Azure Kubernetes Service Documentation Update: Critical OS Retirements and Networking Enhancements
#Cloud


Cloud Reporter

Microsoft's latest weekly documentation update for Azure Container Services records several strategic shifts, including the retirement of Azure Linux 2.0 and Ubuntu 18.04/20.04 node images, alongside substantial networking improvements. The update covers 167 AKS changes, introducing advanced container networking features, enhanced security controls, and expanded GPU support while setting out migration paths for the legacy operating systems.


Executive Summary: A Week of Major Infrastructure Transitions

The Azure Kubernetes Service documentation update for January 4-11, 2026 is one of the largest weekly releases in recent memory: 167 AKS changes, 9 ACR updates, 27 Fleet Manager modifications, and 1 Application Gateway for Containers enhancement. It sets firm migration timelines for legacy node operating systems while delivering substantial improvements to networking, security, and GPU capabilities.

The most critical updates center on operating system lifecycle management, with Microsoft establishing firm retirement dates for Azure Linux 2.0 and multiple Ubuntu versions. Simultaneously, the platform is advancing its networking stack with enhanced CNI capabilities, improved observability features, and expanded support for dual-stack networking and an nftables backend for kube-proxy.

Operating System Retirement: The Azure Linux 2.0 Countdown

Azure Linux 2.0 End-of-Life Timeline

The documentation now prominently features a notice about Azure Linux 2.0 retirement that affects every AKS node pool running that OS:

  • November 30, 2025: Support and security updates cease for Azure Linux 2.0
  • March 31, 2026: Node images are removed, preventing scaling of existing node pools

This retirement affects all AKS clusters using Azure Linux 2.0 as their node OS. Microsoft explicitly advises users to migrate to supported Azure Linux versions by either:

  1. Upgrading existing node pools to Azure Linux 3.0
  2. Switching OS SKU to AzureLinux3 during cluster creation or node pool updates

The retirement notice appears across multiple documentation pages, including Core AKS Concepts, Node Images, and Best Practices, indicating this is a platform-wide strategic shift rather than a limited deprecation.

Ubuntu Version Retirements

In parallel, AKS is retiring multiple Ubuntu versions:

Ubuntu 18.04

  • Retirement date: June 17, 2025
  • Impact: No new node images, inability to scale existing node pools

Ubuntu 20.04

  • Retirement date: March 17, 2027
  • Impact: Similar to Ubuntu 18.04, with a longer migration window

Ubuntu 24.04 becomes the new default for Kubernetes versions 1.35 and above, representing a significant version jump that may require application compatibility testing.

Migration Strategy and Operational Impact

For enterprise customers, these retirements create immediate operational imperatives:

Immediate Actions Required:

  • Audit all AKS clusters for current OS SKU versions
  • Upgrade Azure Linux 2.0 node pools before March 31, 2026, when their node images are removed (they have received no security updates since November 30, 2025)
  • Test applications on Azure Linux 3.0 and Ubuntu 24.04
  • Update Infrastructure as Code (IaC) templates to specify new OS versions

Cost and Capacity Planning:

  • Node pool upgrades may require temporary capacity surges
  • Consider using AKS Automatic with managed system node pools for simplified operations
  • Evaluate capacity reservation groups to ensure upgrade resources
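The inventory step above is easy to script. The following is an added example, not code from the AKS documentation: it reads the JSON printed by `az aks nodepool list` and flags node pools whose node image is a retired or retiring OS, using the dates quoted in this article. The node image naming pattern it parses, the `--os-sku` targets it suggests (the migration paths the article lists) and the sample pools are assumptions or constructed data; confirm that an in-place `--os-sku` change is supported for a given pool before running the emitted commands.

```python
"""Flag AKS node pools whose node OS is retired or retiring.

Added example, not from the AKS documentation. Input is the JSON printed by
  az aks nodepool list -g <rg> --cluster-name <cluster> -o json
Assumptions: nodeImageVersion follows the pattern AKS<OS>-<variant>-<YYYYMM.DD.R>
(e.g. AKSUbuntu-2204gen2containerd-202511.01.0, AKSAzureLinux-V2gen2-202511.01.0),
and CBL-Mariner 2.0 images are the same OS as Azure Linux 2.0.
"""
import json
import re
import sys
from datetime import date

# Milestones quoted in the article: (name, end of support, node images removed, target --os-sku).
# The Ubuntu entries carry a single retirement date, so both milestones are the same day.
RETIRED = {
    "Ubuntu-1804":   ("Ubuntu 18.04",    date(2025, 6, 17),  date(2025, 6, 17),  "Ubuntu2404"),
    "Ubuntu-2004":   ("Ubuntu 20.04",    date(2027, 3, 17),  date(2027, 3, 17),  "Ubuntu2404"),
    "AzureLinux-V2": ("Azure Linux 2.0", date(2025, 11, 30), date(2026, 3, 31),  "AzureLinux3"),
}

IMAGE_RE = re.compile(r"^AKS(?P<os>Ubuntu-\d{4}|AzureLinux-V\d|CBLMariner-V\d)")


def image_os_key(node_image_version):
    """Map a nodeImageVersion string to an OS key such as 'Ubuntu-2204'; None if unrecognised."""
    match = IMAGE_RE.match(node_image_version or "")
    if not match:
        return None
    return match.group("os").replace("CBLMariner", "AzureLinux")


def audit_nodepools(pools, resource_group, cluster, today):
    """Return one finding per pool that runs a retired OS, in input order."""
    findings = []
    for pool in pools:
        key = image_os_key(pool.get("nodeImageVersion"))
        if key not in RETIRED:
            continue
        os_name, end_of_support, images_removed, target_sku = RETIRED[key]
        if today >= images_removed:
            status = "blocked"       # no node images left: the pool cannot scale out or upgrade
        elif today >= end_of_support:
            status = "unsupported"   # images still exist, but no more security updates
        else:
            status = "plan"          # still supported; schedule the migration
        findings.append({
            "pool": pool["name"],
            "os": os_name,
            "status": status,
            "days_until_images_removed": (images_removed - today).days,
            # --os-sku values are the migration targets the article lists (assumed accepted in place).
            "remediation": (
                f"az aks nodepool update -g {resource_group} --cluster-name {cluster} "
                f"-n {pool['name']} --os-sku {target_sku}"
            ),
        })
    return findings


# Constructed sample in the shape of `az aks nodepool list -o json` (only the fields used here).
SAMPLE_POOLS = json.loads("""
[
  {"name": "system", "mode": "System", "osSku": "AzureLinux",
   "nodeImageVersion": "AKSAzureLinux-V2gen2-202511.01.0", "count": 3},
  {"name": "apps",   "mode": "User",   "osSku": "Ubuntu",
   "nodeImageVersion": "AKSUbuntu-2204gen2containerd-202511.01.0", "count": 10},
  {"name": "gpu",    "mode": "User",   "osSku": "Ubuntu",
   "nodeImageVersion": "AKSUbuntu-2004gen2containerd-202409.01.0", "count": 2},
  {"name": "legacy", "mode": "User",   "osSku": "Ubuntu",
   "nodeImageVersion": "AKSUbuntu-1804gen2containerd-202505.01.0", "count": 1}
]
""")


if __name__ == "__main__":
    # Real use: az aks nodepool list -g RG --cluster-name NAME -o json | python audit.py RG NAME
    pools = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POOLS
    args = sys.argv[1:]
    rg = args[0] if len(args) > 0 else "example-rg"
    cluster = args[1] if len(args) > 1 else "example-aks"
    for f in audit_nodepools(pools, rg, cluster, date.today()):
        print(f"{f['pool']:<8} {f['os']:<16} {f['status']:<12} "
              f"images removed in {f['days_until_images_removed']:>5} days  -> {f['remediation']}")
```

Run it against each cluster in each subscription, and treat any "blocked" finding as an incident: such a pool can no longer scale out, so the only path is to create a replacement pool on a supported OS, cordon and drain the old one, then delete it.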

Networking Evolution: Advanced Container Networking Services

Azure CNI Overlay Expansion

The Azure CNI Overlay networking model received substantial updates, particularly around pod CIDR expansion capabilities. The documentation now provides comprehensive guidance on expanding pod CIDR space without requiring cluster recreation—a critical capability for growing deployments.

Key Networking Enhancements:

Dual-Stack Support

  • Azure CNI Overlay now supports dual-stack networking (IPv4 + IPv6)
  • Requires Azure CLI 2.48.0+ and Kubernetes 1.26.3+
  • Enables modern application architectures requiring both IP versions

Cilium Integration

  • Azure CNI Powered by Cilium is now selected with the --network-dataplane cilium flag
  • This replaces the deprecated --enable-ebpf-dataplane flag
  • Provides enhanced network policy enforcement and observability

nftables Backend for kube-proxy

  • New nftables backend available alongside iptables and IPVS
  • Recommended for better performance and scalability
  • Requires AKS API version updates

Advanced Container Networking Services (ACNS)

The ACNS overview has been restructured to highlight three core capabilities:

  1. Container Network Observability: Enhanced traffic visibility and debugging
  2. Container Network Security: Advanced policy enforcement
  3. Container Network Performance: Optimization features

The documentation now includes detailed guidance on configuring container network logs, with a significant naming change effective November 11, 2025. Users must transition from RetinaNetworkFlowLogs to ContainerNetworkLog for custom resource definitions, CLI flags, and Log Analytics tables.

Static Egress Gateway Enhancements

The Static Egress Gateway now supports static private IP addresses in preview, requiring:

  • Kubernetes version 1.34 or later
  • Microsoft.ContainerService/StaticEgressGatewayPreview feature flag
  • Specific CLI parameters for private IP configuration

This feature lets organizations keep a consistent egress IP address for firewall rules and allow-lists on external services.

Security and Identity Management

Workload Identity Evolution

The Microsoft Entra Workload ID documentation has been expanded with:

New Capabilities:

  • Workload identity assignment for seamless Azure resource access
  • Clear prerequisites and limitations documentation
  • Maximum federated identity credential limits and propagation timing

Migration Path from Pod Identity: The documentation now provides three migration approaches for moving from pod-managed identities to Workload ID:

  1. Parallel deployment with latest Azure Identity SDK
  2. Migration sidecar for older SDK versions (Linux only)
  3. Application rewrite using latest SDK
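Whichever migration approach is chosen, the first thing to check when a migrated workload fails to obtain an Entra token is whether the projected service-account token actually matches the federated identity credential. The following is an added example, not code from the AKS documentation or the Azure Identity SDK: it decodes the projected token's claims and compares issuer, subject and audience with the values the federated credential expects. The issuer URL is a placeholder, and the token it builds is constructed and HS256-signed with a throwaway key; real tokens are RS256-signed by the cluster's OIDC issuer.

```python
"""Inspect the service-account token that Microsoft Entra Workload ID exchanges.

Added example, not code from the AKS documentation. With Workload ID the pod
receives a projected Kubernetes service-account token (path in
AZURE_FEDERATED_TOKEN_FILE, normally /var/run/secrets/azure/tokens/azure-identity-token)
and the Azure Identity SDK exchanges it for an Entra token. The exchange only
succeeds when the token's iss, sub and aud match the federated identity
credential on the managed identity exactly. This helper decodes the claims
(signature verification is Entra's job, not the pod's) and reports mismatches.
"""
import base64
import hashlib
import hmac
import json
import time

TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token):
    """Return the JWT payload as a dict without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_federated_token(token, *, issuer, namespace, service_account,
                          audience=TOKEN_EXCHANGE_AUDIENCE, now=None):
    """Compare token claims with the federated identity credential; return a list of problems."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match credential issuer {issuer!r}")
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} does not match credential subject {expected_sub!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # projected tokens carry a list
    if audience not in aud:
        problems.append(f"aud {aud!r} does not include {audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired; the kubelet rotates projected tokens, so re-read the file")
    return problems


def make_test_token(claims, key=b"constructed-test-key"):
    """Build a constructed HS256 JWT for testing; this is not how AKS issues tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


# Placeholder issuer. Read the real one with:
#   az aks show -g <rg> -n <cluster> --query oidcIssuerProfile.issuerUrl -o tsv
ISSUER = "https://example.oic.prod-aks.azure.com/tenant-id/issuer-id/"

if __name__ == "__main__":
    token = make_test_token({"iss": ISSUER, "sub": "system:serviceaccount:payments:api",
                             "aud": [TOKEN_EXCHANGE_AUDIENCE], "exp": int(time.time()) + 3600})
    print(check_federated_token(token, issuer=ISSUER, namespace="payments", service_account="api"))
```

Inside a real pod, read the token from the path in `AZURE_FEDERATED_TOKEN_FILE` and pass the issuer, namespace and service-account name configured on the federated identity credential; a trailing-slash difference in the issuer URL is enough to make the exchange fail.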

Enhanced Access Controls

Privileged Identity Management (PIM) now supports node access in addition to cluster access:

  • Just-in-time SSH permissions for cluster nodes
  • Centralized identity management without SSH key overhead
  • Enhanced security posture for administrative access

Conditional Access Integration

The Access Control documentation now includes detailed guidance for:

  • Configuring Conditional Access for SSH node access
  • Setting up policies for both control plane and node-level access
  • Verifying access configurations

Certificate Management

Custom Certificate Authorities now have clarified limitations:

  • Certificates added to the AKS node trust store are NOT visible to pod containers
  • Containers carry their own root filesystem and trust store, so a CA must be injected separately: baked into the image, or mounted at runtime (for example from a ConfigMap) and referenced by the application's CA bundle setting
  • This keeps node-level trust from leaking into workloads, at the cost of an extra configuration step per image or deployment

Certificate Rotation documentation now includes:

  • Manual rotation procedures
  • Automatic rotation enablement
  • Prerequisites including Azure CLI 2.0.77+
  • Component-specific expiration checks

GPU and Compute Enhancements

Multi-Instance GPU Expansion

The GPU Multi-Instance feature now supports:

  • Standard_ND96isr_H100_v5 VM size (new addition)
  • Previously supported: Standard_NC40ads_H100_v5 and A100 GPU VMs

This expansion enables more granular GPU partitioning for high-performance computing workloads.

GPU Health Monitoring

New GPU Health Monitoring capabilities include:

  • NVIDIA GRID Driver License Check: Verifies license status for supported NVIDIA VM SKUs
  • A10 SKU support: Health checks now include GRID driver license verification
  • Enhanced troubleshooting for GPU node issues

Confidential Containers

The Confidential Containers documentation maintains its focus on:

  • Trusted execution environments
  • Default policy deployment guidance
  • Integration with workload identity

Application Gateway for Containers

Component Architecture Clarifications

The Application Gateway for Containers documentation has been updated to clarify:

  • Child resource exclusivity: Child resources belong to exactly one parent Application Gateway for Containers resource and cannot be shared between gateways
  • Managed identity requirements: Each Azure Load Balancer Controller requires a user-assigned managed identity
  • Component definitions: Clearer separation of gateway, listener, and routing resources

Fleet Manager Updates

Multi-Cluster Management Capabilities

Resource Placement Enhancements:

  • Namespace-scoped propagation: Fine-grained control using ResourcePlacement API
  • Status reporting: Two methods for viewing placement status (cluster-scoped and namespace-scoped)
  • Staged deployment patterns: Three-stage deployment (staging → canary → production) with manual approval gates

Scale Improvements:

  • Cluster limit increase: From 100 to 200 member clusters
  • Arc-enabled Kubernetes support: Currently in preview
  • Managed Fleet Namespaces: Enhanced with Azure RBAC integration

Deployment Strategies

The Rollout Strategy documentation now includes:

  • Example deployment patterns with practical scenarios
  • Clarified resourceSnapshotIndex field usage
  • Manual approval workflows for production deployments

Container Registry (ACR) Updates

Authentication and Security

Cross-Tenant Authentication for AKS and ACR:

  • Multi-tenant app creation in Tenant A
  • Provisioning in Tenant B
  • Service principal configuration for AKS clusters

Artifact Streaming (Preview):

  • Repository and tag-level streaming initiation
  • Single registry storage with streaming capabilities
  • Currently in preview status

Content Trust Retirement:

  • Docker Content Trust cannot be enabled on new registries after May 31, 2026
  • Existing enabled registries are grandfathered
  • Migration planning required for affected organizations

Network Access Controls:

  • IP access rule limit increased from 100 to 200 per registry
  • Soft delete policy limitations clarified (no support for zone redundancy, geo-replication, or artifact cache)

Operational Excellence and Best Practices

Control Plane Scaling

New Control Plane Scaling documentation explains:

  • Resource scaling management within AKS clusters
  • Performance implications of scaling operations
  • Verification via large-cluster-control-plane-scaling-status ConfigMap

Performance Optimization

The Performance Best Practices documentation now emphasizes:

  • API Server Load: Response size matters more than object count
  • etcd Optimization: Keep the etcd database small by trimming oversized resource specifications
  • Retry Policies: Implement exponential backoffs to prevent API server overload
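The retry-policy point deserves more than a bullet, because a naive retry loop is exactly what turns a brief API server overload into a sustained one. The following is an added example, not code from the AKS documentation: a client-side helper that retries only retryable statuses, honours the Retry-After header the API server sends with 429 responses, otherwise backs off exponentially with full jitter under a cap, and gives up after a bounded number of attempts. The `ApiError` class and `make_flaky` stand-in are constructed in place of a real HTTP client.

```python
"""Exponential backoff with jitter for calls to the Kubernetes API server.

Added example, not from the AKS documentation. The API server answers
overload with HTTP 429 (with a Retry-After header under API Priority and
Fairness) or 5xx. Retrying immediately, or on a fixed timer, makes things
worse; this helper waits base * 2**attempt seconds (capped) with full jitter
so many clients do not retry in lockstep, and defers to Retry-After when the
server sends one. In a real client the status and Retry-After come from the
HTTP response (e.g. kubernetes.client.rest.ApiException); ApiError below is a
constructed stand-in.
"""
import random
import time

RETRYABLE_STATUSES = {429, 500, 502, 503, 504}


class ApiError(Exception):
    """Minimal stand-in for an HTTP error raised by a Kubernetes client."""

    def __init__(self, status, retry_after=None):
        super().__init__(f"HTTP {status}")
        self.status = status
        self.retry_after = retry_after   # seconds from the Retry-After header, if any


def backoff_delay(attempt, *, base=0.5, cap=30.0, retry_after=None, rng=random.random):
    """Seconds to wait before retry number `attempt` (0-based)."""
    if retry_after is not None:
        return min(cap, float(retry_after))          # the server said when to come back
    return rng() * min(cap, base * (2 ** attempt))   # full jitter: uniform in [0, capped backoff]


def call_with_backoff(fn, *, max_attempts=6, base=0.5, cap=30.0,
                      sleep=time.sleep, rng=random.random):
    """Call fn() until it succeeds and return (result, delays slept).

    Non-retryable errors are re-raised at once; retryable ones are re-raised
    once max_attempts is exhausted, so callers never loop forever.
    """
    delays = []
    for attempt in range(max_attempts):
        try:
            return fn(), delays
        except ApiError as err:
            if err.status not in RETRYABLE_STATUSES or attempt == max_attempts - 1:
                raise
            delay = backoff_delay(attempt, base=base, cap=cap, retry_after=err.retry_after, rng=rng)
            delays.append(delay)
            sleep(delay)
    raise RuntimeError("max_attempts must be at least 1")


def make_flaky(responses):
    """Constructed stand-in: a callable that replays `responses` (ApiError instances or results)."""
    queue = list(responses)

    def call():
        item = queue.pop(0)
        if isinstance(item, ApiError):
            raise item
        return item
    return call


if __name__ == "__main__":
    # Constructed scenario: throttled with Retry-After, then a 503, then success.
    list_pods = make_flaky([ApiError(429, retry_after=2), ApiError(503), {"items": ["pod-a", "pod-b"]}])
    result, delays = call_with_backoff(list_pods, sleep=lambda s: None)
    print(result, [round(d, 2) for d in delays])
```

Two details matter in production: keep the cap well below any watchdog that would restart the caller, and never retry 4xx errors other than 429, since a 403 from RBAC or a 409 conflict will not fix itself by waiting.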

Monitoring and Observability

AKS Monitoring has been enhanced with:

  • Azure Copilot integration for monitoring configuration
  • Built-in health and performance insights
  • Enhanced metrics, logs, and observability integration

Migration and Upgrade Planning

Node Pool Upgrade Strategies

The documentation provides comprehensive guidance on rolling upgrades with:

  • Surge configuration options
  • Drain timeout settings
  • Soak time parameters

Capacity Planning for Upgrades:

  • Surge node requirements calculation
  • Quota management considerations
  • IP address planning for node pool expansions
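The three capacity items above reduce to arithmetic that is worth getting right before a migration window. The following is an added example, not code from the AKS documentation: given a pool's node count, its max-surge setting, the VM size's vCPU count and its pod limit, it returns the peak footprint of a rolling upgrade and checks it against the vCPU quota and the node subnet. The IP rules follow this article (one VNet IP per node for overlay and kubenet, maxPods + 1 for flat Azure CNI) and Azure's reservation of five addresses per subnet; the sample values are constructed.

```python
"""Surge capacity, quota and IP planning for an AKS node pool upgrade.

Added example, not from the AKS documentation. A rolling upgrade adds surge
nodes before draining old ones, so for its duration the pool peaks at
count + surge. Max surge is either an absolute node count ("3") or a
percentage of the pool ("33%"), with percentages rounded up.
"""
import ipaddress
import math

AZURE_RESERVED_PER_SUBNET = 5   # network, gateway, two DNS, broadcast


def surge_nodes(node_count, max_surge):
    """Extra nodes an upgrade may add, from an absolute value or a percentage."""
    value = str(max_surge).strip()
    if value.endswith("%"):
        extra = math.ceil(node_count * int(value[:-1]) / 100)   # percentages round up
    else:
        extra = int(value)
    if extra < 1:
        raise ValueError("max surge must allow at least one node or the upgrade cannot progress")
    return extra


def vnet_ips_per_node(network_plugin, max_pods):
    """VNet addresses one node consumes under the given CNI mode."""
    if network_plugin in ("overlay", "kubenet"):
        return 1                 # pods are addressed from the pod CIDR, not the VNet
    if network_plugin == "azure":
        return max_pods + 1      # flat Azure CNI: node IP plus one pre-allocated IP per pod slot
    raise ValueError(f"unknown network plugin {network_plugin!r}")


def upgrade_capacity(node_count, max_surge, vcpus_per_node, max_pods, network_plugin):
    """Peak footprint of a rolling upgrade of one node pool."""
    extra = surge_nodes(node_count, max_surge)
    per_node_ips = vnet_ips_per_node(network_plugin, max_pods)
    peak = node_count + extra
    return {
        "surge_nodes": extra,
        "peak_nodes": peak,
        "extra_vcpus": extra * vcpus_per_node,
        "vnet_ips_at_peak": peak * per_node_ips,
        "extra_vnet_ips": extra * per_node_ips,
    }


def fits_quota(extra_vcpus, quota_limit, quota_used):
    """Does the surge fit in the remaining regional vCPU quota for the VM family?"""
    return quota_used + extra_vcpus <= quota_limit


def subnet_has_room(subnet_cidr, ips_in_use, extra_ips):
    """Can the node subnet absorb the surge nodes?"""
    usable = ipaddress.ip_network(subnet_cidr).num_addresses - AZURE_RESERVED_PER_SUBNET
    return ips_in_use + extra_ips <= usable


if __name__ == "__main__":
    # Constructed pool: 10 nodes, 33% surge, 8 vCPU each, 30 pods per node, flat Azure CNI.
    plan = upgrade_capacity(10, "33%", 8, 30, "azure")
    print(plan)
    print("quota ok:", fits_quota(plan["extra_vcpus"], quota_limit=200, quota_used=160))
    print("subnet ok:", subnet_has_room("10.240.0.0/23", ips_in_use=10 * 31,
                                        extra_ips=plan["extra_vnet_ips"]))
```

Read the live numbers from `az vm list-usage` for the quota side and from the subnet's available-address count for the IP side; when several pools share a subnet, sum their surge requirements, because the upgrade orchestrator may surge more than one pool in the same window.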

OS Version Migration

Ubuntu Migration Path:

  • Default to Ubuntu 24.04 for Kubernetes 1.35+
  • Specify --os-sku Ubuntu2404 for explicit version control
  • Graceful migration from older versions

Azure Linux Migration Path:

  • Upgrade node pools to Azure Linux 3.0
  • Switch osSku to AzureLinux3
  • Test application compatibility before production migration

Key Technical Considerations

Networking Architecture Changes

Azure CNI Overlay vs. Flat Networking:

  • Overlay model: Pods draw addresses from a private pod CIDR rather than the VNet, with each node allocated a /24 from it, so VNet IP usage stays low
  • Flat networking: Direct VNET integration, different IP planning requirements
  • Dual-stack support requires careful IP address space planning
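The pod CIDR expansion described under Azure CNI Overlay and the dual-stack planning point above come down to the same address arithmetic, so one added example (not code from the AKS documentation) serves both: it validates a pod/service/VNet plan. In overlay each node takes a /24 from the pod CIDR, so the IPv4 pod CIDRs bound the node count; nothing in the plan may overlap; a dual-stack plan needs both families on both pod and service ranges; and an expansion must keep every range that already carries pods. That last rule and the sample plans are assumptions and constructed data; `ipaddress` is strict about host bits, so a mistyped CIDR fails early.

```python
"""Validate an Azure CNI Overlay address plan (single- or dual-stack) and a pod CIDR expansion.

Added example, not code from the AKS documentation. Rules applied:
  * each node gets a /24 of IPv4 pod space, so the IPv4 pod CIDRs bound the node count;
  * pod, service and VNet ranges must not overlap one another within an address family;
  * a dual-stack plan has both IPv4 and IPv6 pod and service ranges;
  * an expansion must still contain every pod CIDR currently in use
    (assumption: removing a range that has running pods is never intended).
"""
import ipaddress

NODE_POD_PREFIX_V4 = 24   # overlay hands every node a /24 of pod addresses


def _nets(cidrs):
    # strict=True (the default) rejects CIDRs with host bits set, e.g. 10.244.1.0/16
    return [ipaddress.ip_network(c) for c in cidrs]


def max_nodes_v4(pod_cidrs):
    """How many nodes the IPv4 pod CIDRs can carry at one /24 per node."""
    total = 0
    for net in _nets(pod_cidrs):
        if net.version != 4:
            continue
        if net.prefixlen > NODE_POD_PREFIX_V4:
            raise ValueError(f"{net} is smaller than the /{NODE_POD_PREFIX_V4} a single node needs")
        total += 2 ** (NODE_POD_PREFIX_V4 - net.prefixlen)
    return total


def check_plan(plan, existing_pod_cidrs=()):
    """Check a plan dict with pod_cidrs, service_cidrs, vnet_cidrs and planned_nodes.

    Returns {'problems': [...], 'max_nodes_v4': n}; an empty problem list means the plan is usable.
    """
    problems = []
    ranges = ([("pod", n) for n in _nets(plan["pod_cidrs"])]
              + [("service", n) for n in _nets(plan["service_cidrs"])]
              + [("vnet", n) for n in _nets(plan["vnet_cidrs"])])

    # Pairwise overlap check across everything in the same address family.
    for i, (label_a, a) in enumerate(ranges):
        for label_b, b in ranges[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"{label_a} {a} overlaps {label_b} {b}")

    # Dual-stack consistency: pod and service ranges must cover the same families.
    pod_families = {n.version for label, n in ranges if label == "pod"}
    svc_families = {n.version for label, n in ranges if label == "service"}
    if pod_families != svc_families:
        problems.append(f"pod families {sorted(pod_families)} != service families {sorted(svc_families)}")

    # Expansion safety: every range that already carries pods must survive, whole.
    pod_nets = [n for label, n in ranges if label == "pod"]
    for old in _nets(existing_pod_cidrs):
        if not any(old.version == new.version and old.subnet_of(new) for new in pod_nets):
            problems.append(f"existing pod CIDR {old} is not contained in the new plan")

    capacity = max_nodes_v4(plan["pod_cidrs"])
    if capacity < plan.get("planned_nodes", 0):
        problems.append(f"pod CIDRs allow {capacity} nodes, plan needs {plan['planned_nodes']}")
    return {"problems": problems, "max_nodes_v4": capacity}


if __name__ == "__main__":
    # Constructed: grow a /16 overlay cluster to 400 nodes by adding a second /16, and go dual-stack.
    today = {"pod_cidrs": ["10.244.0.0/16"], "service_cidrs": ["10.0.0.0/16"],
             "vnet_cidrs": ["10.1.0.0/16"], "planned_nodes": 200}
    expanded = {"pod_cidrs": ["10.244.0.0/16", "10.245.0.0/16", "fd00:244::/48"],
                "service_cidrs": ["10.0.0.0/16", "fd00:0:1::/108"],
                "vnet_cidrs": ["10.1.0.0/16", "fd00:1::/48"], "planned_nodes": 400}
    print(check_plan(today))
    print(check_plan(expanded, existing_pod_cidrs=today["pod_cidrs"]))
```

Feed `vnet_cidrs` with every peered and on-premises range the cluster must reach, not just its own VNet: an overlap with a peered network is the classic overlay mistake, and it only surfaces when pods try to reach the colliding range.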

API Server VNet Integration Limitations:

  • Virtual Network Encryption is not supported on clusters that use API Server VNet Integration
  • VM SKUs v3 or earlier: clusters can be created, but API server traffic is not encrypted
  • VM SKUs v4 or later: cluster creation in an encrypted VNet is blocked

Security Posture Enhancements

Pod Security Standards:

  • Deployment Safeguards now support Pod Security Standards
  • Baseline level enabled by default in AKS Automatic
  • Cannot be disabled in AKS Automatic (enforced security)
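Because AKS Automatic enforces the baseline profile and will not let you turn it off, workloads that violate it are rejected at admission rather than at review time. The following is an added example, not the Deployment Safeguards implementation: a plain-Python check over a pod manifest that mirrors a subset of the baseline rules, so violations can be caught in CI before a deployment is refused. It covers host namespaces, privileged containers, added capabilities outside the baseline allow-list, hostPath volumes, hostPort, seccomp Unconfined and non-default procMount; it does not cover sysctls, Windows HostProcess or AppArmor. Both pod specs are constructed.

```python
"""Check a pod spec against a subset of the Pod Security Standards 'baseline' profile.

Added example, not the Deployment Safeguards implementation. The full profile
is defined in the upstream Pod Security Standards; the rules below are the
ones most often tripped by debug and networking pods.
"""

# Capabilities the baseline profile allows a container to add.
BASELINE_ALLOWED_CAPABILITIES = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def _all_containers(spec):
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            yield container


def baseline_violations(pod):
    """Return human-readable baseline violations; an empty list means the pod passes."""
    spec = pod.get("spec") or {}
    violations = []

    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field} is true")

    if ((spec.get("securityContext") or {}).get("seccompProfile") or {}).get("type") == "Unconfined":
        violations.append("spec.securityContext.seccompProfile.type is Unconfined")

    for volume in spec.get("volumes") or []:
        if "hostPath" in volume:
            violations.append(f"volume {volume.get('name')!r} uses hostPath")

    for container in _all_containers(spec):
        name = container.get("name", "?")
        sc = container.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {name!r} is privileged")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        disallowed = added - BASELINE_ALLOWED_CAPABILITIES
        if disallowed:
            violations.append(f"container {name!r} adds capabilities {sorted(disallowed)}")
        if (sc.get("seccompProfile") or {}).get("type") == "Unconfined":
            violations.append(f"container {name!r} sets seccompProfile Unconfined")
        if sc.get("procMount") not in (None, "Default"):
            violations.append(f"container {name!r} sets procMount {sc['procMount']!r}")
        for port in container.get("ports") or []:
            if port.get("hostPort"):
                violations.append(f"container {name!r} binds hostPort {port['hostPort']}")
    return violations


# Constructed pods: a debug pod the baseline profile rejects, and a compliant web pod.
DEBUG_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "netdebug"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["NET_ADMIN", "CHOWN"]}},
        }],
    },
}

WEB_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "nginx",
            "ports": [{"containerPort": 8080}],
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (DEBUG_POD, WEB_POD):
        print(pod["metadata"]["name"], baseline_violations(pod) or "baseline OK")
```

Run it over rendered manifests (the output of `helm template` or `kustomize build`) in the pipeline; the check is deliberately conservative, so a pod that passes here may still be refused by the full profile, but a pod that fails here will certainly be refused.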

KMS Encryption Evolution:

  • Legacy KMS experience vs. new KMS data encryption
  • Platform-managed keys with automatic rotation
  • Customer-managed keys support
  • Firewall configuration requirements for KMS

Storage and CSI Drivers

Azure Disk CSI Driver:

  • Performance improvements for concurrent disk operations
  • Zone-redundant storage (ZRS) disk support
  • Enhanced dynamic volume provisioning

Azure Files CSI Driver:

  • Managed identity-based authentication
  • NFS encryption in transit (encryptInTransit: "true")
  • Simplified access management

Action Items for Cloud Architects

Immediate Priorities (Next 30 Days)

  1. Inventory OS Versions: Document all AKS clusters using Azure Linux 2.0, Ubuntu 18.04, or Ubuntu 20.04
  2. Test Azure Linux 3.0: Deploy non-production clusters to validate application compatibility
  3. Review Networking: Assess current CNI configuration and plan for dual-stack if needed
  4. Security Audit: Evaluate PIM, Conditional Access, and Workload Identity implementation

Medium-term Planning (30-90 Days)

  1. Migration Execution: Begin upgrading node pools to supported OS versions
  2. Network Modernization: Implement ACNS features for enhanced observability
  3. GPU Workload Optimization: Evaluate multi-instance GPU support for HPC workloads
  4. Fleet Strategy: Consider Fleet Manager for multi-cluster management if managing 5+ clusters

Long-term Strategy (90+ Days)

  1. AKS Automatic Evaluation: Assess managed system node pools for operational efficiency
  2. Confidential Computing: Evaluate confidential containers for sensitive workloads
  3. Advanced Networking: Implement advanced container networking services for enterprise requirements
  4. Cost Optimization: Review pricing tiers (Free, Standard, Premium) and LTS plans

Conclusion

This documentation update represents a significant inflection point for Azure Kubernetes Service, balancing operational continuity with platform advancement. The mandatory OS migrations require immediate attention, while the networking and security enhancements provide substantial value for modern cloud-native architectures.

Organizations should prioritize OS migration planning while leveraging new capabilities like advanced container networking, enhanced GPU support, and improved multi-cluster management. The breadth of changes—from fundamental OS retirements to sophisticated networking features—demonstrates Microsoft's commitment to evolving AKS as an enterprise-grade Kubernetes platform.

For the most current information and detailed migration guides, refer to the official AKS documentation and the AKS Release Tracker.


This analysis is based on the weekly documentation update from January 4-11, 2026, covering 224 total changes across Azure Container Services.
