Azure Kubernetes Service

AUTHORITATIVE GUIDANCE — MANDATORY COMPLIANCE

This skill produces a recommended AKS cluster configuration based on user requirements, distinguishing Day-0 decisions (networking, API server — hard to change later) from Day-1 features (can enable post-creation). See CLI reference for commands.

Quick Reference

mcp_azure_mcp_aks

az aks create

az aks show

kubectl get

kubectl describe

When to Use This Skill

• Create a new AKS cluster
• Plan AKS cluster configuration for production workloads
• Design AKS networking (API server access, pod IP model, egress)
• Set up AKS identity and secrets management
• Configure AKS governance (Azure Policy, Deployment Safeguards)
• Enable AKS observability (Container Insights, Managed Prometheus, Grafana)
• Define AKS upgrade and patching strategy
• Enable AKS cost visibility and analysis
• Understand AKS Automatic vs Standard SKU differences
• Get a Day-0 checklist for AKS cluster setup and configuration

Rules

1. Start with the user's requirements for provisioning compute, networking, security, and other settings.
2. Use the

   azure

   MCP server and select

   mcp_azure_mcp_aks

   first to discover the exact AKS-specific MCP tools surfaced by the client. Choose the smallest discovered AKS tool that fits the task, and fall back to Azure CLI (

   az aks

   ) only when the needed functionality is not exposed through the AKS MCP surface.
3. Determine if AKS Automatic or Standard SKU is more appropriate based on the user's need for control vs convenience. Default to AKS Automatic unless specific customizations are required.
4. Document decisions and rationale for cluster configuration choices, especially for Day-0 decisions that are hard to change later (networking, API server access).

Required Inputs (Ask only what’s needed)

• AKS environment type: dev/test or production
• Region(s), availability zones, preferred node VM sizes
• Expected scale (node/cluster count, workload size)
• Networking requirements (API server access, pod IP model, ingress/egress control)
• Security and identity requirements, including image registry
• Upgrade and observability preferences
• Cost constraints

Workflow

1. Cluster Type

• AKS Automatic (default): Best for most production workloads, provides a curated experience with pre-configured best practices for security, reliability, and performance. Use unless you have specific custom requirements for networking, autoscaling, or node pool configurations not supported by Node Auto-Provisioning (NAP).
• AKS Standard: Use if you need full control over environment configuration, which requires additional overhead to set up and manage.

2. Networking (Pod IP, Egress, Ingress, Dataplane)

• Azure CNI Overlay (recommended): pod IPs from private overlay range, not VNet-routable, scales to large environments and good for most workloads
• Azure CNI (VNet-routable): pod IPs directly from VNet (pod subnet or node subnet), use when pods must be directly addressable from VNet or on-prem
  • Docs: https://learn.microsoft.com/azure/aks/azure-cni-overlay

• Azure CNI powered by Cilium (recommended): eBPF-based for high-performance packet processing, network policies, and observability

• Static Egress Gateway for stable, predictable outbound IPs
• For restricted egress: UDR + Azure Firewall or NVA

• App Routing addon with Gateway API — recommended default for HTTP/HTTPS workloads
• Istio service mesh with Gateway API - for advanced traffic management, mTLS, canary releases
• Application Gateway for Containers — for L7 load balancing with WAF integration

• Enable LocalDNS on all node pools for reliable, performant DNS resolution

3. Security

• Use Microsoft Entra ID everywhere (control plane, Workload Identity for pods, node access). Avoid static credentials.
• Azure Key Vault via Secrets Store CSI Driver for secrets
• Enable Azure Policy + Deployment Safeguards
• Enable Encryption at rest for etcd/API server; in-transit for node-to-node
• Allow only signed, policy-approved images (Azure Policy + Ratify), prefer Azure Container Registry
• Isolation: Use namespaces, network policies, scoped logging

4. Observability

• Use Managed Prometheus and Container Insights with Grafana for AKS observability (logs + metrics).
• Enable Diagnostic Settings to collect control plane logs and audit logs in a Log Analytics workspace for security monitoring and troubleshooting.
• For other monitoring and troubleshooting tools, use features like the Agentic CLI for AKS, Application Insights, Resource Health Center, AppLens detectors, and Azure Advisors.

5. Upgrades & Patching

• Configure Maintenance Windows for controlled upgrade timing
• Enable auto-upgrades for control plane and node OS to stay up-to-date with security patches and Kubernetes versions
• Consider LTS versions for enterprise stability (2-year support) by upgrading your AKS environment to the Premium tier
• Fleet upgrades: Use AKS Fleet Manager for staged rollout across test to production environments

6. Performance

• Use Ephemeral OS disks (

  --node-osdisk-type Ephemeral

  ) for faster node startup
• Select Azure Linux as node OS (smaller footprint, faster boot)
• Enable KEDA for event-driven autoscaling beyond HPA

7. Node Pools & Compute

• Dedicated system node pool: At least 2 nodes, tainted for system workloads only (

  CriticalAddonsOnly

  )
• Enable Node Auto Provisioning (NAP) on all pools for cost savings and responsive scaling
• Use latest generation SKUs (v5/v6) for host-level optimizations
• Avoid B-series VMs — burstable SKUs cause performance/reliability issues
• Use SKUs with at least 4 vCPUs for production workloads
• Set topology spread constraints to distribute pods across hosts/zones per SLO

8. Reliability

• Deploy across 3 Availability Zones (

  --zones 1 2 3

  )
• Use Standard tier for zone-redundant control plane + 99.95% SLA for API server availability
• Enable Microsoft Defender for Containers for runtime protection
• Configure PodDisruptionBudgets for all production workloads
• Use topology spread constraints to ensure pod distribution across failure domains

9. Cost Controls

• Use Spot node pools for batch/interruptible workloads (up to 90% savings)
• Stop/Start dev/test clusters:

  az aks stop/start

• Consider Reserved Instances or Savings Plans for steady-state workloads

Guardrails / Safety

• Do not request or output secrets (tokens, keys).
• If requirements are ambiguous for day-0 critical decisions, ask the user clarifying questions. For day-1 enabled features, propose 2–3 safe options with tradeoffs and choose a conservative default.
• Do not promise zero downtime; advise workload safeguards (PDBs, probes, replicas) and staged upgrades along with best practices for reliability and performance.

MCP Tools

mcp_azure_mcp_aks

Error Handling

az login

az account show

--enable-oidc-issuer --enable-workload-identity