About Calico for Windows

Because the Kubernetes and Calico control components do not run on Windows yet, a hybrid Linux/Windows cluster is required. Calico for Windows standard installation is distributed as a .zip archive.

What’s supported in this release

✓ Install: Manifest install for Kubernetes clusters

✓ Platforms: Kubernetes, EKS

✓ Networking:

  • Kubernetes, on-premises: Calico CNI with BGP or VXLAN
  • EKS: VPC CNI, or Calico CNI with BGP or VXLAN


CNI and networking options

The following table summarizes the networking options and considerations.

Networking Components Value/Content
Calico BGP Windows CNI plugin:

calico.exeLinux: Calico for policy and networking
Calico’s native networking approach, supports:
- Auto-configured node-to-node BGP mesh over an L2 fabric
- Peering with external routers for an L3 fabric
- Calico IPAM and IP aggregation (with some limitations)
- Route reflectors (including the new in-cluster route reflector introduced in Calico v3.3). Note: Windows node cannot act as route reflectors.
- Kubernetes API datastore driver

AWS users: If running on AWS, you must disable the source/dest check on your EC2 instances so that hosts can forward traffic on behalf of pods.
Calico VXLAN Windows CNI plugin:

Linux: Calico for policy and networking
Calico’s VXLAN overlay, supports:

- VXLAN overlay, which can traverse most networks.
- Auto-configured node-to-node routing
- Calico IPAM and IP aggregation (with some limitations)
- Kubernetes API datastore driver
Note: VXLAN runs on UDP port 4789 (this is the only port supported by Windows), remember to open that port between your Calico hosts in any firewalls / security groups.
Cloud provider Windows CNI plugin: win-bridge.exe

Linux: Calico policy-only
A useful fallback, particularly if you have a Kubernetes cloud provider that automatically installs inter-host routes. Calico has been tested with the standard win-bridge.exe CNI plugin so it should work with any networking provider that ultimately uses win-bridge.exe to network the pod (such as the Azure CNI plugin and cloud provider).

Note: If Calico CNI with VXLAN is used, BGP must be disabled. See the installation reference.


Whether you use etcd or Kubernetes datastore (kdd), the datastore for the Windows node/Kubernetes cluster must be the same as the datastore for the Linux control node. (You cannot mix datastores in a Calico for Windows implementation.)

Kubernetes version

  • Versions 1.20, 1.19, or 1.18

Earlier versions may work, but we do not actively test Calico for Windows against them, and they may have known issues and incompatibilities.

Linux platform

  • At least one Linux Kubernetes worker node to run Calico’s cluster-wide components that meets Linux system requirements, and is installed with Calico v3.12.0+.
  • VXLAN or BGP without encapsulation is supported if using Calico CNI. IPIP (default encapsulation mode) is not supported. Use the following command to turn off IPIP.
    calicoctl patch felixconfiguration default -p '{"spec":{"ipipEnabled":false}}'
  • If using Calico IPAM, strict affinity of IPAM configuration must be set to true.
    calicoctl ipam configure --strictaffinity=true

Note: Calico for Windows requires four Linux worker nodes in order to meet high-availability requirements for Typha.

Windows platform

  • Windows versions:
    • Windows Server 1903 (AKA 19H1) build 18317 or greater
    • Windows Server 2019 / 1809 (RS5) or greater, with some limitations
    • Windows Server 2019 with DSR support:
      • OS 1809: Build 17763.1432, binary version: 10.0.17763.1432
      • OS 1903: Build 18362.1049, binary version: 10.0.18362.1049
      • OS 1909: Build 18363.1049, binary version: 10.0.18363.1049
  • Powershell for the installer
  • Make sure the Docker service is installed and running. Install Docker on Windows node.
  • If you are using Calico BGP networking, the RemoteAccess service must be installed for the Windows BGP Router.
  • Windows nodes support only a single IP pool type (so, if using a VXLAN pool, you should only use VXLAN throughout the cluster).
  • TLS v1.2 enabled. For example:
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Next steps

Install Calico for Windows