Setup of Network Observability for Azure Kubernetes Service (AKS) - Azure managed Prometheus and Grafana

AKS Network Observability is used to collect the network traffic data of your AKS cluster. Network Observability enables a centralized platform for monitoring application and network health. Prometheus collects AKS Network Observability metrics, and Grafana visualizes them. Both Cilium and non-Cilium data planes are supported. In this article, learn how to enable the Network Observability add-on and use Azure managed Prometheus and Grafana to visualize the scraped metrics.

Important

AKS Network Observability is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

For more information about AKS Network Observability, see What is Azure Kubernetes Service (AKS) Network Observability?.

Prerequisites

  • Minimum version of Azure CLI required for the steps in this article is 2.44.0. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Install the aks-preview Azure CLI extension

Important

AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:

# Install the aks-preview extension
az extension add --name aks-preview

# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview

Register the NetworkObservabilityPreview feature flag

az feature register --namespace "Microsoft.ContainerService" --name "NetworkObservabilityPreview"

Use az feature show to check the registration status of the feature flag:

az feature show --namespace "Microsoft.ContainerService" --name "NetworkObservabilityPreview"

Wait for the feature to say Registered before proceeding with the article.

{
  "id": "/subscriptions/23250d6d-28f0-41dd-9776-61fc80805b6e/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/NetworkObservabilityPreview",
  "name": "Microsoft.ContainerService/NetworkObservabilityPreview",
  "properties": {
    "state": "Registering"
  },
  "type": "Microsoft.Features/providers/features"
}

When the feature is registered, refresh the registration of the Microsoft.ContainerService resource provider with az provider register:

az provider register -n Microsoft.ContainerService
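The register, wait, and refresh sequence above can be scripted so that later steps never run against a flag that is still Registering. This is an added example, not code from the original article; the POLL_SECONDS and MAX_TRIES variables and the function names are assumptions of this sketch.

```bash
# Added example, not from the original article. POLL_SECONDS and MAX_TRIES
# are assumed tunables; the namespace and feature name come from the article.
NAMESPACE="Microsoft.ContainerService"
FEATURE="NetworkObservabilityPreview"

# Print the feature's current state, e.g. Registering or Registered.
feature_state() {
    az feature show --namespace "$NAMESPACE" --name "$FEATURE" \
        --query properties.state --output tsv
}

# Poll until the state is Registered.
# Returns 0 when registered, 1 on timeout, 2 if the az call itself fails.
wait_for_feature() {
    max_tries=${MAX_TRIES:-60}
    poll_seconds=${POLL_SECONDS:-30}
    try=1
    while [ "$try" -le "$max_tries" ]; do
        state=$(feature_state) || return 2
        if [ "$state" = "Registered" ]; then
            return 0
        fi
        echo "attempt $try/$max_tries: state=$state" >&2
        try=$((try + 1))
        if [ "$try" -le "$max_tries" ]; then
            sleep "$poll_seconds"
        fi
    done
    return 1
}

# Register the flag, wait for it, then refresh the resource provider.
register_network_observability() {
    az feature register --namespace "$NAMESPACE" --name "$FEATURE" >/dev/null || return 2
    wait_for_feature || return $?
    az provider register -n "$NAMESPACE"
}

# Usage: register_network_observability || echo "feature not registered" >&2
```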

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group with the az group create command. The following example creates a resource group named myResourceGroup in the eastus location:

az group create \
    --name myResourceGroup \
    --location eastus

Note

For Kubernetes version 1.29 or higher, network observability is enabled with the AMA metrics profile and the AFEC flag (NetworkObservabilityPreview) until it reaches general availability.

Starting with Kubernetes version 1.29, the --enable-network-observability flag is no longer required when creating or updating an Azure Kubernetes Service (AKS) cluster.

For AKS clusters running Kubernetes version 1.28 or earlier, enabling network observability requires the --enable-network-observability flag during cluster creation or update.

Create AKS cluster

Create an AKS cluster with az aks create. The following example creates an AKS cluster named myAKSCluster in the myResourceGroup resource group:

Non-Cilium clusters support the enablement of Network Observability on an existing cluster or during the creation of a new cluster.

Use az aks create in the following example to create an AKS cluster with Network Observability and non-Cilium.

New cluster

az aks create \
    --name myAKSCluster \
    --resource-group myResourceGroup \
    --location eastus \
    --generate-ssh-keys \
    --network-plugin azure \
    --network-plugin-mode overlay \
    --pod-cidr 192.168.0.0/16 \
    --enable-network-observability

Existing cluster

Use az aks update to enable Network Observability for an existing cluster.

az aks update \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --enable-network-observability 

Azure managed Prometheus and Grafana

Use the following example to install and enable Prometheus and Grafana for your AKS cluster.

Create Azure Monitor resource

az resource create \
    --resource-group myResourceGroup \
    --namespace microsoft.monitor \
    --resource-type accounts \
    --name myAzureMonitor \
    --location eastus \
    --properties '{}'

Create Grafana instance

Use az grafana create to create a Grafana instance. The name of the Grafana instance must be unique. Replace myGrafana with a unique name for your Grafana instance.

az grafana create \
    --name myGrafana \
    --resource-group myResourceGroup 

Place the Grafana and Azure Monitor resource IDs in variables

Use az grafana show to place the Grafana resource ID in a variable. Use az resource show to place the Azure Monitor resource ID in a variable. Replace myGrafana with the name of your Grafana instance.

grafanaId=$(az grafana show \
                --name myGrafana \
                --resource-group myResourceGroup \
                --query id \
                --output tsv)

azuremonitorId=$(az resource show \
                    --resource-group myResourceGroup \
                    --name myAzureMonitor \
                    --resource-type "Microsoft.Monitor/accounts" \
                    --query id \
                    --output tsv)

Use az aks update to link the Azure Monitor and Grafana resources to your AKS cluster.

az aks update \
    --name myAKSCluster \
    --resource-group myResourceGroup \
    --enable-azure-monitor-metrics \
    --azure-monitor-workspace-resource-id "$azuremonitorId" \
    --grafana-resource-id "$grafanaId"

Get cluster credentials

az aks get-credentials --name myAKSCluster --resource-group myResourceGroup

Enable visualization on Grafana

Note

The following section requires deployments of Azure managed Prometheus and Grafana.

  1. Use the following example to verify the Azure Monitor pods are running.

    kubectl get po -owide -n kube-system | grep ama-
    
    ama-metrics-5bc6c6d948-zkgc9          2/2     Running   0 (21h ago)   26h
    ama-metrics-ksm-556d86b5dc-2ndkv      1/1     Running   0 (26h ago)   26h
    ama-metrics-node-lbwcj                2/2     Running   0 (21h ago)   26h
    ama-metrics-node-rzkzn                2/2     Running   0 (21h ago)   26h
    ama-metrics-win-node-gqnkw            2/2     Running   0 (26h ago)   26h
    ama-metrics-win-node-tkrm8            2/2     Running   0 (26h ago)   26h
    
  2. Select Dashboards from the left navigation menu, then open the Kubernetes / Networking dashboard under the Managed Prometheus folder.

  3. Check that the metrics in the Kubernetes / Networking Grafana dashboard are visible. If metrics aren't shown, change the time range to the last 15 minutes in the top-right dropdown box.
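The pod check in step 1 can be turned into a pass/fail test, since a metrics agent that is not fully ready leaves a gap in the collected network telemetry. This is an added example, not part of the original article; the function names are assumptions, and the degraded sample line is constructed.

```bash
# Added example, not from the original article.
# Reads `kubectl get po` lines on stdin and prints every ama- pod whose READY
# count is incomplete or whose STATUS is not Running.
# Exit status: 0 all healthy, 1 at least one unhealthy, 2 no ama- pods seen.
unready_ama_pods() {
    awk '
        $1 ~ /^ama-/ {
            seen++
            split($2, ready, "/")
            if (ready[1] != ready[2] || $3 != "Running") {
                print $1, $2, $3
                bad++
            }
        }
        END {
            if (seen == 0) { print "no ama- pods found"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Two lines copied from the article's sample output.
HEALTHY_SAMPLE='ama-metrics-5bc6c6d948-zkgc9          2/2     Running   0 (21h ago)   26h
ama-metrics-ksm-556d86b5dc-2ndkv      1/1     Running   0 (26h ago)   26h'

# Constructed sample: the second pod name and its state are made up.
DEGRADED_SAMPLE='ama-metrics-5bc6c6d948-zkgc9          2/2     Running            0 (21h ago)   26h
ama-metrics-node-example              1/2     CrashLoopBackOff   7 (2m ago)    26h'

# Live check against the cluster selected by `az aks get-credentials`.
check_ama_pods() {
    kubectl get po -n kube-system --no-headers | unready_ama_pods
}
```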

Clean up resources

If you're not going to continue to use this application, delete the AKS cluster and the other resources created in this article with the following example:

az group delete \
    --name myResourceGroup

Next steps

In this how-to article, you learned how to install and enable AKS Network Observability for your AKS cluster.