| Feature | Docker Overlay Network | Calico | Flannel | Weave Net | Canal (Calico + Flannel) |
Romana | Aporeto/Trireme | Cisco Contiv | Covalent Cilium | Kube-Router | OVS/OVN | NSX-T | Midokura | Nuage | Open Contrail |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Open Source | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes/No | No | Yes |
| Network Model [Data Path Technique] |
VXLAN overlay | L3 with BGP Peering or IPIP Encapsulation | VXLAN or UDP overlay | VXLAN or UDP overlay; IP routed for AWS VPC | VXLAN or UDP overlay | Layer 3 | Layer 3 with TLS | Layer 2, Layer 3 (BGP) & VxLAN overlay | L3 with optional encapsulation | BGP Based | VxLAN | GENEVE | |||
| Network Policy API Support | No | Yes | Uses a custom mechanism for applying policy. | Yes | |||||||||||
| Application Isolation | CIDR Schema | Policy Schema based on labels, cidrs, ports and profiles | CIDR Schema | CIDR Schema, Network Policy API | Policy Schema based on labels, cidrs, ports and profiles | CIDR Schema | TLS-based | Both Label based as well as CIDR Schema | Policy based on labels | CIDR | |||||
| Isolation from Host Network NS | YES | Yes | Yes | Yes | Yes | ||||||||||
| Ingress Policy | Yes | Yes | Yes | Yes | Yes* | ||||||||||
| Egress policy | Yes | No | No | Yes | Yes | Yes | |||||||||
| Protocol Support | ALL except multicast | ALL | ALL | ALL | ALL | ALL | TCP only | All | Artifically limited to IPv4/IPv6 & TCP/UDP/ICMP[v6] | All IPv4 and IPv6. Multicast not supported | |||||
| Built-in Name Service | YES | No | No | Yes | No | No | No | Yes | No | No | |||||
| Built-in Service Load Balancer | YES | No | No | No | No | No | Yes | Yes | Yes | ||||||
| Cluster Store Requirements | None | etcd/k8s API | etcd/k8s API | None | etcd/k8s API | etcd/Consul Zookeeper |
None | etcd/Consul |
Yes (consul or etcd) |
Zookeeper | |||||
| Encryption | YES | No | No | NaCl Library | No | No | TLS | No | Yes (IPSec) | TLS | |||||
| Separate vNIC for Container | YES | Yes | No | Yes | No | No | No | Yes | Yes (shared logical routing table) | NA | |||||
| IP Overlap Support | YES | No | No | No | No | No | No | Yes, multiple VRFs | No | Yes | |||||
| Container Subnet Restriction | YES | No | No | Yes, configurable after start | No | No | No | No restriction | No | ||||||
| Multicast support | NO | No | No | Yes | No | No | No | Yes | No | ||||||
| Pods routable from outside cluster | N/A | Yes | No | Yes | No | Yes | Yes | ||||||||
| Container Networking Interface | N/A | Yes | Yes | Yes | Yes | Yes | ? | Yes | Yes | ||||||
| Container Networking Model | YES | Yes | No | Yes | No | No | ? | Yes | Yes | ||||||
| OpenStack Support | N/A | Yes | No | No | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | ||
| Kubernetes CNI | N/A | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |||||
| Mesos Support | N/A | Yes | Yes | Yes | Yes | No | Yes | Yes | |||||||
| Docker Support | Yes | Yes | No | Yes | No | Yes | Yes | Yes | |||||||
| rkt Support | N/A | Yes | Yes | No | |||||||||||
| Cloud Foundry Support | NO | ? | Yes | ? | ? | No | No | Yes | |||||||
| Nomad Support | N/A | No | No | No | No | No | Yes | No | |||||||
| URL to Networking Architecture | Calico Reference Architecture | Flannel | Introducing Weave | tigera/canal | Romana Basics | Trireme Architecture | contiv.io | https://github.com/cilium/cilium | |||||||
| URL to Reference Architecture | Designing Scalable, Portable Docker Container Networks | Romana Details | |||||||||||||
| URL to Demo | Calico Demo | Cilium | |||||||||||||
| Troubleshooting | Calico | Weave |