This chapter covers Azure Kubernetes Service (AKS) from an Azure Developer's perspective, focusing on what you need to know for the AZ-204 exam. AKS is a managed Kubernetes service that simplifies deploying, managing, and scaling containerized applications. Approximately 15-20% of the exam questions touch on containerization and orchestration, with AKS being a core component. We'll explore how AKS works, its key components, how to deploy and manage clusters, and the integration with other Azure services.
Jump to a section
Imagine you are a tour operator organizing a large conference in a city. Instead of renting individual rooms at various hotels, you lease an entire hotel building (the Kubernetes cluster). The hotel has a manager (Azure) who handles all maintenance: cleaning (node patching), fixing broken elevators (hardware failures), and ensuring the lobby is secure (network security). You, the tour operator, focus only on booking rooms (deploying containers), arranging the conference schedule (orchestrating pods), and managing your guests (application logic). You do not worry about the hotel's plumbing, electricity, or structural repairs – that's the manager's job. However, you still have full access to the hotel's facilities: you can assign rooms to specific floors (node affinity), restrict access to certain areas (network policies), and even request extra amenities like a private dining room (persistent volumes). The hotel manager provides you with a master key (kubeconfig) to control room assignments, but you cannot change the building's foundation or replace the elevator cables yourself. This division of labor allows you to scale your conference from 10 attendees to 10,000 without hiring a construction crew – Azure handles the underlying infrastructure, while you focus on your application.
What is AKS and Why Does It Exist?
Azure Kubernetes Service (AKS) is a managed container orchestration service based on the open-source Kubernetes system. Kubernetes, often abbreviated as K8s, is a platform for automating the deployment, scaling, and management of containerized applications. AKS abstracts the complexity of managing the Kubernetes control plane, which is fully managed by Azure. This means you do not need to worry about the API server, etcd, scheduler, or controller manager – Azure handles their availability, scaling, and patching. You only manage the worker nodes (agent nodes) and your applications.
AKS exists because running a production-grade Kubernetes cluster is operationally intensive. You need to manage the control plane, handle upgrades, patch nodes, and ensure high availability. AKS reduces this burden by providing a managed control plane, automated node upgrades, self-healing (node repair), and integration with Azure Active Directory, Azure Policy, and Azure Monitor. For the AZ-204 exam, you need to understand how to create an AKS cluster, deploy applications, configure scaling, and integrate with other Azure services like Azure Container Registry (ACR) and Azure DevOps.
How AKS Works Internally
AKS deploys a Kubernetes cluster where Azure manages the control plane (master components) and you manage the worker nodes. The control plane is hosted in a separate Azure subscription and is not directly accessible to you. You interact with it through the Kubernetes API server endpoint, which is exposed over the internet or via a private endpoint. The worker nodes are virtual machines (VMs) that run the kubelet, kube-proxy, and container runtime (containerd).
When you create an AKS cluster, you specify the number and size of worker nodes. Azure deploys these VMs into a virtual network (VNet) that you can control. The nodes automatically register with the control plane. You then use kubectl to deploy your containerized applications as Kubernetes resources: pods, deployments, services, etc.
Key Components of AKS
Control Plane: Managed by Azure. Includes API server, etcd (distributed key-value store), scheduler, and controller manager. You do not have direct access to these components.
Worker Nodes: Azure VMs that run your containers. You can use VM sizes from the B-series (burstable) to the L-series (storage optimized). Default OS is Ubuntu Linux (or Windows Server 2019 for Windows containers).
Node Pools: A group of worker nodes with the same configuration. You can have multiple node pools (e.g., one for general workloads, one for GPU workloads). System node pools are required for critical system pods.
Pods: The smallest deployable unit in Kubernetes. A pod can contain one or more containers. Pods are scheduled on worker nodes.
Services: An abstraction that defines a logical set of pods and a policy to access them. Types include ClusterIP (internal only), NodePort (expose on node IP), LoadBalancer (Azure load balancer), and ExternalName.
Ingress: Manages external access to services, typically HTTP/HTTPS. AKS provides an Ingress controller add-on (e.g., NGINX, Azure Application Gateway).
Persistent Volumes (PV): Storage resources provisioned by administrators. In AKS, you can use Azure Disks (for ReadWriteOnce) or Azure Files (for ReadWriteMany).
Storage Classes: Define how PVs are provisioned. AKS includes built-in storage classes: default (Azure Disk), managed-premium, azurefile, etc.
Namespaces: Virtual clusters within a physical cluster. Used to organize resources.
Secrets and ConfigMaps: Store sensitive data (e.g., passwords) and configuration data.
Defaults and Important Values
Default VM size for node pools: Standard_DS2_v2 (2 vCPUs, 7 GB RAM) for Linux, Standard_D2s_v3 for Windows.
Maximum pods per node: 110 for standard networking (kubenet), 250 for Azure CNI.
Node OS: Ubuntu 18.04 LTS (Linux) or Windows Server 2019 (Windows).
Container runtime: containerd (as of Kubernetes 1.19+).
Kubernetes version: AKS supports multiple versions; you can choose the version during cluster creation. Azure typically supports the current version plus two previous minor versions.
Cluster upgrade: You can trigger upgrades via Azure CLI or portal. Azure automatically updates node images monthly.
Scaling: You can scale node pools manually or use cluster autoscaler (automatic scaling based on resource demands).
Networking: Two networking models – kubenet (basic, managed by Azure) and Azure CNI (advanced, integrates with Azure VNet). Azure CNI gives each pod an IP from the VNet, allowing direct connectivity to other Azure resources.
Configuration and Verification Commands
Create an AKS cluster (Azure CLI):
az aks create \
--resource-group myResourceGroup \
--name myAKSCluster \
--node-count 3 \
--enable-addons monitoring \
--generate-ssh-keysGet credentials to connect to the cluster:
az aks get-credentials --resource-group myResourceGroup --name myAKSClusterVerify nodes:
kubectl get nodesDeploy an application (using a deployment YAML):
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80Expose the deployment as a service:
kubectl expose deployment nginx-deployment --type=LoadBalancer --name=nginx-service --port=80 --target-port=80Check service:
kubectl get service nginx-serviceScale the deployment:
kubectl scale deployment nginx-deployment --replicas=5Upgrade the cluster:
az aks upgrade --resource-group myResourceGroup --name myAKSCluster --kubernetes-version 1.21.2Integration with Related Technologies
Azure Container Registry (ACR): Store and manage container images. AKS can authenticate to ACR using Azure AD. To attach an ACR to an AKS cluster: az aks update -n myAKSCluster -g myResourceGroup --attach-acr myACR.
Azure Active Directory: AKS supports Azure AD integration for authentication. You can use Azure AD to control access to the Kubernetes API server via RBAC.
Azure Policy: Apply policies to AKS clusters using Azure Policy for Kubernetes (Gatekeeper).
Azure Monitor: Enable monitoring via Container Insights. Use az aks enable-addons --addons monitoring.
Azure Dev Spaces: (Deprecated) Use Bridge to Kubernetes instead for local development.
Virtual Nodes (ACI): Use Azure Container Instances as pods for burst scaling. Enabled via the virtual-node addon.
Azure Private Link: Expose the API server privately within a VNet.
Azure Key Vault: Store secrets via CSI driver (Secrets Store CSI Driver).
Security and RBAC
Kubernetes RBAC: You can define roles and role bindings to control access to resources within the cluster.
Azure RBAC: Integrate with Azure AD to control access to the cluster itself (e.g., who can run kubectl).
Network Policies: Use Calico or Azure Network Policies to control traffic between pods.
Pod Security Policies: (Deprecated in 1.21) Use Pod Security Standards or OPA/Gatekeeper.
Secrets: Store in Azure Key Vault and mount via CSI driver.
Monitoring and Logging
Container Insights: Provides performance metrics and logs. Enabled via the monitoring addon.
Log Analytics: Store and query logs.
Metrics: CPU, memory, disk, network.
Diagnostic settings: Stream logs to Event Hubs or Storage.
Common Pitfalls and Exam Traps
Networking model choice: kubenet vs. Azure CNI. kubenet uses NAT and is simpler but limited to 110 pods per node. Azure CNI gives each pod a VNet IP but requires more IP addresses. The exam may ask which to choose based on requirements.
Scaling: Manual scaling vs. cluster autoscaler. The autoscaler is not enabled by default; you must enable it.
Upgrades: You cannot skip minor versions. AKS supports upgrading only one minor version at a time.
Storage: Persistent volumes with Azure Disks are ReadWriteOnce (can only be mounted by one pod in one node). For multiple pods, use Azure Files (ReadWriteMany).
Security: By default, the API server is public. For private clusters, you must enable private cluster during creation.
Windows nodes: Windows containers have limitations (e.g., not all networking features).
Create an AKS cluster
Use the Azure CLI, portal, or ARM template to create an AKS cluster. Specify the resource group, cluster name, node count, VM size, Kubernetes version, and networking model. Azure provisions the control plane and worker nodes. The control plane is fully managed; you only manage the nodes. The cluster is created in a resource group automatically (MC_ prefix) that contains the node VMs, VNet, and other infrastructure resources. Do not modify this resource group manually.
Connect to the cluster
After creation, use `az aks get-credentials` to download the kubeconfig file and merge it into your local ~/.kube/config. This allows kubectl to authenticate to the cluster. The command uses Azure AD authentication if integrated. Verify connection with `kubectl get nodes`. You should see the list of worker nodes with status Ready.
Deploy an application
Create a Kubernetes manifest YAML file (e.g., deployment.yaml) defining the desired state: deployment with container image, replicas, labels, and ports. Use `kubectl apply -f deployment.yaml` to create the deployment. Kubernetes scheduler assigns pods to worker nodes. The kubelet on each node pulls the container image from the registry (e.g., ACR or Docker Hub) and starts the container.
Expose the application
Create a service of type LoadBalancer to expose the application externally. Azure provisions a standard load balancer with a public IP. The service maps the load balancer's frontend IP to the pods. Use `kubectl expose` or create a service YAML. For HTTP/HTTPS, consider an Ingress controller (e.g., NGINX) with TLS termination.
Scale the application
Use `kubectl scale deployment nginx-deployment --replicas=5` to increase the number of pod replicas. The scheduler places new pods on available nodes. If nodes are full, the cluster autoscaler (if enabled) adds new nodes. Alternatively, manually scale the node pool with `az aks scale --node-count 5`.
Monitor and troubleshoot
Enable Container Insights during cluster creation or via `az aks enable-addons --addons monitoring`. View metrics and logs in Azure Monitor. For pod-level logs, use `kubectl logs <pod-name>`. For events, `kubectl get events`. Use `kubectl describe pod` for detailed status. For node issues, check node status and conditions.
Upgrade the cluster
Check available versions with `az aks get-versions`. Upgrade using `az aks upgrade --kubernetes-version 1.21.2`. The upgrade process cordons and drains nodes one by one, moving pods to other nodes. After upgrade, verify with `kubectl get nodes`. You can also upgrade node pools separately.
Scenario 1: Microservices Migration
A financial services company migrated from a monolithic application to microservices using AKS. They had 50+ microservices, each deployed as a separate deployment in a dedicated namespace. They used Azure DevOps for CI/CD, building container images and pushing to ACR, then deploying to AKS via Helm charts. They configured cluster autoscaler to handle peak trading hours, scaling from 5 to 20 nodes. They used Azure Policy to enforce pod security standards (e.g., disallow privileged containers). Network policies restricted traffic between services. They used Azure CNI for direct pod-to-Azure SQL connectivity. A common issue was IP exhaustion – they had to plan the VNet CIDR carefully. They also set up pod disruption budgets to ensure high availability during upgrades.
Scenario 2: Batch Processing with ACI Virtual Nodes
A media processing company used AKS for batch video transcoding. They had a baseline cluster of 3 nodes for the control plane and management workloads. For burst processing, they enabled virtual nodes (ACI) which allowed pods to run on Azure Container Instances without provisioning new VMs. They used a node selector to schedule transcoding pods on virtual nodes. This saved costs because ACI charges per second. They used Azure Files for shared storage. The challenge was that virtual nodes have limitations (e.g., no host networking, no privileged containers). They also had to ensure the ACI subnet had enough IPs.
Scenario 3: Retail E-commerce Platform
A large e-commerce retailer used AKS for their web application and order processing. They had a multi-region deployment for disaster recovery. They used Azure Traffic Manager to route traffic to the closest region. Each region had an AKS cluster with Application Gateway Ingress Controller (AGIC) for SSL termination and WAF. They used Azure Redis Cache for session state and Azure SQL Database for persistent data. They used Helm for deployments and Azure Policy for compliance. They encountered issues with slow rolling updates due to health probe timeouts – they tuned liveness and readiness probes. They also used pod anti-affinity to spread pods across nodes for high availability.
What AZ-204 Tests on AKS
The AZ-204 exam objective 'Compute' includes 'Create and manage container images for solutions' and 'Create and manage container images using ACR'. For AKS, you need to know:
How to create an AKS cluster (CLI, portal, ARM)
How to deploy applications (kubectl, YAML)
How to configure scaling (manual, autoscaler, node pools)
How to configure networking (kubenet vs. Azure CNI, load balancer, ingress)
How to integrate with ACR (attach ACR, authentication)
How to configure storage (persistent volumes, Azure Disk vs. File)
How to secure the cluster (Azure AD, RBAC, network policies)
How to monitor (Container Insights)
Common Wrong Answers
Choosing kubenet when Azure CNI is required: Candidates often pick kubenet because it's simpler, but the scenario may require direct pod-to-VM connectivity (e.g., peering with on-premises). Azure CNI is needed.
Enabling cluster autoscaler by default: Many think it's on by default. It's not; you must enable it.
Using Azure Disks for ReadWriteMany workloads: Disks are ReadWriteOnce; for multiple pods, use Azure Files.
Assuming you can manage the control plane: You cannot SSH into control plane nodes; they are managed by Azure.
Upgrading multiple minor versions at once: You can only upgrade one minor version at a time.
Specific Numbers and Terms
Maximum pods per node: 110 (kubenet), 250 (Azure CNI)
Default node size: Standard_DS2_v2
Kubernetes version support: current + 2 previous minor versions
Container runtime: containerd (since K8s 1.19)
AKS SLA: 99.95% for control plane (with availability zones)
Cluster autoscaler scale up/down cooldown: 10 minutes (default)
Edge Cases
Windows containers: Cannot use Azure CNI with Windows nodes? Actually, Azure CNI supports Windows (preview). But kubenet does not support Windows.
Private clusters: Must be created with --enable-private-cluster. Cannot be changed later.
Spot node pools: Cheaper but can be evicted; not suitable for stateful workloads.
System node pools: Required; at least one node pool with --mode system.
How to Eliminate Wrong Answers
If the question mentions 'direct pod-to-VM connectivity' or 'network policies': Choose Azure CNI.
If the question says 'automatically scale based on demand': Enable cluster autoscaler.
If the question says 'shared storage for multiple pods': Use Azure Files.
If the question says 'minimize cost for development': Consider using a single node or spot instances.
If the question says 'integrate with on-premises network': Use Azure CNI with VNet peering or VPN.
AKS is a managed Kubernetes service; Azure manages the control plane, you manage worker nodes.
Two networking models: kubenet (simple, NAT) and Azure CNI (direct VNet IP, more features).
Cluster autoscaler is not enabled by default; must be explicitly enabled.
Default node size is Standard_DS2_v2; max pods per node is 110 (kubenet) or 250 (Azure CNI).
Azure Disks are ReadWriteOnce; use Azure Files for ReadWriteMany.
AKS supports up to 1000 node pools per cluster.
You can integrate AKS with ACR using `az aks update --attach-acr`.
Private clusters must be created with `--enable-private-cluster`; cannot be changed later.
Windows containers are supported but with limitations (e.g., no kubenet support).
Upgrade one minor version at a time; skip versions not allowed.
Use `kubectl` for deployment and management; Azure CLI for cluster operations.
Monitoring: enable Container Insights for metrics and logs.
These come up on the exam all the time. Here's how to tell them apart.
Kubenet (basic networking)
Pods get IPs from a private address space (10.0.0.0/16) and are NATed to the node IP.
Simpler to set up; no need to plan IP addresses for pods.
Limited to 110 pods per node.
Does not support network policies by default (requires Calico).
Pods cannot directly communicate with on-premises resources unless using node IP.
Azure CNI (advanced networking)
Pods get IPs directly from the VNet subnet, allowing direct connectivity to other Azure resources.
Requires careful IP address planning; each pod gets an IP from the VNet.
Supports up to 250 pods per node.
Supports Azure Network Policies (built-in) or Calico.
Pods can communicate directly with on-premises via VNet peering or VPN.
Mistake
AKS is just Kubernetes as a Service with no differences.
Correct
AKS is a managed Kubernetes service where Azure manages the control plane, but you still manage node pools, upgrades, and configurations. It is not just a hosted K8s; it includes Azure-specific features like Azure AD integration, managed ACR, and Azure Monitor.
Mistake
You can SSH into the master nodes.
Correct
The control plane is fully managed by Azure and is not accessible to you. You cannot SSH into the API server or etcd. Only worker nodes are accessible via SSH if you enable it.
Mistake
Kubenet is always better because it uses fewer IP addresses.
Correct
Kubenet is simpler and uses NAT, but it limits pod-to-pod connectivity and does not support network policies. Azure CNI gives each pod a VNet IP, enabling direct connectivity and network policies, but requires more IP space.
Mistake
Cluster autoscaler is enabled by default.
Correct
Cluster autoscaler is not enabled by default. You must enable it using `az aks update --enable-cluster-autoscaler` or during cluster creation with `--enable-cluster-autoscaler`.
Mistake
You can use Azure Disks for ReadWriteMany workloads.
Correct
Azure Disks support ReadWriteOnce (can be mounted by one pod on one node). For multiple pods accessing the same storage, use Azure Files (supports ReadWriteMany).
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Kubenet is the basic networking model where pods get IPs from a private address space and are NATed to the node's IP. It is simpler but does not support network policies by default and limits pod-to-pod connectivity. Azure CNI assigns each pod an IP from the VNet subnet, enabling direct connectivity, network policies, and up to 250 pods per node. Choose Azure CNI if you need direct pod-to-VM connectivity, network policies, or integration with on-premises networks.
Cluster autoscaler is not enabled by default. To enable it, use the Azure CLI: `az aks update --resource-group myResourceGroup --name myAKSCluster --enable-cluster-autoscaler`. You can also set min and max node counts: `--min-count 1 --max-count 10`. Alternatively, enable it during cluster creation with `az aks create --enable-cluster-autoscaler`.
No, Azure Disks support ReadWriteOnce access mode, meaning they can be mounted by only one pod on one node at a time. For multiple pods to access the same storage, use Azure Files, which supports ReadWriteMany. Azure Files can be mounted by multiple pods across different nodes.
Use the Azure CLI command: `az aks update --resource-group myResourceGroup --name myAKSCluster --attach-acr myACR`. This grants the AKS cluster's managed identity the AcrPull role on the ACR, allowing it to pull images without credentials.
The default VM size is Standard_DS2_v2 (2 vCPUs, 7 GB RAM) for Linux node pools. For Windows node pools, the default is Standard_D2s_v3. You can specify a different size using the `--node-vm-size` parameter.
You can secure the API server by enabling private cluster (API server endpoint is private within the VNet), using authorized IP ranges (firewall), integrating with Azure AD for authentication, and using Kubernetes RBAC for authorization. For private clusters, create with `--enable-private-cluster`.
With kubenet, the maximum is 110 pods per node. With Azure CNI, the maximum is 250 pods per node. These limits depend on the node VM size and available IP addresses.
You've just covered AKS for Azure Developers — now see how well it sticks with free AZ-204 practice questions. Full explanations included, no account needed.
Done with this chapter?