
What is Advanced Container Networking Services?

Advanced Container Networking Services is a suite of services designed to enhance the networking capabilities of Azure Kubernetes Service (AKS) clusters. The suite addresses challenges in modern containerized applications, such as observability, security, and compliance.

Advanced Container Networking Services focuses on delivering a seamless and integrated experience that helps you maintain a robust security posture and gain deep insight into your network traffic and application performance. It helps ensure that your containerized applications are not only secure but also meet or exceed your performance and reliability goals, so that you can manage and scale your infrastructure with confidence.

What is included in Advanced Container Networking Services?

Advanced Container Networking Services offers two key features:

  • Container Network Observability: The inaugural feature of the Advanced Container Networking Services suite, bringing the power of Hubble’s control plane to both Cilium and non-Cilium Linux data planes. These features aim to provide visibility into networking and performance.

  • Container Network Security: For clusters that use Azure CNI Powered by Cilium, network policies include Fully Qualified Domain Name (FQDN) filtering, which reduces the complexity of maintaining policy configuration.

Container Network Observability

Container Network Observability in AKS is a comprehensive feature set within Advanced Container Networking Services, designed to provide deep insights into network traffic and performance across containerized environments. It works seamlessly across both Cilium and non-Cilium data planes, offering flexibility for diverse networking needs. The feature uses eBPF to enhance scalability and performance by identifying potential bottlenecks and network congestion before applications are affected.

Key benefits include compatibility with all Container Networking Interface (CNI) variants in Azure, detailed visibility into node-level metrics, and Hubble metrics for Domain Name System (DNS) resolution, pod-to-pod communication, and service interactions. Container network logs capture essential metadata such as IPs, ports, and traffic flow for troubleshooting, monitoring, and security enforcement.

It also integrates with the managed service for Prometheus in Azure Monitor and Azure Managed Grafana for simplified metrics storage and visualization. Whether you use managed services or your own infrastructure, this observability solution helps ensure a highly performant, secure, and compliant network environment for AKS workloads.

Diagram of the Container Network Observability architecture.

Container network metrics

This feature collects node-level metrics, including CPU, memory, and network performance, to monitor the health of cluster nodes. For deeper insights, Hubble metrics provide data on DNS resolution times, service-to-service communication, and pod-level network behavior. These metrics help you analyze application performance, detect anomalies, and optimize workloads.

For more information, see the metrics overview.

Container network logs

Container network logs give you detailed insight into traffic within and across clusters by capturing metadata like source and destination IP addresses, ports, protocols, and flow direction. These logs enable monitoring network behavior, troubleshooting connectivity issues, and enforcing security policies. Persistent and real-time logging options ensure comprehensive, actionable network observability.

To learn more, see the container network logs overview.

Container Network Security

Securing your containerized applications is essential in today's dynamic cloud environments. Advanced Container Networking Services provides features to strengthen your cluster's network security.

FQDN-based filtering

Enhance egress control with Azure CNI Powered by Cilium DNS-based policies. Simplify configuration by using FQDNs instead of managing dynamic IP addresses.

To learn more, see the FQDN-based filtering overview.

Layer 7 policy (preview)

Gain granular control over application-level traffic. Implement policies based on protocols like HTTP, gRPC, and Kafka to secure your applications with deep visibility and fine-grained access control. To learn more, see the Layer 7 policy overview documentation.
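The FQDN-based filtering and Layer 7 policy sections above describe two policy shapes without showing them. The following is an added example, not code from this page or from Microsoft: two POSIX shell functions that render the corresponding CiliumNetworkPolicy manifests, the policy kind that Azure CNI Powered by Cilium enforces. The namespace, label, hostname pattern, port and path values are constructed samples. Rendering from a function rather than hand-writing YAML keeps the DNS-visibility rule, which an FQDN policy silently depends on, from being forgotten when the policy is copied to another namespace.

```shell
#!/bin/sh
# Added example (not from the page): render the two Cilium policy shapes the page describes,
# an FQDN egress allow-list and a Layer 7 HTTP rule, as CiliumNetworkPolicy manifests.
# Names, labels, hostnames, ports and paths used below are constructed sample values.

# fqdn_egress_policy NAME NAMESPACE APP_LABEL FQDN_PATTERN PORT
# Pods labelled app=APP_LABEL may reach hosts matching FQDN_PATTERN on PORT/TCP and nothing
# else. The first egress rule is essential: DNS lookups must be allowed to kube-dns through
# a DNS-aware L7 rule, otherwise Cilium never sees the names the toFQDNs rule has to resolve.
fqdn_egress_policy() {
    cat <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: $1
  namespace: $2
spec:
  endpointSelector:
    matchLabels:
      app: $3
  egress:
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    - toFQDNs:
        - matchPattern: "$4"
      toPorts:
        - ports:
            - port: "$5"
              protocol: TCP
EOF
}

# http_ingress_policy NAME NAMESPACE APP_LABEL CLIENT_LABEL PORT METHOD PATH_REGEX
# Layer 7 rule: only pods labelled app=CLIENT_LABEL may send METHOD requests whose path
# matches PATH_REGEX to the selected workload on PORT. Other requests on that port reach the
# proxy and are answered with HTTP 403 rather than being dropped at L3/L4.
http_ingress_policy() {
    cat <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: $1
  namespace: $2
spec:
  endpointSelector:
    matchLabels:
      app: $3
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: $4
      toPorts:
        - ports:
            - port: "$5"
              protocol: TCP
          rules:
            http:
              - method: "$6"
                path: "$7"
EOF
}

# Stand-alone use: POLICY_RENDER=1 sh policies.sh | kubectl apply -f -
if [ "${POLICY_RENDER:-0}" = "1" ]; then
    fqdn_egress_policy allow-egress-vendor-api payments checkout '*.example.com' 443
    echo '---'
    http_ingress_policy allow-readonly-orders payments orders checkout 8080 GET '/api/v1/orders/.*'
fi
```

Both functions write to standard output, so the manifests can be reviewed with a diff against the last applied version before they are piped to kubectl.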

Pricing

Important

Advanced Container Networking Services is a paid offering.

For information about pricing, see Advanced Container Networking Services - Pricing.

Set up Advanced Container Networking Services on your cluster

Prerequisites

  • An Azure account with an active subscription. If you don't have one, create a free account before you begin.
  • The minimum version of Azure CLI required for the steps in this article is 2.71.0. To find your version, run az --version. To install or upgrade, see Install Azure CLI.

Install the aks-preview Azure CLI extension

Install or update the Azure CLI preview extension by using the az extension add or az extension update command.

The minimum version of the aks-preview Azure CLI extension is 14.0.0b6.

# Install the aks-preview extension
az extension add --name aks-preview
# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview

Register the AdvancedNetworkingL7PolicyPreview feature flag

Note

Container Network Security features are supported only on clusters that use Azure CNI Powered by Cilium.

Register the AdvancedNetworkingL7PolicyPreview feature flag by using the az feature register command:

az feature register --namespace "Microsoft.ContainerService" --name "AdvancedNetworkingL7PolicyPreview"

Verify successful registration by using the az feature show command. Registration takes a few minutes to complete.

az feature show --namespace "Microsoft.ContainerService" --name "AdvancedNetworkingL7PolicyPreview"

Create a resource group

A resource group is a logical container in which Azure resources are deployed and managed. Create a resource group by using the az group create command:

# Set environment variables for the resource group name and location. Make sure to replace the placeholders with your own values.
export RESOURCE_GROUP="<resource-group-name>"
export LOCATION="<azure-region>"
# Create a resource group
az group create --name $RESOURCE_GROUP --location $LOCATION

Enable and disable Advanced Container Networking Services in an AKS cluster

Create an AKS cluster that has Advanced Container Networking Services

The az aks create command with the --enable-acns Advanced Container Networking Services flag creates a new AKS cluster that has all Advanced Container Networking Services features, including Container Network Observability and Container Network Security.

Note

Clusters that have the Cilium data plane support Container Network Observability and Container Network Security in Kubernetes version 1.29 and later.

When the --acns-advanced-networkpolicies parameter is set to L7, both Layer 7 and FQDN filtering policies are enabled. If you want to enable only FQDN filtering, set the parameter to FQDN.

To disable both features, complete the steps described in Disable Container Network Security.

# Set an environment variable for the AKS cluster name. Make sure you replace the placeholder with your own value.
export CLUSTER_NAME="<aks-cluster-name>"

# Create an AKS cluster
az aks create \
    --name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP \
    --network-plugin azure \
    --network-plugin-mode overlay \
    --network-dataplane cilium \
    --kubernetes-version 1.29 \
    --enable-acns \
    --acns-advanced-networkpolicies <L7/FQDN>

Enable Advanced Container Networking Services on an existing cluster

The az aks update command with the --enable-acns flag updates an existing AKS cluster with all Advanced Container Networking Services features, including Container Network Observability and Container Network Security.

Note

Clusters that have the Cilium data plane support Container Network Observability and Container Network Security in Kubernetes version 1.29 and later.

When the --acns-advanced-networkpolicies parameter is set to L7, both Layer 7 and FQDN filtering policies are enabled. If you want to enable only FQDN filtering, set the parameter to FQDN.

To disable both features, complete the steps described in Disable Container Network Security.

az aks update \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --enable-acns \
    --acns-advanced-networkpolicies <L7/FQDN>
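As an added example that is not part of this page, the following POSIX shell script runs the setup steps above end to end: it checks the Azure CLI and aks-preview extension versions against the minimums the page states, registers the feature flag and waits until registration reports Registered, creates the resource group, and then takes the az aks create or the az aks update path depending on whether the cluster already exists. Resource group, region and cluster name are placeholders supplied through the environment. Two things are not on this page and are marked as such in the comments: the az provider register call after the feature registration, and the advancedNetworking query used to confirm the result, whose property path is an assumption.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn page): idempotent preflight-and-enable script
# for Advanced Container Networking Services on AKS, following the page's steps in order.
# Required values come from the environment; the defaults are constructed placeholders.
set -eu

RESOURCE_GROUP=${RESOURCE_GROUP:-"<resource-group-name>"}
LOCATION=${LOCATION:-"<azure-region>"}
CLUSTER_NAME=${CLUSTER_NAME:-"<aks-cluster-name>"}
POLICY_MODE=${POLICY_MODE:-FQDN}   # L7 or FQDN, the two values the page accepts
MIN_CLI_VERSION=2.71.0             # minimum Azure CLI version stated on the page
MIN_EXT_VERSION=14.0.0b6           # minimum aks-preview extension version stated on the page
FEATURE_NS=Microsoft.ContainerService
FEATURE_NAME=AdvancedNetworkingL7PolicyPreview

# version_at_least HAVE MIN: succeed when HAVE >= MIN, comparing up to three dotted numeric
# components. A pre-release suffix such as the b6 in 14.0.0b6 is ignored.
version_at_least() {
    _have=$1; _min=$2
    _oldifs=$IFS; IFS=.
    set -- $_have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $_min;  m1=${1:-0}; m2=${2:-0}; m3=${3:-0}
    IFS=$_oldifs
    h3=${h3%%[!0-9]*}; m3=${m3%%[!0-9]*}
    for pair in "$h1:$m1" "$h2:$m2" "${h3:-0}:${m3:-0}"; do
        h=${pair%%:*}; m=${pair##*:}
        [ "$h" -gt "$m" ] && return 0
        [ "$h" -lt "$m" ] && return 1
    done
    return 0
}

# validate_policy_mode MODE: --acns-advanced-networkpolicies takes exactly L7 or FQDN.
validate_policy_mode() {
    case "$1" in
        L7|FQDN) return 0 ;;
        *)       return 1 ;;
    esac
}

# wait_for_feature: the page notes registration takes a few minutes; poll until Registered.
wait_for_feature() {
    while :; do
        state=$(az feature show --namespace "$FEATURE_NS" --name "$FEATURE_NAME" \
                    --query properties.state -o tsv)
        [ "$state" = "Registered" ] && break
        printf '%s is %s; waiting...\n' "$FEATURE_NAME" "$state"
        sleep 30
    done
    # Propagate the registration to the resource provider. Standard step in AKS preview
    # guidance; not shown on this page.
    az provider register --namespace "$FEATURE_NS"
}

main() {
    validate_policy_mode "$POLICY_MODE" || { echo "POLICY_MODE must be L7 or FQDN" >&2; exit 1; }

    cli=$(az version --query '"azure-cli"' -o tsv)
    version_at_least "$cli" "$MIN_CLI_VERSION" || { echo "Azure CLI $cli < $MIN_CLI_VERSION" >&2; exit 1; }

    # Install the extension only if absent, then update it (the page's two commands).
    az extension show --name aks-preview >/dev/null 2>&1 || az extension add --name aks-preview
    az extension update --name aks-preview
    ext=$(az extension show --name aks-preview --query version -o tsv)
    version_at_least "$ext" "$MIN_EXT_VERSION" || { echo "aks-preview $ext < $MIN_EXT_VERSION" >&2; exit 1; }

    az feature register --namespace "$FEATURE_NS" --name "$FEATURE_NAME"
    wait_for_feature

    az group create --name "$RESOURCE_GROUP" --location "$LOCATION" -o none

    if az aks show --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" >/dev/null 2>&1; then
        # Existing cluster: the page's az aks update path.
        az aks update --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
            --enable-acns --acns-advanced-networkpolicies "$POLICY_MODE"
    else
        # New cluster: the page's az aks create path (Cilium data plane, Kubernetes 1.29).
        az aks create --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
            --network-plugin azure --network-plugin-mode overlay --network-dataplane cilium \
            --kubernetes-version 1.29 --enable-acns --acns-advanced-networkpolicies "$POLICY_MODE"
    fi

    # Confirm what is enabled. The advancedNetworking property path is an assumption about
    # the ACNS resource model; adjust the JMESPath if your CLI version reports it differently.
    az aks show --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
        --query networkProfile.advancedNetworking -o json
}

# Nothing touches Azure until ACNS_APPLY=1, so the helpers can be tested without az installed.
if [ "${ACNS_APPLY:-0}" = "1" ]; then
    main
fi
```

Run it as ACNS_APPLY=1 RESOURCE_GROUP=... LOCATION=... CLUSTER_NAME=... POLICY_MODE=L7 sh enable-acns.sh. Because it branches on az aks show, the same script serves the first enablement and later re-runs, and the version checks fail early rather than part-way through the cluster operation.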

Disable Advanced Container Networking Services

The --disable-acns flag disables all Advanced Container Networking Services features on an existing AKS cluster. Container Network Observability and Container Network Security are also disabled.

az aks update \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --disable-acns

Disable Advanced Container Networking Services features

Disable Container Network Observability

To disable the Container Network Observability feature without affecting other Advanced Container Networking Services features, run:

az aks update \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --enable-acns \
    --disable-acns-observability

Disable Container Network Security

To disable the Container Network Security feature without affecting other Advanced Container Networking Services features, run:

az aks update \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --enable-acns \
    --disable-acns-security