Tigera: Calico Egress Gateway: Assigning Static IPs to Dynamic Kubernetes Workloads
Connecting ephemeral Kubernetes pods to external resources (databases, APIs) protected by traditional firewalls is a known infrastructure challenge. Because pod IPs change frequently, security teams often refuse to update firewall rules dynamically or to allowlist the entire cluster CIDR because of risk.
This demo shows how to use Calico Egress Gateway to route traffic from specific namespaces or pods through a stable, static source IP, enabling integration with external firewalls without compromising security.
We will demonstrate:
- The Architecture: How the Egress Gateway acts as a translation layer, mapping dynamic pod traffic to static egress IPs.
- Configuration: Step-by-step implementation of egress policies to assign specific IPs to specific namespaces.
- Security Controls: Avoiding the need to allowlist broad subnets on perimeter firewalls.
- Troubleshooting: Verifying source IP preservation and debugging connectivity flows.