. 
+- [Use a specific IP address with a pod](https://docs.tigera.io/calico/latest/networking/ipam/use-specific-ip): Pin a Kubernetes pod to a chosen IP address with Calico Open Source IPAM by setting a pod annotation that supplies the requested address. +- [Assign IP addresses based on topology](https://docs.tigera.io/calico/latest/networking/ipam/assign-ip-addresses-topology): Bind Calico Open Source IP pools to specific zones, racks, or regions with node selectors so pods receive addresses that match the cluster topology. +- [Migrate from one IP pool to another](https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools): Migrate workloads from one Calico Open Source IPPool to another on a running cluster without disrupting existing pod connectivity. +- [Change IP pool block size](https://docs.tigera.io/calico/latest/networking/ipam/change-block-size): Resize an IPPool block in Calico Open Source — by creating a replacement pool and migrating workloads — to use IP space more efficiently. +- [Restrict a pod to use an IP address in a specific range](https://docs.tigera.io/calico/latest/networking/ipam/legacy-firewalls): Restrict pods to a defined IP address range with Calico Open Source so legacy firewalls and security appliances can recognize cluster workloads. +- [LoadBalancer IP address management](https://docs.tigera.io/calico/latest/networking/ipam/service-loadbalancer): Use the Calico Open Source LoadBalancer controller to allocate addresses to Kubernetes Service type LoadBalancer from configured IP pools. +- [Calico networking for OpenStack](https://docs.tigera.io/calico/latest/networking/openstack/): Run Calico Open Source as the networking layer for an OpenStack cloud, covering Neutron integration, IP address ranges, floating IPs, and live migration. 
+- [Set up a development machine](https://docs.tigera.io/calico/latest/networking/openstack/dev-machine-setup): Walk-through example of provisioning a developer VM on a Calico Open Source OpenStack cloud, with security groups, an external network attachment, and SSH access. +- [Prepare a VM guest OS for IPv6](https://docs.tigera.io/calico/latest/networking/openstack/ipv6): Prepare a guest OS image for IPv6 connectivity on Calico Open Source OpenStack VMs by configuring DHCPv6 client behavior and accepting router advertisements. +- [IP addressing and connectivity](https://docs.tigera.io/calico/latest/networking/openstack/connectivity): Plan IPv4 and IPv6 address ranges, gateway routing, and Neutron network setup to connect Calico Open Source OpenStack VMs with the data center fabric. +- [Endpoint labels and operator policy](https://docs.tigera.io/calico/latest/networking/openstack/labels): Reference for the project, network, security-group, and namespace labels that Calico Open Source places on WorkloadEndpoints for OpenStack VMs, plus how to use them in policy. +- [Configure systems for use with Calico](https://docs.tigera.io/calico/latest/networking/openstack/configuration): Configure Nova, Neutron, and DHCP agent settings on OpenStack compute hosts to run Calico Open Source as either a core plugin or an ML2 mechanism driver. +- [Detailed semantics](https://docs.tigera.io/calico/latest/networking/openstack/semantics): Reference for the IP-only connectivity model Calico Open Source provides between OpenStack instances, and how it differs from traditional Neutron L2 semantics. +- [Floating IPs](https://docs.tigera.io/calico/latest/networking/openstack/floating-ips): Allocate Neutron floating IPs against a Calico Open Source OpenStack tenant network, including router gateways, provider subnets, and core-plugin requirements. 
+- [Service IPs](https://docs.tigera.io/calico/latest/networking/openstack/service-ips): Assign a service IP to a Calico Open Source OpenStack VM by attaching either a Neutron floating IP or an additional fixed IP on the VM port. +- [Host routes](https://docs.tigera.io/calico/latest/networking/openstack/host-routes): Configure Neutron subnet host routes so the next-hop IP points at the local hypervisor in Calico Open Source OpenStack deployments and traffic flows correctly. +- [Multiple regions](https://docs.tigera.io/calico/latest/networking/openstack/multiple-regions): Deploy Calico Open Source across multiple OpenStack regions sharing one etcd datastore, with per-region namespaces for inter-region policy. +- [Live migration for OpenStack VMs](https://docs.tigera.io/calico/latest/networking/openstack/live-migration): Tune route priority and BGP propagation so Calico Open Source converges OpenStack VM traffic to the destination host quickly during live migration. +- [Kuryr](https://docs.tigera.io/calico/latest/networking/openstack/kuryr): Use Kuryr together with the networking-calico ML2 driver in Calico Open Source so Neutron provides networking for container workloads. +- [Calico's interpretation of Neutron API calls](https://docs.tigera.io/calico/latest/networking/openstack/neutron-api): Reference for how Calico Open Source interprets each Neutron API call — networks, subnets, ports, security groups, and Horizon actions — in an OpenStack deployment. +- [Calico networking for KubeVirt](https://docs.tigera.io/calico/latest/networking/kubevirt/): Run Calico Open Source as the network for KubeVirt virtual machines on Kubernetes, with persistent IPs, BGP routing, and live migration support. +- [KubeVirt networking](https://docs.tigera.io/calico/latest/networking/kubevirt/kubevirt-networking): Configure Calico Open Source bridge-mode networking for KubeVirt VMs so each VM keeps the same IP across reboots, evictions, and live migrations. 
+- [BGP routing for KubeVirt live migration](https://docs.tigera.io/calico/latest/networking/kubevirt/live-migration-bgp): Configure BGPFilter resources in Calico Open Source so elevated route priorities propagate across racks and AS boundaries during KubeVirt live migration. ## Network policy @@ -207,10 +207,10 @@ ## Observability -- [Observability](https://docs.tigera.io/calico/latest/observability/): View flow logs and policy metrics to better understand your network traffic. -- [View flow logs in the Calico Whisker web console](https://docs.tigera.io/calico/latest/observability/view-flow-logs): View flow logs in the Calico Whisker web console. -- [Enable the flow logs API and Calico Whisker](https://docs.tigera.io/calico/latest/observability/enable-whisker): Enable the flow logs API and Calico Whisker -- [Flow logs API](https://docs.tigera.io/calico/latest/observability/flow-logs-api): Learn about the flow logs API. +- [Observability](https://docs.tigera.io/calico/latest/observability/): Observe Kubernetes network traffic in Calico Open Source with the Goldmane flow logs API and the Calico Whisker in-cluster web console. +- [View flow logs in the Calico Whisker web console](https://docs.tigera.io/calico/latest/observability/view-flow-logs): Inspect aggregated network flow logs in the Calico Whisker in-cluster web console for Calico Open Source. Filter by source, destination, and policy verdicts. +- [Enable the flow logs API and Calico Whisker](https://docs.tigera.io/calico/latest/observability/enable-whisker): Activate the Goldmane flow logs API and the Calico Whisker web console in Calico Open Source clusters that were upgraded from earlier versions. +- [Flow logs API](https://docs.tigera.io/calico/latest/observability/flow-logs-api): Reference for the Goldmane flow logs API in Calico Open Source. Retrieve aggregated traffic data, policy hits, and packet and byte counts over gRPC. ## Operations 
@@ -364,4 +364,4 @@ ## Optional -- [Calico Open Source 3.32 release notes](https://docs.tigera.io/calico/latest/release-notes/): Release notes for Calico Open Source +- [Calico Open Source 3.32 release notes](https://docs.tigera.io/calico/latest/release-notes/): Release notes for the current Calico Open Source release — new features, enhancements, technology previews, deprecations, bug fixes, and known issues. diff --git a/static/llms.txt b/static/llms.txt index cc483679a2..c5e0d8ecd3 100644 --- a/static/llms.txt +++ b/static/llms.txt 
@@ -7,12 +7,12 @@ - [Calico quickstart guide](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart): Install Calico Open Source on a single-host Kubernetes cluster in roughly 15 minutes — the standard starter path for trying Calico networking and network policy on a development machine. - [Quickstart for Calico Enterprise on Kubernetes](https://docs.tigera.io/calico-enterprise/latest/getting-started/install-on-clusters/kubernetes/quickstart): Stand up Calico Enterprise on a single-host Kubernetes cluster in about an hour for testing, demos, or development — not intended for production. - [What happens when you connect a cluster to Calico Cloud](https://docs.tigera.io/calico-cloud/get-started/connect-cluster): What happens when you connect a Kubernetes cluster to Calico Cloud — what is installed, what data leaves the cluster, and what changes in the cluster. -- [Determine best networking option](https://docs.tigera.io/calico/latest/networking/determine-best-networking): Learn about the different networking options Calico supports so you can choose the best option for your needs. +- [Determine best networking option](https://docs.tigera.io/calico/latest/networking/determine-best-networking): Compare networking options in Calico Open Source — overlay versus non-overlay, BGP routing, CNI choices, and IPAM modes — to pick the right combination for your environment. - [Get started with Calico network policy](https://docs.tigera.io/calico/latest/network-policy/get-started/calico-policy/calico-network-policy): Write your first Calico Open Source NetworkPolicy — sample policies that exercise the rich rule features that extend Kubernetes NetworkPolicy. - [Get started with policy tiers](https://docs.tigera.io/calico-enterprise/latest/network-policy/policy-tiers/tiered-policy): How tiered policy works in Calico Enterprise — evaluation order, pass actions, and using tiers to enforce microsegmentation across teams. 
- [Enabling the eBPF data plane](https://docs.tigera.io/calico/latest/operations/ebpf/enabling-ebpf): Step-by-step instructions for enabling the eBPF data plane. -- [Observability and troubleshooting](https://docs.tigera.io/calico-enterprise/latest/observability/): Use Elasticsearch logs for visibility into all network traffic with Kubernetes context. -- [Configure BGP peering](https://docs.tigera.io/calico/latest/networking/configuring/bgp): Configure BGP peering with full mesh, node-specific peering, ToR, and/or Calico route reflectors. +- [Observability and troubleshooting](https://docs.tigera.io/calico-enterprise/latest/observability/): Observe and troubleshoot self-managed Calico Enterprise clusters with Manager UI dashboards, Service Graph, packet capture, and Elasticsearch logs. +- [Configure BGP peering](https://docs.tigera.io/calico/latest/networking/configuring/bgp): Configure BGP peering for Calico Open Source — full mesh, node-specific peers, top-of-rack switches, and Calico route reflectors — using BGPPeer and BGPConfiguration resources. - [System requirements](https://docs.tigera.io/calico-cloud/get-started/system-requirements): Cluster, platform, and version requirements a Kubernetes cluster must meet before it can connect to Calico Cloud. ## Use Cases
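Review bot: In the static/calico/llms.txt networking hunk, the new Calico Ingress Gateway description calls it "a hardened Envoy Gateway distribution" without saying what the hardening consists of. Either have the source description name the concrete property that the linked page documents, or drop "hardened", so that readers and tools consuming llms.txt do not take it as an unqualified security guarantee.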
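Review bot: In the static/calico/llms.txt hunk at @@ -364,4 +364,4 @@, the link title still hard-codes "3.32" while the URL points at /latest/ and the new description says "the current Calico Open Source release". Confirm that the generator refreshes the version number in the title on each release. If it does not, the title and description will disagree after the next version bump.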
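Review bot: In the static/llms.txt hunk (@@ -7,12 +7,12 @@), the unchanged entry "Enabling the eBPF data plane" still carries a description that only restates its title ("Step-by-step instructions for enabling the eBPF data plane."), while the three entries rewritten in the same hunk now name the product and the scope. Since this file is generated, update that page's source description so the next regeneration brings the entry in line with its neighbours.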