Azure CNI

Palette supports Azure Container Network Interface (CNI) networking for Azure Kubernetes Service (AKS) clusters. Azure CNI enables each pod to have exclusive IP addresses from the subnet with direct accessibility.

Because every pod receives its own IP address, the subnet must be planned ahead of time: IP addresses need to be reserved in advance according to the maximum number of pods a node can run. The default maximum number of pods per node differs between kubenet and Azure CNI networking and also depends on the method used to deploy the cluster.

Versions Supported

Azure CNI Policy Support

Network Policy is a Kubernetes specification that defines access policies for communication between pods. By default, pods in an AKS cluster can send and receive traffic without limitations. To restrict this, rules that control traffic flow can be defined. Network Policies define an ordered set of rules for sending and receiving traffic and apply them to the collection of pods that match one or more label selectors. Palette enables Network Policies to be included as part of a wider manifest that also creates a deployment or service. Palette leverages two (2) Network Policies from Azure CNI:


  • azure: Azure's own implementation, called Azure Network Policy.

  • calico: An open-source network and network security solution founded by Tigera.

Palette users can choose any one of the above Network Policies and provide it to the pack YAML file as networkPolicy as given below:



pack:
  # The Network policy for ingress and egress traffic between pods in a cluster. Supported values are none, azure, calico
  networkPolicy: "none"

Provide the networkPolicy value as none if no policy is to be applied.
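The following manifest is an added example, not part of the Palette documentation or the Azure CNI pack, of the pattern described above: a Network Policy shipped in the same manifest as the Deployment it protects. The namespace (shop), the app labels (api, web), the container image and the port are constructed for illustration; the kube-system namespace label and the k8s-app: kube-dns selector are assumed to match the cluster's DNS pods. The policies are only enforced when the pack was deployed with networkPolicy set to azure or calico; with none the objects are accepted by the API server but have no effect.

```yaml
# Added example (not from the Palette docs or the Azure CNI pack).
# Namespace "shop", labels app=api / app=web, image and port are constructed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: nginx:1.25      # placeholder image
          ports:
            - containerPort: 8080
---
# Default deny: an empty podSelector matches every pod in the namespace and
# no ingress/egress rules are listed, so all traffic is blocked until another
# policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow only pods labelled app=web to reach the api pods on TCP 8080, and let
# the api pods resolve DNS through kube-dns (assumed labels, see lead-in).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-web
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply it with kubectl apply -f and confirm enforcement with kubectl describe networkpolicy -n shop. Kubernetes Network Policies are additive: once a pod is selected by any policy, only traffic that some policy allows is permitted, which is why the default-deny policy and the allow policy can be combined without an explicit priority between them. Forgetting the DNS egress rule is the most common mistake with a default-deny policy; the api pods would then fail name resolution while still appearing healthy.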

Azure and Calico Policies and their Capabilities

Capability: Supported platforms
  • Azure: Linux
  • Calico: Linux, Windows Server 2019 and 2022

Capability: Supported networking options
  • Azure: Azure CNI
  • Calico: Azure CNI (Linux, Windows Server 2019 and 2022) and kubenet (Linux)

Capability: Compliance with Kubernetes specification
  • Azure: All policy types supported
  • Calico: All policy types supported

Capability: Additional features
  • Azure: None
  • Calico: Extended policy model consisting of Global Network Policy, Global Network Set, and Host Endpoint. For more information on using the calicoctl CLI to manage these extended features, see the calicoctl user reference guide.

Capability: Support
  • Azure: Supported by the Azure Support and Engineering team
  • Calico: Calico community support

Capability: Logging
  • Azure: Rules added to or deleted from IP Tables are logged on every host under /var/log/azure-npm.log
  • Calico: For more information, see Calico component logs

Make sure to use Azure CNI with Windows nodes, as kubenet is not available for the Windows environment.


References