Bird
Raised Fist0
Azurecloud~5 mins

AKS networking (kubenet, Azure CNI) - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
When you create a Kubernetes cluster in Azure, you need to decide how the network connects your containers and nodes. AKS offers two main ways: kubenet and Azure CNI. These control how your apps talk to each other and the outside world.
When you want a simple network setup with fewer IP addresses used, kubenet is a good choice.
When your app needs to have IP addresses from your Azure virtual network, use Azure CNI.
When you want your pods to communicate directly with other Azure resources using native IPs, choose Azure CNI.
When you want to save IP addresses and have a smaller network footprint, kubenet helps.
When you need your pods to be reachable from outside the cluster with their own IPs, Azure CNI is better.
Config File - aks-network-config.yaml
aks-network-config.yaml
apiVersion: azure.microsoft.com/v1
kind: AKSCluster
location: eastus
properties:
  dnsPrefix: myakscluster
  agentPoolProfiles:
  - name: nodepool1
    count: 3
    vmSize: Standard_DS2_v2
  networkProfile:
    networkPlugin: azure
    networkPolicy: azure
    serviceCidr: 10.0.0.0/16
    dnsServiceIP: 10.0.0.10
    dockerBridgeCidr: 172.17.0.0/16

This file shows a basic AKS cluster configuration using Azure CNI networking.

networkPlugin: azure means Azure CNI is used, giving pods IPs from the Azure VNet.

serviceCidr defines the IP range for Kubernetes services.

dnsServiceIP is the IP for the cluster DNS service.

dockerBridgeCidr is the IP range for Docker bridge network.

Commands
This command creates an AKS cluster using the kubenet network plugin. It sets up 3 nodes and generates SSH keys for access.
Terminal
az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 3 --network-plugin kubenet --generate-ssh-keys
Expected OutputExpected
Waiting for AAD role to propagate Creating resource group 'myResourceGroup'... Creating AKS cluster 'myAKSCluster' with kubenet networking... Succeeded Kubernetes master is running at https://myakscluster-12345.hcp.eastus.azmk8s.io You can use kubectl to connect to the cluster.
--network-plugin - Specifies the network plugin to use (kubenet or azure)
--node-count - Number of nodes in the cluster
--generate-ssh-keys - Automatically creates SSH keys for node access
This command creates an AKS cluster using Azure CNI networking. It assigns pod IPs from the specified Azure subnet.
Terminal
az aks create --resource-group myResourceGroup --name myAKSClusterAzureCNI --node-count 3 --network-plugin azure --vnet-subnet-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet --generate-ssh-keys
Expected OutputExpected
Waiting for AAD role to propagate Creating resource group 'myResourceGroup'... Creating AKS cluster 'myAKSClusterAzureCNI' with Azure CNI networking... Succeeded Kubernetes master is running at https://myaksclusterazurecni-12345.hcp.eastus.azmk8s.io You can use kubectl to connect to the cluster.
--network-plugin - Specifies the network plugin to use (kubenet or azure)
--vnet-subnet-id - Specifies the Azure subnet for pod IPs
--generate-ssh-keys - Automatically creates SSH keys for node access
This command lists all pods with their IP addresses and node assignments, helping verify the network plugin behavior.
Terminal
kubectl get pods -o wide
Expected OutputExpected
NAME READY STATUS RESTARTS AGE IP NODE nginx-deployment-5c689d4b7f-abcde 1/1 Running 0 5m 10.240.0.5 aks-nodepool1-12345678-vmss000000
-o wide - Shows extra details including pod IP and node
Key Concept

If you remember nothing else from this pattern, remember: kubenet uses a simple network with NAT and fewer IPs, while Azure CNI assigns real Azure IPs to pods for direct network access.

Common Mistakes
Using kubenet but expecting pods to have Azure VNet IPs.
Kubenet assigns pod IPs from a private range and uses NAT, so pods do not get Azure VNet IPs.
Use Azure CNI network plugin if you want pods to have Azure VNet IP addresses.
Not specifying the subnet ID when creating an Azure CNI cluster.
Azure CNI requires a subnet to assign IPs to pods; missing this causes cluster creation failure.
Always provide the --vnet-subnet-id flag with a valid subnet when using Azure CNI.
Trying to change network plugin after cluster creation.
Network plugin is set at cluster creation and cannot be changed later without recreating the cluster.
Decide on the network plugin before creating the cluster.
Summary
Create AKS clusters with either kubenet or Azure CNI network plugins using az aks create command.
Use kubenet for simpler networking with fewer IPs and NAT, Azure CNI for pods with Azure VNet IPs.
Verify pod IPs and node assignments with kubectl get pods -o wide to understand network behavior.

Practice

(1/5)
1. What is the main difference between kubenet and Azure CNI networking in AKS?
easy
A. Both assign IPs from the Azure subnet but differ in routing protocols.
B. Kubenet uses NAT and assigns pod IPs from a private range, Azure CNI assigns IPs from the Azure subnet directly.
C. Kubenet assigns IPs from the Azure subnet, Azure CNI uses NAT for pod IPs.
D. Azure CNI uses NAT, while kubenet assigns IPs from the Azure subnet.

Solution

  1. Step 1: Understand kubenet networking

    Kubenet assigns pod IPs from a private IP range and uses NAT to allow pods to communicate outside the cluster.

  2. Step 2: Understand Azure CNI networking

    Azure CNI assigns pod IPs directly from the Azure virtual network subnet, allowing pods to have direct IP addresses visible in the Azure network.

  3. Final Answer:

    Kubenet uses NAT and assigns pod IPs from a private range, Azure CNI assigns IPs from the Azure subnet directly. -> Option B

  4. Quick Check:

    Kubenet = NAT, Azure CNI = Azure subnet IPs [OK]
Hint: Kubenet uses NAT; Azure CNI uses Azure subnet IPs [OK]
Common Mistakes:
  • Confusing which method uses NAT
  • Thinking both assign IPs from Azure subnet
  • Assuming Azure CNI uses private IP range
2. Which of the following is the correct way to specify Azure CNI networking when creating an AKS cluster using Azure CLI?
easy
A. az aks create --name myAKS --resource-group myRG --network-plugin azure
B. az aks create --name myAKS --resource-group myRG --network-plugin kubenet
C. az aks create --name myAKS --resource-group myRG --network-plugin azure-cni
D. az aks create --name myAKS --resource-group myRG --network-plugin azurecni

Solution

  1. Step 1: Identify the correct network plugin name for Azure CNI

    The Azure CLI uses the exact string azure to specify Azure CNI networking.

  2. Step 2: Check the command syntax

    The command must include --network-plugin azure to enable Azure CNI networking.

  3. Final Answer:

    az aks create --name myAKS --resource-group myRG --network-plugin azure -> Option A

  4. Quick Check:

    Azure CNI plugin = azure [OK]
Hint: Azure CNI plugin is exactly 'azure' in CLI [OK]
Common Mistakes:
  • Using 'azure-cni' instead of 'azure'
  • Confusing kubenet with Azure CNI plugin name
  • Typos in the network plugin parameter
3. Given an AKS cluster configured with kubenet, what will happen if a pod tries to communicate with another pod in a different node?
medium
A. Pods communicate directly using their Azure subnet IPs without NAT.
B. Pod traffic is blocked by default between nodes.
C. Pods cannot communicate across nodes in kubenet mode.
D. The pod-to-pod traffic will be routed through the node's NAT IP and may require additional routing setup.

Solution

  1. Step 1: Understand pod communication in kubenet mode

    In kubenet, pods get private IPs and use NAT on the node to communicate outside their node.

  2. Step 2: Analyze cross-node pod communication

    Traffic between pods on different nodes goes through the node's NAT IP, requiring routing rules to allow this traffic.

  3. Final Answer:

    The pod-to-pod traffic will be routed through the node's NAT IP and may require additional routing setup. -> Option D

  4. Quick Check:

    Kubenet cross-node uses NAT routing [OK]
Hint: Kubenet pods use NAT IPs for cross-node traffic [OK]
Common Mistakes:
  • Assuming direct pod IP communication in kubenet
  • Thinking pods cannot communicate across nodes
  • Believing pod traffic is blocked by default
4. You deployed an AKS cluster with Azure CNI but pods are not getting IP addresses from the Azure subnet. What is the likely cause?
medium
A. The Azure subnet does not have enough free IP addresses for pods.
B. The cluster was created with kubenet instead of Azure CNI.
C. The pods are configured to use host networking.
D. The Azure CNI plugin is not installed on the nodes.

Solution

  1. Step 1: Check IP availability in Azure subnet

    Azure CNI assigns pod IPs from the Azure subnet. If the subnet IP pool is exhausted, pods cannot get IPs.

  2. Step 2: Verify cluster network plugin and configuration

    Since the cluster is deployed with Azure CNI, the plugin is installed. Host networking would not prevent IP assignment.

  3. Final Answer:

    The Azure subnet does not have enough free IP addresses for pods. -> Option A

  4. Quick Check:

    Subnet IP exhaustion blocks pod IP assignment [OK]
Hint: Check subnet IP availability first for Azure CNI issues [OK]
Common Mistakes:
  • Assuming plugin is missing when cluster uses Azure CNI
  • Ignoring subnet IP exhaustion
  • Confusing host networking with IP assignment
5. You want to deploy an AKS cluster that allows pods to communicate directly with other Azure resources in the same virtual network using their pod IPs. Which networking option should you choose and why?
hard
A. Use kubenet with additional routing rules to enable pod IP visibility.
B. Use kubenet because it saves IP addresses and allows direct pod IP communication.
C. Use Azure CNI because it assigns pod IPs from the Azure subnet enabling direct communication with Azure resources.
D. Use Azure CNI but disable IP assignment to pods for better security.

Solution

  1. Step 1: Identify networking needs for direct pod-to-Azure resource communication

    Direct communication requires pods to have IPs visible in the Azure virtual network.

  2. Step 2: Compare kubenet and Azure CNI capabilities

    Kubenet uses NAT and private IPs, so pods are not directly reachable. Azure CNI assigns pod IPs from the Azure subnet, enabling direct communication.

  3. Final Answer:

    Use Azure CNI because it assigns pod IPs from the Azure subnet enabling direct communication with Azure resources. -> Option C

  4. Quick Check:

    Azure CNI = direct pod IPs in Azure subnet [OK]
Hint: Azure CNI enables direct pod IP communication with Azure resources [OK]
Common Mistakes:
  • Choosing kubenet for direct pod IP communication
  • Thinking kubenet allows direct pod IP visibility
  • Disabling IP assignment in Azure CNI disables communication