From Zero to Azure: Network Policy Comes to ACS Engine

When Microsoft announced availability of Kubernetes on Azure Container Service (ACS), we were very excited – finally, an officially blessed way to run Kubernetes on Azure! Interestingly, and uniquely among the major cloud operators, the underlying deployment technology — ACS Engine — was open sourced, enabling third parties to extend it.

Working with our friends at Microsoft and Jetstack, we got started on the integration to enable ACS Engine to deploy Project Calico along with Kubernetes. We’re pleased to announce that this has now been upstreamed into the core of ACS Engine.

“Network policy will be crucial for meeting the strict security requirements of many enterprises,” said Brendan Burns, Partner Architect at Microsoft. “We were excited to see Calico integration make it into upstream ACS Engine, and are looking forward to hearing from the community as they get their hands on this capability.”

As background, the default ACS Kubernetes configuration (without Calico) does not include support for Network Policy. This new Kubernetes API, currently in beta, provides the ability to restrict network traffic based on Kubernetes labels and/or namespaces, providing greater security for micro-services, regulatory compliance, or multi-tenant environments. Calico is one of the leading implementations of network policy and fully supports this API (as well as a few more powerful capabilities).

The upshot is that anyone using upstream ACS Engine can now easily deploy Calico with their Kubernetes clusters, in order to get the benefits of micro-segmentation via the Kubernetes built-in Network Policy API.

Check it out by installing ACS Engine, and including the `”networkPolicy”: { “value”: “calico” }` option (see: for details).

Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!