Use planned maintenance to schedule upgrades for Azure Kubernetes Application Network members (preview)

Important

AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:

This article shows you how to use planned maintenance to schedule component upgrades for Azure Kubernetes Application Network members.

Overview of planned maintenance for Application Network

Maintenance operations refer to the upgrade of in-cluster data plane components and Application Network control plane components that run outside the cluster, such as Istiod.

Two of the key in-cluster components are the ztunnel node proxies and Istio CNI node agents. These resources are per-node DaemonSets, so their upgrades affect an entire node at a time and might cause disruptions of long-lived TCP connections. To isolate node-level disruptions to a common window, Application Network uses the same aksManagedNodeOSUpgradeSchedule maintenance schedule as Azure Kubernetes Service (AKS) node operating system (OS) automatic upgrades, if configured.

Note that while the maintenance window is the same, Application Network member upgrades and node OS upgrades are independent events within the window that occur for one or both components, depending on availability of upgrades. Neither upgrade impacts the timing or process of the other. If both components upgrade within the same window, there might be separate connection disruptions for each upgrade within that window.

Note

It's not required to opt in to node OS automatic upgrades to use planned maintenance for Application Network. Creating an aksManagedNodeOSUpgradeSchedule doesn't enable or disable node OS automatic upgrades.

Prerequisites

An existing AKS cluster onboarded as a member of an Application Network resource. If you don't have an Application Network resource or haven't onboarded your cluster yet, see Get started with Azure Kubernetes Application Network.
Azure CLI version is 2.84.0 or later. Check your version using the az --version command. To install or update, see Install Azure CLI.
We recommend reviewing the Maintenance window documentation to understand the configuration fields and how maintenance windows work in AKS.

Considerations

Keep the following considerations in mind when using planned maintenance to schedule Application Network upgrades:

Application Network reserves the right to break planned maintenance windows for unplanned, reactive maintenance operations that are urgent or critical. These maintenance operations might even run during the notAllowedTime or notAllowedDates periods defined in your configuration.
Maintenance operations are considered best effort only and aren't guaranteed to occur within a specified window.
If an attempted upgrade isn't completed when the window closes, it continues to attempt reconciliation until it completes.

Mode-specific behavior

You can use planned maintenance to schedule the timing of fully-managed upgrades and self-managed upgrades, but enabling or disabling planned maintenance doesn't impact your upgrade mode itself. Maintenance windows gate different types of upgrades depending on the upgrade mode of your cluster.

Fully-managed mode: Maintenance windows gate both minor and patch upgrades. However, if you initiate a release channel change, the associated version change takes effect immediately.
Self-managed mode: Maintenance windows apply only to patch upgrades. If you initiate a minor version change, it takes effect immediately.

Add a maintenance window

Add a aksManagedNodeOSUpgradeSchedule maintenance window configuration to an AKS cluster using the az aks maintenanceconfiguration add command. The following example adds a new aksManagedNodeOSUpgradeSchedule configuration that schedules maintenance to run every third Friday between 12:00 AM and 8:00 AM in the UTC+5:30 time zone:
```
az aks maintenanceconfiguration add --resource-group $RESOURCE_GROUP --cluster-name $CLUSTER_NAME --name aksManagedNodeOSUpgradeSchedule --schedule-type Weekly --day-of-week Friday --interval-weeks 3 --duration 8 --utc-offset +05:30 --start-time 00:00
```

Update an existing maintenance window

Update an existing maintenance configuration using the az aks maintenanceconfiguration update command. The following example updates the aksManagedNodeOSUpgradeSchedule configuration to schedule maintenance to run every Friday from 2:00 AM to 6:00 AM:

az aks maintenanceconfiguration update --resource-group $RESOURCE_GROUP --cluster-name $CLUSTER_NAME --name aksManagedNodeOSUpgradeSchedule --schedule-type Weekly --day-of-week Friday --interval-weeks 1 --duration 4 --utc-offset +00:00 --start-time 02:00

Show the maintenance configuration for a cluster

View a specific maintenance configuration window in your AKS cluster using the az aks maintenanceconfiguration show command with the --name parameter.

az aks maintenanceconfiguration show --resource-group $RESOURCE_GROUP --cluster-name $CLUSTER_NAME --name aksManagedNodeOSUpgradeSchedule

The following example output shows the maintenance window for aksManagedNodeOSUpgradeSchedule:

{
  "id": "/subscriptions/<subscription>/resourceGroups/myResourceGroup/providers/Microsoft.ContainerService/managedClusters/myAKSCluster/maintenanceConfigurations/aksManagedNodeOSUpgradeSchedule",
  "maintenanceWindow": {
    "durationHours": 4,
    "notAllowedDates": [
      {
        "end": "2024-01-05",
        "start": "2023-12-23"
      }
    ],
    "schedule": {
      "absoluteMonthly": {
        "dayOfMonth": 1,
        "intervalMonths": 3
      },
      "daily": null,
      "relativeMonthly": null,
      "weekly": null
    },
    "startDate": "2023-01-20",
    "startTime": "09:00",
    "utcOffset": "-08:00"
  },
  "name": "aksManagedNodeOSUpgradeSchedule",
  "notAllowedTime": null,
  "resourceGroup": "myResourceGroup",
  "systemData": null,
  "timeInWeek": null,
  "type": null
}

Delete a maintenance configuration for a cluster

Delete a maintenance configuration window in your AKS cluster using the az aks maintenanceconfiguration delete command.

az aks maintenanceconfiguration delete --resource-group $RESOURCE_GROUP --cluster-name $CLUSTER_NAME --name aksManagedNodeOSUpgradeSchedule

To learn more about Azure Kubernetes Application Network, see the following articles:

Feedback

Was this page helpful?

Last updated on 2026-03-23