Microsoft Azure Kubernetes Service (AKS)

Big picture

Enable Calico in AKS managed Kubernetes service.

Value

AKS has built-in support for Calico, providing a robust implementation of the full Kubernetes Network Policy API. AKS users wanting to go beyond Kubernetes network policy capabilities can make full use of the Calico Network Policy API.

You can also use Calico for networking on AKS in place of the default Azure VPC networking. This allows you to take advantage of the full set of Calico networking features.

How to

Install AKS with Calico for network policy


Alternatively you can run in Azure CNI overlay mode.


To enable Calico network policy enforcement, follow the Azure step-by-step instructions: Create an AKS cluster and enable network policy.

Install AKS with Calico networking

Limitations

  1. Create an Azure AKS cluster with no Kubernetes CNI pre-installed. Refer to Bring your own CNI with AKS for details.

        # Create a resource group
        az group create --name my-calico-rg --location westcentralus
        az aks create --resource-group my-calico-rg --name my-calico-cluster --location westcentralus --pod-cidr 192.168.0.0/16 --network-plugin none

  2. Get credentials so that you can access the cluster with kubectl:

        az aks get-credentials --resource-group my-calico-rg --name my-calico-cluster

  3. Now that you have a cluster configured, you can install Calico.

  4. Install the operator.

        kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.4/manifests/tigera-operator.yaml

  5. Configure the Calico installation.

        kubectl create -f - <<EOF
        kind: Installation
        apiVersion: operator.tigera.io/v1
        metadata:
          name: default
        spec:
          kubernetesProvider: AKS
          cni:
            type: Calico
          calicoNetwork:
            bgp: Disabled
            ipPools:
              - cidr: 192.168.0.0/16
                encapsulation: VXLAN
        ---
        apiVersion: operator.tigera.io/v1
        kind: APIServer
        metadata:
          name: default
        spec: {}
        EOF

  6. Confirm that all of the pods are running with the following command.

        watch kubectl get pods -n calico-system

     Wait until each pod has the STATUS of Running.
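The six steps above, scripted as an added shell example (this is not code from the Calico docs or the project). It takes the pod CIDR from a single variable and renders the Installation manifest from it, so the --pod-cidr passed to az aks create and the Calico IP pool cannot drift apart, and it replaces the interactive watch with a polling check that fails after a timeout, which is what an unattended pipeline needs. The resource names, location, version and CIDR defaults are the page's own; the "run" argument guard, the readiness parser and the 300-second timeout are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example, not from the Calico docs: scripts the "Calico networking on
# AKS" procedure with one source of truth for the pod CIDR and a non-interactive
# readiness check in place of `watch`.
set -eu

# Defaults are the values used on the page; override via the environment.
RESOURCE_GROUP="${RESOURCE_GROUP:-my-calico-rg}"
CLUSTER_NAME="${CLUSTER_NAME:-my-calico-cluster}"
LOCATION="${LOCATION:-westcentralus}"
POD_CIDR="${POD_CIDR:-192.168.0.0/16}"
CALICO_VERSION="${CALICO_VERSION:-v3.27.4}"

# Render the Installation and APIServer manifest from the page, taking the
# IP pool CIDR from the argument so it always matches the cluster pod CIDR.
render_installation() {
  cat <<EOF
kind: Installation
apiVersion: operator.tigera.io/v1
metadata:
  name: default
spec:
  kubernetesProvider: AKS
  cni:
    type: Calico
  calicoNetwork:
    bgp: Disabled
    ipPools:
      - cidr: $1
        encapsulation: VXLAN
---
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
  name: default
spec: {}
EOF
}

# Read `kubectl get pods --no-headers` output on stdin and succeed only when
# at least one pod is listed, every pod is Running, and every pod's READY
# column is n/n (all containers ready). Any other state returns 1.
all_pods_ready() {
  total=0
  while read -r _name ready status _rest; do
    total=$((total + 1))
    [ "$status" = "Running" ] || return 1
    [ "${ready%/*}" = "${ready#*/}" ] || return 1
  done
  [ "$total" -gt 0 ]
}

# Poll the calico-system namespace until all_pods_ready succeeds or the
# timeout (seconds, default 300) expires. Assumption: kubectl is on PATH and
# already points at the new cluster.
wait_for_calico() {
  deadline=$(( $(date +%s) + ${1:-300} ))
  until kubectl get pods -n calico-system --no-headers 2>/dev/null | all_pods_ready; do
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out waiting for calico-system pods to become ready" >&2
      return 1
    fi
    sleep 5
  done
}

# The page's procedure, end to end.
main() {
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION"
  az aks create --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
    --location "$LOCATION" --pod-cidr "$POD_CIDR" --network-plugin none
  az aks get-credentials --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME"
  kubectl create -f "https://raw.githubusercontent.com/projectcalico/calico/${CALICO_VERSION}/manifests/tigera-operator.yaml"
  render_installation "$POD_CIDR" | kubectl create -f -
  wait_for_calico 300
  kubectl get pods -n calico-system
}

# Only touch Azure when explicitly asked (./calico-aks.sh run), so the helper
# functions can be sourced and exercised without a subscription.
case "${1:-}" in
  run) main ;;
esac
```

Run it as `./calico-aks.sh run` with `az` logged in; sourcing the file instead gives you render_installation and all_pods_ready for use in other scripts, for example to gate a deployment job on Calico being ready rather than on a human watching the pod list.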

Next steps

Recommended