How WireGuard Secures AKS Traffic: A Deep Dive into Calico’s Cloud‑Native VPN
This article explains how Tigera’s Calico integrates the open‑source WireGuard VPN with Azure Kubernetes Service using Azure CNI, detailing packet flow, encryption benefits, configuration steps, MTU handling, and RPF considerations to achieve secure, high‑performance intra‑cluster communication.
In June last year Tigera announced open‑source VPN support on Kubernetes using WireGuard. We have added Azure Container Networking Interface (CNI) support for WireGuard on Azure Kubernetes Service (AKS).
WireGuard is a kernel‑based VPN introduced in Linux 5.6, positioned as a faster, simpler alternative to IPsec and OpenVPN. It intentionally reduces cryptographic configuration flexibility to minimise attack surface, consisting of about 4,000 lines of readable code.
Calico can use WireGuard in a peer‑to‑peer mesh, encrypting traffic between nodes that have WireGuard enabled while allowing mixed clusters of enabled and disabled nodes to communicate.
Enabling WireGuard in Calico automatically performs several tasks on each node:
Creates a WireGuard network interface.
Calculates the optimal MTU.
Generates a public/private key pair.
Distributes each node’s public key to peers.
Marks all nodes as peers.
Configures firewall marks (fwmark) and updates IP routes, iptables and routing tables.
Only the intent needs to be specified; the rest is handled by the cluster.
Packet flow with WireGuard
The diagram below shows how packets travel in a cluster with WireGuard enabled.
For pods on the same host, packets are routed to the WireGuard table, then a “throw” entry sends them back to the main routing table, reaching the destination pod’s veth interface without encryption (shown in green).
For pods on different nodes, packets are routed to the WireGuard table, matched to the peer’s public key, encrypted, encapsulated in UDP, marked with fwmark to avoid loops, sent over the network, and decrypted on the destination node. Encrypted traffic is shown in red.
Green indicates unencrypted traffic; red indicates encrypted traffic.
WireGuard on AKS with Azure CNI
Using Azure CNI means pod IPs are allocated from the underlying VNet rather than Calico IPAM, requiring Calico to set routeSource: workloadIPs so that WireGuard can route correctly without additional configuration.
The wg tool can list allowed IPs for each node, including pod and host IPs, enabling both pod‑to‑pod and host‑to‑host encryption.
interface: wireguard.cali
  public key: bbcKpAY+Q9VpmIRLT+yPaaOALxqnonxBuk5LRlvKClA=
  private key: (hidden)
  listening port: 51820
  fwmark: 0x100000

peer: /r0PzTX6F0ZrW9ExPQE8zou2rh1vb20IU6SrXMiKImw=
  endpoint: 10.240.0.64:51820
  allowed ips: 10.240.0.64/32, 10.240.0.65/32, 10.240.0.66/32
  latest handshake: 11 seconds ago
  transfer: 1.17 MiB received, 3.04 MiB sent

peer: QfUXYghyJWDcy+xLW0o+xJVsQhurVNdqtbstTsdOp20=
  endpoint: 10.240.0.4:51820
  allowed ips: 10.240.0.4/32, 10.240.0.5/32, 10.240.0.6/32
  latest handshake: 46 seconds ago
  transfer: 83.48 KiB received, 365.77 KiB sent

MTU handling is critical because Azure’s default MTU is 1500 and WireGuard encapsulates each packet in UDP, adding header overhead, while setting the Don’t Fragment (DF) flag on the outer packet; an interface MTU that ignores the overhead therefore produces dropped packets rather than fragmentation. Calico can automatically detect the underlying MTU and set the appropriate MTU on the WireGuard interface.
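The listing above is what an operator inspects by hand; the following added example (not Calico’s or WireGuard’s own code) parses that `wg show` output into a peer table and runs the checks a practitioner wants on it: which peer will encrypt traffic for a given pod IP (cryptokey routing, longest-prefix match over allowed ips), whether any two peers claim overlapping allowed ips, whether a peer’s last handshake is stale, and what interface MTU fits under a 1500-byte underlay. The sample text is a constructed copy of the article’s listing; the 60/80-byte overhead figures are Calico’s documented WireGuard overhead for IPv4/IPv6, and the 180-second staleness threshold is an assumption based on WireGuard’s rekey interval.

```python
"""Parse `wg show` output and sanity-check a Calico WireGuard peer table.

Added example, not Calico's or WireGuard's code. WG_SHOW is a constructed
copy of the article's `wg show wireguard.cali` listing.
"""
import ipaddress
import re

WG_SHOW = """\
interface: wireguard.cali
  public key: bbcKpAY+Q9VpmIRLT+yPaaOALxqnonxBuk5LRlvKClA=
  private key: (hidden)
  listening port: 51820
  fwmark: 0x100000

peer: /r0PzTX6F0ZrW9ExPQE8zou2rh1vb20IU6SrXMiKImw=
  endpoint: 10.240.0.64:51820
  allowed ips: 10.240.0.64/32, 10.240.0.65/32, 10.240.0.66/32
  latest handshake: 11 seconds ago
  transfer: 1.17 MiB received, 3.04 MiB sent

peer: QfUXYghyJWDcy+xLW0o+xJVsQhurVNdqtbstTsdOp20=
  endpoint: 10.240.0.4:51820
  allowed ips: 10.240.0.4/32, 10.240.0.5/32, 10.240.0.6/32
  latest handshake: 46 seconds ago
  transfer: 83.48 KiB received, 365.77 KiB sent
"""

# Per-packet encapsulation overhead used by Calico's MTU guidance (IPv4 / IPv6).
WG_OVERHEAD = {4: 60, 6: 80}
_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_wg_show(text):
    """Return {"interface": {...}, "peers": [{...}, ...]} from `wg show` text."""
    result = {"interface": {}, "peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split on the first colon only: endpoints like 10.240.0.64:51820 keep theirs.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "interface":
            current = result["interface"]
            current["name"] = value
        elif key == "peer":
            current = {"public key": value, "allowed ips": []}
            result["peers"].append(current)
        elif key == "allowed ips":
            current["allowed ips"] = [ipaddress.ip_network(p.strip()) for p in value.split(",")]
        elif current is not None:
            current[key] = value
    return result


def peer_for(parsed, dst_ip):
    """Longest-prefix match over allowed ips: the peer that encrypts for dst_ip.

    None means no peer claims the address, so the packet is not tunnelled
    (it falls through to the main routing table, as for same-host pods).
    """
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for peer in parsed["peers"]:
        for net in peer["allowed ips"]:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def overlapping_allowed_ips(parsed):
    """Pairs of peer keys whose allowed ips overlap.

    WireGuard's cryptokey routing lets an address belong to one peer only;
    an overlap means one node silently lost its route.
    """
    peers = parsed["peers"]
    bad = set()
    for i, p in enumerate(peers):
        for q in peers[i + 1:]:
            if any(a.version == b.version and a.overlaps(b)
                   for a in p["allowed ips"] for b in q["allowed ips"]):
                bad.add((p["public key"], q["public key"]))
    return sorted(bad)


def handshake_age_seconds(value):
    """Convert '1 minute, 46 seconds ago' to seconds; None if no handshake yet."""
    parts = re.findall(r"(\d+)\s+(second|minute|hour|day)", value)
    if not parts:
        return None
    return sum(int(n) * _UNITS[unit] for n, unit in parts)


def stale_peers(parsed, max_age=180):
    """Peers whose last handshake is older than max_age seconds (assumed threshold).

    WireGuard re-handshakes roughly every two minutes while traffic flows, so a
    much older handshake means the tunnel to that node is not passing data.
    """
    out = []
    for p in parsed["peers"]:
        age = handshake_age_seconds(p.get("latest handshake", ""))
        if age is None or age > max_age:
            out.append(p["public key"])
    return out


def wireguard_mtu(underlay_mtu, ip_version=4):
    """Largest inner packet that fits one outer datagram (DF is set, so no fragmentation)."""
    return underlay_mtu - WG_OVERHEAD[ip_version]


if __name__ == "__main__":
    table = parse_wg_show(WG_SHOW)
    print("interface:", table["interface"]["name"], "fwmark:", table["interface"]["fwmark"])
    print("10.240.0.65 encrypted to:", peer_for(table, "10.240.0.65")["endpoint"])
    print("overlaps:", overlapping_allowed_ips(table), "stale:", stale_peers(table))
    print("WireGuard MTU for a 1500-byte underlay:", wireguard_mtu(1500))
```

Feeding real `wg show` output into parse_wg_show (for example via `kubectl exec` into a calico-node pod) gives the same table; the three checks are the ones that catch the usual failure modes: a pod IP that maps to no peer travels in the clear, overlapping allowed ips mean a node's traffic is being steered to the wrong peer, and a stale handshake means the tunnel is down even though the interface is up.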
The kernel’s reverse path forwarding (RPF) check drops a packet whose source address is not reachable via the interface it arrived on. Because WireGuard’s UDP encapsulation changes the interface on which the inner packet appears, Calico marks the packets with fwmark and relies on the kernel’s sysctl settings so that the reverse route resolves back through the WireGuard interface and the check passes.
With these configurations, all inter‑node traffic and host‑to‑host communication in AKS are encrypted automatically.
Qingyun Technology Community
Official account of the Qingyun Technology Community, focusing on tech innovation, supporting developers, and sharing knowledge. Born to Learn and Share!