MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Missing information on AKS with no network policy engine #121614

Open tnn-simon opened 2 months ago

tnn-simon commented 2 months ago

Please document whether users (AKS operators) can bring their own network policy engine when an AKS cluster is configured with networkProfile.networkPolicy: none. Currently, the only mention of AKS with no network policy engine is in the context of uninstalling an existing network policy engine.

Why am I missing this information? I'm currently running with Calico as network policy engine, but I'm considering replacing it with self-managed Antrea (in network policy engine mode). The plan is to run Antrea alongside a managed network plugin (Azure CNI in my case). Antrea offers capabilities otherwise only available in the enterprise editions of Calico and Cilium (e.g. network policy audit logging, FQDN-based network policies), and it even has a more advanced rule priority model.



TPavanBalaji commented 2 months ago

@tnn-simon Thanks for your feedback! We will investigate and update as appropriate.

ManoharLakkoju-MSFT commented 2 months ago

Hi @tnn-simon, the AKS documentation states that if you set the networkProfile.networkPolicy field to none, then no network policy engine is installed in the AKS cluster. This means that you can bring your own network policy engine to the cluster if you choose to do so. However, it is important to note that if you bring your own network policy engine, you will be responsible for managing and maintaining it yourself.

In your case, if you want to replace Calico with Antrea as the network policy engine, you can do so by setting networkProfile.networkPolicy to none and then installing and configuring Antrea in your AKS cluster. You can run Antrea alongside a managed network plugin like Azure CNI, as you mentioned.

It's worth noting that while AKS supports bringing your own network policy engine, Microsoft recommends using the built-in network policy engine for most use cases. This is because the built-in network policy engine is fully supported by Microsoft and is designed to work seamlessly with AKS. If you have any specific questions or concerns about bringing your own network policy engine to AKS, please let me know and I'll do my best to help you out.
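The path described in the answer above, as an added example that is not part of this thread nor of the AKS or Antrea documentation: a bash script that sets networkProfile.networkPolicy to none on an existing Azure CNI cluster, confirms the managed engine is gone, installs Antrea in its NetworkPolicy-only mode, and then checks that a default-deny policy is really enforced, because NetworkPolicy objects are silently ignored while no engine is running. The resource group and cluster names, the Antrea version, the manifest URLs and the probe namespace are assumptions.

```shell
# Move an AKS cluster from the managed network policy engine to self-managed Antrea.
# RG, CLUSTER and ANTREA_VERSION are assumed values; needs az and kubectl against the cluster.
set -eu
RG="${RG:-my-rg}"; CLUSTER="${CLUSTER:-my-aks}"
ANTREA_VERSION="${ANTREA_VERSION:-v1.15.0}"
ANTREA_BASE="https://github.com/antrea-io/antrea/releases/download/${ANTREA_VERSION}"

# Pure helper: does a networkProfile.networkPolicy value mean "no managed engine"?
# Clusters created without the field report null, which `-o tsv` prints as an empty string.
policy_engine_is_none() {
  case "${1:-}" in none|"") return 0 ;; *) return 1 ;; esac
}

# Step 1: uninstall the managed engine (Calico here). From this point until the new
# engine's agents are running, NetworkPolicy objects still exist but nothing enforces them.
remove_managed_engine() {
  az aks update --resource-group "$RG" --name "$CLUSTER" --network-policy none
}

# Step 2: confirm the control plane no longer reports a managed engine.
verify_no_managed_engine() {
  local current
  current="$(az aks show -g "$RG" -n "$CLUSTER" --query networkProfile.networkPolicy -o tsv)"
  policy_engine_is_none "$current" || { echo "managed engine still set: $current" >&2; return 1; }
}

# Step 3: install Antrea in NetworkPolicy-only mode next to Azure CNI
# (assumption: the AKS manifests published with each Antrea release).
install_antrea() {
  kubectl apply -f "${ANTREA_BASE}/antrea-aks-node-init.yml"
  kubectl apply -f "${ANTREA_BASE}/antrea-aks.yml"
  kubectl -n kube-system rollout status ds/antrea-agent --timeout=5m
}

# Step 4: prove enforcement before calling the migration done: a default-deny egress
# policy in a scratch namespace must actually block a probe pod's outbound request.
verify_enforcement() {
  kubectl create namespace npe-check --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n npe-check apply -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-egress}
spec: {podSelector: {}, policyTypes: [Egress]}
EOF
  if kubectl -n npe-check run probe --rm -i --restart=Never --image=busybox:1.36 -- \
       wget -q -T 5 -O - http://example.com >/dev/null 2>&1; then
    echo "egress succeeded despite default-deny: policy is NOT enforced" >&2; return 1
  fi
  kubectl delete namespace npe-check --wait=false
}
```

Call the four functions in order after logging in with az and pointing kubectl at the cluster. The last step is the one worth keeping in a change checklist: a cluster with no engine does not fail loudly, it just stops enforcing policy.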

tnn-simon commented 2 months ago

Thanks for the quick response, @ManoharLakkoju-MSFT.

... This means that you can bring your own network policy engine to the cluster if you choose to do so. However, it is important to note that if you bring your own network policy engine, you will be responsible for managing and maintaining it yourself.

This was exactly the information I needed from the documentation. I am conducting a proactive risk analysis before switching the network policy engine, and it would be beneficial to have a statement confirming whether AKS will maintain support for this path and its underlying assumptions.

ManoharLakkoju-MSFT commented 2 months ago

@tnn-simon I'm going to assign this to the document author so they can take a look at it accordingly.

@schaffererin Can you please check and add your comments on this doc update request as applicable.