BYOCNI: Introducing Calico CNI for Microsoft AKS

Cloud-native applications running on Kubernetes rely on container network plugins to establish workload communication. While Azure Kubernetes Service (AKS) provides several supported networking options (kubenet and Azure CNI) that address the needs of most deployments, Microsoft recently introduced the ability to bring your own networking solution, called BYOCNI, to help users address more advanced networking requirements. This new feature enables AKS customers to run Calico networking on AKS.

This blog will walk you through some exciting capabilities you can unlock with Calico running in your AKS deployments.

Why use Calico networking on AKS?

Calico is the most widely adopted container networking and security solution for Kubernetes. Powering more than 100M containers across 2M+ nodes in 166 countries, Calico is supported across all major cloud providers and Kubernetes distributions. Calico gives you a choice of data planes, including eBPF, standard Linux networking, and Windows HNS-based workloads running in public clouds and/or on-prem, on a single node, or across a multi-thousand-node cluster. Whether you need to scale to thousands of microservices with eBPF, or add Windows workloads to your Kubernetes deployments, Calico has you covered.

Calico’s core design principles leverage cloud-native design best practices, combined with proven, standards-based network protocols trusted by the largest Internet providers worldwide. The result is a solution that runs at scale in some of the largest Kubernetes deployments amongst enterprises.

Features of Calico networking on AKS

Most networking requirements for AKS can be met with Kubenet and Azure CNI, but some AKS users may require additional, specific functionality available in other networking solutions for their containerized workloads. They may also want to utilize the same network plugin used in their on-premises Kubernetes environments to simplify their operations in a hybrid environment.

For example, with the Calico CNI, AKS users can have unified networking capabilities across disparate cloud environments, leveraging Calico IP address management (IPAM) capabilities for both self-managed and managed Microsoft AKS clusters.

Using Calico networking on AKS, users can:

  • Interoperate with legacy firewalls using IP ranges

When Kubernetes pods interact with external systems that make decisions based on IP ranges (for example, legacy firewalls), defining several IP ranges and explicitly assigning pods to those ranges can be useful. With Calico IPAM, you can restrict a pod to use an address within a specific range, or even to an exact IP address.

  • Dynamically grow and shrink their IP address space as needed

As the number of pods increases, you may need to increase the number of addresses available for pods to use. You may also need to consider moving pods from a CIDR that was used in error. Calico gives you the advantage to migrate from one IP pool to another on a running cluster without any network disruptions to your staging or production environments.

  • Configure floating IPs that can be used as additional IP addresses for reaching a Kubernetes pod

Like Kubernetes services, a floating IP provides a stable IP address to reach some network service that might be backed by different pods at different times. These IPs “float” in the sense that they can be moved around the cluster and front different workload endpoints at different times. The workload itself is generally unaware of the floating IP; the host uses network address translation (NAT) on incoming traffic to change the floating IP to the workload’s real IP before delivering packets to the workload. The primary advantage floating IPs have over Kubernetes services is that floating IPs work on all protocols—not just TCP, UDP, and SCTP.


We believe in enabling users to select the best tool for the job at hand. The new bring-your-own CNI capabilities in Microsoft AKS allow you to do just that, providing even more options to users who need them. We’re excited to leverage this new capability and announce support for the full suite of Calico networking and security capabilities on AKS. You can also evaluate advanced security and observability features built on the zero-trust foundation of Calico via the Microsoft Azure marketplace. Interested in a hands-on experience? Stay on the lookout for our AKS workshops.

Did you know you can become a certified Calico operator? Learn Kubernetes networking and security fundamentals using Calico in this free, self-paced certification course.

Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!