AKS Networking
Networking is a foundational component of any Kubernetes cluster, and in Azure Kubernetes Service (AKS), it plays a critical role in how workloads communicate — both internally and externally. Whether you’re deploying microservices, exposing APIs, or integrating with on-premises systems, understanding AKS networking is essential for designing secure, scalable, and performant applications.
At its core, AKS networking is responsible for:
- Assigning IP addresses to pods, nodes, and services
- Routing traffic between workloads within the cluster
- Enabling access to and from external systems
- Enforcing network security and policies
AKS supports multiple networking models and plugins, each with different trade-offs in terms of scalability, complexity, and IP address management. These models determine how pod IPs are assigned, how traffic flows, and how easily your workloads can integrate with other Azure services or on-premises networks.
Core Networking Components in AKS
While you may already be familiar with Kubernetes primitives like pods, services, and nodes, AKS networking also involves several key components that work together to manage traffic flow:
Container Network Interface (CNI): A plugin that assigns IP addresses to pods and configures routing rules. AKS supports multiple CNI implementations, including Azure CNI (Overlay, Pod Subnet, and Cilium-powered) and the now-legacy Kubenet.
kube-proxy: A network proxy that runs on each node and manages network rules for service discovery and load balancing. It ensures that traffic to a Kubernetes service is routed to the appropriate backend pods.
Virtual Network (VNet): The Azure-managed network that underpins your AKS cluster. Depending on the CNI model, pods may receive IPs directly from the VNet or from a separate overlay range.
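To make the IP address management trade-off concrete, here is an added example (not part of the original article) that checks an address plan for both cases: pods taking IPs from the VNet, and pods taking IPs from a separate overlay range. The function names and sample CIDRs are constructed for illustration. It assumes IPv4, a single subnet holding nodes (and pods, in the VNet-assigned case), and one /24 slice of the overlay range per node.

```python
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5  # Azure keeps 5 addresses in every subnet


def vnet_ips_needed(nodes, max_pods_per_node, pods_from_vnet):
    """VNet addresses the cluster consumes: one per node, plus one per
    potential pod when pods take their IPs directly from the VNet."""
    per_node = 1 + (max_pods_per_node if pods_from_vnet else 0)
    return nodes * per_node


def check_plan(node_subnet, nodes, max_pods_per_node, pod_cidr=None, routed_ranges=()):
    """Return a list of problems found in an address plan.

    pod_cidr=None -> pods draw IPs from node_subnet (VNet-assigned).
    pod_cidr set  -> pods draw IPs from that separate overlay range.
    routed_ranges -> networks the pods must reach (peered VNets, on-premises).
    """
    subnet = ipaddress.ip_network(node_subnet)
    problems = []

    usable = subnet.num_addresses - AZURE_RESERVED_PER_SUBNET
    needed = vnet_ips_needed(nodes, max_pods_per_node, pod_cidr is None)
    if needed > usable:
        problems.append(f"{node_subnet}: needs {needed} IPs, only {usable} usable")

    if pod_cidr is not None:
        overlay = ipaddress.ip_network(pod_cidr)
        # Assumption: each node is handed one /24 slice of the overlay range.
        node_blocks = 2 ** (24 - overlay.prefixlen) if overlay.prefixlen <= 24 else 0
        if nodes > node_blocks:
            problems.append(f"{pod_cidr}: room for {node_blocks} nodes, need {nodes}")
        # An overlay range that collides with a network the pods must reach
        # makes that network's addresses ambiguous from inside the cluster.
        for other in (node_subnet, *routed_ranges):
            if overlay.overlaps(ipaddress.ip_network(other)):
                problems.append(f"{pod_cidr} overlaps {other}")
    return problems


if __name__ == "__main__":
    on_prem = ["192.168.10.0/24"]  # constructed sample range
    print(check_plan("10.10.0.0/24", 50, 30))                              # VNet-assigned
    print(check_plan("10.10.0.0/24", 50, 250, "192.168.0.0/16", on_prem))  # overlay, clash
    print(check_plan("10.10.0.0/24", 50, 250, "100.64.0.0/16", on_prem))   # overlay, clean
```

The same /24 node subnet that cannot hold 50 nodes with VNet-assigned pod IPs is sufficient with an overlay, provided the overlay range stays clear of every network the pods need to reach.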
Managed Networks
When deploying an AKS cluster, you can either provide an existing VNet for AKS to deploy into, or leave it undefined and let AKS create a new VNet for you. If you let AKS create the VNet, it automatically creates a managed network for your cluster. AKS manages this network and creates the required subnets, network security groups (NSGs), and route tables. This simplifies setup because you don’t need to configure the networking components manually; however, it limits your control over the network configuration.