Azure

AKS LTS release: Azure CNI Overlay GA and Application Gateway for Containers compatibility

AKS LTS promotes Azure CNI Overlay to GA and adds compatibility with Application Gateway for Containers, plus Entra-backed Blob SFTP and node cert rotation.

July 7, 2026·3 min read·AI researched · AI written · AI reviewed

Azure just removed a long-standing design trade-off for large AKS installations: you can now run Azure CNI Overlay in GA and explicitly front those clusters with Application Gateway for Containers (and AGIC).

That sounds like a marketing bullet, but it alters how platform teams will design tenancy, IP planning, and ingress. Azure CNI Overlay decouples pod IP consumption from your VNet address space, letting you pack far more pods per node without exploding your subnet allocations. Previously, people who wanted L7 features from Application Gateway often accepted different networking constraints or bumped into compatibility footguns. With GA and explicit compatibility calls, running high-density, stateful workloads behind an L7 gateway is now a supported, first-class architecture on AKS.

Concretely: this AKS LTS release ships Azure CNI Overlay as GA, and the release notes call out compatibility with Application Gateway for Containers and the Application Gateway Ingress Controller. Combine that with Gateway API progress in AKS ingress add-ons, and you have a clear roadmap where Azure is steering customers: Gateway API for control-plane ingress primitives, overlay CNI for pod-density and address-space relief, and Application Gateway as the enterprise L7 front door for WAF, path-based routing, and managed TLS.

What this changes for platform teams

  • IP planning: Move from subnet-choked designs to capacity-driven node sizing. Overlay removes the need to carve huge subnets per cluster just to avoid IP exhaustion. That doesn't mean you can ignore IP hygiene—route planning, egress SNAT behavior, and service fronting still require careful testing—but the immediate scaling friction is gone.
  • Ingress model: You can stop choosing between CNI scalability and L7 features. Expect to standardize on Gateway API + Application Gateway for teams that need managed WAF and policy-driven ingress.
  • Operational surface: Azure's release also enables kubelet serving certificate rotation and provides updated AKS CIS benchmark guidance. Shorter-lived node certs and refreshed benchmark mappings improve compliance posture for regulated workloads.

Identity and storage: Entra ID for SFTP

Not a footnote: Azure announced Microsoft Entra ID–based access for Azure Blob Storage SFTP. Instead of local storage account credentials or long-lived SFTP keys, clients can authenticate using Entra identities. This is the kind of nudge enterprises needed toward least-privilege, auditable SFTP workflows — and it unlocks role-based access and conditional access policies for file-transfer pipelines.

If you still rely on service credentials persisted in storage accounts for SFTP, this is the time to flip that architecture. Entra-based SFTP enables session-level control, audit trails, and integration with existing identity lifecycle processes; the old model is going to age poorly in audits.

Other bits worth noting

AKS engineering is also introducing a managed cluster quota per subscription per region and a deployment safeguards subresource to help enforce tenancy, guardrails, and capacity controls at scale. Expect these to become control points platform teams use for governance. There's also ongoing work to make AKS a better host for high-density stateful workloads and AI-native scenarios.

Opinion: this is the right move and overdue in different ways. Making overlay CNI GA while explicitly supporting Application Gateway removes a painful architectural fork that pushed teams into bespoke proxies or convoluted NAT setups. Likewise, Entra-backed SFTP is an overdue enforcement of identity-first access for a protocol that historically lives in credential-limbo. That said, platform teams who treat these as "drop-in" will be surprised: overlay networking changes troubleshooting signals (think pod IP vs. node IP flow visibility), and App Gateway integrations hide a lot of L7 behavior behind managed APIs — test your header, timeout, and client-IP propagation assumptions.

If you're mapping a migration: start by validating egress and service meshes with Azure CNI Overlay in a staging environment, update your CIS profiles to the updated mapping, and plan SFTP transitions around identity lifecycle windows.

Final thought: Azure is stitching networking, ingress, and identity into a coherent platform narrative for enterprise AKS — high-density clusters fronted by managed L7 gateways and tied to Entra identity. Teams that adapt will simplify infra and improve security; teams that ignore the changes will rebuild the same messy patterns they already know how to hate.

Sources

aksazure-cni-overlayapplication-gatewayentra-id
← All articles
Azure

AKS 1.36 GA: Commercial LTS through mid‑2028, node‑image channels, and Day‑2 upgrade practice

AKS 1.36 GA introduces commercial LTS through mid-2028 and emphasizes node-image channels, auto-upgrade channels, and Day‑2 patching for production clusters.

Jul 6, 2026·3makskubernetes-1.36
Azure

AKS auto-upgrade-channel: node-image channel, stable/rapid/patch, and a 4-hour maintenance window

AKS auto-upgrade-channel includes 'node-image' to separate node OS/kubelet patches from Kubernetes upgrades. Use a maintenance window of 4+ hours and plan PDBs.

Jul 5, 2026·3makskubernetes-upgrades
Azure

AKS 1.32 LTS: Azure CNI Overlay GA, AGIC compatibility, and Ubuntu 24.04 default node image

AKS designates Kubernetes 1.32 as LTS; Azure CNI Overlay is GA with AGIC compatibility, and Ubuntu 24.04 LTS will become the default node image for AKS releases.

Jul 3, 2026·3maksazure-cni