AWS Marketplace

Automate Tigera Calico Cloud and EKS clusters integration using AWS Control Tower

Migrating to the cloud has enabled many organizations to reduce costs, innovate faster, and deliver business results more effectively. However, as businesses expand their cloud infrastructure, they must adopt robust monitoring strategies to keep an eye on operations, performance, reliability, security, and costs in their expanded environment.

Having a multi-account strategy is a best practice to achieve greater isolation of resources in an efficient way. It also helps to meet regulatory and compliance needs, track operational costs, and add an extra layer of security. AWS Control Tower uses AWS best practices to establish a well-architected, multi-account baseline and also enables governance across your AWS accounts. Many customers use AWS Control Tower to manage and govern multi-account AWS environments. For more information about managing multi-account AWS environments with AWS Control Tower, see Getting Started with AWS Control Tower.

Calico Cloud is a pay-as-you-go managed service. It deploys a standard set of cloud workload access controls to enforce security policies consistently, ensure compliance, get end-to-end observability, and troubleshoot applications across multi-cluster and multi-cloud Kubernetes environments. It scales automatically with managed clusters to ensure security, continuous compliance, and uninterrupted real-time observability. With Calico Cloud, users get security and observability as-a-service for containers, cloud, and Kubernetes in a usage-based pricing model and only pay for the services consumed. The service is up and running within minutes and works with any Kubernetes distribution across any cloud.

In this post, Joseph Yostos, Deepak Sihag and I will show how you can activate, deploy, and configure the Calico Cloud in your AWS Control Tower environment. You will take full advantage of the resources preconfigured by AWS Control Tower as part of the initialization.

Solution overview and features

This solution aims to automate the process of connecting an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to Calico Cloud. It also provides an event-driven automation to connect an Amazon EKS cluster with Calico Cloud. It requires deployment of an AWS CloudFormation stack in the AWS Control Tower management account, which creates a CloudFormation StackSet in the management account. On every new account creation, a CloudFormation stack will be deployed in the new account via StackSets. The CloudFormation stack in individual account(s) will deploy the resources required for Calico Cloud automation. Refer to the following diagram.

Control Tower and Calico Cloud Integration Architecture Diagram - Management Account

As a part of this solution, the following resources will be created in Managed Account:

  • Kubernetes admin IAM role – This is the IAM role that needs to be updated in the aws-auth ConfigMap of the Kubernetes cluster. The Amazon Resource Number (ARN) for this role is available as the output of the CloudFormation template.
  • Event bridge rule – An event rule is created to capture an EKS CreateCluster event. This rule then triggers the state machine to initiate the automation.
  • State machine – This state machine will orchestrate the automation of connecting the EKS cluster to Calico Cloud. As part of this automation, a node group is added to the EKS cluster as pods will be deployed. Then it uses AWS Systems Manager to run command on EKS nodes to run the Calico script.
  • SNS Topic – This Amazon Simple Notification Service (Amazon SNS) topic will be used to send the success or failure notification of Calico Cloud connection by a state machine. Options to subscribe to one email address are available via CloudFormation parameters. Subscriptions can be added as needed after deployment as well.

Refer to the following architecture diagram.

Control Tower and Calico Cloud Integration Architecture Diagram - Managed Account

Calico Cloud integration: prerequisites

In order to be able to perform operations on Kubernetes that are required by the Calico script, this solution needs admin access on Kubernetes. This solution creates an Identity and Access Management (IAM) role that is used to perform operations on Kubernetes. Access to Kubernetes is managed via configmap. Currently, adding access for an additional IAM role is supported by creating an EKS cluster using Amazon quickstart EKS cluster CloudFormation resource or AWS Cloud Development Kit (AWS CDK). You must have an automated way of getting that IAM role added as system:masters in aws-auth ConfigMap at the time of EKS cluster creation. If you create an EKS cluster from the AWS console or through other ways where the required IAM role is not added to configmap with cluster creation, this solution will not work.

Solution walkthrough: Automate Tigera Calico Cloud and EKS clusters integration using AWS Control Tower

Step 1: Subscribe to Calico Cloud in AWS Marketplace

  1. Navigate to Calico Cloud in AWS Marketplace.
  2. Select the View purchase options button.
  3. On the new screen, Configure your Software Contract, in the How long do you want your contract to run? dialog box, select a duration. Under Renewal Settings, under Auto Renew, choose appropriate Yes or No radio button to select whether your contract automatically renews. Update Contract Options appropriately.
  4. Once you have configured your contract, select the Create contract You will be prompted to confirm the contract. If you agree to the pricing, select the Pay Now button.
  5. After successfully subscribing, on the net dialog box, select Set up your account. This will navigate to the Calico cloud registration page. Enter the appropriate information and select Complete Registration. Once the registration is complete, an email will be sent to the registered email with instructions to create Calico cloud account and setup credentials.

Step 2: Set up additional configuration

  1. Sign in to Calico Cloud with your credentials from step 1.5.
  2. In the Calico Cloud portal left sidebar, choose Managed clusters, then select connect cluster, then Amazon EKS and Next. Be sure to save the script URL.

Step 3: Deploy and test Calico AWS Control Tower integration solution

To deploy and test the integration, follow the implementation guide for Calico cloud integration with AWS Control Tower.

Congratulations! You have deployed the AWS Control Tower Integration with Calico Cloud. You now have better observability into your accounts as soon as new EKS clusters are launched, all without additional configuration.


Deploying this solution may incur costs on Tigera based on the subscrciption you choose and on AWS for provisioned resources such as EKS. To clean up and avoid these costs, delete the CloudFormation stacks deployed and EKS cluster created for testing.


In this post, we showed you how to automatically connect a new EKS cluster with Calico Cloud using AWS Control Tower. Tigera Calico Cloud integration with AWS Control Tower enables you to automatically connect EKS clusters with Calico Cloud during the EKS cluster creation. For more information about this solution, see Solutions for AWS Control Tower in AWS Marketplace.

Contents of this post were validated to work on the publishing date. The code and templates in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.

About the authors

Dathu Patil

Dathu is a Solutions Architect based out of Boston, MA. He helps customers architect scalable, highly available applications that leverage AWS services. He works as a technical leader alongside customer business, development and infrastructure teams providing deep software knowledge with respect to cloud architecture, design patterns and programming.


Joseph Yostos

My name is Joseph Yostos, and I am a Technical Marketing Engineer at Tigera. After many years of experience working on application/infrastructure virtualization, containers and cloud-native applications security have become my new interest for the last two years. I am very passionate about sharing knowledge through content such as technical blogs, workshops, and webinars.


Deepak Sihag

Deepak Sihag is a Sr. Cloud Application Architect with AWS Professional Services. He specializes in application modernization and platform engineering. He is helping customers in their digital transformation journey by implementing innovative cloud computing solutions and solving technical problems.