Protect host endpoints with Calico network policy.


Secure host network interfaces.

Creating policy for basic connectivity

Customize the Calico failsafe policy to protect host endpoints.

Creating host endpoint objects

To protect a host interface, start by creating a host endpoint object in etcd.

Selector-based policies

Apply ordered policies to endpoints that match specific label selectors.

Failsafe rules

Avoid cutting off connectivity to hosts because of incorrect network policies.

Pre-DNAT policy

Apply rules in a host endpoint policy before any DNAT.

Apply on forwarded traffic

Learn the subtleties using the applyOnForward option in host endpoint policies.


How different host endpoint rules affect packet flows.

Connection tracking

Workaround for Linux conntrack if Calico policy is not working as it should.