Azure Kubernetes Service (AKS) Enterprise Guide 2026: Architecture, Security, and Operations
Azure Kubernetes Service is the dominant managed Kubernetes platform for enterprises running on Azure. This guide covers enterprise AKS cluster architecture, networking (Azure CNI, Kubenet, CNI Overlay), security hardening with Entra ID and pod identity, autoscaling strategies, monitoring with Prometheus and Grafana, and GitOps with Flux — based on EPC Group's 150+ enterprise AKS deployments.
Why AKS for Enterprise Container Workloads
Kubernetes has become the standard runtime for containerized enterprise applications. According to the 2025 CNCF Survey, 96% of organizations are either using or evaluating Kubernetes. Azure Kubernetes Service simplifies Kubernetes operations by managing the control plane, providing built-in integration with Azure services, and offering a 99.95% uptime SLA for the API server.
At EPC Group, our Azure cloud consulting practice has deployed AKS for over 150 enterprise organizations — from startups running a single microservice to Fortune 500 companies operating 100+ clusters across multiple regions. The organizations that succeed with AKS invest in three areas: networking architecture, security hardening, and operational maturity (monitoring, GitOps, incident response).
AKS vs. Other Azure Compute Options
| Platform | Best For | Complexity | Scaling |
|---|---|---|---|
| AKS | Microservices, multi-container apps, CI/CD pipelines | High (Kubernetes expertise required) | Granular (pod + node level) |
| Azure Container Apps | Event-driven microservices, APIs, background jobs | Low (serverless containers) | Auto (KEDA-based) |
| Azure App Service | Web apps, REST APIs, simple deployments | Low (PaaS) | Instance-based |
| Azure Functions | Event-driven, short-lived, serverless | Minimal | Per-invocation |
Enterprise Cluster Architecture
Enterprise AKS architecture integrates with your Azure Landing Zone and follows hub-spoke networking. The AKS cluster resides in a dedicated spoke VNet, peered to the hub for centralized firewall, DNS, and hybrid connectivity.
Enterprise AKS Architecture
┌─────────────────────────────────────────────────────┐
│ AKS Control Plane (Microsoft-managed, free) │
│ ├── API Server (private endpoint) │
│ ├── etcd (managed, encrypted at rest) │
│ ├── Controller Manager │
│ └── Scheduler │
└──────────────────┬──────────────────────────────────┘
│ Private Link
┌──────────────────▼──────────────────────────────────┐
│ Hub VNet (Connectivity Subscription) │
│ ├── Azure Firewall (egress filtering) │
│ ├── Azure DNS Private Resolver │
│ └── ExpressRoute / VPN Gateway │
└──────────────────┬──────────────────────────────────┘
│ VNet Peering
┌──────────────────▼──────────────────────────────────┐
│ AKS Spoke VNet │
│ ├── Subnet: System Node Pool (3+ nodes, no workloads)│
│ ├── Subnet: App Node Pool (user workloads, autoscale)│
│ ├── Subnet: GPU Node Pool (ML/AI workloads) │
│ ├── Subnet: Internal LB (services, ingress) │
│ └── Subnet: Private Endpoints (ACR, Key Vault, DB) │
├─────────────────────────────────────────────────────┤
│ Supporting Services │
│ ├── Azure Container Registry (Premium, geo-replicated)│
│ ├── Azure Key Vault (secrets, certificates) │
│ ├── Azure Monitor (Container Insights, Prometheus) │
│ └── Azure Policy (Kubernetes policy enforcement) │
└─────────────────────────────────────────────────────┘Node Pool Design
- System node pool: Dedicated to system pods (CoreDNS, metrics-server, konnectivity-agent). Use 3 nodes minimum across availability zones. Taint with
CriticalAddonsOnly=true:NoScheduleto prevent application workloads from scheduling on system nodes. Standard_D4s_v5 (4 vCPU, 16 GB RAM) is the recommended size. - Application node pool(s): Run user workloads. Create separate node pools for different workload profiles — general compute (D-series), memory-optimized (E-series), and GPU (N-series). Enable Cluster Autoscaler with min/max node counts based on workload requirements.
- Spot node pool: For fault-tolerant workloads (batch processing, CI/CD build agents), add a Spot node pool to save 60-90% on compute. Spot nodes can be evicted with 30-second notice, so only schedule workloads that handle interruptions gracefully.
- Availability zones: Spread node pools across 3 availability zones for high availability. Combined with pod topology spread constraints, this ensures workloads survive a full zone failure.
Networking: CNI, Kubenet, and CNI Overlay
AKS networking determines how pods communicate with each other, with Azure services, and with external networks. The networking plugin choice impacts IP address planning, security policy enforcement, and cluster scalability.
Networking Plugin Comparison
| Feature | Azure CNI | Azure CNI Overlay | Kubenet |
|---|---|---|---|
| Pod IP assignment | VNet IPs (one per pod) | Overlay IPs (private CIDR) | NAT overlay |
| IP address consumption | High (node + max pods) | Low (nodes only) | Low (nodes only) |
| Pod-to-VNet direct routing | Yes | No (via node NAT) | No (via node NAT) |
| Windows node pools | Yes | Yes | No |
| Network policies | Azure + Calico | Azure + Calico | Calico only |
| Max pods per node | 250 | 250 | 110 |
| EPC recommendation | Legacy direct-route needs | Default for new clusters | Dev/test only |
IP Address Planning
With traditional Azure CNI, a 100-node cluster running 30 pods per node requires 3,000 VNet IP addresses for pods alone (plus 100 for nodes and reserve IPs). This quickly exhausts /16 address spaces in enterprise environments with many VNets. Azure CNI Overlay solves this by assigning pods IPs from a separate overlay CIDR (e.g., 10.244.0.0/16) that does not consume VNet address space. The VNet only needs IPs for nodes (100 IPs in this example). EPC Group recommends Azure CNI Overlay for all new enterprise clusters.
Ingress Architecture
Enterprise AKS ingress typically uses one of two patterns, depending on the organization's networking requirements:
- NGINX Ingress Controller (internal): Deploy NGINX Ingress Controller with an internal Azure Load Balancer. Route external traffic through Azure Application Gateway or Azure Front Door to the internal LB. This provides WAF, SSL offloading, and DDoS protection at the edge before traffic reaches the cluster.
- Application Gateway Ingress Controller (AGIC): Use Azure Application Gateway as the ingress controller natively. AGIC watches Kubernetes Ingress resources and configures Application Gateway automatically. This integrates WAF v2, SSL termination, and path-based routing directly with AKS. Best for organizations that standardize on Azure-native networking.
Security Hardening
AKS security requires defense-in-depth across the cluster, node, pod, and container layers. Our Azure security best practices guide covers the broader Azure security model; here we focus on AKS-specific hardening.
Cluster Security
- Private cluster: API server accessible only via private endpoint (no public IP)
- Authorized IP ranges: If public API server is required, restrict to known corporate IP ranges
- AKS Automatic: Enable for auto-patching of node OS images within 24 hours of CVE release
- Kubernetes version: Use the latest stable N-1 version (not bleeding edge, not outdated)
- Azure Policy: Apply "Kubernetes cluster pod security restricted standards" built-in initiative
Node Security
- Node image: Use AKS Ubuntu or Azure Linux (Mariner) with FIPS-enabled images for compliance
- SSH access: Disable SSH to nodes in production. Use Azure Bastion + kubectl for troubleshooting
- Node OS disk encryption: Enable host-based encryption for OS and temp disks (EncryptionAtHost)
- Confidential VMs: For sensitive workloads, use DCasv5/ECasv5 confidential VMs with SEV-SNP
Pod Security
- Pod Security Standards: Enforce "restricted" profile (non-root, read-only root filesystem, no privilege escalation)
- Network policies: Default deny all ingress/egress; explicitly allow required communication paths
- Resource limits: Set CPU and memory requests/limits on all pods to prevent noisy neighbors
- Service mesh: Use Istio or Linkerd for mTLS between services, traffic management, and observability
Container Security
- Image scanning: Microsoft Defender for Containers scans ACR images for CVEs on push and continuously
- Image provenance: Enable Notation (Notary v2) for container image signing and verification
- Base images: Use Microsoft-maintained base images (mcr.microsoft.com) with regular updates
- ACR tasks: Automate base image rebuild when upstream images are updated
Identity: Entra ID and Workload Identity
AKS integrates with Entra ID for both cluster operator authentication (kubectl access) and application-level authentication (pods accessing Azure resources). This eliminates the need for static credentials in pods and provides audit trails for all cluster access.
Cluster Operator Authentication
- Entra ID integration: Enable AKS-managed Entra ID integration. Operators authenticate with their Entra ID identity via
az aks get-credentials. MFA and Conditional Access policies from your Entra ID configuration apply to cluster access. - Kubernetes RBAC: Map Entra ID groups to Kubernetes ClusterRoles and Roles. Example: "AKS-Cluster-Admins" group bound to cluster-admin ClusterRole, "AKS-App-Developers" group bound to namespace-scoped Role with create/read/update on pods, deployments, and services.
- Just-in-time access: Use Entra ID PIM for the AKS admin group. Operators activate their admin membership on demand with time-limited access, approval workflow, and justification.
Workload Identity (Pod Identity)
AKS Workload Identity is the recommended method for pods to authenticate to Azure services (Azure SQL, Cosmos DB, Key Vault, Storage) without storing credentials. It replaces the deprecated AAD Pod Identity v1.
- How it works: A Kubernetes service account is federated with an Entra ID managed identity. When a pod uses that service account, AKS exchanges a Kubernetes token for an Entra ID token via OIDC federation. The pod receives an Azure access token without any stored secrets.
- Configuration: Create a user-assigned managed identity, establish a federated credential pointing to the AKS OIDC issuer and Kubernetes service account, and annotate the service account with the client ID. Grant the managed identity permissions on target Azure resources using RBAC.
- Secret management: Use Azure Key Vault with the Secrets Store CSI Driver. Workload Identity authenticates to Key Vault, and the CSI driver mounts secrets as files in the pod. Never store secrets in Kubernetes Secrets objects — they are base64 encoded, not encrypted.
Autoscaling Strategies
AKS provides three autoscaling mechanisms that work together to handle variable workloads efficiently. Properly configured autoscaling eliminates both over-provisioning waste and under-provisioning performance degradation.
Three-Layer Autoscaling Stack
Autoscaling Layers ┌─────────────────────────────────────────────────────┐ │ Layer 3: Cluster Autoscaler │ │ ├── Scales nodes (add/remove VMs) │ │ ├── Triggers: pending pods that cannot be scheduled │ │ └── Config: min 3, max 50 nodes per pool │ ├─────────────────────────────────────────────────────┤ │ Layer 2: HPA (Horizontal Pod Autoscaler) │ │ ├── Scales pods (add/remove replicas) │ │ ├── Triggers: CPU > 70%, custom metrics │ │ └── Config: min 2, max 20 replicas per deployment │ ├─────────────────────────────────────────────────────┤ │ Layer 1: KEDA (Event-Driven Autoscaling) │ │ ├── Extends HPA with event triggers │ │ ├── Triggers: Queue depth, HTTP rate, cron schedule │ │ └── Scale-to-zero supported for event consumers │ └─────────────────────────────────────────────────────┘
Monitoring with Prometheus and Grafana
AKS monitoring requires both infrastructure-level metrics (node CPU, memory, disk) and application-level metrics (request latency, error rates, throughput). Azure Monitor Container Insights provides the infrastructure layer; Prometheus and Grafana provide the application layer.
Monitoring Stack Architecture
- Azure Monitor Container Insights: Enable by default on all AKS clusters. Provides node-level metrics, pod-level metrics, container logs (stdout/stderr), and Kubernetes events. Data stored in Log Analytics workspace with 30-90 day retention.
- Azure Managed Prometheus: Deploy Azure Managed Prometheus (Azure Monitor managed service for Prometheus) for application-level metrics. This provides a fully managed Prometheus-compatible metrics store without the operational overhead of self-hosted Prometheus. Pods expose /metrics endpoints scraped by the managed Prometheus agent.
- Azure Managed Grafana: Deploy Azure Managed Grafana for dashboarding. Pre-built dashboards for AKS, Kubernetes, and custom application metrics connect to both Azure Monitor and Managed Prometheus data sources. EPC Group provides standardized Grafana dashboard templates for enterprise AKS deployments.
- Alerting: Configure Azure Monitor alerts for critical conditions: node not ready, pod crash loop, high restart count, OOM kills, persistent volume claim errors, and certificate expiration. Integrate with PagerDuty, Opsgenie, or ServiceNow for incident management.
GitOps with Flux
GitOps is the operational model where the desired state of the cluster is declared in Git, and an in-cluster agent continuously reconciles the actual state to match. AKS natively supports Flux v2 through the Microsoft.KubernetesConfiguration extension.
GitOps Architecture
- Repository structure: Use a monorepo or multi-repo strategy. Monorepo places all cluster configuration in a single repository with directory-per-namespace structure. Multi-repo separates platform configuration (ingress, monitoring, policies) from application configuration. EPC Group recommends multi-repo for enterprises with separate platform and application teams.
- Flux configuration types: GitRepository (source), Kustomization (reconciliation), HelmRepository (Helm chart source), HelmRelease (Helm chart deployment). Each Flux resource specifies reconciliation interval, health checks, and remediation behavior.
- Secret management in GitOps: Never store secrets in Git repositories. Use Mozilla SOPS with Azure Key Vault for encrypting secrets in Git (Flux decrypts at reconciliation time) or use the External Secrets Operator to sync secrets from Azure Key Vault directly into Kubernetes.
- Progressive delivery: Implement Flagger (CNCF project) with Flux for automated canary deployments. Flagger gradually shifts traffic to new versions, monitors success metrics, and automatically rolls back if error rates exceed thresholds. This is particularly valuable for production workloads in our enterprise CI/CD pipelines.
Cost Optimization
AKS cost optimization focuses on right-sizing nodes, leveraging Spot VMs, scheduling optimization, and Azure Reservations. Our Azure cost optimization guide covers the broader Azure cost model.
Cost Optimization Strategies
- Right-size nodes: Monitor actual CPU and memory utilization. If nodes average 30% utilization, switch to smaller VM SKUs. Use Vertical Pod Autoscaler recommendations to right-size pod resource requests.
- Spot node pools: Add Spot node pools for fault-tolerant workloads. Spot pricing saves 60-90% on compute. Configure pod tolerations and node affinity to schedule appropriate workloads on Spot nodes.
- Cluster Autoscaler tuning: Set aggressive scale-down thresholds. Default scale-down utilization threshold is 50% — increase to 65% for more aggressive node removal. Set scale-down delay after add to 5 minutes (default 10 minutes) for faster cost recovery after traffic spikes.
- Azure Reservations: Purchase 1-year or 3-year reservations for baseline node VMs (the minimum node count you always run). Savings: 30-60% compared to pay-as-you-go.
- Dev/test cluster scheduling: Use start/stop cluster feature to shutdown non-production AKS clusters outside business hours. Saves 100% of compute costs during off-hours (60%+ of total dev/test cost).
Partner with EPC Group
EPC Group is a Microsoft Gold Partner with over 150 enterprise AKS deployments across healthcare, financial services, and government. Our Azure cloud consulting team delivers end-to-end AKS solutions — from cluster architecture design and networking planning through security hardening, GitOps implementation, and ongoing operations. We specialize in regulated environments where HIPAA, SOC 2, and FedRAMP compliance is non-negotiable.
Frequently Asked Questions
What is Azure Kubernetes Service (AKS)?
Azure Kubernetes Service (AKS) is a managed Kubernetes platform on Azure that handles control plane management, automatic upgrades, patching, and scaling. Microsoft manages the Kubernetes API server, etcd, controller manager, and scheduler at no cost — you only pay for the worker node VMs and associated resources (storage, networking, load balancers). AKS supports Kubernetes versions within the N-2 support window, provides integrated Azure AD (Entra ID) authentication, Azure Monitor Container Insights, and native integration with Azure Container Registry (ACR), Azure Key Vault, and Azure Policy.
How much does AKS cost?
The AKS control plane is free for the Standard tier (includes uptime SLA) and the managed Kubernetes API server. You pay for worker node VMs (compute), managed disks (storage), Azure Load Balancer or Application Gateway (networking), container registry (ACR), and egress bandwidth. A typical 3-node production cluster using Standard_D4s_v5 VMs (4 vCPU, 16 GB RAM) costs approximately $400-$600/month for compute. With Azure Reserved Instances (1-year), this drops to $250-$400/month. Add $100-$200/month for networking and storage. Enterprise clusters with autoscaling, monitoring, and multiple node pools typically cost $2,000-$10,000/month depending on workload scale.
Should I use Azure CNI or Kubenet networking for AKS?
Azure CNI assigns real VNet IP addresses to each pod, enabling direct pod-to-VNet communication without NAT. Use Azure CNI for production enterprise clusters that need Windows node pools, direct pod connectivity to Azure services via private endpoints, or advanced networking features (Network Policy, Azure Network Policy Manager). Kubenet uses a NAT overlay network where pods get IPs from a secondary CIDR range. Use Kubenet only for simple dev/test clusters or when VNet IP address space is extremely limited. For most enterprise deployments, EPC Group recommends Azure CNI Overlay — it provides CNI benefits with efficient IP address management using an overlay network.
How do I secure AKS for production workloads?
Production AKS security requires multiple layers: Entra ID integration with Kubernetes RBAC for authentication/authorization, Azure Policy with built-in AKS security initiatives, private cluster (API server not exposed to public internet), Azure Defender for Containers for runtime threat detection, network policies to restrict pod-to-pod traffic, pod security standards (restricted mode), Azure Key Vault provider for secrets management (never store secrets in Kubernetes Secrets directly), container image scanning in ACR with Microsoft Defender, and managed identities for pod-to-Azure-service authentication (workload identity). EPC Group deploys all production clusters with CIS Kubernetes Benchmark compliance validation.
What is GitOps for AKS and how does it work?
GitOps uses Git repositories as the single source of truth for Kubernetes cluster configuration and application deployments. With AKS, Microsoft supports Flux v2 as the built-in GitOps engine through the AKS GitOps extension. Flux continuously reconciles the cluster state with the desired state defined in Git. When a developer merges a pull request that updates a Kubernetes manifest or Helm chart, Flux automatically detects the change and applies it to the cluster. This eliminates kubectl apply from CI/CD pipelines, provides a complete audit trail via Git history, enables easy rollback (git revert), and enforces the principle that no manual changes are made to the cluster.
How does AKS autoscaling work?
AKS provides three levels of autoscaling: Horizontal Pod Autoscaler (HPA) scales the number of pod replicas based on CPU, memory, or custom metrics. Vertical Pod Autoscaler (VPA) adjusts pod resource requests and limits based on historical usage. Cluster Autoscaler adjusts the number of worker nodes based on pending pod scheduling requests. For production, EPC Group recommends HPA combined with Cluster Autoscaler — HPA scales pods to handle increased traffic, and when pods cannot be scheduled due to insufficient node resources, Cluster Autoscaler adds nodes to the node pool. KEDA (Kubernetes Event-Driven Autoscaling) extends HPA with event-driven triggers (Azure Service Bus queue depth, HTTP request rate) for more responsive scaling.