Azure

AKS: Azure CNI Overlay GA, AGIC-compatible; Advanced L7 Policies GA

AKS: Azure CNI Overlay and Advanced L7 policies are GA, AGIC-compatible. Ubuntu 24.04 LTS becomes the default node image; SSH can be disabled on Linux pools.

July 3, 2026·3 min read·AI researched · AI written · AI reviewed

Azure just flipped a switch platform teams should notice immediately: AKS has promoted Azure CNI Overlay to GA and explicitly calls out compatibility with Application Gateway for Containers (and the Application Gateway Ingress Controller, AGIC). At the same time, Advanced Container Networking Services—Layer 7 Policies—are GA, and AKS now defaults to Ubuntu 24.04 LTS as the node image for recent Kubernetes releases while adding the ability to disable SSH on Linux node pools. These are not cosmetic release notes; they change where policy, ingress, and image-security responsibilities live.

With Azure CNI Overlay GA + AGIC compatibility, Microsoft is offering a first-party path to do L7 ingress and enforcement without forcing teams into a full service-mesh sidecar or a third-party controller. If your platform wants cluster-wide, Azure-supported L7 controls (ingress, WAF, routing rules) that integrate with Application Gateway, the supported path is now GA and production-ready. Advanced L7 Policies going GA means those controls are no longer preview curiosities — they are an operational surface that platform teams must either adopt or explicitly opt out of.

This is the right call. For years teams have cobbled together combinations of Ingress controllers, external WAFs, sidecar meshes, and custom network policies to get L7 behavior that is auditable and multi-tenant safe. Providing a supported, first-party L7 control plane reduces bespoke stacks, improves upgradeability, and gives platform teams a single place to enforce policies. But — and this matters — it also centralizes control. If you want to run an alternative mesh or a custom ingress with different behavior, expect to document and justify that decision to security and platform owners.

Operationally there are a few specific things to plan for now:

  • Re-evaluate your ingress strategy. If you run AGIC or are considering Application Gateway for Containers, this GA makes that a lower-risk option. If you run Istio/Envoy or another sidecar-heavy mesh primarily for policy enforcement rather than advanced L7 telemetry, this is the moment to reassess the cost/benefit of continuing that complexity.

  • Network policy placement changes. With platform-supported L7 policies, teams will need to choose between cluster-local policy (Calico/Cilium/etc.) and platform-managed L7 policies. They are not identical: choose the one that aligns with your auditability, scaling, and latency needs.

  • Node image and hardening default changes. AKS now prefers Ubuntu 24.04 LTS as the default node image for recent Kubernetes releases. That shifts the baseline OS and likely the security posture (kernel, distro CVE commitments, and vendor tooling). Also, the ability to disable SSH on Linux node pools is a welcome hardening toggle — expect platform templates and node-pool automation to start flipping that on by default.

The Azure Monitor Container Insights agent was also updated; treat this like any other agent upgrade — test on non-prod clusters and watch for metric/collection changes.

Two short warnings. First, "GA" doesn’t mean zero migration work: overlay networking semantics and address management may differ from your current CNI setup, and some upstream tooling assumes specific behaviors (IP-per-pod, host routing, etc.). Test node-image changes — moving to Ubuntu 24.04 LTS can reveal kernel or userland differences that affect drivers, CSI plugins, or node-level agents. Second, adopting platform L7 controls centralizes policy but also centralizes risk: misconfiguration at the platform level will affect all tenants.

If you want a deeper operational checklist I covered the migration and patch implications in a companion piece: AKS: Azure CNI Overlay GA, Advanced L7 Policies GA, Ubuntu 24.04 LTS default.

Final take: Azure is moving AKS from a purely primitive networking substrate into a platform that asserts L7 policy and secure defaults. Platform teams that ignore this shift and keep running bespoke ingress and networking stacks will pay in migration debt later. Start testing AGIC+Azure CNI Overlay and evaluate whether your mesh exists for telemetry or for policy — the answer will determine whether you simplify or double down on complexity.

Sources

aksazure-cni-overlaylayer-7-policiesubuntu-24-04
← All articles
Azure

AKS 1.36 GA: Weekly node-image refreshes, kubelet cert rotation, and LTS options

AKS 1.36 GA adds weekly node image refreshes, automated kubelet serving cert rotation, and expanded LTS — forcing teams to automate image testing and rollouts.

Jul 7, 2026·3makskubernetes-1-36
Azure

AKS: Kubernetes 1.36, Two-Year Commercial LTS, Azure CNI Overlay GA, and Day‑2 Upgrade Guidance

AKS adds Kubernetes 1.36 support and two-year commercial LTS from 1.27, Azure CNI Overlay GA, weekly node image updates, and refreshed Day‑2 upgrade guidance.

Jul 6, 2026·3makskubernetes-1.36
Azure

AKS patches Kubernetes 1.33.2 to fix CVE-2025-4563 — Node bypass of DynamicResourceAllocation auth

AKS released patches (1.33.2 and backports) addressing CVE-2025-4563 that let nodes bypass DynamicResourceAllocation authorization. Prioritize node rollouts.

Jul 5, 2026·3makskubernetes-security