Changes to language about network policy for hosts and VMs
ctauchen committed Dec 6, 2024
1 parent 7f8c8a6 commit a00cd4d
Showing 57 changed files with 118 additions and 96 deletions.
2 changes: 1 addition & 1 deletion calico-cloud/about/product-comparison.mdx
Expand Up @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| Data-in-transit encryption for pod traffic using WireGuard | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| SIEM integration | | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| **Non-cluster hosts** | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Automatic host endpoints | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
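Review bot: The section header row directly above the changed row still reads "**Non-cluster hosts**", while the row beneath it now covers "hosts and VMs". Consider renaming the header to "Non-cluster hosts and VMs" so the section label matches the feature row, and apply the same change to the other product-comparison copies touched in this commit.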
Expand Up @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| Data-in-transit encryption for pod traffic using WireGuard | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| SIEM integration | | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| **Non-cluster hosts** | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Automatic host endpoints | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
Expand Up @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| Data-in-transit encryption for pod traffic using WireGuard | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| SIEM integration | | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| **Non-cluster hosts** | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Automatic host endpoints | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
2 changes: 1 addition & 1 deletion calico-enterprise/about/product-comparison.mdx
Expand Up @@ -64,7 +64,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| Data-in-transit encryption for pod traffic using WireGuard | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| SIEM integration | | <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| **Non-cluster hosts** | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Automatic host endpoints | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
2 changes: 1 addition & 1 deletion calico-enterprise/getting-started/bare-metal/about.mdx
Expand Up @@ -24,7 +24,7 @@ In the following diagram, a Kubernetes cluster is running $[prodname] with netwo

For non-cluster hosts and VMs, you can secure host interfaces using **host endpoints**. Host endpoints can have labels that work the same as labels on pods/workload endpoints in Kubernetes. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can easily write a global policy that applies to every host, VM, or pod that is running Calico.

To learn how to restrict traffic to/from hosts using Calico network policy see, [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx).
To learn how to restrict traffic to/from hosts and VMs using Calico network policy see, [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx).

## Before you begin

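Review bot: The added line keeps the misplaced comma in "network policy see, [Protect hosts and VMs]". Since the sentence is being touched anyway, move the comma so it reads "...using Calico network policy, see [Protect hosts and VMs](...)". The line also hardcodes "Calico" where the rest of this file uses $[prodname]; switching to the variable would keep the product name consistent.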
2 changes: 1 addition & 1 deletion calico-enterprise/network-policy/hosts/index.mdx
Expand Up @@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi
hide_table_of_contents: true
---

# Policy for hosts
# Policy for hosts and VMs

import DocCardList from '@theme/DocCardList';
import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
8 changes: 5 additions & 3 deletions calico-enterprise/network-policy/hosts/protect-hosts.mdx
Expand Up @@ -2,11 +2,11 @@
description: Create Calico Enterprise network policies to restrict traffic to/from hosts.
---

# Protect hosts
# Protect hosts and VMs

## Big picture

Use $[prodname] network policy to restrict traffic to/from hosts.
Use $[prodname] network policy to restrict traffic to/from hosts and VMs.

## Value

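Review bot: The front-matter description at the top of this hunk is left unchanged as "Create Calico Enterprise network policies to restrict traffic to/from hosts." while the page title and the Big picture sentence now say "hosts and VMs". Update the description in the same commit so the page metadata matches the new title.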
Expand All @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn

### Hosts and workloads

In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests.
In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes.
A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes.
$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou.

### Host endpoints

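Review bot: Typo in the last added line: "VMs running in the public clou." should end with "public cloud." The same truncated word appears in the two other copies of this hunk later in the commit, so fix all three together.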
2 changes: 1 addition & 1 deletion calico-enterprise/network-policy/index.mdx
Expand Up @@ -32,7 +32,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
<DocCardLink docId='network-policy/beginners/policy-rules/icmp-ping' />
</DocCardLinkLayout>

## Policy for hosts
## Policy for hosts and VMs

<DocCardLinkLayout>
<DocCardLink docId='network-policy/hosts/protect-hosts' />
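Review bot: Renaming the heading from "## Policy for hosts" to "## Policy for hosts and VMs" changes the anchor generated from the heading text, so any link that targets the old heading fragment will stop resolving. Search the docs for links to the old anchor before merging, or give the heading an explicit ID so existing links keep working.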
Expand Up @@ -63,7 +63,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| Data-in-transit encryption for pod traffic using WireGuard | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| SIEM integration | | <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| **Non-cluster hosts** | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Automatic host endpoints | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
@@ -1,8 +1,8 @@
---
description: Install Calico network policy so you can secure hosts not in a cluster.
description: Install Calico network policy so you can secure hosts and VMs that aren't part of a Kubernetes cluster.
---

# Install network policy on non-cluster hosts
# Install network policy on non-cluster hosts and VMs

import DockerContainerService from '@site/calico-enterprise_versioned_docs/version-3.17/_includes/content/_docker-container-service.mdx';

Expand All @@ -13,7 +13,7 @@ import TabItem from '@theme/TabItem';

## Big picture

Secure non-cluster hosts by installing $[prodname] network policy.
Secure non-cluster hosts and VMs by installing $[prodname] network policy.

## Value

Expand All @@ -29,7 +29,7 @@ A non-cluster host is a computer that is running an application that is _not par

For non-cluster hosts, you can secure host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host.

To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx).
To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx).

## Before you begin

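Review bot: The link text in the added line is still "[Protect hosts]", although the target page is retitled "Protect hosts and VMs" in this same commit and the unversioned about.mdx already links it as "[Protect hosts and VMs]". Update the link text here to match, and move the comma while editing: "...network policy, see [Protect hosts and VMs](...)".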
Expand Up @@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi
hide_table_of_contents: true
---

# Policy for hosts
# Policy for hosts and VMs

import DocCardList from '@theme/DocCardList';
import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
Expand Up @@ -2,11 +2,11 @@
description: Create Calico Enterprise network policies to restrict traffic to/from hosts.
---

# Protect hosts
# Protect hosts and VMs

## Big picture

Use $[prodname] network policy to restrict traffic to/from hosts.
Use $[prodname] network policy to restrict traffic to/from hosts and VMs.

## Value

Expand All @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn

### Hosts and workloads

In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests.
In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes.
A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes.
$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou.

### Host endpoints

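Review bot: The new definitions use "workload" in two different senses. The first added line defines a workload as "a containerized compute instance running in Kubernetes", but the next line says a host "runs application workloads outside of Kubernetes", which by that definition cannot exist. Reword the host definition, for example "or that runs applications outside of Kubernetes", so the term keeps the meaning the paragraph just gave it.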
Expand Up @@ -31,7 +31,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
<DocCardLink docId='network-policy/beginners/policy-rules/icmp-ping' />
</DocCardLinkLayout>

## Policy for hosts
## Policy for hosts and VMs

<DocCardLinkLayout>
<DocCardLink docId='network-policy/hosts/protect-hosts' />
Expand Up @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| SIEM integration | | <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| | | | |
| **Non-cluster host security** | **<center>Calico Open Source</center>** | <center>**Calico Cloud**</center> | <center>**Calico Enterprise**</center> |
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Automatic host endpoints | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
@@ -1,8 +1,8 @@
---
description: Install Calico network policy so you can secure hosts not in a cluster.
description: Install Calico network policy so you can secure hosts and VMs that aren't part of a Kubernetes cluster.
---

# Install network policy on non-cluster hosts
# Install network policy on non-cluster hosts and VMs

import DockerContainerService from '@site/calico-enterprise_versioned_docs/version-3.18-2/_includes/content/_docker-container-service.mdx';

Expand All @@ -13,7 +13,7 @@ import TabItem from '@theme/TabItem';

## Big picture

Secure non-cluster hosts by installing $[prodname] network policy.
Secure non-cluster hosts and VMs by installing $[prodname] network policy.

## Value

Expand All @@ -29,7 +29,7 @@ A non-cluster host is a computer that is running an application that is _not par

For non-cluster hosts, you can secure host interfaces using **host endpoints**. Host endpoints can have labels, and work the same as labels on pods/workload endpoints. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host.

To learn how to restrict traffic to/from hosts using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx).
To learn how to restrict traffic to/from hosts and VMs using $[prodname] network policy see, [Protect hosts](../../network-policy/hosts/protect-hosts.mdx).

## Before you begin

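Review bot: Only the "To learn how..." sentence gains "and VMs"; the context paragraph above it still opens with "For non-cluster hosts, you can secure host interfaces" and ends with "immediately applied to every host", whereas the unversioned about.mdx reads "For non-cluster hosts and VMs" and "every host, VM, or pod". If this commit is meant to align terminology, bring this paragraph in line too, and update the "[Protect hosts]" link text to the page's new title.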
Expand Up @@ -3,7 +3,7 @@ description: Use the same Calico network policy for workloads to restrict traffi
hide_table_of_contents: true
---

# Policy for hosts
# Policy for hosts and VMs

import DocCardList from '@theme/DocCardList';
import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
Expand Up @@ -2,11 +2,11 @@
description: Create Calico Enterprise network policies to restrict traffic to/from hosts.
---

# Protect hosts
# Protect hosts and VMs

## Big picture

Use $[prodname] network policy to restrict traffic to/from hosts.
Use $[prodname] network policy to restrict traffic to/from hosts and VMs.

## Value

Expand All @@ -16,7 +16,9 @@ Restricting traffic between hosts and the outside world is not unique to $[prodn

### Hosts and workloads

In the context of $[prodname] configuration, a **workload** is a virtualized compute instance, like a VM or container. A **host** is the computer that runs the hypervisor (for VMs), or container runtime (for containers). We say it “hosts” the workloads as guests.
In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes.
A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes.
$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public clou.

### Host endpoints

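Review bot: The defined terms switch from bold to italic in the added lines ("*workload*", "*host*"), while the removed line used "**workload**" and "**host**" and other pages in this commit introduce terms in bold ("**host endpoints**"). Keep bold for term definitions unless the style change is intentional, and fix the "public clou." typo in the last added line of this copy as well.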
Expand Up @@ -31,7 +31,7 @@ $[prodname] extends the standard `NetworkPolicy` object to provide advanced netw
<DocCardLink docId='network-policy/beginners/policy-rules/icmp-ping' />
</DocCardLinkLayout>

## Policy for hosts
## Policy for hosts and VMs

<DocCardLinkLayout>
<DocCardLink docId='network-policy/hosts/protect-hosts' />