You know what’s one of the real pains of cloud and container based computing? Networking. Workloads on a cloud come and go faster than you can read this story. Connecting those workloads, especially when they become even more ephemeral containers, is not easy. That’s where the open-source Software Defined Network (SDN) Calico comes in.

SDN enables you to centrally manage and monitor your network across not just routers and switches from a single vendor, but across any hardware that implements standardized SDN protocols. This enables network administrators to create efficient virtual networks independent of the infrastructure.

Calico takes these concepts to the cloud and simplifies them so they can work without a netadmin snapping a whip over the network. Calico does this with a simplified Layer 3 networking model designed for cloud-native applications. It also uses good old Internet Protocol, which makes it simpler than SDN overlay approaches. With it, you can set network policies for your virtual machines (VM)s and containers.

In an overlay network packets are encapsulated inside an extra IP header. This can add network overhead and slow performance and complicate troubleshooting. Since network speed is vital with cloud, this is a real disadvantage.

That’s not to say Calico doesn’t use overlays. It does whenz it routes packets to the underlying IP network, but when an overlay is needed, such as when crossing a public cloud’s availability zone (AZ) boundaries, it can use lightweight encapsulation such as IP-in-IP and VxLAN.

Calico also incorporates the raft consensus algorithm — also used by Kubernetes – to address fault-tolerant distributed systems problems. With it, Calico can converge distributed VMs and containers together within a few milliseconds.

Most importantly, Calico comes with security built-in. It uses a set of rules that implement and extend the Kubernetes Network Policy application programming interface (API). You don’t need to be running Kubernetes to get Calico’s security benefits. It works on all Calico platforms.

This security network policy creates what Calico calls a “micro-firewall for every workload.” In practice, this means it separates development from production workloads. It can also be used to limit access by a workload to a specific restricted service. This works using a distributed algorithm that determines which rules are needed on each node in a cluster. It then updates the security rules dynamically as workloads are created and terminated.

Another Calico advantage is it’s very easy to scale out. It’s been used with 99.9999% reliability on multi-exabyte sized Infrastructure-as-a-Service (IaaS) clouds.

Sound interesting to you? It should. Calico is great for cloud and container networking.

Calico, which is now a Cloud Native Computing Foundation (CNCF) project, can be used on many clouds. It supports such common cloud APIs as Container Network Interface (CNI), OpenStack Neutron, and libnetwork. Besides Kubernetes, it can also be used with Docker, Mesos, and Rkt. You can natively deploy Calico on Amazon Web Services (AWS), Google Compute Engine, and the IBM Cloud. You can’t use Calico directly on Azure, but you can use Calico policies with the right network setup.

You can get started with Calico today. If you need help and support to get Calico into production, Tigera, Calico’s corporate backer, offers service level agreements (SLAs).