Set up Azure Kubernetes Service (AKS) with Advanced Networking and Application Routing

Kubernetes is an open-source system for orchestrating containerized applications. Kubernetes builds upon more than a decade of experience running workloads at Google and incorporates practices from the community.

This blog post is going to demonstrate “How to Get Started with Advanced Networking and AKS in Azure.” Throughout the blog post, we will be creating the following Azure artifacts,

For the blog post, Azure Portal is the primary tool choice for creating and provisioning Azure resources. For production and more serious implementations, I would recommend using ARM (Azure Resource Manager) and automation for provisioning and configuring these artifacts.

Create Azure AD Application & Service Principal

The term ‘Application’ can be misunderstood in this context. Azure Kubernetes Service (AKS) is a managed service, and the Kubernetes Master is the primary scope of the created Service Principal. It is not recommended to share the created Service Principal with other Azure applications. While Azure Portal allows for the implicit creation of Service Principals as part of Kubernetes deployment, I would not recommend it as a good practice.

Create a Service Principal

Create a new Application Registration: Azure Portal > Active Directory (Instance) > App registration > New application registration. Please note that the application type is set to Web app / API and the Sign-on URL is there just for scope purposes in this context.

Create a Service Principal Token (or Key)

Once the application is created, go to Application > Settings > Keys to create a new token (or key) for the Kubernetes Master to manage the underlying Azure infrastructure for AKS. Keep the Application ID and Key safe; you will need them while configuring Azure Kubernetes Service.

Create an Azure Virtual Network (VNet)

Microsoft has an excellent step-by-step guide for creating an Azure Virtual Network. I recommend considering and validating your Azure Kubernetes Service’s network topology and CIDR ranges. The subnet (CIDR range) used to configure AKS should not overlap with internal Kubernetes CIDR ranges. In my case, I have used the following configuration.

  • Azure Virtual Network CIDR:
  • Azure AKS Subnet CIDR:
  • Kubernetes Service Address CIDR:
  • Kubernetes DNS Service IP Address:
  • Docker Bridge CIDR:

Please refer to Microsoft’s step-by-step guide for creating a virtual network using the Azure portal and to its documentation on networking in Kubernetes. I will likely write a separate blog post on the topic of Enterprise Networks with Kubernetes and Azure Kubernetes Service.

Add a Service Principal to the Subnet

The Kubernetes Master needs permission (Owner) on the subnet so that it can transparently manage the underlying network configuration. Go to Azure Portal > Virtual Networks > [Select Your VNet] > Subnets > [Select Your Subnet] > Users > Add (+), and add the previously created Service Principal to the Azure Subnet with the Owner role.
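A check to run after this step, as an added example that is not part of the original post: it takes the JSON printed by az role assignment list --assignee ApplicationID --all and sorts each assignment by whether it sits on the AKS subnet, on a parent scope that the subnet inherits from, or somewhere else. The function name, subscription ID and resource names are constructed for illustration.

```python
import json

def classify_scopes(assignments, subnet_id):
    """Label each role assignment relative to the AKS subnet.

    "subnet": granted on the subnet itself (what the step above sets up)
    "parent": granted on the VNet, resource group, subscription or root,
              so the role is inherited by far more than the subnet
    "other":  granted elsewhere, i.e. the principal is also used for
              something besides this subnet and should be reviewed
    """
    target = subnet_id.rstrip("/").lower()  # ARM IDs are case-insensitive
    report = []
    for a in assignments:
        scope = a["scope"].rstrip("/").lower()
        if scope == target:
            kind = "subnet"
        elif target.startswith(scope + "/"):
            kind = "parent"
        else:
            kind = "other"
        report.append((kind, a["roleDefinitionName"], a["scope"]))
    return report

# Constructed sample data (placeholder subscription and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SUBNET_ID = (SUB + "/resourceGroups/rg-demo/providers/Microsoft.Network"
             "/virtualNetworks/vnet-demo/subnets/aks-subnet")
SAMPLE = json.loads(json.dumps([
    {"roleDefinitionName": "Owner",
     "scope": SUBNET_ID.replace("resourceGroups", "resourcegroups")},
    {"roleDefinitionName": "Contributor", "scope": SUB},
    {"roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-other/providers"
              "/Microsoft.Storage/storageAccounts/demo"},
]))

if __name__ == "__main__":
    for kind, role, scope in classify_scopes(SAMPLE, SUBNET_ID):
        print(f"{kind:7} {role:12} {scope}")
```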

Create an Azure Kubernetes Service (AKS) in Azure Portal

You can create an AKS Cluster using Azure CLI and Azure Portal. For this article, we will use Azure Portal.

Create AKS Cluster (Basic)

Azure Portal is self-explanatory and will be very easy for anyone with some familiarity beforehand. Make sure to configure the service principal with the Client ID (Application ID) and Client Secret (Key).

Create AKS Cluster (Networking)

The next configuration step is where everything we have created so far will come together. Enabling HTTP Application Routing is going to create a Custom DNS Zone for your Kubernetes (AKS) setup. The DNS Zone is transparently managed and updated by the AKS Master based on deployment definitions. You can use CNAME mapping with your custom domain to map it with the DNS Zone. This feature is not mandatory to enable Advanced Networking with AKS.

Select Advanced Network Configuration to use the existing Azure Virtual Network and Subnet. Select the previously created VNet and Subnet. Configure values for the Kubernetes Service Address Range, Kubernetes DNS Service IP and Docker Bridge. You can choose these values according to your network topology, but you need to ensure that they are unique across the VNet and bridged networks. Prefer appropriate CIDR ranges based on your estimated number of Kubernetes Pods and Kubernetes Nodes.
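The overlap and sizing rules from this step and from the Virtual Network section can be checked before anything is typed into the portal. The following is an added example, not code from the original post: the function name, the sample address plans, the default of 30 pods per node and the one-spare-node sizing rule are assumptions made for illustration.

```python
import ipaddress

AZURE_RESERVED_IPS = 5  # Azure reserves five addresses in every subnet

def check_aks_plan(vnet, subnet, service_cidr, dns_ip, docker_bridge,
                   nodes, max_pods=30):
    """Return a list of problems in an AKS advanced-networking address plan."""
    vnet_n = ipaddress.ip_network(vnet)
    subnet_n = ipaddress.ip_network(subnet)
    svc_n = ipaddress.ip_network(service_cidr)
    # The Docker bridge is entered as address/prefix, e.g. 172.17.0.1/16.
    bridge_n = ipaddress.ip_interface(docker_bridge).network
    dns = ipaddress.ip_address(dns_ip)
    problems = []

    if not subnet_n.subnet_of(vnet_n):
        problems.append("AKS subnet is not inside the VNet")
    for name, net in (("service CIDR", svc_n), ("Docker bridge", bridge_n)):
        if net.overlaps(vnet_n):
            problems.append(f"{name} overlaps the VNet")
    if svc_n.overlaps(bridge_n):
        problems.append("service CIDR overlaps the Docker bridge")

    # The DNS service IP must sit in the service range; the first host
    # address there is taken by the built-in "kubernetes" API service.
    reserved = (svc_n.network_address, svc_n.network_address + 1,
                svc_n.broadcast_address)
    if dns not in svc_n:
        problems.append("DNS service IP is outside the service CIDR")
    elif dns in reserved:
        problems.append("DNS service IP is a reserved address")

    # Sizing assumption: with advanced networking every node and every pod
    # takes a subnet IP; one spare node is counted for rolling upgrades.
    needed = (nodes + 1) * (max_pods + 1)
    usable = subnet_n.num_addresses - AZURE_RESERVED_IPS
    if needed > usable:
        problems.append(f"subnet has {usable} usable IPs, plan needs {needed}")
    return problems

# Constructed sample plans (not the values used in the post).
GOOD = dict(vnet="10.10.0.0/16", subnet="10.10.1.0/24",
            service_cidr="10.20.0.0/16", dns_ip="10.20.0.10",
            docker_bridge="172.17.0.1/16", nodes=3)
BAD = dict(GOOD, service_cidr="10.10.0.0/20", dns_ip="10.10.0.1", nodes=10)

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_aks_plan(**plan) or "no problems")
```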

Create AKS Cluster (Monitoring & Tags)

Configuring monitoring and tags is optional. If you are configuring a production or commercial environment, it is highly recommended to configure Azure Log Analytics/OMS for the AKS instance.

Create an AKS Cluster (Summary)

Verify the configuration and click create.

Verify & Test the Azure Kubernetes Service

It could take up to half an hour to provision all managed resources and get you up and running with AKS. The Azure Resource Group MC_[Your Resource Group] is provisioned by Azure Kubernetes Service, and Microsoft Azure manages that Resource Group transparently, but of course the subscription owner is responsible for the cost.

Connect using kubectl to Azure Kubernetes Cluster

  • Download Azure CLI.
  • Run az aks install-cli to install kubectl.
  • Login to Azure Subscription using az login.
  • If you have more than one subscription, make sure that you select the correct one with az account set --subscription SubscriptionID.
  • Run az aks get-credentials --resource-group ResourceGroupName --name AKSClusterName to add or merge your AKS credentials to local .kube profile.

Run kubectl get nodes to check the status of the Kubernetes nodes.

Congratulations, you should be up and running with Azure Kubernetes Service with Advanced Networking and Application Routing. Run az aks browse --resource-group ResourceGroupName --name AKSClusterName to access your Kubernetes Web Console. You can verify that the Cluster IP is assigned from the provided Kubernetes Service Address CIDR range.

Similarly, the Kubernetes and Azure deployment have deployed and configured addon-HTTP-application-routing-* pods.

