Azure just removed a long-standing design trade-off for large AKS installations: you can now run Azure CNI Overlay in GA and explicitly front those clusters with Application Gateway for Containers (and AGIC).
That sounds like a marketing bullet, but it alters how platform teams will design tenancy, IP planning, and ingress. Azure CNI Overlay decouples pod IP consumption from your VNet address space, letting you pack far more pods per node without exploding your subnet allocations. Previously, people who wanted L7 features from Application Gateway often accepted different networking constraints or bumped into compatibility footguns. With GA and explicit compatibility calls, running high-density, stateful workloads behind an L7 gateway is now a supported, first-class architecture on AKS.
Concretely: this AKS LTS release ships Azure CNI Overlay as GA, and the release notes call out compatibility with Application Gateway for Containers and the Application Gateway Ingress Controller. Combine that with Gateway API progress in AKS ingress add-ons, and you have a clear roadmap where Azure is steering customers: Gateway API for control-plane ingress primitives, overlay CNI for pod-density and address-space relief, and Application Gateway as the enterprise L7 front door for WAF, path-based routing, and managed TLS.
What this changes for platform teams
- IP planning: Move from subnet-choked designs to capacity-driven node sizing. Overlay removes the need to carve huge subnets per cluster just to avoid IP exhaustion. That doesn't mean you can ignore IP hygiene—route planning, egress SNAT behavior, and service fronting still require careful testing—but the immediate scaling friction is gone.
- Ingress model: You can stop choosing between CNI scalability and L7 features. Expect to standardize on Gateway API + Application Gateway for teams that need managed WAF and policy-driven ingress.
- Operational surface: Azure's release also enables kubelet serving certificate rotation and provides updated AKS CIS benchmark guidance. Shorter-lived node certs and refreshed benchmark mappings improve compliance posture for regulated workloads.
Identity and storage: Entra ID for SFTP
Not a footnote: Azure announced Microsoft Entra ID–based access for Azure Blob Storage SFTP. Instead of local storage account credentials or long-lived SFTP keys, clients can authenticate using Entra identities. This is the kind of nudge enterprises needed toward least-privilege, auditable SFTP workflows — and it unlocks role-based access and conditional access policies for file-transfer pipelines.
If you still rely on service credentials persisted in storage accounts for SFTP, this is the time to flip that architecture. Entra-based SFTP enables session-level control, audit trails, and integration with existing identity lifecycle processes; the old model is going to age poorly in audits.
Other bits worth noting
AKS engineering is also introducing a managed cluster quota per subscription per region and a deployment safeguards subresource to help enforce tenancy, guardrails, and capacity controls at scale. Expect these to become control points platform teams use for governance. There's also ongoing work to make AKS a better host for high-density stateful workloads and AI-native scenarios.
Opinion: this is the right move and overdue in different ways. Making overlay CNI GA while explicitly supporting Application Gateway removes a painful architectural fork that pushed teams into bespoke proxies or convoluted NAT setups. Likewise, Entra-backed SFTP is an overdue enforcement of identity-first access for a protocol that historically lives in credential-limbo. That said, platform teams who treat these as "drop-in" will be surprised: overlay networking changes troubleshooting signals (think pod IP vs. node IP flow visibility), and App Gateway integrations hide a lot of L7 behavior behind managed APIs — test your header, timeout, and client-IP propagation assumptions.
If you're mapping a migration: start by validating egress and service meshes with Azure CNI Overlay in a staging environment, update your CIS profiles to the updated mapping, and plan SFTP transitions around identity lifecycle windows.
Final thought: Azure is stitching networking, ingress, and identity into a coherent platform narrative for enterprise AKS — high-density clusters fronted by managed L7 gateways and tied to Entra identity. Teams that adapt will simplify infra and improve security; teams that ignore the changes will rebuild the same messy patterns they already know how to hate.