Calico Open Source 3.30 (latest) documentation

Microsoft Azure Kubernetes Service (AKS)

Enable Calico in AKS managed Kubernetes service.

Using Calico with AKS

Azure Kubernetes Service (AKS) supports multiple configurations for networking and network policy using Calico. Your choice determines how networking is implemented, who manages Calico, and which features are available.

Option 1: Azure-managed Calico (built-in)

With this option, AKS uses the Azure CNI plugin for networking and the Azure-managed Calico implementation for network policy.

  • Networking: Provided by Azure CNI
  • Network policy: Implemented by Azure-managed Calico
  • Management: Calico components are installed, upgraded, and supported by Azure
  • Features: Full Kubernetes Network Policy API (standard features only)

Option 2: Self-managed Calico for network policy

In this setup, your cluster still uses Azure CNI for networking, but you install and manage Calico yourself to enable advanced policy and observability capabilities.

  • Networking: Provided by Azure CNI
  • Network policy: Implemented by self-managed Calico
  • Management: You install, configure, and upgrade Calico
  • Support:
    • Cluster supported by Azure
    • Calico features supported by the community or a commercial support plan
  • Features:
    • Advanced Calico policy and global network policy
    • Whisker observability and other enterprise-grade capabilities

This approach gives you more control and access to advanced Calico policy features while still benefiting from Azure’s managed networking infrastructure.

Option 3: Self-managed Calico for networking and network policy

You can also use Calico CNI as the primary networking plugin in AKS, replacing Azure CNI entirely. This configuration provides the full Calico networking and policy feature set.

  • Networking: Provided by Calico CNI
  • Network policy: Implemented by Calico
  • Management: You install, configure, and upgrade Calico
  • Support:
    • Cluster supported by Azure
    • Calico features supported by the community or a commercial support plan
  • Features:
    • Full Calico networking stack
    • Advanced policy, global policy, and observability tools

This option gives you maximum flexibility and functionality, but requires you to manage Calico yourself.

Prerequisites

  • You have an Azure account with permissions to create resource groups and AKS clusters.
  • You installed and configured the az command line tool.

Install AKS with Azure CNI for networking and Azure-managed Calico for network policy

  1. To create a cluster with Azure-managed Calico for policy, run the following commands:

    # Create a resource group
    az group create --name my-calico-rg --location westcentralus

    # Create the AKS cluster with Azure CNI and Azure-managed Calico network policy
    az aks create \
      --resource-group my-calico-rg \
      --name my-calico-cluster \
      --location westcentralus \
      --pod-cidr 192.168.0.0/16 \
      --network-plugin azure \
      --network-policy calico

Install AKS with Azure CNI for networking and self-managed Calico for network policy

  1. Create an Azure AKS cluster with Azure CNI for networking and no configuration for network policy:

    # Create a resource group
    az group create --name my-calico-rg --location westcentralus

    # Create the AKS cluster with Azure CNI and no network policy engine
    az aks create \
      --resource-group my-calico-rg \
      --name my-calico-cluster \
      --location westcentralus \
      --pod-cidr 192.168.0.0/16 \
      --network-plugin azure \
      --network-policy none

  2. Get credentials to allow you to access the cluster with kubectl:

    az aks get-credentials --resource-group my-calico-rg --name my-calico-cluster

    Now that you have a cluster configured, you can install Calico.

  3. Install the Tigera Operator and custom resource definitions:

    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.30.3/manifests/operator-crds.yaml
    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.30.3/manifests/tigera-operator.yaml
  4. Complete the installation by providing the configuration for Calico:

    kubectl create -f - <<EOF
    kind: Installation
    apiVersion: operator.tigera.io/v1
    metadata:
      name: default
    spec:
      kubernetesProvider: AKS
      cni:
        type: AzureVNET

    ---

    # This section configures the Calico API server.
    # For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.APIServer
    apiVersion: operator.tigera.io/v1
    kind: APIServer
    metadata:
      name: default
    spec: {}

    ---

    # Configures the Calico Goldmane flow aggregator.
    apiVersion: operator.tigera.io/v1
    kind: Goldmane
    metadata:
      name: default

    ---

    # Configures the Calico Whisker observability UI.
    apiVersion: operator.tigera.io/v1
    kind: Whisker
    metadata:
      name: default
    EOF

  5. Confirm that Calico is up and running:

    kubectl get tigerastatus

    Expected output:

    NAME        AVAILABLE   PROGRESSING   DEGRADED   SINCE
    apiserver   True        False         False      100s
    calico      True        False         False      50s
    goldmane    True        False         False      55s
    ippools     True        False         False      105s
    whisker     True        False         False      80s

    Check that all components report AVAILABLE as True.

Install AKS with self-managed Calico for networking and network policy

  1. Create an Azure AKS cluster with no Kubernetes CNI pre-installed. Please refer to Bring your own CNI with AKS for details.

    # Create a resource group
    az group create --name my-calico-rg --location westcentralus

    # Create the AKS cluster with no CNI plugin pre-installed
    az aks create \
      --resource-group my-calico-rg \
      --name my-calico-cluster \
      --location westcentralus \
      --pod-cidr 192.168.0.0/16 \
      --network-plugin none

  2. Get credentials to allow you to access the cluster with kubectl:

    az aks get-credentials --resource-group my-calico-rg --name my-calico-cluster
  3. Now that you have a cluster configured, you can install Calico.

  4. Install the Tigera Operator and custom resource definitions.

    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.30.3/manifests/operator-crds.yaml
    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.30.3/manifests/tigera-operator.yaml
  5. Complete the installation by providing the configuration for Calico:

    kubectl create -f - <<EOF
    kind: Installation
    apiVersion: operator.tigera.io/v1
    metadata:
      name: default
    spec:
      kubernetesProvider: AKS
      cni:
        type: Calico
      calicoNetwork:
        bgp: Disabled
        ipPools:
          - cidr: 192.168.0.0/16
            encapsulation: VXLAN

    ---

    # This section configures the Calico API server.
    # For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.APIServer
    apiVersion: operator.tigera.io/v1
    kind: APIServer
    metadata:
      name: default
    spec: {}

    ---

    # Configures the Calico Goldmane flow aggregator.
    apiVersion: operator.tigera.io/v1
    kind: Goldmane
    metadata:
      name: default

    ---

    # Configures the Calico Whisker observability UI.
    apiVersion: operator.tigera.io/v1
    kind: Whisker
    metadata:
      name: default
    EOF

  6. Confirm that Calico is up and running:

    kubectl get tigerastatus

    Expected output:

    NAME        AVAILABLE   PROGRESSING   DEGRADED   SINCE
    apiserver   True        False         False      100s
    calico      True        False         False      50s
    goldmane    True        False         False      55s
    ippools     True        False         False      105s
    whisker     True        False         False      80s

    Check that all components report AVAILABLE as True.
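
The final check in both self-managed procedures can be turned into a script gate, as in this added example (not part of the Calico documentation). The names `check_tigerastatus` and `REQUIRED` and both sample tables are constructed for illustration; the component list comes from the expected output above. The script goes beyond the step's wording by also failing on DEGRADED=True and on a missing component.

```shell
# Added example: gate a pipeline on `kubectl get tigerastatus` output (read on stdin).
# Component names are taken from the page's expected output.
REQUIRED="apiserver calico goldmane ippools whisker"

# Prints one line per problem; returns 0 only if every required component
# is present, AVAILABLE=True and not DEGRADED=True. A row with an empty
# AVAILABLE column is reported too, so the check fails closed.
check_tigerastatus() {
    awk -v required="$REQUIRED" '
        $1 == "NAME" || NF == 0 { next }            # header and blank lines
        {
            seen[$1] = 1
            if ($2 != "True") { printf "%s: AVAILABLE=%s\n", $1, $2; bad = 1 }
            if ($4 == "True") { printf "%s: DEGRADED=True\n", $1; bad = 1 }
        }
        END {
            n = split(required, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { printf "%s: missing\n", req[i]; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: the healthy output shown on this page.
sample_healthy() {
    cat <<'EOF'
NAME        AVAILABLE   PROGRESSING   DEGRADED   SINCE
apiserver   True        False         False      100s
calico      True        False         False      50s
goldmane    True        False         False      55s
ippools     True        False         False      105s
whisker     True        False         False      80s
EOF
}

# Constructed sample: goldmane still rolling out, whisker not created yet.
sample_rollout() {
    cat <<'EOF'
NAME        AVAILABLE   PROGRESSING   DEGRADED   SINCE
apiserver   True        False         False      100s
calico      True        False         False      50s
goldmane    False       True          False      5s
ippools     True        False         False      105s
EOF
}

# Against a live cluster: kubectl get tigerastatus | check_tigerastatus
sample_healthy | check_tigerastatus && echo "healthy sample: ready"
sample_rollout | check_tigerastatus || echo "rollout sample: not ready"
```

For the Azure-managed option, adjust `REQUIRED` to the components that installation actually reports.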
