What is Advanced Container Networking Services?
Advanced Container Networking Services is a suite of services designed to enhance the networking capabilities of Azure Kubernetes Service (AKS) clusters. The suite addresses challenges in modern containerized applications, such as observability, security, and compliance.
With Advanced Container Networking Services, the focus is on delivering a seamless and integrated experience that enables you to maintain robust security postures and gain deep insights into your network traffic and application performance. This ensures that your containerized applications are not only secure but also meet or exceed your performance and reliability goals, allowing you to confidently manage and scale your infrastructure.
What is included in Advanced Container Networking Services?
Advanced Container Networking Services contains features split into two pillars:
Observability: The inaugural feature of the Advanced Container Networking Services suite, bringing the power of Hubble’s control plane to both Cilium and non-Cilium Linux data planes. These features provide visibility into networking and performance.
Security: For clusters using Azure CNI Powered by Cilium, network policies include fully qualified domain name (FQDN) filtering, which reduces the complexity of maintaining policy configuration.
Container Network Observability
Container Network Observability equips you with network-related monitoring and diagnostics tools that provide visibility into your containerized workloads. It unlocks Hubble metrics, the Hubble command line interface (CLI), and the Hubble user interface (UI) on your AKS clusters, providing deep, actionable insights into your containerized workloads so that you can detect and determine the root causes of network-related issues in AKS. These features help ensure that your containerized applications are secure and compliant, so that you can confidently manage your infrastructure.
For more information about Container Network Observability, see What is Container Network Observability?.
Container Network Security
Container Network Security features within Advanced Container Networking Services give you greater control over network security policies and make them easier to implement across clusters. Clusters using Azure CNI Powered by Cilium have access to DNS-based policies. Compared to IP-based policies, DNS-based policies let you restrict egress access to external services by domain name, which is simpler to maintain because FQDN rules do not change when the IP addresses behind a domain change.
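The following CiliumNetworkPolicy is an added example, not part of the original article, showing what an FQDN-based egress policy on a Cilium data plane looks like. It assumes a namespace demo, a workload labeled app: demo-client, and the external service api.example.com; the first egress rule to kube-dns is required so that Cilium's DNS proxy can observe name resolutions and map the allowed names to IP addresses.

```yaml
# Added example (not from the article): restrict egress of the demo-client
# workload to one external domain by FQDN instead of by IP address.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-egress-api-example
  namespace: demo                 # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: demo-client            # assumed workload label
  egress:
    # 1. Allow DNS to CoreDNS and let the Cilium DNS proxy inspect responses.
    #    Without this rule the toFQDNs rule below can never match, because
    #    Cilium learns the name-to-IP mapping from observed DNS answers.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # 2. Allow HTTPS only to the named domain (assumed example host).
    #    Any other egress destination is denied once this policy selects the pod.
    - toFQDNs:
        - matchName: "api.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Apply it with kubectl apply -f, then confirm with the Hubble CLI that flows from demo-client to other destinations are shown as dropped while flows to api.example.com are forwarded.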
Pricing
Important
Advanced Container Networking Services is a paid offering. For more information about pricing, see Advanced Container Networking Services - Pricing.
Set up Advanced Container Networking Services on your cluster
Prerequisites
- An Azure account with an active subscription. If you don't have one, create a free account before you begin.
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
- The minimum version of Azure CLI required for the steps in this article is 2.61.0. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.
Install the aks-preview Azure CLI extension
Install or update the Azure CLI preview extension using the az extension add or az extension update command.
# Install the aks-preview extension
az extension add --name aks-preview
# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview
Create a resource group
A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group using the az group create command.
# Set environment variables for the resource group name and location. Make sure to replace the placeholders with your own values.
export RESOURCE_GROUP="<resource-group-name>"
export LOCATION="<azure-region>"
# Create a resource group
az group create --name $RESOURCE_GROUP --location $LOCATION
Enable and disable Advanced Container Networking Services in an AKS cluster
Create an AKS cluster with Advanced Container Networking Services
The az aks create command with the Advanced Container Networking Services flag, --enable-acns, creates a new AKS cluster with all Advanced Container Networking Services features. These features encompass:
Container Network Observability: Provides insights into your network traffic. To learn more, visit Container Network Observability.
Container Network Security: Offers security features like FQDN filtering. To learn more, visit Container Network Security.
Note
Clusters with the Cilium data plane support Container Network Observability and Container Network Security starting with Kubernetes version 1.29.
# Set an environment variable for the AKS cluster name. Make sure to replace the placeholder with your own value.
export CLUSTER_NAME="<aks-cluster-name>"
# Create an AKS cluster
az aks create \
--name $CLUSTER_NAME \
--resource-group $RESOURCE_GROUP \
--generate-ssh-keys \
--location eastus \
--max-pods 250 \
--network-plugin azure \
--network-plugin-mode overlay \
--network-dataplane cilium \
--node-count 2 \
--pod-cidr 192.168.0.0/16 \
--kubernetes-version 1.29 \
--enable-acns
Enable Advanced Container Networking Services on an existing cluster
The az aks update command with the Advanced Container Networking Services flag, --enable-acns, updates an existing AKS cluster with all Advanced Container Networking Services features, which include Container Network Observability and Container Network Security.
Warning
For non-Cilium customers updating to Cilium, simultaneous updates of Cilium and Advanced Container Networking Services may cause extended initialization of the Cilium agent. To avoid issues, update Cilium first, and then enable Advanced Container Networking Services.
Note
Only clusters with the Cilium data plane support Container Network Security features of Advanced Container Networking Services.
az aks update \
--resource-group $RESOURCE_GROUP \
--name $CLUSTER_NAME \
--enable-acns
Disable Advanced Container Networking Services
The --disable-acns flag disables all Advanced Container Networking Services features on an existing AKS cluster, which include Container Network Observability and Container Network Security.
az aks update \
--resource-group $RESOURCE_GROUP \
--name $CLUSTER_NAME \
--disable-acns
Disable select Advanced Container Networking Services features
Disable Container Network Observability
To disable Container Network Observability features without affecting other Advanced Container Networking Services features, use --enable-acns together with --disable-acns-observability.
az aks update \
--resource-group $RESOURCE_GROUP \
--name $CLUSTER_NAME \
--enable-acns \
--disable-acns-observability
Disable Container Network Security
To disable Container Network Security features without affecting other Advanced Container Networking Services features, use --enable-acns together with --disable-acns-security.
az aks update \
--resource-group $RESOURCE_GROUP \
--name $CLUSTER_NAME \
--enable-acns \
--disable-acns-security
Next steps
For more information about Container Network Observability and its capabilities, see What is Container Network Observability?.
For more information on Container Network Security and its capabilities, see What is Container Network Security?.