What is Azure Kubernetes Service?
Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. When you create an AKS cluster, a control plane is automatically created and configured. This control plane is provided at no cost as a managed Azure resource abstracted from the user. You only pay for and manage the nodes attached to the AKS cluster.
You can create an AKS cluster using:
- Azure CLI
- Azure PowerShell
- Azure portal
- Template-driven deployment options, like Azure Resource Manager templates, Bicep, and Terraform.
When you deploy an AKS cluster, you specify the number and size of the nodes, and AKS deploys and configures the Kubernetes control plane and nodes. Advanced networking, Microsoft Entra integration, monitoring, and other features can be configured during the deployment process.
For more information on Kubernetes basics, see Kubernetes core concepts for AKS.
This service supports Azure Lighthouse, which lets service providers sign in to their own tenant to manage subscriptions and resource groups that customers have delegated.
AKS also supports Windows Server containers.
Access, security, and monitoring
For improved security and management, you can integrate with Microsoft Entra ID to:
- Use Kubernetes role-based access control (Kubernetes RBAC).
- Monitor the health of your cluster and resources.
Identity and security management
To limit access to cluster resources, AKS supports Kubernetes RBAC. Kubernetes RBAC controls access and permissions to Kubernetes resources and namespaces.
Microsoft Entra ID
You can configure an AKS cluster to integrate with Microsoft Entra ID. With Microsoft Entra integration, you can set up Kubernetes access based on existing identity and group membership. Your existing Microsoft Entra users and groups can be provided with an integrated sign-on experience and access to AKS resources.
For more information on identity, see Access and identity options for AKS.
To secure your AKS clusters, see Integrate Microsoft Entra ID with AKS.
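As an added illustration (not part of this page) of how Entra group membership maps onto Kubernetes RBAC: on an Entra-integrated cluster, the Kubernetes group name is the Entra group's object ID. The namespace, role name, and the GUID below are placeholders, and the role is deliberately read-only.

```yaml
# Added example, not from the AKS documentation: a namespace-scoped Role plus a
# RoleBinding whose subject is a Microsoft Entra group (identified by object ID).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-reader
  namespace: payments            # assumed namespace
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]   # read-only; no wildcard verbs, no secrets access
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-devs-read-deployments
  namespace: payments
subjects:
- kind: Group
  # Object ID of the Entra group; placeholder GUID, replace with your group's ID
  name: 00000000-0000-0000-0000-000000000000
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying, `kubectl auth can-i list deployments -n payments --as=someone --as-group=<group object ID>` should answer `yes`, and the same check against `delete` should answer `no`.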
Integrated logging and monitoring
Container Insights is a feature in Azure Monitor that monitors the health and performance of managed Kubernetes clusters hosted on AKS and provides interactive views and workbooks that analyze collected data for a variety of monitoring scenarios. It captures platform metrics and resource logs from containers, nodes, and controllers within your AKS clusters and deployed applications that are available in Kubernetes through the Metrics API.
Container Insights has native integration with AKS, like collecting critical metrics and logs, alerting on identified issues, and providing visualization with workbooks or integration with Grafana. It can also collect Prometheus metrics and send them to Azure Monitor managed service for Prometheus, and all together deliver end-to-end observability.
Clusters and nodes
AKS nodes run on Azure virtual machines (VMs). With AKS nodes, you can connect storage to nodes and pods, upgrade cluster components, and use GPUs. AKS supports Kubernetes clusters that run multiple node pools to support mixed operating systems and Windows Server containers.
For more information about Kubernetes cluster, node, and node pool capabilities, see Kubernetes core concepts for AKS.
Cluster node and pod scaling
As demand for resources changes, the number of cluster nodes or pods that run your services automatically scales up or down. You can adjust both the horizontal pod autoscaler and the cluster autoscaler to respond to demand and only run the resources you need.
For more information, see Scale an AKS cluster.
Cluster node upgrades
AKS offers multiple Kubernetes versions. As new versions become available in AKS, you can upgrade your cluster using the Azure portal, Azure CLI, or Azure PowerShell. During the upgrade process, nodes are carefully cordoned and drained to minimize disruption to running applications.
GPU-enabled nodes
AKS supports the creation of GPU-enabled node pools. Azure currently provides single or multiple GPU-enabled VMs. GPU-enabled VMs are designed for compute-intensive, graphics-intensive, and visualization workloads.
For more information, see Using GPUs on AKS.
Confidential computing nodes (public preview)
AKS supports the creation of Intel SGX-based, confidential computing node pools (DCSv2 VMs). Confidential computing nodes allow containers to run in a hardware-based, trusted execution environment (enclaves). Isolation between containers, combined with code integrity through attestation, can help with your defense-in-depth container security strategy. Confidential computing nodes support both confidential containers (existing Docker apps) and enclave-aware containers.
For more information, see Confidential computing nodes on AKS.
Azure Linux nodes
The Azure Linux node pool is now generally available (GA). To learn about the benefits and deployment steps, see the Introduction to the Azure Linux Container Host for AKS.
The Azure Linux container host for AKS is an open-source Linux distribution created by Microsoft, and it’s available as a container host on Azure Kubernetes Service (AKS). The Azure Linux container host for AKS provides reliability and consistency from cloud to edge across the AKS, AKS-HCI, and Arc products. You can deploy Azure Linux node pools in a new cluster, add Azure Linux node pools to your existing Ubuntu clusters, or migrate your Ubuntu nodes to Azure Linux nodes.
For more information, see Use the Azure Linux container host for AKS.
Storage volume support
To support application workloads, you can mount static or dynamic storage volumes for persistent data. Depending on the number of connected pods expected to share the storage volumes, you can use storage backed by:
For more information, see Storage options for applications in AKS.
Virtual networks and ingress
An AKS cluster can be deployed into an existing virtual network. In this configuration, every pod in the cluster is assigned an IP address in the virtual network and can directly communicate with other pods in the cluster and other nodes in the virtual network.
Pods can also connect to other services in a peered virtual network and on-premises networks over ExpressRoute or site-to-site (S2S) VPN connections.
For more information, see the Network concepts for applications in AKS.
Ingress with application routing add-on
The application routing add-on is the recommended way to configure an Ingress controller in AKS. The application routing add-on is a fully managed ingress controller for Azure Kubernetes Service (AKS) that provides the following features:
- Easy configuration of managed NGINX Ingress controllers based on the Kubernetes NGINX Ingress controller.
- Integration with Azure DNS for public and private zone management.
- SSL termination with certificates stored in Azure Key Vault.
For more information about the application routing add-on, see Managed NGINX ingress with the application routing add-on.
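As an added example (not from this page or the add-on's own docs), an Ingress that uses the add-on's managed NGINX class and terminates TLS with a certificate pulled from Azure Key Vault; the hostname, service name, and Key Vault certificate URI are placeholders, and the cluster is assumed to already have the add-on enabled and granted access to the vault.

```yaml
# Added example, not part of the AKS documentation. Assumes the application routing
# add-on is enabled and its managed identity can read the Key Vault certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-frontend
  namespace: shop                    # assumed namespace
  annotations:
    # Certificate is fetched from Key Vault rather than stored in a manually created Secret
    kubernetes.azure.com/tls-cert-keyvault-uri: https://<keyvault-name>.vault.azure.net/certificates/<cert-name>
spec:
  ingressClassName: webapprouting.kubernetes.azure.com   # class served by the add-on
  rules:
  - host: shop.example.com           # placeholder hostname
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: shop-frontend      # assumed ClusterIP service
            port:
              number: 80
  tls:
  - hosts:
    - shop.example.com
    secretName: keyvault-shop-frontend   # Secret the add-on populates from Key Vault
```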
Development tooling integration
Azure provides several tools that help streamline Kubernetes.
Docker image support and private container registry
AKS supports the Docker image format. For private storage of your Docker images, you can integrate AKS with Azure Container Registry (ACR).
To create a private image store, see Azure Container Registry.
AKS has been CNCF-certified as Kubernetes conformant.
AKS is compliant with SOC, ISO, PCI DSS, and HIPAA. For more information, see Overview of Microsoft Azure compliance.
Learn more about deploying and managing AKS.