Support for Advanced Container Networking Services (ACNS)

[EppO]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

Add support for ACNS that brings Advanced Network Observability and also support for FQDN-based network policies

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Potential Terraform Configuration

resource "azurerm_kubernetes_cluster" "test" {
  name                = "myAKS"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name

  default_node_pool {
    name           = "default"
    node_count     = 2
    vm_size        = "Standard_DS2_v2"
    vnet_subnet_id = azurerm_subnet.test.id
  }

  identity {
    type = "SystemAssigned"
  }

  network_profile {
    network_plugin = "azure"
    network_policy = "cilium"
    network_data_plane = "cilium"

    advanced_networking {
      observability_enabled = true

      security {
         fqdn_policy_enabled = true
      }
    }
  }
}

References

https://learn.microsoft.com/en-us/azure/aks/advanced-network-observability-cli

{
  "networkProfile": {
    "networkPlugin": "azure",
    "networkPolicy": "cilium",
    "networkDataplane": "cilium",
...
    "advancedNetworking": {
      "observability": {
        "enabled": true,
        "tlsManagement": "Managed"
      },
      "security": {
        "fqdnPolicy": {
          "enabled": true
        }
      }
    }
  }
}

[ms-henglu]

Hi @EppO,

Thank you for taking time to report this issue.

In 4.0 release, the AKS migrates to stable API, and only GA features will be supported in azurerm provider, more details please see: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/4.0-upgrade-guide#aks-migration-to-stable-api

Here's an example of how to use azapi provider to manage this feature:

resource "azapi_resource" "cluster" {
  type      = "Microsoft.ContainerService/managedClusters@2024-06-02-preview"
  parent_id = "/subscriptions/00000/resourceGroups/example"
  name      = "example"
  location  = "westus"
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
  body = {
    properties = {
      agentPoolProfiles = [
        {
          count  = 1
          mode   = "System"
          name   = "default"
          vmSize = "Standard_DS2_v2"
        },
      ]
      dnsPrefix = "example"

      networkProfile = {
        networkPlugin    = "azure"
        networkPolicy    = "cilium"
        networkDataplane = "cilium"

        advancedNetworking = {
          observability = {
            enabled       = true
            tlsManagement = "Managed"
          }
          security = {
            fqdnPolicy = {
              enabled = true
            }
          }
        }
      }
    }
  }

}

[EppO]

Oh I missed that, thank you for bringing that to my attention. That's unfortunate, I use AKS VNET integration and couple of other preview features that I was managing with azurerm_kubernetes_cluster in AzureRM 3.x. Is there a way to keep managing the AKS resource with azurerm_kubernetes_cluster and activate the AKS preview features with azapi_update_resource (and not azapi_resource)? If that works, ideally I would use one azapi_update_resource per preview feature that I would ditch once it goes GA and gets implemented in azurerm_kubernetes_cluster.

[rcskosir]

As mentioned above by @ms-henglu this is a preview feature in AKS, so I am going to close this for now as a feature request. If it gets added to the AKS Stable API, we can reopen this request or you can create a new one. Thanks!

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

[katbyte]

I'm going to re-open this as it is still a valid request even if we are not adding preview features at this time, presumably this will eventually be stable. @EppO i suggest reaching out the the AKS team/opening an issue on their repo and cross linking it here asking them to have this added to the stable or a timeline of when they will.