DEV Community

Alister Baroi for Tigera Inc

Posted on DEV Community • Originally published at tigera.io

Secure and Scale VMware VKS with Calico Kubernetes Networking

Co-authors

Abhishek Rao | Tigera

Ka Kit Wong, Charles Lee, & Christian Rauber | Broadcom

VMware vSphere Kubernetes Service (VKS) is the CNCF-certified Kubernetes runtime built directly into VMware Cloud Foundation (VCF), which delivers a single platform for both virtual machines and containers. VKS enables platform engineers to deploy, manage, and scale Kubernetes clusters while leveraging a comprehensive set of cloud services. And with VKS v3.6, that foundation just got significantly more powerful: VKS now natively supports Calico Enterprise — part of the Calico Unified Platform — as a validated, lifecycle-managed networking add-on through the new VKS Addon Framework.

Even better, VKS natively integrates Calico Open Source by Tigera as a supported, out-of-the-box Container Network Interface (CNI). This gives organizations a powerful open source baseline right from day one:

  • Pluggable Data Planes: The flexibility to run high-performance eBPF, standard Linux iptables, modern nftables, or Windows data planes based on specific workload needs.
  • Wire-Speed Routing: Direct BGP peering with the underlying VMware NSX infrastructure, so pod traffic is routed natively and avoids the encapsulation overhead of overlay networks.
  • Foundational Zero-Trust: Cluster-wide default-deny policies that block pod-to-pod traffic unless a policy explicitly allows it.
  • Observability: Includes Whisker, a visual UI tool that simplifies access to flow logs, making it easier to analyze network communication and debug policies.
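
As an added example (not from the post or the Calico project), the following manifests show what a default-deny baseline looks like in Calico Open Source, together with the explicit allow a team then writes for its own namespace. Everything about the cluster is assumed: that platform components live in kube-system, calico-system, calico-apiserver and tigera-operator (list the namespaces VKS itself uses with kubectl get ns before applying, and add them), that the cluster DNS pods carry the upstream label k8s-app=kube-dns, and the namespace "shop" with its app=web and app=api labels.

```yaml
# Added example, not part of the original post or of Calico's own docs.
# Assumed: the system namespaces listed below, DNS pods labelled
# k8s-app=kube-dns in kube-system, and the "shop" namespace and labels.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  # Calico evaluates Kubernetes NetworkPolicy objects at order 1000, so
  # order 2000 puts this policy after every explicit allow.
  order: 2000
  # Exempt the namespaces the cluster itself needs; a bare all() selector
  # locks out the API server, DNS and Calico's own components.
  selector: projectcalico.org/namespace not in {'kube-system', 'calico-system', 'calico-apiserver', 'tigera-operator'}
  types:
  - Ingress
  - Egress
  # No ingress rules: inbound traffic to selected pods is denied unless a
  # higher-priority policy allowed it first.
  egress:
  # The one egress every workload needs: cluster DNS over UDP and TCP.
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports:
      - 53
  - action: Allow
    protocol: TCP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports:
      - 53
---
# Developer-owned allow, evaluated (order 500) before the global deny:
# web may call api on TCP 8080. Both directions need a rule, because the
# default-deny covers egress from web as well as ingress to api.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: api-ingress-from-web
  namespace: shop
spec:
  order: 500
  selector: app == "api"
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == "web"
    destination:
      ports:
      - 8080
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: web-egress-to-api
  namespace: shop
spec:
  order: 500
  selector: app == "web"
  types:
  - Egress
  egress:
  - action: Allow
    protocol: TCP
    destination:
      selector: app == "api"
      ports:
      - 8080
```

Apply the namespaced allows before the global deny, then verify in Whisker that the only denied flows are ones you expect. A rule that matches no traffic in a policy is not a deny: Calico moves on to the next policy in order, which is why web's DNS lookups still succeed even though web-egress-to-api only mentions api.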

VKS and Calico Open Source build the perfect house for your applications. However, as Kubernetes adoption explodes across the enterprise, platform engineering and security teams inevitably hit a new wall.

What happens when your security team mandates strict compliance audits across 50 different clusters? What happens when you need to route ephemeral Kubernetes traffic through your legacy physical firewalls? Or when a critical microservice drops traffic at 2 AM and you need to know exactly why?

To conquer the complex realities of production scale, organizations running VKS are supercharging their environments with the Calico Unified Platform (available via Calico Enterprise and Calico Cloud). Here is how Calico transforms your baseline VKS clusters into a fully observable, enterprise-grade networking and security platform.


The Calico Unified Platform Reference Architecture

As you scale your VKS environment, your architecture must evolve from providing basic pod connectivity to delivering a comprehensive security, routing, and observability mesh.

The reference architecture below illustrates how Calico Unified Platform wraps your VKS worker nodes in advanced Layer 7 protections, granular egress controls, and deep forensic logging capabilities—all while maintaining the high-performance eBPF and BGP foundation of your clusters.

Calico Unified Platform Architecture

Figure 1: Calico Unified Platform reference architecture for VKS – showing how Calico Enterprise wraps VKS worker nodes with Layer 7 security, egress controls, and deep observability while preserving the eBPF and BGP performance foundation.


1. Secure the Perimeter: Bridging Kubernetes with Legacy Firewalls

Traditional network security teams often struggle with Kubernetes because Pod IP addresses are ephemeral—they spin up and die in seconds. This makes it virtually impossible to write static firewall rules on your external Palo Alto or Fortinet appliances.

The Calico Unified Platform bridges this gap seamlessly for VKS environments:

  • Egress Gateway & Source NAT: Calico allows you to map dynamic Kubernetes namespaces to highly available, static IP Egress Gateways. When a pod talks to the outside world, your external firewall only sees the static IP. No more fighting with the NetSec team over IP tracking!
  • Native WAF and IDS/IPS: Secure your inbound traffic right at the Calico Ingress Gateway. Calico integrates a Web Application Firewall (WAF) built on the ModSecurity Core Rule Set. Coupled with native Intrusion Detection/Prevention (IDS/IPS) and DDoS protection, Calico detects and blocks malicious payloads before they reach the workload.
  • DNS Policies & Threat Feeds: Do not just block IPs; block malicious domains. Calico dynamically ingests global threat intelligence feeds to automatically halt traffic to known bad actors.

2. Enforce Zero-Trust at Scale: Unified Policy Across Kubernetes, VMs, and Bare Metal

Open-source network policies are fantastic, but managing them across dozens of teams and clusters can quickly turn into the “Wild West” of YAML files. Calico brings true enterprise governance to your VKS environment—and extends it well beyond Kubernetes:

  • Network Policy Tiers & Staged Policies: A hierarchical, RBAC-driven approach to security. The Security team owns a higher-priority tier whose guardrails cannot be overridden by policies in lower tiers, while Developers get full freedom to write microsegmentation rules for their own namespaces. With Staged Policies, a rule is evaluated against live traffic and its verdicts are recorded in the flow logs without being enforced, so you can see exactly what it would have denied before you turn it on.
  • Unified Protection for Legacy VMs & Bare Metal: Your VKS clusters do not exist in a vacuum. Calico extends its policy engine beyond Kubernetes, allowing you to secure traditional VMware VMs and bare-metal servers using the exact same single-pane-of-glass dashboard—a headline differentiator of the Calico Unified Platform.
  • Sidecar-Less Service Mesh (Istio Ambient Mode): Get the deep L7 visibility and mTLS encryption of a service mesh without the crippling performance overhead. Calico seamlessly integrates with Istio Ambient Mesh, managed through a single Calico operator—no standalone Istio expertise required.
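
The following manifests are an added example (not from the post or the Calico project) that ties together the threat-feed and DNS-policy features from section 1 and the tiers and staged policies described above. They use Calico Enterprise / Calico Cloud resources (GlobalThreatFeed and domain-based rules; Tier and the Staged* kinds also exist in recent Calico Open Source). Assumed and invented for illustration: the abuse.ch Feodo Tracker blocklist as the sample feed, the "payments" namespace, the app=checkout label, and the vendor hostname.

```yaml
# Added example, not part of the original post or of Calico's own docs.
# Tier owned by the Security team. Lower order is evaluated earlier, so
# this tier runs before the default tier where developer policies live
# and its decisions cannot be undone there.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# Pull an IP blocklist every 24h into a GlobalNetworkSet carrying the
# label threat-feed=feodo, which policy rules can then select on.
# (Feed URL is a sample; substitute your own intelligence source.)
apiVersion: projectcalico.org/v3
kind: GlobalThreatFeed
metadata:
  name: feodo-tracker
spec:
  content: IPSet
  pull:
    period: 24h
    http:
      url: https://feodotracker.abuse.ch/downloads/ipblocklist.txt
  globalNetworkSet:
    labels:
      threat-feed: feodo
---
# Enforced guardrail. A policy in a tier must be named with the tier as
# its prefix ("security.").
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.block-threat-feeds
spec:
  tier: security
  order: 10
  selector: all()
  types:
  - Egress
  egress:
  - action: Deny
    destination:
      selector: threat-feed == "feodo"
  # Required: hand everything this tier does not deny to the next tier.
  # Without the Pass, a pod matched by this policy whose traffic matches
  # no rule is denied at the end of the tier, cutting all egress.
  - action: Pass
---
# Staged: evaluated and written to the flow logs, never enforced. Here
# the team previews cutting direct Internet egress (anything outside
# RFC 1918) to learn which workloads would break before enforcing it.
# Ordered before the enforced policy so it is evaluated for every flow.
apiVersion: projectcalico.org/v3
kind: StagedGlobalNetworkPolicy
metadata:
  name: security.staged-no-direct-internet
spec:
  tier: security
  order: 5
  selector: all()
  types:
  - Egress
  egress:
  - action: Deny
    destination:
      nets:
      - 0.0.0.0/0
      notNets:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  - action: Pass
---
# Developer-owned allow in the default tier, written by domain rather
# than IP. Calico learns the addresses from the DNS answers the pod
# receives, so the pod must resolve through the cluster DNS to match.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: checkout-to-vendor-api
  namespace: payments
spec:
  selector: app == "checkout"
  types:
  - Egress
  egress:
  - action: Allow
    protocol: TCP
    destination:
      domains:
      - api.example-vendor.com
      ports:
      - 443
```

Two checks worth doing after applying this: confirm that the threat feed actually populated (the feed's GlobalNetworkSet should list addresses, and a sync failure shows up in the GlobalThreatFeed status) and watch the flow logs for the staged policy's verdicts for a few days; the flows it reports as denied are the list of egress allows you need to write in the default tier before promoting the staged policy to an enforced GlobalNetworkPolicy.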

3. Total Visibility: One Management Plane for Every Traffic Flow

When a connection fails in a standard K8s cluster, troubleshooting usually involves blindly digging through kubectl logs. It is slow, frustrating, and drastically inflates your Mean Time to Resolution (MTTR).

Calico acts as the ultimate CCTV system for your VKS clusters—with a single console covering every traffic type, from ingress to egress to pod-to-pod:

  • Dynamic Service Graph & Alerts: Get a real-time visual map of all microservice traffic across your clusters. Instantly see performance metrics, blocked traffic, and active connections. You can even configure automated alerts and incident response to deploy mitigating policies the second an anomaly is detected.
  • Deep Forensic Logging: Calico goes far beyond basic flow logs. It provides granular DNS Logs, L7 Logs, and Ingress Logs, allowing you to pinpoint exactly which layer of the stack is failing.
  • On-Demand Packet Capture: Did a specific pod trigger an anomaly? Trigger a targeted packet capture (pcap) directly from the Calico UI for deep forensic analysis, without ever having to SSH into the vSphere worker nodes.

4. Scale Without Limits: Multi-Cluster Management and AI-Powered Operations

As your VMware footprint grows, managing clusters individually becomes impossible. Calico’s Multi-Cluster Management provides a single pane of glass to view, secure, and troubleshoot all your VKS clusters—and even your public cloud EKS/AKS clusters. You can seamlessly federate identities and extend resilient multi-cluster networking with Cluster Mesh.

And when things get truly complex? AI Assistant for Calico serves as your platform co-pilot. You can use natural language prompts to generate declarative Policy as Code, query flow logs, and diagnose active threats, drastically reducing the learning curve for new team members.

The Ultimate VKS Experience

VMware VKS gives you a world-class, CNCF-certified Kubernetes platform built directly into VCF. Calico Enterprise — part of the Calico Unified Platform — takes that foundation further, delivering a single management plane for networking, network security, and observability across every cluster, every workload type, and every environment. No stitching tools together. No integration tax. Just the enterprise-grade performance and security your most critical workloads demand.

Ready to see it in action?

Request a Demo of Calico Enterprise →

Start your free trial of Calico Cloud today →
