Fix Azure AKS Network Policy Errors
When working with Azure AKS, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with network policy and shows the exact fix.
A Common Mistake
Not enabling Network Policy on an AKS cluster, allowing all pods to communicate without restriction.
The incorrect command:
az aks create --name my-aks --resource-group my-rg --node-count 3 --network-plugin azure --network-policy ""
Result (the command succeeds, so nothing flags the mistake):
Cluster created without network policy.
All pods can communicate with all other pods. A compromised frontend pod can connect directly to the database pod, because there is no network segmentation between application tiers.
The Correct Approach
The right way to configure network policy in Azure AKS:
az aks create --name my-aks --resource-group my-rg --node-count 3 --network-plugin azure --network-policy calico
# Or: --network-policy azure
Successful result:
Cluster created with Calico network policy.
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
networkpolicy.networking.k8s.io/deny-all created
How to Prevent This
Enable Network Policy on all production clusters. The options are Azure Network Policy (native) or Calico (more features). Start from a default-deny policy, then add policies that allow only the traffic each tier requires. Calico additionally supports global network policies, egress policies and DNS-based policies. Monitor which policies are matching traffic with flow logs.
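The script below is an added example, not part of the original guide. It does two things the guide describes but does not show: it audits existing clusters for the mistake above by reading the value az reports for networkProfile.networkPolicy, and it supplies the allow rules that must follow the deny-all policy, including the DNS egress rule that a deny-all with Egress otherwise breaks. The resource group, the app=frontend and app=database labels and port 5432 are assumptions for illustration; the az and kubectl invocations use only documented flags.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): audit AKS clusters for a
# missing network policy and apply allow rules after deny-all.
# Assumed for illustration: labels app=frontend / app=database, port 5432.
set -eu

# Classify the value az reports for networkProfile.networkPolicy.
# Returns 0 when a policy engine is enabled, 1 when pods are unrestricted.
# "none", "null" and an empty string all mean no engine is configured.
network_policy_enabled() {
  case "${1:-}" in
    azure|calico|cilium) return 0 ;;  # cilium exists too; not covered in the guide
    *) return 1 ;;
  esac
}

# Query one cluster and print a one-line verdict. Requires az login.
audit_cluster() {
  local name="$1" rg="$2" policy
  policy=$(az aks show --name "$name" --resource-group "$rg" \
             --query 'networkProfile.networkPolicy' -o tsv 2>/dev/null || true)
  if network_policy_enabled "$policy"; then
    printf '%s/%s: network policy = %s\n' "$rg" "$name" "$policy"
  else
    printf '%s/%s: NO NETWORK POLICY (all pods can reach all pods)\n' "$rg" "$name"
  fi
}

# Audit every cluster in the current subscription.
audit_subscription() {
  az aks list --query '[].[name,resourceGroup]' -o tsv |
    while read -r name rg; do audit_cluster "$name" "$rg"; done
}

# Allow rule that follows deny-all: only frontend pods may reach the
# database pods, and only on the database port.
allow_frontend_to_database() {
  cat <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-database
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 5432
EOF
}

# deny-all with policyTypes Egress also blocks DNS lookups; without this
# rule pods cannot resolve service names. CoreDNS pods in AKS carry the
# label k8s-app=kube-dns and live in kube-system.
allow_dns_egress() {
  cat <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# Apply the allow rules after the deny-all policy from the guide.
apply_allow_rules() {
  allow_frontend_to_database | kubectl apply -f -
  allow_dns_egress | kubectl apply -f -
}

# Usage: ./aks-netpol.sh audit   |   ./aks-netpol.sh apply
if [ "${1:-}" = "audit" ]; then audit_subscription; fi
if [ "${1:-}" = "apply" ]; then apply_allow_rules; fi
```

Run the audit first; any cluster reported without a policy is in the state described under "A Common Mistake". Apply the deny-all policy from the guide before the allow rules, and keep the DNS rule: a deny-all that includes Egress silently breaks service discovery for every pod in the namespace.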
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.