AKS Add-ons

AKS add-ons are Kubernetes software components that extend cluster functionality. AKS provides managed add-ons for essential components like HTTP application routing, monitoring, and virtual nodes, plus support for installing popular third-party add-ons for networking, security, and more.

AKS Add-ons Overview

AKS add-ons extend cluster functionality:

graph TB
    subgraph aks_addons[AKS Managed Add-ons]
        HTTP[HTTP Application Routing]
        MON[Monitoring]
        VN[Virtual Nodes]
        CNI[Azure CNI]
    end
    subgraph third_party[Third-Party Add-ons]
        PROMETHEUS[Prometheus]
        GRAFANA[Grafana]
        CALICO[Calico]
        EXTERNAL_SECRETS[External Secrets]
    end
    AKS_CLUSTER[AKS Cluster] --> HTTP
    AKS_CLUSTER --> MON
    AKS_CLUSTER --> VN
    AKS_CLUSTER --> PROMETHEUS
    AKS_CLUSTER --> GRAFANA
    style AKS_CLUSTER fill:#e1f5ff
    style HTTP fill:#fff4e1
    style PROMETHEUS fill:#e8f5e9

AKS Managed Add-ons

HTTP Application Routing

HTTP Application Routing provides automatic DNS name resolution and an Ingress controller:

# Enable HTTP application routing
az aks enable-addons \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --addons http_application_routing

Features:

  • Automatic DNS name resolution
  • Ingress controller
  • Simple HTTP routing
  • Good for development/testing

Usage:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: addon-http-application-routing
spec:
  rules:
  - host: web.1234567890123456789012.eastus.aksapp.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80

Monitoring (Azure Monitor)

Azure Monitor for Containers provides metrics and logs:

# Enable monitoring
az aks enable-addons \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --addons monitoring \
  --workspace-resource-id /subscriptions/.../resourcegroups/.../providers/Microsoft.OperationalInsights/workspaces/myWorkspace

Features:

  • Automatic metrics collection
  • Log aggregation
  • Container Insights dashboard
  • Alerting

Virtual Nodes

Virtual nodes provide serverless scaling with Azure Container Instances:

# Enable virtual nodes
az aks enable-addons \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --addons virtual-node \
  --subnet-name myVirtualNodeSubnet

Features:

  • Serverless container scaling
  • Pay-per-second billing
  • Rapid scaling
  • No node pool management

Azure CNI

Azure CNI is the advanced networking plugin for AKS:

Features:

  • Pods get real VNet IP addresses
  • Better performance and integration
  • Network Security Groups at pod level
  • Network policies support

Enabling:

# Create cluster with Azure CNI
az aks create \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --network-plugin azure

CoreDNS

CoreDNS provides DNS resolution for pods and services:

Features:

  • Service discovery
  • Pod DNS resolution
  • Custom DNS entries
  • Health checks

Configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
           lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }

kube-proxy

kube-proxy maintains network rules for service networking:

Features:

  • Service IP management
  • Load balancing
  • Network rules
  • iptables/ipvs mode

Azure Network Policy

Azure Network Policy provides pod-to-pod network isolation:

Enabling:

# Enable Azure Network Policy (requires Azure CNI)
az aks update \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --network-policy azure

Features:

  • Pod-to-pod isolation
  • Namespace isolation
  • Ingress and egress rules
  • Policy enforcement
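
Enabling the policy engine does not isolate anything by itself: pods accept all traffic until a NetworkPolicy selects them. The following is an added example, not part of the original page. It prints a default-deny policy plus a DNS egress exception for one namespace, to be piped into `kubectl apply -f -`. The function name and the `k8s-app: kube-dns` label used to select the CoreDNS pods are assumptions.

```shell
# Added example (not from the original page).
# Prints baseline isolation policies for one namespace as YAML.
render_isolation_policies() (
  ns="$1"
  LC_ALL=C   # make a-z mean ASCII lowercase only
  # Accept only a DNS-1123 label so the value cannot inject extra YAML.
  case "$ns" in
    ''|*[!a-z0-9-]*|-*|*-) echo "invalid namespace: $ns" >&2; exit 1 ;;
  esac
  [ "${#ns}" -le 63 ] || { echo "namespace too long" >&2; exit 1; }
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${ns}
spec:
  podSelector: {}            # selects every pod in the namespace
  policyTypes: [Ingress, Egress]
---
# Without this exception, default-deny egress also blocks DNS lookups.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns  # assumed label of the CoreDNS pods
    ports:
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
EOF
)
```

Workloads in the namespace then need explicit allow policies for every other flow they depend on.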

Prometheus and Grafana

Monitoring and alerting stack:

# Add Helm repository
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update

# Install Prometheus and Grafana
helm install prometheus prometheus-community/kube-prometheus-stack \
  --namespace monitoring \
  --create-namespace

Calico

Advanced networking and network policies:

# Install Calico
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/calico.yaml

External Secrets Operator

Sync secrets from Azure Key Vault:

# Add Helm repository
helm repo add external-secrets https://charts.external-secrets.io
helm repo update

# Install External Secrets Operator
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets-system \
  --create-namespace

Cert-Manager

Automatic TLS certificate management:

# Add Helm repository
helm repo add jetstack https://charts.jetstack.io
helm repo update

# Install cert-manager
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true

Add-on Management

Installing Add-ons

Using Azure CLI:

# Enable AKS add-on
az aks enable-addons \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --addons <addon-name>

Using Helm:

# Add Helm repository
helm repo add <repo-name> <repo-url>
helm repo update

# Install add-on
helm install <release-name> <repo-name>/<chart-name> \
  --namespace <namespace> \
  --create-namespace

Using kubectl:

# Apply manifest
kubectl apply -f https://example.com/addon.yaml
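
Applying a manifest straight from a URL runs whatever that URL serves at that moment with your cluster credentials. The following is an added example, not part of the original page. It downloads the manifest, compares it with a SHA-256 digest recorded when the manifest was reviewed, and applies it only on a match. The function names are assumptions, and the digest you pass in is whatever value you pinned (for example, in Git next to the add-on configuration).

```shell
# Added example (not from the original page).

# verify_manifest FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_manifest() {
  file="$1"; expected="$2"
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
}

# install_pinned_manifest URL EXPECTED_SHA256
# Downloads over HTTPS only, verifies the digest, then applies.
install_pinned_manifest() {
  url="$1"; expected="$2"
  tmp=$(mktemp) || return 2
  if curl --fail --silent --show-error --location \
          --proto '=https' --proto-redir '=https' \
          -o "$tmp" "$url" \
     && verify_manifest "$tmp" "$expected"; then
    # Server-side dry run first, so API validation errors surface
    # before anything is changed in the cluster.
    kubectl apply --dry-run=server -f "$tmp" && kubectl apply -f "$tmp"
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (placeholder digest, replace with the value you pinned):
#   install_pinned_manifest https://example.com/addon.yaml <sha256-hex>
```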

Updating Add-ons

Using Azure CLI:

# Update AKS add-on (the add-on must already be enabled)
az aks addon update \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --addon <addon-name>

Using Helm:

# Update add-on
helm upgrade <release-name> <repo-name>/<chart-name> \
  --namespace <namespace>

Removing Add-ons

Using Azure CLI:

# Disable AKS add-on
az aks disable-addons \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --addons <addon-name>

Using Helm:

# Uninstall add-on
helm uninstall <release-name> \
  --namespace <namespace>

Best Practices

  1. Use AKS Managed Add-ons - For core components when possible

  2. Keep Add-ons Updated - Regularly update to latest versions

  3. Test Updates - Test add-on updates in non-production first

  4. Document Customizations - Keep track of configuration changes

  5. Use Workload Identity - For Azure integrations

  6. Monitor Add-on Health - Set up monitoring for add-on components

  7. Version Control - Store add-on configurations in Git

  8. Namespace Isolation - Install add-ons in appropriate namespaces

  9. Resource Limits - Set resource limits for add-on pods

  10. Backup Configurations - Backup add-on configurations before updates

Common Issues

Add-on Installation Fails

Problem: Add-on fails to install

Solutions:

  • Check service principal permissions
  • Verify resource group exists
  • Check subscription quotas
  • Review Azure Activity Log

Add-on Not Working

Problem: Add-on installed but not functioning

Solutions:

  • Check pod status
  • Review add-on logs
  • Verify configuration
  • Check service principal permissions
  • Review Azure Activity Log
