What is Advanced Container Networking Services?

Advanced Container Networking Services is a suite of services designed to enhance the networking capabilities of Azure Kubernetes Service (AKS) clusters. The suite addresses challenges in modern containerized applications, such as observability, security, and compliance.

With Advanced Container Networking Services, the focus is on delivering a seamless and integrated experience that enables you to maintain robust security postures and gain deep insights into your network traffic and application performance. This ensures that your containerized applications aren't only secure but also meet or exceed your performance and reliability goals, allowing you to confidently manage and scale your infrastructure.

What is included in Advanced Container Networking Services?

Advanced Container Networking Services contains features split into two pillars:

  • Observability: The inaugural feature of the Advanced Container Networking Services suite, bringing Hubble’s control plane to both Cilium and non-Cilium Linux data planes. These features provide visibility into networking and performance.

  • Security: For clusters using Azure CNI Powered by Cilium, network policies include fully qualified domain name (FQDN) filtering, so egress rules can be written against domain names instead of IP addresses that change over time.

Container Network Observability

Container Network Observability equips you with network-related monitoring and diagnostics tools, providing visibility into your containerized workloads. It unlocks Hubble metrics, the Hubble command line interface (CLI), and the Hubble user interface (UI) on your AKS clusters, giving you deep, actionable insight into workload traffic so you can detect and determine the root causes of network-related issues in AKS. The same visibility helps you verify that your containerized applications are behaving securely and in line with your compliance requirements.

For more information about Container Network Observability, see What is Container Network Observability?.

Container Network Security

Securing your containerized applications is essential in today's dynamic cloud environments. Advanced Container Networking Services provides features to strengthen your cluster's network security.

FQDN based filtering

Enhance egress control with Azure CNI Powered by Cilium's DNS-based policies. Simplify configuration by using domain names (FQDNs) instead of managing dynamic IP addresses. To learn more, see FQDN Based Filtering Overview documentation.

Layer 7 (L7) policy (Preview)

Gain granular control over application-level traffic. Implement policies based on protocols like HTTP, gRPC, and Kafka, securing your applications with deep visibility and fine-grained access control. To learn more, see L7 Policy Overview documentation.

Pricing

Important

Advanced Container Networking Services is a paid offering. For more information about pricing, see Advanced Container Networking Services - Pricing.

Set up Advanced Container Networking Services on your cluster

Prerequisites

  • An Azure account with an active subscription. If you don't have one, create a free account before you begin.
  • The minimum version of Azure CLI required for the steps in this article is 2.71.0. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Install the aks-preview Azure CLI extension

Install or update the Azure CLI preview extension using the az extension add or az extension update command.

The minimum version of the aks-preview Azure CLI extension is 14.0.0b6.

# Install the aks-preview extension
az extension add --name aks-preview
# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview

Register the AdvancedNetworkingL7PolicyPreview feature flag

Note

Container Network Security features are only supported on clusters that use Azure CNI Powered by Cilium.

Register the AdvancedNetworkingL7PolicyPreview feature flag using the az feature register command.

az feature register --namespace "Microsoft.ContainerService" --name "AdvancedNetworkingL7PolicyPreview"

Verify successful registration using the az feature show command. It takes a few minutes for the registration to complete.

az feature show --namespace "Microsoft.ContainerService" --name "AdvancedNetworkingL7PolicyPreview"

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group using the az group create command.

# Set environment variables for the resource group name and location. Make sure to replace the placeholders with your own values.
export RESOURCE_GROUP="<resource-group-name>"
export LOCATION="<azure-region>"
# Create a resource group
az group create --name $RESOURCE_GROUP --location $LOCATION

Enable and Disable Advanced Container Networking Services in AKS cluster

Create an AKS cluster with Advanced Container Networking Services

The az aks create command with the Advanced Container Networking Services flag, --enable-acns, creates a new AKS cluster with all Advanced Container Networking Services features, which include Container Network Observability and Container Network Security.

Note

Clusters with the Cilium data plane support Container Network Observability and Container Network Security starting with Kubernetes version 1.29.

When the --acns-advanced-networkpolicies parameter is set to "L7", both L7 and FQDN filtering policies are enabled. If you only want to enable FQDN filtering, set the parameter to "FQDN". To disable both features, you can follow the instructions provided in Disable Container Network Security.

# Set an environment variable for the AKS cluster name. Make sure to replace the placeholder with your own value.
export CLUSTER_NAME="<aks-cluster-name>"

# Create an AKS cluster
az aks create \
    --name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP \
    --network-plugin azure \
    --network-plugin-mode overlay \
    --network-dataplane cilium \
    --kubernetes-version 1.29 \
    --enable-acns \
    --acns-advanced-networkpolicies <L7/FQDN>

Enable Advanced Container Networking Services on an existing cluster

The az aks update command with the Advanced Container Networking Services flag, --enable-acns, updates an existing AKS cluster with all Advanced Container Networking Services features, which include Container Network Observability and Container Network Security.

Note

Clusters with the Cilium data plane support Container Network Observability and Container Network Security starting with Kubernetes version 1.29.

When the --acns-advanced-networkpolicies parameter is set to "L7", both L7 and FQDN filtering policies are enabled. If you only want to enable FQDN filtering, set the parameter to "FQDN". To disable both features, you can follow the instructions provided in Disable Container Network Security.

az aks update \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --enable-acns \
    --acns-advanced-networkpolicies <L7/FQDN>

Disable Advanced Container Networking Services

The --disable-acns flag disables all Advanced Container Networking Services features on an existing AKS cluster, which includes Container Network Observability and Container Network Security.

az aks update \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --disable-acns

Disable select Advanced Container Networking Services features

Disable Container Network Observability

To disable Container Network Observability features without affecting other Advanced Container Networking Services features, use --enable-acns together with --disable-acns-observability.

az aks update \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --enable-acns \
    --disable-acns-observability

Disable Container Network Security

To disable Container Network Security features without affecting other Advanced Container Networking Services features, use --enable-acns together with --disable-acns-security.

az aks update \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --enable-acns \
    --disable-acns-security
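After any of the az aks create or az aks update calls above, it is worth confirming that the cluster actually ended up in the intended state rather than trusting the command's exit code: Container Network Security is only supported on the Cilium data plane and both pillars require Kubernetes 1.29 or later on that data plane, so a cluster can silently fall short of the posture you meant to enable. The following script is an added example, not part of this article or of the Azure CLI; it audits the JSON that az aks show -o json returns. The networkProfile.networkDataplane and currentKubernetesVersion fields are standard, while the nested advancedNetworking.observability.enabled, advancedNetworking.security.enabled, and advancedNetworking.security.advancedNetworkPolicies keys are assumptions about the API version in use and should be checked against your CLI output. The two sample documents are constructed for the example.

```python
"""Audit Advanced Container Networking Services posture from `az aks show -o json`.

Usage:
    az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME -o json | python acns_audit.py
Run with no input to audit the embedded constructed sample instead.
"""
import json
import sys

# Constructed sample: cluster that matches the article's recommended configuration.
SAMPLE_COMPLIANT = json.dumps({
    "name": "demo-aks",
    "currentKubernetesVersion": "1.29.9",
    "networkProfile": {
        "networkPlugin": "azure",
        "networkPluginMode": "overlay",
        "networkDataplane": "cilium",
        "advancedNetworking": {  # field names below are assumptions about the API schema
            "enabled": True,
            "observability": {"enabled": True},
            "security": {"enabled": True, "advancedNetworkPolicies": "L7"},
        },
    },
})

# Constructed sample: security enabled on a non-Cilium data plane, which the article
# says is not supported.
SAMPLE_UNSUPPORTED = json.dumps({
    "name": "legacy-aks",
    "currentKubernetesVersion": "1.30.3",
    "networkProfile": {
        "networkPlugin": "azure",
        "networkPluginMode": "overlay",
        "networkDataplane": "azure",
        "advancedNetworking": {
            "enabled": True,
            "observability": {"enabled": True},
            "security": {"enabled": True, "advancedNetworkPolicies": "FQDN"},
        },
    },
})


def _major_minor(version):
    """Return (major, minor) from a version string such as '1.29.9' or '1.29'."""
    parts = version.split(".")
    return int(parts[0]), int(parts[1])


def audit_acns(aks_show_json):
    """Return the ACNS feature state plus a list of findings for one cluster document."""
    cluster = json.loads(aks_show_json)
    profile = cluster.get("networkProfile") or {}
    adv = profile.get("advancedNetworking") or {}
    observability = bool((adv.get("observability") or {}).get("enabled"))
    security_block = adv.get("security") or {}
    security = bool(security_block.get("enabled"))
    policies = security_block.get("advancedNetworkPolicies") or "None"
    dataplane = profile.get("networkDataplane")
    version = (cluster.get("currentKubernetesVersion")
               or cluster.get("kubernetesVersion") or "0.0")

    findings = []
    if not (observability or security):
        findings.append("ACNS is not enabled: neither observability nor security is active")
    if security and dataplane != "cilium":
        # The article states security features require Azure CNI Powered by Cilium.
        findings.append(f"Container Network Security is enabled but networkDataplane is "
                        f"{dataplane!r}; it is only supported with the Cilium data plane")
    if (observability or security) and dataplane == "cilium" and _major_minor(version) < (1, 29):
        findings.append(f"Kubernetes {version} is below 1.29, the minimum for ACNS "
                        f"on the Cilium data plane")
    if not observability:
        findings.append("Observability is disabled: Hubble metrics, CLI and UI are unavailable")

    return {
        "cluster": cluster.get("name"),
        "dataplane": dataplane,
        "kubernetes_version": version,
        "observability": observability,
        "security": security,
        "policies": policies,
        "findings": findings,
    }


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    report = audit_acns(raw or SAMPLE_COMPLIANT)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["findings"] else 0)
```

The non-zero exit code on findings lets the check run as a gate in the pipeline that applies the az aks update, so a cluster left in an unsupported combination fails the job instead of being reported as healthy.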

Next steps