diff --git a/calico-cloud/about/product-comparison.mdx b/calico-cloud/about/product-comparison.mdx index e70e455593..684c5d027f 100644 --- a/calico-cloud/about/product-comparison.mdx +++ b/calico-cloud/about/product-comparison.mdx @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov | Data-in-transit encryption for pod traffic using WireGuard |
|
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico-cloud/networking/configuring/advertise-service-ips.mdx b/calico-cloud/networking/configuring/advertise-service-ips.mdx index a0b8b0a654..748840379c 100644 --- a/calico-cloud/networking/configuring/advertise-service-ips.mdx +++ b/calico-cloud/networking/configuring/advertise-service-ips.mdx @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). 1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field. @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico-cloud/release-notes/index.mdx b/calico-cloud/release-notes/index.mdx index 1352f246ba..5776d06d00 100644 --- a/calico-cloud/release-notes/index.mdx +++ b/calico-cloud/release-notes/index.mdx 
@@ -714,7 +714,7 @@ Release of Container Threat Detection With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI. -To get started see, [Container Threat Detection](../threat/container-threat-detection.mdx) +To get started, see [Container Threat Detection](../threat/container-threat-detection.mdx) ## September 26, 2022 @@ -754,7 +754,7 @@ We've made it easier for platform operators to share Image Assurance scan result * Export one row per image or one row per image and CVE. * Export CSV or JSON files. -To get started see, [Image Assurance](../image-assurance). +To get started, see [Image Assurance](../image-assurance). ### Malware detection is GA @@ -765,7 +765,7 @@ Calico Cloud uses eBPF-based monitoring to log file hashes of programs running i If there's a match to known malware from our threat intelligence library, you receive an alert. You can view your alerts on the _Alerts_ page on Manager UI. -To get started see, [Malware Detection](../threat/container-threat-detection.mdx)) +To get started, see [Malware Detection](../threat/container-threat-detection.mdx)) ## July 27, 2022 @@ -849,4 +849,4 @@ The $[prodname] installation process will now require running a `kubectl apply` $[prodname] introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes. -To get started see, [Image Assurance](../image-assurance). +To get started, see [Image Assurance](../image-assurance). 
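Review bot: In the `@@ -765,7 +765,7 @@` hunk of `calico-cloud/release-notes/index.mdx`, the rewritten Malware Detection line still ends with a doubled closing parenthesis, `(../threat/container-threat-detection.mdx))`, so a stray `)` will render after the link. Since the line is already being touched for the comma, drop the extra parenthesis and end the sentence with a period, as the Image Assurance lines do. The same added line appears in the `version-20-1` and `version-20-2` copies of the release notes and needs the same fix there.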
diff --git a/calico-cloud/visibility/packetcapture.mdx b/calico-cloud/visibility/packetcapture.mdx index bcf17b9511..c73d719379 100644 --- a/calico-cloud/visibility/packetcapture.mdx +++ b/calico-cloud/visibility/packetcapture.mdx @@ -36,7 +36,7 @@ Typically, when you troubleshoot microservices and applications for connectivity 1. Start/schedule a packet capture job in Service Graph (Manager UI) or the CLI. 1. After the capture is finished, download the packet capture files (known as `pcap` files), and import them into your analysis tool (for example, WireShark). -For a simple use case workflow see, [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/). +For a simple use case workflow, see [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/). ## Before you begin diff --git a/calico-cloud_versioned_docs/version-20-1/about/product-comparison.mdx b/calico-cloud_versioned_docs/version-20-1/about/product-comparison.mdx index 785e7a0e86..9d20aeb6a6 100644 --- a/calico-cloud_versioned_docs/version-20-1/about/product-comparison.mdx +++ b/calico-cloud_versioned_docs/version-20-1/about/product-comparison.mdx @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov | Data-in-transit encryption for pod traffic using WireGuard |
|
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico-cloud_versioned_docs/version-20-1/networking/configuring/advertise-service-ips.mdx b/calico-cloud_versioned_docs/version-20-1/networking/configuring/advertise-service-ips.mdx index a0b8b0a654..748840379c 100644 --- a/calico-cloud_versioned_docs/version-20-1/networking/configuring/advertise-service-ips.mdx +++ b/calico-cloud_versioned_docs/version-20-1/networking/configuring/advertise-service-ips.mdx @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). 1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field. @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico-cloud_versioned_docs/version-20-1/release-notes/index.mdx b/calico-cloud_versioned_docs/version-20-1/release-notes/index.mdx index 3ac8d957de..13acdb3756 100644 --- a/calico-cloud_versioned_docs/version-20-1/release-notes/index.mdx +++ b/calico-cloud_versioned_docs/version-20-1/release-notes/index.mdx 
@@ -661,7 +661,7 @@ Release of Container Threat Detection With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI. -To get started see, [Container Threat Detection](../threat/container-threat-detection.mdx) +To get started, see [Container Threat Detection](../threat/container-threat-detection.mdx) ## September 26, 2022 @@ -701,7 +701,7 @@ We've made it easier for platform operators to share Image Assurance scan result * Export one row per image or one row per image and CVE. * Export CSV or JSON files. -To get started see, [Image Assurance](../image-assurance). +To get started, see [Image Assurance](../image-assurance). ### Malware detection is GA @@ -712,7 +712,7 @@ Calico Cloud uses eBPF-based monitoring to log file hashes of programs running i If there's a match to known malware from our threat intelligence library, you receive an alert. You can view your alerts on the _Alerts_ page on Manager UI. -To get started see, [Malware Detection](../threat/container-threat-detection.mdx)) +To get started, see [Malware Detection](../threat/container-threat-detection.mdx)) ## July 27, 2022 @@ -796,4 +796,4 @@ The $[prodname] installation process will now require running a `kubectl apply` $[prodname] introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes. -To get started see, [Image Assurance](../image-assurance). +To get started, see [Image Assurance](../image-assurance). 
diff --git a/calico-cloud_versioned_docs/version-20-1/visibility/packetcapture.mdx b/calico-cloud_versioned_docs/version-20-1/visibility/packetcapture.mdx index bcf17b9511..c73d719379 100644 --- a/calico-cloud_versioned_docs/version-20-1/visibility/packetcapture.mdx +++ b/calico-cloud_versioned_docs/version-20-1/visibility/packetcapture.mdx @@ -36,7 +36,7 @@ Typically, when you troubleshoot microservices and applications for connectivity 1. Start/schedule a packet capture job in Service Graph (Manager UI) or the CLI. 1. After the capture is finished, download the packet capture files (known as `pcap` files), and import them into your analysis tool (for example, WireShark). -For a simple use case workflow see, [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/). +For a simple use case workflow, see [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/). ## Before you begin diff --git a/calico-cloud_versioned_docs/version-20-2/about/product-comparison.mdx b/calico-cloud_versioned_docs/version-20-2/about/product-comparison.mdx index e70e455593..684c5d027f 100644 --- a/calico-cloud_versioned_docs/version-20-2/about/product-comparison.mdx +++ b/calico-cloud_versioned_docs/version-20-2/about/product-comparison.mdx @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov | Data-in-transit encryption for pod traffic using WireGuard |
|
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico-cloud_versioned_docs/version-20-2/networking/configuring/advertise-service-ips.mdx b/calico-cloud_versioned_docs/version-20-2/networking/configuring/advertise-service-ips.mdx index a0b8b0a654..748840379c 100644 --- a/calico-cloud_versioned_docs/version-20-2/networking/configuring/advertise-service-ips.mdx +++ b/calico-cloud_versioned_docs/version-20-2/networking/configuring/advertise-service-ips.mdx @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). 1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field. @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico-cloud_versioned_docs/version-20-2/release-notes/index.mdx b/calico-cloud_versioned_docs/version-20-2/release-notes/index.mdx index 79847caf44..f2747a7fbc 100644 --- a/calico-cloud_versioned_docs/version-20-2/release-notes/index.mdx +++ b/calico-cloud_versioned_docs/version-20-2/release-notes/index.mdx 
@@ -710,7 +710,7 @@ Release of Container Threat Detection With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI. -To get started see, [Container Threat Detection](../threat/container-threat-detection.mdx) +To get started, see [Container Threat Detection](../threat/container-threat-detection.mdx) ## September 26, 2022 @@ -750,7 +750,7 @@ We've made it easier for platform operators to share Image Assurance scan result * Export one row per image or one row per image and CVE. * Export CSV or JSON files. -To get started see, [Image Assurance](../image-assurance). +To get started, see [Image Assurance](../image-assurance). ### Malware detection is GA @@ -761,7 +761,7 @@ Calico Cloud uses eBPF-based monitoring to log file hashes of programs running i If there's a match to known malware from our threat intelligence library, you receive an alert. You can view your alerts on the _Alerts_ page on Manager UI. -To get started see, [Malware Detection](../threat/container-threat-detection.mdx)) +To get started, see [Malware Detection](../threat/container-threat-detection.mdx)) ## July 27, 2022 @@ -845,4 +845,4 @@ The $[prodname] installation process will now require running a `kubectl apply` $[prodname] introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes. -To get started see, [Image Assurance](../image-assurance). +To get started, see [Image Assurance](../image-assurance). 
diff --git a/calico-cloud_versioned_docs/version-20-2/visibility/packetcapture.mdx b/calico-cloud_versioned_docs/version-20-2/visibility/packetcapture.mdx index bcf17b9511..c73d719379 100644 --- a/calico-cloud_versioned_docs/version-20-2/visibility/packetcapture.mdx +++ b/calico-cloud_versioned_docs/version-20-2/visibility/packetcapture.mdx @@ -36,7 +36,7 @@ Typically, when you troubleshoot microservices and applications for connectivity 1. Start/schedule a packet capture job in Service Graph (Manager UI) or the CLI. 1. After the capture is finished, download the packet capture files (known as `pcap` files), and import them into your analysis tool (for example, WireShark). -For a simple use case workflow see, [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/). +For a simple use case workflow, see [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/). ## Before you begin diff --git a/calico-enterprise/about/product-comparison.mdx b/calico-enterprise/about/product-comparison.mdx index 5fbb2acc1d..21d014c6f9 100644 --- a/calico-enterprise/about/product-comparison.mdx +++ b/calico-enterprise/about/product-comparison.mdx @@ -64,7 +64,7 @@ What is the best fit for you? It depends on your needs. The following table prov | Data-in-transit encryption for pod traffic using WireGuard |
|
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico-enterprise/getting-started/bare-metal/about.mdx b/calico-enterprise/getting-started/bare-metal/about.mdx index 31fad848db..7ebcbace70 100644 --- a/calico-enterprise/getting-started/bare-metal/about.mdx +++ b/calico-enterprise/getting-started/bare-metal/about.mdx @@ -24,7 +24,7 @@ In the following diagram, a Kubernetes cluster is running $[prodname] with netwo For non-cluster hosts and VMs, you can secure host interfaces using **host endpoints**. Host endpoints can have labels that work the same as labels on pods/workload endpoints in Kubernetes. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can easily write a global policy that applies to every host, VM, or pod that is running Calico. -To learn how to restrict traffic to/from hosts using Calico network policy see, [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx). +To learn how to restrict traffic to/from hosts and VMs using Calico network policy, see [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx). ## Before you begin diff --git a/calico-enterprise/network-policy/hosts/index.mdx b/calico-enterprise/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico-enterprise/network-policy/hosts/index.mdx +++ b/calico-enterprise/network-policy/hosts/index.mdx @@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; diff --git a/calico-enterprise/network-policy/hosts/protect-hosts.mdx b/calico-enterprise/network-policy/hosts/protect-hosts.mdx index 2405bb5b42..0925767424 100644 
--- a/calico-enterprise/network-policy/hosts/protect-hosts.mdx +++ b/calico-enterprise/network-policy/hosts/protect-hosts.mdx @@ -2,11 +2,11 @@ description: Create Calico Enterprise network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints diff --git a/calico-enterprise/network-policy/index.mdx b/calico-enterprise/network-policy/index.mdx index fcf30993a6..2831201964 100644 --- a/calico-enterprise/network-policy/index.mdx +++ b/calico-enterprise/network-policy/index.mdx @@ -32,7 +32,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw -## Policy for hosts +## Policy for hosts and VMs diff --git a/calico-enterprise/networking/configuring/advertise-service-ips.mdx b/calico-enterprise/networking/configuring/advertise-service-ips.mdx index ad01f3792e..618746530e 100644 --- a/calico-enterprise/networking/configuring/advertise-service-ips.mdx 
+++ b/calico-enterprise/networking/configuring/advertise-service-ips.mdx @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). 1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field. @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico-enterprise/networking/determine-best-networking.mdx b/calico-enterprise/networking/determine-best-networking.mdx index 33a5e165f6..9f7c50fe2c 100644 --- a/calico-enterprise/networking/determine-best-networking.mdx +++ b/calico-enterprise/networking/determine-best-networking.mdx 
@@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -194,7 +194,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. |
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico-enterprise_versioned_docs/version-3.17/getting-started/bare-metal/about.mdx b/calico-enterprise_versioned_docs/version-3.17/getting-started/bare-metal/about.mdx index 2c959ba8db..352cc5afc6 100644 --- a/calico-enterprise_versioned_docs/version-3.17/getting-started/bare-metal/about.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/getting-started/bare-metal/about.mdx @@ -1,8 +1,8 @@ --- -description: Install Calico network policy so you can secure hosts not in a cluster. +description: Install Calico network policy so you can secure hosts and VMs that aren't part of a Kubernetes cluster. --- -# Install network policy on non-cluster hosts +# Install network policy on non-cluster hosts and VMs import DockerContainerService from '@site/calico-enterprise_versioned_docs/version-3.17/_includes/content/_docker-container-service.mdx'; @@ -13,7 +13,7 @@ import TabItem from '@theme/TabItem'; ## Big picture -Secure non-cluster hosts by installing $[prodname] network policy. +Secure non-cluster hosts and VMs by installing $[prodname] network policy. ## Value 
@@ -29,7 +29,7 @@ A non-cluster host is a computer that is running an application that is _not par For non-cluster hosts, you can secure host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. -To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). +To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy, see [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). ## Before you begin diff --git a/calico-enterprise_versioned_docs/version-3.17/network-policy/hosts/index.mdx b/calico-enterprise_versioned_docs/version-3.17/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico-enterprise_versioned_docs/version-3.17/network-policy/hosts/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/network-policy/hosts/index.mdx @@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; diff --git a/calico-enterprise_versioned_docs/version-3.17/network-policy/hosts/protect-hosts.mdx b/calico-enterprise_versioned_docs/version-3.17/network-policy/hosts/protect-hosts.mdx index 2405bb5b42..0925767424 100644 --- a/calico-enterprise_versioned_docs/version-3.17/network-policy/hosts/protect-hosts.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/network-policy/hosts/protect-hosts.mdx 
@@ -2,11 +2,11 @@ description: Create Calico Enterprise network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints diff --git a/calico-enterprise_versioned_docs/version-3.17/network-policy/index.mdx b/calico-enterprise_versioned_docs/version-3.17/network-policy/index.mdx index 5eb4c8fe29..aa56f4a85b 100644 --- a/calico-enterprise_versioned_docs/version-3.17/network-policy/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/network-policy/index.mdx @@ -31,7 +31,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
-## Policy for hosts +## Policy for hosts and VMs diff --git a/calico-enterprise_versioned_docs/version-3.17/networking/configuring/advertise-service-ips.mdx b/calico-enterprise_versioned_docs/version-3.17/networking/configuring/advertise-service-ips.mdx index ad01f3792e..618746530e 100644 --- a/calico-enterprise_versioned_docs/version-3.17/networking/configuring/advertise-service-ips.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/networking/configuring/advertise-service-ips.mdx @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). 1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field. @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico-enterprise_versioned_docs/version-3.17/networking/determine-best-networking.mdx b/calico-enterprise_versioned_docs/version-3.17/networking/determine-best-networking.mdx index ed6e3ab6fb..41938f50df 100644 
--- a/calico-enterprise_versioned_docs/version-3.17/networking/determine-best-networking.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/networking/determine-best-networking.mdx @@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -194,7 +194,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. |
| | | | | | | **Non-cluster host security** | **
Calico Open Source
** |
**Calico Cloud**
|
**Calico Enterprise**
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico-enterprise_versioned_docs/version-3.18-2/getting-started/bare-metal/about.mdx b/calico-enterprise_versioned_docs/version-3.18-2/getting-started/bare-metal/about.mdx index 8dab0c99cd..9387187423 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/getting-started/bare-metal/about.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/getting-started/bare-metal/about.mdx @@ -1,8 +1,8 @@ --- -description: Install Calico network policy so you can secure hosts not in a cluster. +description: Install Calico network policy so you can secure hosts and VMs that aren't part of a Kubernetes cluster. --- -# Install network policy on non-cluster hosts +# Install network policy on non-cluster hosts and VMs import DockerContainerService from '@site/calico-enterprise_versioned_docs/version-3.18-2/_includes/content/_docker-container-service.mdx'; @@ -13,7 +13,7 @@ import TabItem from '@theme/TabItem'; ## Big picture -Secure non-cluster hosts by installing $[prodname] network policy. +Secure non-cluster hosts and VMs by installing $[prodname] network policy. ## Value 
@@ -29,7 +29,7 @@ A non-cluster host is a computer that is running an application that is _not par For non-cluster hosts, you can secure host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. -To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). +To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy, see [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). ## Before you begin diff --git a/calico-enterprise_versioned_docs/version-3.18-2/network-policy/hosts/index.mdx b/calico-enterprise_versioned_docs/version-3.18-2/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/network-policy/hosts/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/network-policy/hosts/index.mdx @@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; diff --git a/calico-enterprise_versioned_docs/version-3.18-2/network-policy/hosts/protect-hosts.mdx b/calico-enterprise_versioned_docs/version-3.18-2/network-policy/hosts/protect-hosts.mdx index 2405bb5b42..0925767424 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/network-policy/hosts/protect-hosts.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.18-2/network-policy/hosts/protect-hosts.mdx @@ -2,11 +2,11 @@ description: Create Calico Enterprise network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints diff --git a/calico-enterprise_versioned_docs/version-3.18-2/network-policy/index.mdx b/calico-enterprise_versioned_docs/version-3.18-2/network-policy/index.mdx index 5eb4c8fe29..aa56f4a85b 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/network-policy/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/network-policy/index.mdx @@ -31,7 +31,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
-## Policy for hosts +## Policy for hosts and VMs diff --git a/calico-enterprise_versioned_docs/version-3.18-2/networking/configuring/advertise-service-ips.mdx b/calico-enterprise_versioned_docs/version-3.18-2/networking/configuring/advertise-service-ips.mdx index ad01f3792e..618746530e 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/networking/configuring/advertise-service-ips.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/networking/configuring/advertise-service-ips.mdx @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). 1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field. @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico-enterprise_versioned_docs/version-3.18-2/networking/determine-best-networking.mdx b/calico-enterprise_versioned_docs/version-3.18-2/networking/determine-best-networking.mdx index 33a5e165f6..9f7c50fe2c 100644 
--- a/calico-enterprise_versioned_docs/version-3.18-2/networking/determine-best-networking.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/networking/determine-best-networking.mdx @@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -194,7 +194,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. |
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/bare-metal/about.mdx b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/bare-metal/about.mdx index e8a9258a60..dcab1b2658 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/bare-metal/about.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/bare-metal/about.mdx @@ -1,8 +1,8 @@ --- -description: Install Calico network policy so you can secure hosts not in a cluster. +description: Install Calico network policy so you can secure hosts and VMs that aren't part of a Kubernetes cluster. --- -# Install network policy on non-cluster hosts +# Install network policy on non-cluster hosts and VMs import DockerContainerService from '@site/calico-enterprise_versioned_docs/version-3.19-2/_includes/content/_docker-container-service.mdx'; @@ -13,7 +13,7 @@ import TabItem from '@theme/TabItem'; ## Big picture -Secure non-cluster hosts by installing $[prodname] network policy. +Secure non-cluster hosts and VMs by installing $[prodname] network policy. ## Value 
@@ -29,7 +29,7 @@ A non-cluster host is a computer that is running an application that is _not par For non-cluster hosts, you can secure host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. -To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). +To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy, see [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). ## Before you begin diff --git a/calico-enterprise_versioned_docs/version-3.19-2/network-policy/hosts/index.mdx b/calico-enterprise_versioned_docs/version-3.19-2/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/network-policy/hosts/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/network-policy/hosts/index.mdx @@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; diff --git a/calico-enterprise_versioned_docs/version-3.19-2/network-policy/hosts/protect-hosts.mdx b/calico-enterprise_versioned_docs/version-3.19-2/network-policy/hosts/protect-hosts.mdx index 2405bb5b42..0925767424 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/network-policy/hosts/protect-hosts.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.19-2/network-policy/hosts/protect-hosts.mdx @@ -2,11 +2,11 @@ description: Create Calico Enterprise network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints diff --git a/calico-enterprise_versioned_docs/version-3.19-2/network-policy/index.mdx b/calico-enterprise_versioned_docs/version-3.19-2/network-policy/index.mdx index fcf30993a6..2831201964 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/network-policy/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/network-policy/index.mdx @@ -32,7 +32,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
-## Policy for hosts +## Policy for hosts and VMs diff --git a/calico-enterprise_versioned_docs/version-3.19-2/networking/configuring/advertise-service-ips.mdx b/calico-enterprise_versioned_docs/version-3.19-2/networking/configuring/advertise-service-ips.mdx index ad01f3792e..618746530e 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/networking/configuring/advertise-service-ips.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/networking/configuring/advertise-service-ips.mdx @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). 1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field. @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico-enterprise_versioned_docs/version-3.19-2/networking/determine-best-networking.mdx b/calico-enterprise_versioned_docs/version-3.19-2/networking/determine-best-networking.mdx index 33a5e165f6..9f7c50fe2c 100644 
--- a/calico-enterprise_versioned_docs/version-3.19-2/networking/determine-best-networking.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/networking/determine-best-networking.mdx @@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -194,7 +194,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. |
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico-enterprise_versioned_docs/version-3.20-1/getting-started/bare-metal/about.mdx b/calico-enterprise_versioned_docs/version-3.20-1/getting-started/bare-metal/about.mdx index 87b0f3b8c0..68a7241124 100644 --- a/calico-enterprise_versioned_docs/version-3.20-1/getting-started/bare-metal/about.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-1/getting-started/bare-metal/about.mdx @@ -1,8 +1,8 @@ --- -description: Install Calico network policy so you can secure hosts not in a cluster. +description: Install Calico network policy so you can secure hosts and VMs that aren't part of a Kubernetes cluster. --- -# Install network policy on non-cluster hosts +# Install network policy on non-cluster hosts and VMs import DockerContainerService from '@site/calico-enterprise_versioned_docs/version-3.20-1/_includes/content/_docker-container-service.mdx'; @@ -13,7 +13,7 @@ import TabItem from '@theme/TabItem'; ## Big picture -Secure non-cluster hosts by installing $[prodname] network policy. +Secure non-cluster hosts and VMs by installing $[prodname] network policy. ## Value 
@@ -29,7 +29,7 @@ A non-cluster host is a computer that is running an application that is _not par For non-cluster hosts, you can secure host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. -To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). +To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy, see [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). ## Before you begin diff --git a/calico-enterprise_versioned_docs/version-3.20-1/network-policy/hosts/index.mdx b/calico-enterprise_versioned_docs/version-3.20-1/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico-enterprise_versioned_docs/version-3.20-1/network-policy/hosts/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-1/network-policy/hosts/index.mdx @@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; diff --git a/calico-enterprise_versioned_docs/version-3.20-1/network-policy/hosts/protect-hosts.mdx b/calico-enterprise_versioned_docs/version-3.20-1/network-policy/hosts/protect-hosts.mdx index 2405bb5b42..0925767424 100644 --- a/calico-enterprise_versioned_docs/version-3.20-1/network-policy/hosts/protect-hosts.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.20-1/network-policy/hosts/protect-hosts.mdx @@ -2,11 +2,11 @@ description: Create Calico Enterprise network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints diff --git a/calico-enterprise_versioned_docs/version-3.20-1/network-policy/index.mdx b/calico-enterprise_versioned_docs/version-3.20-1/network-policy/index.mdx index fcf30993a6..2831201964 100644 --- a/calico-enterprise_versioned_docs/version-3.20-1/network-policy/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-1/network-policy/index.mdx @@ -32,7 +32,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
-## Policy for hosts +## Policy for hosts and VMs diff --git a/calico-enterprise_versioned_docs/version-3.20-1/networking/configuring/advertise-service-ips.mdx b/calico-enterprise_versioned_docs/version-3.20-1/networking/configuring/advertise-service-ips.mdx index ad01f3792e..618746530e 100644 --- a/calico-enterprise_versioned_docs/version-3.20-1/networking/configuring/advertise-service-ips.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-1/networking/configuring/advertise-service-ips.mdx @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). 1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field. @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico-enterprise_versioned_docs/version-3.20-1/networking/determine-best-networking.mdx b/calico-enterprise_versioned_docs/version-3.20-1/networking/determine-best-networking.mdx index 33a5e165f6..9f7c50fe2c 100644 
--- a/calico-enterprise_versioned_docs/version-3.20-1/networking/determine-best-networking.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-1/networking/determine-best-networking.mdx @@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -194,7 +194,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. |
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/bare-metal/about.mdx b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/bare-metal/about.mdx index 31fad848db..7ebcbace70 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/bare-metal/about.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/bare-metal/about.mdx @@ -24,7 +24,7 @@ In the following diagram, a Kubernetes cluster is running $[prodname] with netwo For non-cluster hosts and VMs, you can secure host interfaces using **host endpoints**. Host endpoints can have labels that work the same as labels on pods/workload endpoints in Kubernetes. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can easily write a global policy that applies to every host, VM, or pod that is running Calico. -To learn how to restrict traffic to/from hosts using Calico network policy see, [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx). +To learn how to restrict traffic to/from hosts and VMs using Calico network policy, see [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx). ## Before you begin diff --git a/calico-enterprise_versioned_docs/version-3.20-2/network-policy/hosts/index.mdx b/calico-enterprise_versioned_docs/version-3.20-2/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/network-policy/hosts/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/network-policy/hosts/index.mdx 
@@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; diff --git a/calico-enterprise_versioned_docs/version-3.20-2/network-policy/hosts/protect-hosts.mdx b/calico-enterprise_versioned_docs/version-3.20-2/network-policy/hosts/protect-hosts.mdx index 2405bb5b42..0925767424 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/network-policy/hosts/protect-hosts.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/network-policy/hosts/protect-hosts.mdx @@ -2,11 +2,11 @@ description: Create Calico Enterprise network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints 
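Review bot: The last added line of the `@@ -16,7 +16,9 @@` hunk in protect-hosts.mdx ends with "VMs running in the public clou.", which should read "public cloud."; the same truncated word appears in each versioned copy of protect-hosts.mdx touched by this patch, so correct them together. In the `@@ -2,11 +2,11 @@` hunk of the same file, the unchanged front-matter line `description: Create Calico Enterprise network policies to restrict traffic to/from hosts.` no longer matches the new "Protect hosts and VMs" heading and should be updated in the same change.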
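Review bot: In the `@@ -29,7 +29,7 @@` hunk of bare-metal/about.mdx for versions 3.18-2, 3.19-2 and 3.20-1, the added line keeps the link text `[Protect hosts]` even though this patch renames the target page to "Protect hosts and VMs", and the 3.20-2 copy of the same sentence already links as `[Protect hosts and VMs]`. Update the link text in the three older copies so that all versions agree with the new page title.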
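Review bot: The sentence rewritten in the `@@ -126,7 +126,7 @@` hunk of determine-best-networking.mdx is still missing a conjunction ("allocates pod IPs from the underlying Azure VNET configures the Azure virtual network"). Since the line is already being changed for the AKS URL, add "and" before "configures" in each versioned copy rather than carrying the error forward.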
diff --git a/calico-enterprise_versioned_docs/version-3.20-2/network-policy/index.mdx b/calico-enterprise_versioned_docs/version-3.20-2/network-policy/index.mdx index fcf30993a6..2831201964 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/network-policy/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/network-policy/index.mdx @@ -32,7 +32,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
-## Policy for hosts +## Policy for hosts and VMs diff --git a/calico-enterprise_versioned_docs/version-3.20-2/networking/configuring/advertise-service-ips.mdx b/calico-enterprise_versioned_docs/version-3.20-2/networking/configuring/advertise-service-ips.mdx index ad01f3792e..618746530e 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/networking/configuring/advertise-service-ips.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/networking/configuring/advertise-service-ips.mdx @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). 1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field. @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico-enterprise_versioned_docs/version-3.20-2/networking/determine-best-networking.mdx b/calico-enterprise_versioned_docs/version-3.20-2/networking/determine-best-networking.mdx index 33a5e165f6..9f7c50fe2c 100644 
--- a/calico-enterprise_versioned_docs/version-3.20-2/networking/determine-best-networking.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/networking/determine-best-networking.mdx @@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -194,7 +194,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. |
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico/getting-started/bare-metal/about.mdx b/calico/getting-started/bare-metal/about.mdx index 0d546eef82..6f91bc16d4 100644 --- a/calico/getting-started/bare-metal/about.mdx +++ b/calico/getting-started/bare-metal/about.mdx @@ -6,7 +6,7 @@ description: Install Calico on hosts not in a cluster with network policy, or ne ## Big picture -Secure non-cluster hosts by installing $[prodname] for networking and/or networking policy. +Secure non-cluster hosts and VMs by installing $[prodname] for networking and/or networking policy. ## Value 
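Review bot: The rewritten Big picture sentence keeps the wording "networking and/or networking policy", while this page's own `description` and the other lines changed in this patch say "network policy". Since the line is being edited anyway, suggest "for networking and/or network policy" so the term is used consistently.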
@@ -18,7 +18,7 @@ Not all hosts in your environment run pods/workloads. You may have physical mach A **non-cluster host** is a computer that is running an application that is _not part of a Kubernetes cluster_. Using $[prodname] network policy, you can secure these host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. -The advantage is, you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). +The advantage is, you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy, see [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). If you are using the etcd3 database, you can also install $[prodname] with networking as described below. diff --git a/calico/network-policy/hosts/index.mdx b/calico/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico/network-policy/hosts/index.mdx +++ b/calico/network-policy/hosts/index.mdx @@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; 
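Review bot: In the `bare-metal/about.mdx` hunk at `@@ -18,7 +18,7 @@`, the link text is still `[Protect hosts]` even though this patch retitles the target page to "Protect hosts and VMs". The calico-enterprise version of the same sentence uses `[Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx)`; use that link text here so the two doc sets stay aligned. The same added line also carries "refer to the either type", which could become "refer to either type" while the line is open.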
diff --git a/calico/network-policy/hosts/protect-hosts.mdx b/calico/network-policy/hosts/protect-hosts.mdx index 8f7f7d46dc..1c66dd71ac 100644 --- a/calico/network-policy/hosts/protect-hosts.mdx +++ b/calico/network-policy/hosts/protect-hosts.mdx @@ -2,11 +2,11 @@ description: Calico network policy not only protects workloads, but also hosts. Create a Calico network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints diff --git a/calico/network-policy/index.mdx b/calico/network-policy/index.mdx index e423f18da3..4efca27c26 100644 --- a/calico/network-policy/index.mdx +++ b/calico/network-policy/index.mdx @@ -34,7 +34,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
-## Policy for hosts +## Policy for hosts and VMs diff --git a/calico/networking/configuring/advertise-service-ips.mdx b/calico/networking/configuring/advertise-service-ips.mdx index f5860c256d..58d7693bd6 100644 --- a/calico/networking/configuring/advertise-service-ips.mdx +++ b/calico/networking/configuring/advertise-service-ips.mdx @@ -113,7 +113,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -159,7 +159,7 @@ deprecated CALICO_ADVERTISE_CLUSTER_IPS with BGPConfiguration. EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). ### Advertise service load balancer IP addresses @@ -197,7 +197,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico/networking/determine-best-networking.mdx b/calico/networking/determine-best-networking.mdx index 5a82758107..57ae84c862 100644 --- a/calico/networking/determine-best-networking.mdx +++ b/calico/networking/determine-best-networking.mdx 
@@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -204,7 +204,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. -## Policy for hosts +## Policy for hosts and VMs diff --git a/calico_versioned_docs/version-3.26/networking/configuring/advertise-service-ips.mdx b/calico_versioned_docs/version-3.26/networking/configuring/advertise-service-ips.mdx index 8d93b1a5fb..05fe6e6d30 100644 --- a/calico_versioned_docs/version-3.26/networking/configuring/advertise-service-ips.mdx 
+++ b/calico_versioned_docs/version-3.26/networking/configuring/advertise-service-ips.mdx @@ -113,7 +113,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -159,7 +159,7 @@ deprecated CALICO_ADVERTISE_CLUSTER_IPS with BGPConfiguration. EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). ### Advertise service load balancer IP addresses @@ -197,7 +197,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico_versioned_docs/version-3.26/networking/determine-best-networking.mdx b/calico_versioned_docs/version-3.26/networking/determine-best-networking.mdx index 3033730109..eafc38ba90 100644 --- a/calico_versioned_docs/version-3.26/networking/determine-best-networking.mdx +++ b/calico_versioned_docs/version-3.26/networking/determine-best-networking.mdx 
@@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -204,7 +204,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. |
| | | | | | | **Non-cluster hosts** | **
Calico Open Source
** |
**Calico Cloud**
|
**Calico Enterprise**
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico_versioned_docs/version-3.27/about/product-comparison.mdx b/calico_versioned_docs/version-3.27/about/product-comparison.mdx index 3d7239351f..064546eada 100644 --- a/calico_versioned_docs/version-3.27/about/product-comparison.mdx +++ b/calico_versioned_docs/version-3.27/about/product-comparison.mdx @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov | SIEM integration | |
|
| | | | | | | **Non-cluster host security** | **
Calico Open Source
** |
**Calico Cloud**
|
**Calico Enterprise**
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico_versioned_docs/version-3.27/getting-started/bare-metal/about.mdx b/calico_versioned_docs/version-3.27/getting-started/bare-metal/about.mdx index 0d546eef82..6f91bc16d4 100644 --- a/calico_versioned_docs/version-3.27/getting-started/bare-metal/about.mdx +++ b/calico_versioned_docs/version-3.27/getting-started/bare-metal/about.mdx @@ -6,7 +6,7 @@ description: Install Calico on hosts not in a cluster with network policy, or ne ## Big picture -Secure non-cluster hosts by installing $[prodname] for networking and/or networking policy. +Secure non-cluster hosts and VMs by installing $[prodname] for networking and/or networking policy. ## Value 
@@ -18,7 +18,7 @@ Not all hosts in your environment run pods/workloads. You may have physical mach A **non-cluster host** is a computer that is running an application that is _not part of a Kubernetes cluster_. Using $[prodname] network policy, you can secure these host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. -The advantage is, you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). +The advantage is, you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy, see [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). If you are using the etcd3 database, you can also install $[prodname] with networking as described below. diff --git a/calico_versioned_docs/version-3.27/network-policy/hosts/index.mdx b/calico_versioned_docs/version-3.27/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico_versioned_docs/version-3.27/network-policy/hosts/index.mdx +++ b/calico_versioned_docs/version-3.27/network-policy/hosts/index.mdx 
@@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; diff --git a/calico_versioned_docs/version-3.27/network-policy/hosts/protect-hosts.mdx b/calico_versioned_docs/version-3.27/network-policy/hosts/protect-hosts.mdx index 8f7f7d46dc..1c66dd71ac 100644 --- a/calico_versioned_docs/version-3.27/network-policy/hosts/protect-hosts.mdx +++ b/calico_versioned_docs/version-3.27/network-policy/hosts/protect-hosts.mdx @@ -2,11 +2,11 @@ description: Calico network policy not only protects workloads, but also hosts. Create a Calico network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints 
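Review bot: The new definitions in the `### Hosts and workloads` hunk contradict each other: a *workload* is defined as "a containerized compute instance running in Kubernetes", but the next added line says a *host* "runs application workloads outside of Kubernetes". Either widen the workload definition or reword the host line (for example, "runs applications outside of Kubernetes") so readers can tell which kind of endpoint applies to what. The final added line also ends in "public clou." and should read "public cloud."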
diff --git a/calico_versioned_docs/version-3.27/network-policy/index.mdx b/calico_versioned_docs/version-3.27/network-policy/index.mdx index e423f18da3..4efca27c26 100644 --- a/calico_versioned_docs/version-3.27/network-policy/index.mdx +++ b/calico_versioned_docs/version-3.27/network-policy/index.mdx @@ -34,7 +34,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
-## Policy for hosts +## Policy for hosts and VMs diff --git a/calico_versioned_docs/version-3.27/networking/configuring/advertise-service-ips.mdx b/calico_versioned_docs/version-3.27/networking/configuring/advertise-service-ips.mdx index f5860c256d..58d7693bd6 100644 --- a/calico_versioned_docs/version-3.27/networking/configuring/advertise-service-ips.mdx +++ b/calico_versioned_docs/version-3.27/networking/configuring/advertise-service-ips.mdx @@ -113,7 +113,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -159,7 +159,7 @@ deprecated CALICO_ADVERTISE_CLUSTER_IPS with BGPConfiguration. EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). ### Advertise service load balancer IP addresses @@ -197,7 +197,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico_versioned_docs/version-3.27/networking/determine-best-networking.mdx b/calico_versioned_docs/version-3.27/networking/determine-best-networking.mdx index 5a82758107..57ae84c862 100644 --- a/calico_versioned_docs/version-3.27/networking/determine-best-networking.mdx +++ b/calico_versioned_docs/version-3.27/networking/determine-best-networking.mdx 
@@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -204,7 +204,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. |
| | | | | | | **Non-cluster host security** | **
Calico Open Source
** |
**Calico Cloud**
|
**Calico Enterprise**
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico_versioned_docs/version-3.28/getting-started/bare-metal/about.mdx b/calico_versioned_docs/version-3.28/getting-started/bare-metal/about.mdx index 0d546eef82..6f91bc16d4 100644 --- a/calico_versioned_docs/version-3.28/getting-started/bare-metal/about.mdx +++ b/calico_versioned_docs/version-3.28/getting-started/bare-metal/about.mdx @@ -6,7 +6,7 @@ description: Install Calico on hosts not in a cluster with network policy, or ne ## Big picture -Secure non-cluster hosts by installing $[prodname] for networking and/or networking policy. +Secure non-cluster hosts and VMs by installing $[prodname] for networking and/or networking policy. ## Value 
@@ -18,7 +18,7 @@ Not all hosts in your environment run pods/workloads. You may have physical mach A **non-cluster host** is a computer that is running an application that is _not part of a Kubernetes cluster_. Using $[prodname] network policy, you can secure these host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. -The advantage is, you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). +The advantage is, you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy, see [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). If you are using the etcd3 database, you can also install $[prodname] with networking as described below. diff --git a/calico_versioned_docs/version-3.28/network-policy/hosts/index.mdx b/calico_versioned_docs/version-3.28/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico_versioned_docs/version-3.28/network-policy/hosts/index.mdx +++ b/calico_versioned_docs/version-3.28/network-policy/hosts/index.mdx 
@@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; diff --git a/calico_versioned_docs/version-3.28/network-policy/hosts/protect-hosts.mdx b/calico_versioned_docs/version-3.28/network-policy/hosts/protect-hosts.mdx index 8f7f7d46dc..1c66dd71ac 100644 --- a/calico_versioned_docs/version-3.28/network-policy/hosts/protect-hosts.mdx +++ b/calico_versioned_docs/version-3.28/network-policy/hosts/protect-hosts.mdx @@ -2,11 +2,11 @@ description: Calico network policy not only protects workloads, but also hosts. Create a Calico network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints 
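Review bot: The defined terms in the `### Hosts and workloads` hunk switch from bold (`**workload**`, `**host**`) to italic (`*workload*`, `*host*`), while other pages touched by this patch still introduce terms in bold (`**non-cluster host**`, `**host endpoints**`). Keep bold for term definitions unless the style change is intentional and applied throughout. The same paragraph carries the "public clou." typo, which should be "public cloud."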
diff --git a/calico_versioned_docs/version-3.28/network-policy/index.mdx b/calico_versioned_docs/version-3.28/network-policy/index.mdx index 61905fd26d..624256b79c 100644 --- a/calico_versioned_docs/version-3.28/network-policy/index.mdx +++ b/calico_versioned_docs/version-3.28/network-policy/index.mdx @@ -34,7 +34,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
-## Policy for hosts +## Policy for hosts and VMs diff --git a/calico_versioned_docs/version-3.28/networking/configuring/advertise-service-ips.mdx b/calico_versioned_docs/version-3.28/networking/configuring/advertise-service-ips.mdx index f5860c256d..58d7693bd6 100644 --- a/calico_versioned_docs/version-3.28/networking/configuring/advertise-service-ips.mdx +++ b/calico_versioned_docs/version-3.28/networking/configuring/advertise-service-ips.mdx @@ -113,7 +113,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -159,7 +159,7 @@ deprecated CALICO_ADVERTISE_CLUSTER_IPS with BGPConfiguration. EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). ### Advertise service load balancer IP addresses @@ -197,7 +197,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico_versioned_docs/version-3.28/networking/determine-best-networking.mdx b/calico_versioned_docs/version-3.28/networking/determine-best-networking.mdx index 5a82758107..57ae84c862 100644 --- a/calico_versioned_docs/version-3.28/networking/determine-best-networking.mdx +++ b/calico_versioned_docs/version-3.28/networking/determine-best-networking.mdx 
@@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -204,7 +204,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. |
|
| | SIEM integration | |
|
| | **Non-cluster hosts** |
|
|
| -| Restrict traffic to/from hosts using network policy |
| |
| +| Restrict traffic to/from hosts and VMs using network policy |
| |
| | Automatic host endpoints |
| |
| | Secure Kubernetes nodes with host endpoints managed by Calico |
|
|
| | Apply policy to host-forwarded traffic |
|
|
| diff --git a/calico_versioned_docs/version-3.29/getting-started/bare-metal/about.mdx b/calico_versioned_docs/version-3.29/getting-started/bare-metal/about.mdx index 0d546eef82..6f91bc16d4 100644 --- a/calico_versioned_docs/version-3.29/getting-started/bare-metal/about.mdx +++ b/calico_versioned_docs/version-3.29/getting-started/bare-metal/about.mdx @@ -6,7 +6,7 @@ description: Install Calico on hosts not in a cluster with network policy, or ne ## Big picture -Secure non-cluster hosts by installing $[prodname] for networking and/or networking policy. +Secure non-cluster hosts and VMs by installing $[prodname] for networking and/or networking policy. ## Value 
@@ -18,7 +18,7 @@ Not all hosts in your environment run pods/workloads. You may have physical mach A **non-cluster host** is a computer that is running an application that is _not part of a Kubernetes cluster_. Using $[prodname] network policy, you can secure these host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. -The advantage is, you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). +The advantage is, you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy, see [Protect hosts](../../network-policy/hosts/protect-hosts.mdx). If you are using the etcd3 database, you can also install $[prodname] with networking as described below. diff --git a/calico_versioned_docs/version-3.29/network-policy/hosts/index.mdx b/calico_versioned_docs/version-3.29/network-policy/hosts/index.mdx index feee221042..64fc81e1f9 100644 --- a/calico_versioned_docs/version-3.29/network-policy/hosts/index.mdx +++ b/calico_versioned_docs/version-3.29/network-policy/hosts/index.mdx 
@@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi hide_table_of_contents: true --- -# Policy for hosts +# Policy for hosts and VMs import DocCardList from '@theme/DocCardList'; import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; diff --git a/calico_versioned_docs/version-3.29/network-policy/hosts/protect-hosts.mdx b/calico_versioned_docs/version-3.29/network-policy/hosts/protect-hosts.mdx index 8f7f7d46dc..1c66dd71ac 100644 --- a/calico_versioned_docs/version-3.29/network-policy/hosts/protect-hosts.mdx +++ b/calico_versioned_docs/version-3.29/network-policy/hosts/protect-hosts.mdx @@ -2,11 +2,11 @@ description: Calico network policy not only protects workloads, but also hosts. Create a Calico network policies to restrict traffic to/from hosts. --- -# Protect hosts +# Protect hosts and VMs ## Big picture -Use $[prodname] network policy to restrict traffic to/from hosts. +Use $[prodname] network policy to restrict traffic to/from hosts and VMs. ## Value @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn ### Hosts and workloads -In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests. +In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes. +A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes. +$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou. ### Host endpoints 
diff --git a/calico_versioned_docs/version-3.29/network-policy/index.mdx b/calico_versioned_docs/version-3.29/network-policy/index.mdx index e423f18da3..4efca27c26 100644 --- a/calico_versioned_docs/version-3.29/network-policy/index.mdx +++ b/calico_versioned_docs/version-3.29/network-policy/index.mdx @@ -34,7 +34,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
-## Policy for hosts +## Policy for hosts and VMs diff --git a/calico_versioned_docs/version-3.29/networking/configuring/advertise-service-ips.mdx b/calico_versioned_docs/version-3.29/networking/configuring/advertise-service-ips.mdx index f5860c256d..58d7693bd6 100644 --- a/calico_versioned_docs/version-3.29/networking/configuring/advertise-service-ips.mdx +++ b/calico_versioned_docs/version-3.29/networking/configuring/advertise-service-ips.mdx @@ -113,7 +113,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). :::note @@ -159,7 +159,7 @@ deprecated CALICO_ADVERTISE_CLUSTER_IPS with BGPConfiguration. EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). ### Advertise service load balancer IP addresses @@ -197,7 +197,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load EOF ``` - For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx). + For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx). Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller. You can build your own, or use a third-party implementation like the MetalLB project. diff --git a/calico_versioned_docs/version-3.29/networking/determine-best-networking.mdx b/calico_versioned_docs/version-3.29/networking/determine-best-networking.mdx index 5a82758107..57ae84c862 100644 --- a/calico_versioned_docs/version-3.29/networking/determine-best-networking.mdx +++ b/calico_versioned_docs/version-3.29/networking/determine-best-networking.mdx 
@@ -126,7 +126,7 @@ The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses **Azure CNI** -The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy enforcement. +The Azure CNI plugin allocates pod IPs from the underlying Azure VNET configures the Azure virtual network to provide VNET native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement. **Azure cloud provider** @@ -204,7 +204,7 @@ You can learn more about Kubernetes Networking on AWS, including how each of the ### Azure -If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET. +If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNET.
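Review bot: in the second hunk of `version-3.29/getting-started/bare-metal/about.mdx`, the rewritten sentence still contains "can refer to the either type"; since the line is already being changed, drop the stray "the". The unchanged context line above it still defines a non-cluster host only as "a computer that is running an application that is _not part of a Kubernetes cluster_", which does not mention VMs, so the new "hosts and VMs" wording in the Big picture is not backed by the definition readers see next. The link text also stays "Protect hosts" while the target page is retitled "Protect hosts and VMs" in this same patch.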
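Review bot: the last added line of the "Hosts and workloads" hunk in `version-3.29/network-policy/hosts/protect-hosts.mdx` ends with "VMs running in the public clou."; that should read "public cloud." The same hunk changes the defined terms from bold (`**workload**`, `**host**`) to italic (`*workload*`, `*host*`), while `about.mdx` in this patch keeps bold for `**non-cluster host**` and `**host endpoints**`, so pick one style. The new definition also moves VMs from "workload" to "host"; since that decides which endpoint type a policy selector is expected to match, confirm the rest of the page uses the terms the same way. The front-matter description shown in the first hunk of this file was left as "restrict traffic to/from hosts" and "Create a Calico network policies"; update it to match the new title and fix the grammar.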
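Review bot: the heading rename from `## Policy for hosts` to `## Policy for hosts and VMs` in `network-policy/index.mdx` (3.28 and 3.29 copies) changes the anchor that Docusaurus generates from the heading text. Check for inbound links to `#policy-for-hosts`, or pin the old anchor with an explicit heading id so existing links keep resolving.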
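Review bot: in the "Azure CNI" hunk of `networking/determine-best-networking.mdx` (both the 3.28 and 3.29 copies), the edited line still reads "from the underlying Azure VNET configures the Azure virtual network", which is missing a conjunction. The line is already being touched for the URL update, so fix it in the same change, for example "from the underlying Azure VNET and configures the Azure virtual network".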