Version: 3.27 (latest)

Microsoft Azure Kubernetes Service (AKS)

Big picture

Enable Calico in AKS managed Kubernetes service.

Value

AKS has built-in support for Calico, providing a robust implementation of the full Kubernetes Network Policy API. AKS users wanting to go beyond Kubernetes network policy capabilities can make full use of the Calico Network Policy API.

You can also use Calico for networking on AKS in place of the default Azure VPC networking. This allows you to take advantage of the full set of Calico networking features.

How to

Install AKS with Calico for network policy


Alternatively, you can run in Azure CNI overlay mode.


To enable Calico network policy enforcement, follow these step-by-step instructions: Create an AKS cluster and enable network policy.

Install AKS with Calico networking

Limitations

  1. Create an Azure AKS cluster with no Kubernetes CNI pre-installed. Please refer to Bring your own CNI with AKS for details.

    # Create a resource group
    az group create --name my-calico-rg --location westcentralus

    # Create the cluster with no CNI plugin installed (Calico is installed in the following steps)
    az aks create --resource-group my-calico-rg --name my-calico-cluster --location westcentralus --pod-cidr 192.168.0.0/16 --network-plugin none
  2. Get credentials to allow you to access the cluster with kubectl:

    az aks get-credentials --resource-group my-calico-rg --name my-calico-cluster
  3. Now that you have a cluster configured, you can install Calico.

  4. Install the operator.

    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.2/manifests/tigera-operator.yaml
  5. Configure the Calico installation.

    kubectl create -f - <<EOF
    kind: Installation
    apiVersion: operator.tigera.io/v1
    metadata:
      name: default
    spec:
      kubernetesProvider: AKS
      cni:
        type: Calico
      calicoNetwork:
        bgp: Disabled
        ipPools:
        - cidr: 192.168.0.0/16
          encapsulation: VXLAN
    ---
    apiVersion: operator.tigera.io/v1
    kind: APIServer
    metadata:
      name: default
    spec: {}
    EOF
  6. Confirm that all of the pods are running with the following command.

    watch kubectl get pods -n calico-system

    Wait until each pod has the STATUS of Running.
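As an added pre-flight check (example code written for this page, not part of the Calico project or its documentation), the script below confirms that the `az aks create` line from step 1 and the Installation manifest from step 5 agree with each other before anything is applied: the cluster must be created with `--network-plugin none`, every Calico IP pool must lie inside the `--pod-cidr` given to AKS, and with `bgp: Disabled` the pools must use VXLAN encapsulation. The `AZ_CREATE`, `INSTALLATION`, `az_flag`, `yaml_values` and `check` names are this example's own; the values inside them are copied from the steps above.

```python
import ipaddress
import re

# The az aks create line (step 1) and the Installation manifest (step 5) as given on the page.
AZ_CREATE = "az aks create --resource-group my-calico-rg --name my-calico-cluster --location westcentralus --pod-cidr 192.168.0.0/16 --network-plugin none"
INSTALLATION = """\
kind: Installation
apiVersion: operator.tigera.io/v1
metadata:
  name: default
spec:
  kubernetesProvider: AKS
  cni:
    type: Calico
  calicoNetwork:
    bgp: Disabled
    ipPools:
    - cidr: 192.168.0.0/16
      encapsulation: VXLAN
"""

def az_flag(cmd, flag):
    # Value following --flag on the command line, or None if the flag is absent.
    argv = cmd.split()
    return argv[argv.index(flag) + 1] if flag in argv else None

def yaml_values(text, key):
    # Every scalar written as `key: value` in this flat manifest (list items included).
    return re.findall(rf"^\s*-?\s*{key}:\s*(\S+)$", text, re.MULTILINE)

def check(az_cmd, manifest):
    # Returns a list of findings; an empty list means the two steps agree.
    findings = []
    if az_flag(az_cmd, "--network-plugin") != "none":
        findings.append("cluster must be created with --network-plugin none (bring your own CNI)")
    if yaml_values(manifest, "kubernetesProvider") != ["AKS"]:
        findings.append("spec.kubernetesProvider should be AKS")
    pod_cidr = az_flag(az_cmd, "--pod-cidr")
    cluster = ipaddress.ip_network(pod_cidr) if pod_cidr else None
    for cidr in yaml_values(manifest, "cidr"):
        # Each Calico IP pool must lie inside the pod CIDR the cluster was created with.
        if cluster is None or not ipaddress.ip_network(cidr).subnet_of(cluster):
            findings.append(f"ipPool {cidr} is not inside --pod-cidr {pod_cidr}")
    if yaml_values(manifest, "bgp") == ["Disabled"]:
        # Without BGP, cross-node pod routing relies on VXLAN; IPIP needs BGP.
        for enc in yaml_values(manifest, "encapsulation"):
            if not enc.startswith("VXLAN"):
                findings.append(f"encapsulation {enc} needs BGP or cloud routing; use VXLAN with bgp: Disabled")
    return findings
```

`check(AZ_CREATE, INSTALLATION)` returns an empty list for the page's values; edit either constant to match your own cluster and the findings name whichever step disagrees.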
