Azure previews Kubernetes Application Network

Azure put its Kubernetes Application Network into public preview to tackle IP management across multi‑region clusters — a practical move for teams running large or federated K8s deployments. The preview targets a common pain point in distributed infra and could change how you design cross‑region service networking. (x.com)

Azure CLI 2.84.0 or later is required to use the new AppNet commands. The preview is opt‑in: register the feature with az feature register --namespace Microsoft.AppLink --name PublicPreview and install the AppNet CLI extension via az extension add --name appnet-preview. (learn.microsoft.com)

The service is implemented as three layers — a management plane, a regional control plane per member, and a data plane — and the management plane provisions Azure Key Vault and orchestrates regional control‑plane creation when clusters join. (learn.microsoft.com) The data plane runs in ambient mode (no sidecars) to secure L4 service traffic inside clusters, while optional L7 proxies handle service‑level routing and policy enforcement. (learn.microsoft.com) Traffic management is implemented on top of Istio ambient mode and the Kubernetes Gateway API and explicitly supports L4/L7 authorization policies, JWT claim–based routing, traffic shifting and fault‑injection across member AKS clusters. (learn.microsoft.com)

The traffic‑use guide requires istioctl to be installed and two AKS clusters to have east‑west gateway reachability (achieved via VNet peering, VNet‑to‑VNet VPN, or another supported connectivity model). (learn.microsoft.com)

Microsoft publishes Application Network minor releases roughly once a quarter, documents the Istio minor version bundled with each Application Network release, and exposes az appnet list-versions to show available versions per region; the supported‑versions doc was last updated on 2026‑03‑22. (learn.microsoft.com)

Security docs state the service issues SPIFFE‑compliant workload identities, manages certificate issuance/rotation and mTLS for service‑to‑service traffic, and stores certificates as part of its managed provisioning. (learn.microsoft.com)

Current limitations listed in Microsoft’s overview include Linux‑only node pools, no support for AKS private clusters or Windows node pools, and initial region availability limited to centralus, eastus2, westus2, westus3, northeurope and southeastasia. (learn.microsoft.com)
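
A preflight check for the prerequisites and limitations listed above, as an added example that is not from Microsoft's documentation or from this briefing. It assumes the cluster description follows the shape of az aks show -o json output (location, apiServerAccessProfile.enablePrivateCluster, agentPoolProfiles[].osType); the function names and both sample clusters are constructed for illustration.

```python
import json
import re

MIN_CLI = (2, 84, 0)  # minimum Azure CLI version stated in the briefing
PREVIEW_REGIONS = {"centralus", "eastus2", "westus2", "westus3",
                   "northeurope", "southeastasia"}  # initial preview regions

def parse_version(text):
    """Extract (major, minor, patch) so 2.9.0 sorts below 2.84.0 (string compare would not)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def preflight(cli_version, cluster):
    """Return blocking findings for one cluster; an empty list means it meets the listed limits."""
    findings = []
    if parse_version(cli_version) < MIN_CLI:
        findings.append(f"Azure CLI {cli_version} is older than 2.84.0")
    region = (cluster.get("location") or "").lower()
    if region not in PREVIEW_REGIONS:
        findings.append(f"region {region or '<missing>'} is not in the preview region list")
    # Assumed field names, following the shape of `az aks show -o json` output.
    if (cluster.get("apiServerAccessProfile") or {}).get("enablePrivateCluster"):
        findings.append("private clusters are not supported")
    for pool in cluster.get("agentPoolProfiles") or []:
        # A pool with no osType is treated as Linux, the AKS default.
        if (pool.get("osType") or "Linux").lower() != "linux":
            findings.append(f"node pool {pool.get('name')} is not Linux")
    return findings

# Constructed sample inputs (not real clusters).
ELIGIBLE = json.loads("""{"name": "aks-a", "location": "eastus2",
  "apiServerAccessProfile": null,
  "agentPoolProfiles": [{"name": "sys", "osType": "Linux"}]}""")
BLOCKED = json.loads("""{"name": "aks-b", "location": "westeurope",
  "apiServerAccessProfile": {"enablePrivateCluster": true},
  "agentPoolProfiles": [{"name": "sys", "osType": "Linux"},
                        {"name": "win", "osType": "Windows"}]}""")

if __name__ == "__main__":
    for cli, cluster in (("2.84.0", ELIGIBLE), ("2.9.0", BLOCKED)):
        problems = preflight(cli, cluster)
        print(cluster["name"], "OK" if not problems else problems)
```

Running the check against every cluster before it joins keeps unsupported members (private API server, Windows pools, out-of-preview regions) from being discovered only when onboarding fails.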
