This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 39%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Hello,
We currently have a Platform Landing Zone with follows Microsoft's Cloud Adoption Framework with Identity, Management & Connectivity Subscriptions.
We are looking to implement a Shared Azure Kubernetes Service (AKS) module for all of our applications to live on.
Each application will have their own Landing Zone subscriptions where their own resources will sit, Key Vault, Service Bus, Storage Accounts, Redis Cache etc etc, however, the applications themselves we would like them to sit on Shared AKS Cluster's.
Would it be acceptable to have these AKS Clusters in the Management Subscription, what is the recommended approach for this pattern?
Many Thanks,
J
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 3%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
Hi devopsfj,
Thank you for reaching out to the Microsoft Q&A platform.
The Shared Azure Kubernetes Service (AKS) Cluster in the context of a Platform Landing Zone aligned with Microsoft's (CAF) and having the AKS clusters in the Management Subscription.
The Management Subscription in CAF resources that are related to platform management, governance, monitoring, logging, and other cross-tenant concerns.
AKS Clusters in the Management Subscription is acceptable to have a shared AKS cluster in the Management Subscription, but you must apply strong isolation mechanisms, both at the cluster level (through namespaces) and the network level (via VNet Peering, Private Endpoints).
I would suggest using a Platform Subscription for such shared services like AKS to maintain clearer separation of duties between management and platform operations.
Please find the below document link for your reference:
Also, recommend you to please go through the below article for more detail information:
https://github.com/Azure/AKS-Landing-Zone-Accelerator
If it was helpful, please click "Upvote" on this post to let us know.
Thank You.
@Mahesh Goud Juvvadi Thank you for the response!
So something like this would be best practice?
Management Subscription
Connectivity Subscription
Identity Subscription
Platform Subscription (Shared AKS, Shared AzDo Agents etc)
App 1 Subscription
App 2 Subscription
App 3 Subscription
Hi devopsfj,
Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.
If it was helpful, please click "Upvote" on this post to let us know.
Thank You.
@Mahesh Goud Juvvadi Thanks for your help, makes perfect sense.
Hi devopsfj,
Thank you for your response, the structure implementing a shared Azure Kubernetes Service (AKS) within the Microsoft Cloud Adoption Framework (CAF).
Management Subscription: For centralized governance, monitoring, and security. It should not host workloads but can manage cross-tenant resources like Azure Monitor and Azure Policy.
Connectivity Subscription: Houses networking resources such as VNets, VPN Gateways, Private Endpoints, and VNet Peering for secure communication between applications and shared services.
Identity Subscription: Manages Azure Active Directory (Azure AD), RBAC, and identity-related resources centrally for consistent access control across subscriptions.
Platform Subscription: Hosts shared platform services like Azure Kubernetes Service (AKS), Azure DevOps agents, and other shared resources used by multiple applications. This keeps shared infrastructure separate from application-specific resources.
Application Subscriptions (App 1, App 2, App 3,): Each application has its own subscription for application-specific resources (e.g., Key Vault, Service Bus, etc.), ensuring isolation and autonomy for each app.
The Platform Subscription is recommended for hosting shared services like the Azure Kubernetes Service (AKS) clusters.
Thank you.
Hello devopsfj,
I am glad to know the answer has been helpful, we appreciate hearing from you and would love to help others who may have the same question. Accepting answers helps increase visibility of this question for other members of the Microsoft Q&A community.
Thank you for helping to improve Microsoft Q&A!
Thank you.
Hi devopsfj,
Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.
If you feel that your quires have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.
Thank you.
Hi devopsfj,
I wanted to check if you had the opportunity to review the information which was provided in my previous posted answer.
If you feel that your quires have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.
Thank you.