Reading Time: 4 minutes
Follow by Email

Hey there Azure enthusiasts! I’ve got some cool news to share from the AKS front. If you’ve been looking for more flexibility with network policies in Azure Kubernetes Service (AKS), your prayers have been answered although it is currently still in preview. Let’s dive right in and see what this is all about.

So, What’s the Buzz About?

First off,  network policies in Kubernetes aren’t just another buzzword. These bad boys are crucial when it comes to defining how pods interact with each other. Think of them as the bouncers of the Kubernetes club, deciding who gets in and who doesn’t. And now, AKS has spiced things up a bit.

What AKS Has Brought to the Table

AKS now allows you to change or, dare I say, completely turn off the network policy of your cluster. You’ve got a few choices:

Azure: This is your standard Azure network policy manager.
Calico: The OG open-source network policy provider.
Cilium: The new kid on the block, representing the Azure CNI Overlay.

And if you decide to give no hoots about specifying a policy? You can simply disables the feature by passing in none. Neat, right?

Before You Get Started

Hold up! Before you dive in, let’s get the environment right.

1. Azure CLI: Make sure it’s the latest version. No compromises here!

2. AKS-Preview Extension: This one’s non-negotiable. You need version 0.5.172 or above.

And if you haven’t got around to updating or adding the AKS-Preview extension, here you go:

After the installation or update, you can check the extension’s version with:

Ensure that the version next to “aks-preview” is at least0.5.1.

Let’s give it a go

So, you’re ready to take the new AKS feature for a spin? Let’s get our hands dirty and see how to actually use the command to switch between these network policies. Remember, it’s all about that hands-on experience!

The starting block: Disabling Network Policy

You always need to start from having no network policies. So, if you are already have the any of the network policy providers installed you need to disable the network policy feature. Luckily AKS has made it pretty straightforward. Check this out:

Yep, just  make sure you swap out YOUR_RESOURCE_GROUP and YOUR_CLUSTER_NAME with your actual resource group and cluster name  and make sure network policy is set to none and you’re good to go!

As you can see we now have the network policy set to none.

Lets look at changing the network policy.

Choosing Azure as Your Network Policy

If you’re feeling a bit traditional and want to stick with Azure’s own network policy manager, here’s what you do:

Make sure to replace YOUR_RESOURCE_GROUP and YOUR_CLUSTER_NAME with your actual resource group and cluster name. Easy as pie!

Going the Calico Way

For those who have a soft spot for the OG, Calico, you’re just a command away:

Again, don’t forget to swap out YOUR_RESOURCE_GROUP and YOUR_CLUSTER_NAME with your specifics.

You can now see we have Calico running inside the cluster.

Embracing the New Kid: Cilium

Venturing into new horizons? Cilium might be the change you’re after. It’s not just about the Azure CNI Overlay here; Cilium brings its own flair to the AKS playground. To set it up, there’s a slight twist: besides the network policy, you also need to enable the Cilium dataplane, oh and you need to be using Azure CNI Overlay. Lets enable that first.

As my IP range of my cluster overlaps with the default Pod Cidr I am having to set one with the above commnad. You can change this value to one that works better for you.

Now we can switch to Cilium and get everything rolling, use:

Don’t forget to plug in your actual YOUR_RESOURCE_GROUP and YOUR_CLUSTER_NAME.

once it has finished you can now see we have Cilium installed.

Wrapping it Up

Azure never fails to surprise, right? With this new flexibility in AKS’s network policies, I’m definitely excited about the endless possibilities. Whether you’re Team Calico or rooting for Cilium, AKS has got something for you.

So, give it a whirl, play around with the new features, and let me know how it goes! Until next time, happy Kube-ing!

Follow by Email

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

1 Comment

Gaurav Sharma · April 4, 2024 at 1:27 pm


I tried to remove the network policy from aks cluster. but receiving below error with aks update command:

$ az aks update –resource-group rg-name –name cluster-name –network-policy none
ERROR: unrecognized arguments: –network-policy none

Examples from AI knowledge base:
az aks update –resource-group MyResourceGroup –name MyManagedCluster –load-balancer-managed-outbound-ip-count 2
Update a kubernetes cluster with standard SKU load balancer to use two AKS created IPs for the load balancer outbound connection usage.

az aks update –resource-group MyResourceGroup –name MyManagedCluster –api-server-authorized-ip-ranges
Restrict apiserver traffic in a kubernetes cluster to agentpool nodes.

az version
Show the versions of Azure CLI modules and extensions in JSON format by default or format configured by –output (autogenerated)
Read more about the command in reference docs

below are the az and extension versions

$ az version
“azure-cli”: “2.59.0”,
“azure-cli-core”: “2.59.0”,
“azure-cli-telemetry”: “1.1.0”,
“extensions”: {
“aks-preview”: “0.5.70”

Any help on mitigating this issue?

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *