Calico the hard way


This tutorial walks you through setting up Calico the hard way.

  • If you are looking to get up and running quickly with Calico, to try things out, check out our quickstart guide.
  • If you are looking for the most direct path to a production-ready Calico install, check out our install guides.

Calico the hard way is optimized for learning about how Calico works and what the other guides do “under the hood.”

The name “Calico the hard way” is inspired by Kubernetes the hard way by Kelsey Hightower.

Target Audience

This guide is for someone

  • evaluating Kubernetes networking & security options looking to deep dive, or
  • planning to build and support a Calico cluster in production, wanting to understand how it works

This guide assumes proficiency with either AWS web console or CLI for provisioning and accessing nodes.

Cluster Details

Calico runs in many environments and supports many cluster types. To keep things reasonably prescriptive this guide focuses on Kubernetes running on AWS, but the lessons you learn apply to wherever you choose to run Calico. See Getting Started for a full list of cluster types (OpenShift, OpenStack, etc.).

The guide will help you install a cluster with the following Calico options

  • Kubernetes as the datastore
  • Calico CNI plugin, with BGP networking
  • Calico IP address management (IPAM)
  • No overlays
  • IPv4 addresses
  • Highly available Typha with mutually authenticated TLS


  1. Standing up Kubernetes
  2. The Calico datastore
  3. Configure IP pools
  4. Install CNI plugin
  5. Install Typha
  6. Install calico/node
  7. Configure BGP peering
  8. Test networking
  9. Test network policy
  10. End user RBAC
  11. Istio integration