Microsoft Azure Kubernetes Service (AKS)


Big picture

Enable Calico in AKS managed Kubernetes service.

Value

AKS has built-in support for Calico, providing a robust implementation of the full Kubernetes Network Policy API. AKS users wanting to go beyond Kubernetes network policy capabilities can make full use of the Calico Network Policy API.

You can also use Calico for networking on AKS in place of the default Azure VPC networking. This allows you to take advantage of the full set of Calico networking features.

How to

Install AKS with Calico for network policy

The geeky details of what you get:

  Policy:    Calico
  IPAM:      Azure
  CNI:       Azure
  Overlay:   No
  Routing:   VPC Native
  Datastore: Kubernetes

To enable Calico network policy enforcement, follow these step-by-step instructions: Create an AKS cluster and enable network policy.

Install AKS with Calico networking

Limitations

The geeky details of what you get:

  Policy:    Calico
  IPAM:      Calico
  CNI:       Calico
  Overlay:   VXLAN
  Routing:   Calico
  Datastore: Kubernetes
  1. Create an Azure AKS cluster with no Kubernetes CNI pre-installed. Please refer to Bring your own CNI with AKS for details.

     # Create a resource group
     az group create --name my-calico-rg --location westcentralus

     # Create the cluster without a CNI; the pod CIDR given here must match the Calico IP pool configured in step 5
     az aks create --resource-group my-calico-rg --name my-calico-cluster --location westcentralus --pod-cidr 192.168.0.0/16 --network-plugin none

  2. Get credentials to allow you to access the cluster with kubectl:

     az aks get-credentials --resource-group my-calico-rg --name my-calico-cluster

  3. Now that you have a cluster configured, you can install Calico.

  4. Install the operator.

     kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.24.1/manifests/tigera-operator.yaml

  5. Configure the Calico installation.

     kubectl create -f - <<EOF
     kind: Installation
     apiVersion: operator.tigera.io/v1
     metadata:
       name: default
     spec:
       kubernetesProvider: AKS
       cni:
         type: Calico
       calicoNetwork:
         bgp: Disabled
         ipPools:
           - cidr: 192.168.0.0/16
             encapsulation: VXLAN
     ---
     apiVersion: operator.tigera.io/v1
     kind: APIServer
     metadata:
       name: default
     spec: {}
     EOF

  6. Confirm that all of the pods are running with the following command.

     watch kubectl get pods -n calico-system

     Wait until each pod has the STATUS of Running.
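The watch in step 6 leaves it to the reader to judge when calico-system is healthy, and a pod can show Running while its READY column is still 0/1, which means no policy is being enforced yet. The following shell function is an added example, not code from the Calico docs: it parses the `kubectl get pods -n calico-system --no-headers` listing and succeeds only when every pod is Running with all containers ready. The sample listings are constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example: decide whether the calico-system namespace is healthy from the
# text produced by: kubectl get pods -n calico-system --no-headers
# Columns in that format: NAME READY STATUS RESTARTS AGE

calico_pods_ready() {
  # $1: pod listing text. Returns 0 only if every pod is Running and its READY
  # fraction is complete (e.g. 2/2); prints the offenders to stderr otherwise.
  listing="$1"; ok=0; total=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    set -- $line                      # split the row into NAME READY STATUS ...
    name=$1; ready=$2; status=$3
    total=$((total + 1))
    # ${ready%/*} is the ready count, ${ready#*/} the container count
    if [ "$status" = "Running" ] && [ "${ready%/*}" = "${ready#*/}" ]; then
      ok=$((ok + 1))
    else
      echo "not ready: $name ($ready $status)" >&2
    fi
  done <<EOF
$listing
EOF
  [ "$total" -gt 0 ] && [ "$ok" -eq "$total" ]
}

# Constructed sample listings (pod names and ages are made up).
HEALTHY='calico-kube-controllers-6b7b9c6d8-xk2lq 1/1 Running 0 3m
calico-node-9h4tz 1/1 Running 0 3m
calico-typha-7d9c5f4b8-2vwqp 1/1 Running 0 3m
csi-node-driver-q4x8m 2/2 Running 0 3m'

UNHEALTHY='calico-kube-controllers-6b7b9c6d8-xk2lq 1/1 Running 0 3m
calico-node-9h4tz 0/1 Running 0 3m
calico-typha-7d9c5f4b8-2vwqp 1/1 CrashLoopBackOff 4 3m'

if [ "${1:-}" = "--live" ]; then
  # Poll the real cluster until healthy (requires kubectl access from step 2).
  until calico_pods_ready "$(kubectl get pods -n calico-system --no-headers)"; do
    sleep 5
  done
  echo "calico-system is ready"
else
  calico_pods_ready "$HEALTHY" && echo "sample healthy listing: ready"
  calico_pods_ready "$UNHEALTHY" 2>/dev/null || echo "sample unhealthy listing: not ready"
fi
```

Run it with `--live` after step 5 to block until Calico is actually serving, or without arguments to exercise the constructed samples.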

Next steps

Recommended