diff --git a/infrastructure/calico/kustomization.yaml b/infrastructure/calico/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d9e0d9152f9a161e3303d26f1e69b6b28c85d956
--- /dev/null
+++ b/infrastructure/calico/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+ - repository.yaml
+ - release.yaml
diff --git a/infrastructure/calico/release.yaml b/infrastructure/calico/release.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f88de7db7a226a4fab1edb4d183c6cf368774ccb
--- /dev/null
+++ b/infrastructure/calico/release.yaml
@@ -0,0 +1,29 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: calico
+ namespace: default
+spec:
+ releaseName: calico
+ chart:
+ spec:
+ chart: tigera-operator
+ sourceRef:
+ kind: HelmRepository
+ name: projectcalico
+ version: v3.20.2
+ interval: 15m
+ values:
+ installation:
+ enabled: true
+ kubernetesProvider: ""
+ calicoNetwork:
+ bgp: Disabled
+ hostPorts: Enabled
+ ipPools:
+ - blockSize: 26
+ cidr: 192.168.0.0/16
+ encapsulation: VXLAN
+ natOutgoing: Enabled
+ nodeSelector: all()
+
diff --git a/infrastructure/calico/repository.yaml b/infrastructure/calico/repository.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..65fde274e1e5484e2866847002acb341797f9e37
--- /dev/null
+++ b/infrastructure/calico/repository.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: projectcalico
+spec:
+ interval: 30m
+ url: https://docs.projectcalico.org/charts
diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index 8d3320ce61a30f8fd6d5a46290dace185f23a941..cd68e04ae9be219f4b5991f6cb80416700d92892 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
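Review bot: With `encapsulation: VXLAN` and `bgp: Disabled`, cross-node pod traffic is carried unencrypted inside UDP 4789, and the matching rule in terraform/firewall.tf sources those packets from `module.nodes.ipv4_addresses`, which as far as I can tell are the nodes' public addresses (Hetzner Cloud Firewalls only filter the public interface), so pod-to-pod traffic between nodes would transit Hetzner's public network in cleartext. Calico v3.20 can encrypt the overlay with WireGuard; as I recall it is enabled through a `FelixConfiguration` named `default` with `spec.wireguardEnabled: true` rather than through these `installation` values, plus a node-to-node firewall rule for UDP 51820 — confirm the exact knobs against the v3.20 docs before relying on this. Independently, `ipPools[0].cidr: 192.168.0.0/16` has to match the pod CIDR the cluster was bootstrapped with and must not overlap node addresses or any hcloud private network; I would record that assumption beside the value, e.g. `# Must match the cluster pod CIDR; must not overlap the hcloud private network or node IPs`.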
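Review bot: The `HelmRepository` pointing at `https://docs.projectcalico.org/charts` is trusted on TLS alone: as far as I can tell the `source.toolkit.fluxcd.io/v1beta1` API offers no chart signature or provenance verification, so the exact `version: v3.20.2` pin in release.yaml is the only integrity control on a component that runs privileged on every node. I would at least record that trust decision in the file, e.g. `# Upstream chart repo, no provenance verification in v1beta1; the exact version pin in release.yaml is the only integrity control`, and consider mirroring the chart into a registry under your control if one exists in this environment.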
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - calico
 # kyverno
 - hcloud-csi
 - rook
diff --git a/terraform/firewall.tf b/terraform/firewall.tf
index 39e8b028ebaaccd37281e4a13382634ad9529c1b..667e9a447ae13e1b33649d7516cba52dce4ad0e5 100644
--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
@@ -38,6 +38,27 @@ resource "hcloud_firewall" "k8s-node" {
 port = "30000-32767"
 source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
 }
+ rule {
+ description = "Calico BGP"
+ direction = "in"
+ protocol = "tcp"
+ port = "179"
+ source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ }
+ rule {
+ description = "Calico VXLAN"
+ direction = "in"
+ protocol = "udp"
+ port = "4789"
+ source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ }
+ rule {
+ description = "Calico Typha"
+ direction = "in"
+ protocol = "tcp"
+ port = "5473"
+ source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ }
 # Host level services, including the node exporter on ports 9100-9101.
 rule {
 description = "Host level services"
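Review bot: The new "Calico BGP" rule opens TCP 179 from every node even though infrastructure/calico/release.yaml in this same commit sets `calicoNetwork.bgp: Disabled` and uses VXLAN, so nothing should be listening on 179 and the rule is surplus attack surface; I would drop that `rule { ... }` block, or if it is kept for a future BGP switch, say so in its label: `description = "Calico BGP (unused while calicoNetwork.bgp is Disabled)"`. The VXLAN (udp/4789) and Typha (tcp/5473) rules do match the chosen configuration. Note also that, as far as I know, Hetzner Cloud Firewalls only filter the public interface, so these rules imply the Calico overlay runs between public node IPs; if the nodes also share an hcloud private network, traffic on it is not governed by this resource and needs its own controls. The `hcloud_firewall.k8s-node` resource starts before and ends after this hunk.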