
AKS networking (kubenet, Azure CNI) - Commands & Configuration

Introduction
When you create a Kubernetes cluster in Azure, you need to decide how the network connects your containers and nodes. AKS offers two main ways: kubenet and Azure CNI. These control how your apps talk to each other and the outside world.
When you want a simple network setup with fewer IP addresses used, kubenet is a good choice.
When your app needs to have IP addresses from your Azure virtual network, use Azure CNI.
When you want your pods to communicate directly with other Azure resources using native IPs, choose Azure CNI.
When you want to save IP addresses and have a smaller network footprint, kubenet helps.
When you need your pods to be reachable from outside the cluster with their own IPs, Azure CNI is better.
Config File - aks-network-config.yaml
apiVersion: azure.microsoft.com/v1
kind: AKSCluster
location: eastus
properties:
  dnsPrefix: myakscluster
  agentPoolProfiles:
  - name: nodepool1
    count: 3
    vmSize: Standard_DS2_v2
  networkProfile:
    networkPlugin: azure
    networkPolicy: azure
    serviceCidr: 10.0.0.0/16
    dnsServiceIP: 10.0.0.10
    dockerBridgeCidr: 172.17.0.0/16

This file shows a basic AKS cluster configuration using Azure CNI networking.

networkPlugin: azure means Azure CNI is used, giving pods IPs from the Azure VNet.

serviceCidr defines the IP range for Kubernetes services.

dnsServiceIP is the IP for the cluster DNS service.

dockerBridgeCidr is the IP range for the Docker bridge network.
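
The ranges in this file have to be consistent with each other and with the VNet subnet, and with Azure CNI the subnet must also be large enough for every pod. The preflight check below is an added example, not part of the original page or of any AKS tooling; the subnet CIDRs, the default of 30 pods per node, and the one spare node kept for upgrades are assumptions.

```python
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5  # Azure reserves 5 addresses in every subnet

def required_ips(plugin, node_count, max_pods):
    """VNet addresses needed, with one spare node for upgrade surge (assumed)."""
    nodes = node_count + 1
    if plugin == "azure":          # Azure CNI: every pod takes a VNet IP
        return nodes * (max_pods + 1)
    return nodes                   # kubenet: only the nodes take VNet IPs

def check_network_profile(profile, subnet_cidr, node_count, max_pods=30):
    """Return a list of findings; an empty list means the plan is consistent.
    max_pods=30 is an assumed per-node default for Azure CNI."""
    findings = []
    subnet = ipaddress.ip_network(subnet_cidr)
    service = ipaddress.ip_network(profile["serviceCidr"])
    bridge = ipaddress.ip_network(profile["dockerBridgeCidr"])
    dns = ipaddress.ip_address(profile["dnsServiceIP"])

    if dns not in service:
        findings.append("dnsServiceIP is outside serviceCidr")
    elif dns in (service.network_address, service.network_address + 1):
        findings.append("dnsServiceIP uses an address reserved at the start of serviceCidr")
    if service.overlaps(subnet):
        findings.append("serviceCidr overlaps the VNet subnet")
    if bridge.overlaps(subnet) or bridge.overlaps(service):
        findings.append("dockerBridgeCidr overlaps another range")

    need = required_ips(profile["networkPlugin"], node_count, max_pods)
    usable = subnet.num_addresses - AZURE_RESERVED_PER_SUBNET
    if need > usable:
        findings.append(f"subnet has {usable} usable IPs, plan needs {need}")
    return findings

# networkProfile values from aks-network-config.yaml above.
PROFILE = {
    "networkPlugin": "azure",
    "serviceCidr": "10.0.0.0/16",
    "dnsServiceIP": "10.0.0.10",
    "dockerBridgeCidr": "172.17.0.0/16",
}

if __name__ == "__main__":
    # Constructed subnets: one that fits, one too small, one that overlaps.
    for cidr in ("10.240.0.0/24", "10.240.0.0/25", "10.0.4.0/24"):
        print(cidr, check_network_profile(PROFILE, cidr, node_count=3) or "ok")
```

With 3 nodes, the /25 subnet fails by a single address under Azure CNI, while the same subnet passes for kubenet because only the nodes consume VNet IPs.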

Commands
This command creates an AKS cluster using the kubenet network plugin. It sets up 3 nodes and generates SSH keys for access.
Terminal
az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 3 --network-plugin kubenet --generate-ssh-keys
Expected Output
Waiting for AAD role to propagate
Creating resource group 'myResourceGroup'...
Creating AKS cluster 'myAKSCluster' with kubenet networking...
Succeeded
Kubernetes master is running at https://myakscluster-12345.hcp.eastus.azmk8s.io
You can use kubectl to connect to the cluster.
--network-plugin - Specifies the network plugin to use (kubenet or azure)
--node-count - Number of nodes in the cluster
--generate-ssh-keys - Automatically creates SSH keys for node access
This command creates an AKS cluster using Azure CNI networking. It assigns pod IPs from the specified Azure subnet.
Terminal
az aks create --resource-group myResourceGroup --name myAKSClusterAzureCNI --node-count 3 --network-plugin azure --vnet-subnet-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet --generate-ssh-keys
Expected Output
Waiting for AAD role to propagate
Creating resource group 'myResourceGroup'...
Creating AKS cluster 'myAKSClusterAzureCNI' with Azure CNI networking...
Succeeded
Kubernetes master is running at https://myaksclusterazurecni-12345.hcp.eastus.azmk8s.io
You can use kubectl to connect to the cluster.
--network-plugin - Specifies the network plugin to use (kubenet or azure)
--vnet-subnet-id - Specifies the Azure subnet for pod IPs
--generate-ssh-keys - Automatically creates SSH keys for node access
This command lists all pods with their IP addresses and node assignments, helping verify the network plugin behavior.
Terminal
kubectl get pods -o wide
Expected Output
NAME                                READY   STATUS    RESTARTS   AGE   IP           NODE
nginx-deployment-5c689d4b7f-abcde   1/1     Running   0          5m    10.240.0.5   aks-nodepool1-12345678-vmss000000
-o wide - Shows extra details including pod IP and node
Key Concept

If you remember nothing else from this pattern, remember: kubenet uses a simple network with NAT and fewer IPs, while Azure CNI assigns real Azure IPs to pods for direct network access.

Common Mistakes
Using kubenet but expecting pods to have Azure VNet IPs.
Kubenet assigns pod IPs from a private range and uses NAT, so pods do not get Azure VNet IPs.
Use Azure CNI network plugin if you want pods to have Azure VNet IP addresses.

Not specifying the subnet ID when creating an Azure CNI cluster.
Azure CNI requires a subnet to assign IPs to pods; missing this causes cluster creation failure.
Always provide the --vnet-subnet-id flag with a valid subnet when using Azure CNI.

Trying to change network plugin after cluster creation.
Network plugin is set at cluster creation and cannot be changed later without recreating the cluster.
Decide on the network plugin before creating the cluster.
Summary
Create AKS clusters with either the kubenet or Azure CNI network plugin using the az aks create command.
Use kubenet for simpler networking with fewer IPs and NAT; use Azure CNI for pods with Azure VNet IPs.
Verify pod IPs and node assignments with kubectl get pods -o wide to understand network behavior.