Azure just made a major networking bet in AKS: Azure CNI Overlay is now generally available and explicitly compatible with Application Gateway for Containers and the Application Gateway Ingress Controller (AGIC). That single move removes a long-standing compatibility footgun for teams that wanted managed, Azure-native layer‑7 ingress with overlay networking.
On top of that, AKS published multiple patch releases (1.35.2, 1.35.3, 1.34.5, 1.34.6, 1.33.9, 1.33.10) and promoted Layer‑7 policies for AKS networking to GA. AKS also introduced node-image and access posture changes: there is a new option to disable port-based remote access (SSH for Linux, WinRM/RDP for Windows) on node pools, and Canonical Ubuntu 24.04 images are now the default for clusters running Kubernetes 1.34–1.38.
Why this matters
Overlay networking + managed ingress has been a rough corner of cloud Kubernetes: overlay CNIs (used to avoid IP exhaustion on very large clusters or noisy multi-tenant setups) often clashed with cloud-managed, path-aware load balancers and ingress controllers that assumed host-based CNI behavior. With Azure CNI Overlay GA and explicit AGIC compatibility, you can run overlay networks without losing the platform benefits of Application Gateway (WAF, TLS termination, path routing, native Azure logging). That’s operationally significant: fewer bespoke workarounds, fewer traffic hairpins, and a simpler bill-of-materials for platform teams.
The Layer‑7 policies GA is the other piece of the puzzle. Enforcing application-layer policies inside the cluster, natively supported by AKS networking, reduces reliance on sidecar-based enforcement for many common cases. For teams doing L7 filtering, request routing, and per-service policy at scale, this can mean less sidecar sprawl and more centralized policy.
Patches and servicing cadence
AKS published patch releases across three minor versions: 1.35.2/1.35.3, 1.34.5/1.34.6, and 1.33.9/1.33.10. AKS continues to deliver security and stability fixes to older supported minors, so patching plans need to account for minor-specific fixes rather than assuming everything funnels to the latest minor. Validate cluster-management automation and any admission/config hooks against these patches.
Operational impact and immediate actions
- If you use Application Gateway (including AGIC) and previously avoided Azure CNI Overlay because of compatibility worries, re-run tests — the supported path exists now and should reduce NAT/route workarounds.
- For teams using L7 policy enforcement via sidecars (Envoy, OPA + sidecar), evaluate whether AKS Layer‑7 policies can cover your needs; this can materially reduce resource and complexity overhead for simple allow/deny, header rewrites, and routing rules.
- Node hardening is getting opinionated: disabling port-based remote access on node pools is sensible for cloud-native security, but it will break any debugging playbooks that rely on SSH/WinRM/RDP. Update incident runbooks and automation to use privileged DaemonSets, ephemeral debug containers (kubectl debug), or platform-provided diagnostics instead.
- The shift to Ubuntu 24.04 images as the default for Kubernetes 1.34–1.38 changes the baseline image and kernel/security posture — verify custom node-image tooling, init scripts, and OS-level agents against the new image.
This feels like AKS choosing a direction: more managed network primitives, tighter defaults, and fewer escape hatches. That's the right call. Platform teams who have been deferring network design because of historical limitations will need to revisit assumptions — particularly around ingress, IP management, and how much application-layer policy they expect to implement themselves.
If you want a recent reference point for AKS node-image and LTS behavior, see our write-up on AKS 1.36 GA and its node-image refresh cadence (AKS 1.36 GA: commercial LTS, weekly node-image refreshes, and region-specific release visibility).
Final thought: Azure making overlay networking a first-class citizen while hardening node defaults signals that AKS is closing the gap between “flexible but fragile” and “opinionated and secure.” That will speed safe platform adoption — and bite teams that still treat networking and node image hygiene as optional.