Generally Available: AKS support for Advanced Container Networking: L7 Policies
AKS now supports Layer 7 (L7) network policies in Advanced Container Networking Services + Cilium clusters, enabling fine-grained control over application traffic. With L7 policies, customers can define security rules based on application-layer attributes, improving zero-trust security models within AKS.
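An L7 policy is expressed as a Cilium `CiliumNetworkPolicy` with `http` rules under `toPorts`. The manifest below is an added example, not code from the original announcement or from the AKS team; the workload labels (`app: catalog`, `app: frontend`), namespace and port are assumptions chosen for illustration. It allows the frontend to call only `GET` on the catalog's product API and nothing else on that port:

```yaml
# Added example (not from the original page). Assumed labels/namespace/port.
# Only HTTP traffic from pods labelled app=frontend is allowed to reach
# pods labelled app=catalog on TCP/8080, and only GET requests whose path
# matches /api/v1/products or /api/v1/products/<anything>.
# Any other method or path on that port is rejected by the Cilium proxy
# (the caller sees an HTTP 403 rather than a dropped connection).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: catalog-allow-get-products   # assumed name
  namespace: shop                    # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: catalog                   # assumed label on the server pods
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend            # assumed label on the allowed clients
      toPorts:
        - ports:
            - port: "8080"           # assumed application port
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/api/v1/products(/.*)?"   # regex, anchored by Cilium
```

Two caveats worth checking before relying on this. First, attaching an `http` rule to a port turns that port into a proxied, default-deny L7 port for the selected endpoints: traffic not matched by any `http` rule is refused even if an L3/L4 rule elsewhere would have allowed it, so add rules for health checks and any other paths the server legitimately serves. Second, L7 matching needs plaintext HTTP; if the application speaks TLS end to end, the proxy cannot see the method or path and you are back to L4 enforcement unless TLS is terminated before the policy point. Verify the intended behaviour with `kubectl exec` from a frontend pod (a `GET /api/v1/products` should succeed, a `POST` or `GET /admin` should return 403) and from a pod without the `app=frontend` label (connection refused at L4).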
Public Preview: Disable HTTP proxy
The HTTP proxy feature adds HTTP proxy support to AKS clusters, exposing a straightforward interface that you can use to secure AKS-required network traffic in proxy-dependent environments. With this feature, both AKS nodes and pods are configured to use the HTTP proxy. This feature also enables installation of a trusted certificate authority onto the nodes as part of bootstrapping a cluster.
You can now disable the HTTP proxy feature on existing AKS clusters. When creating a cluster, HTTP proxy is enabled by default. Once you disable HTTP proxy on a cluster, the proxy configuration is saved in the database but the proxy variables are removed from the pods and nodes.
Public Preview: Confidential VMs for Azure Linux
Confidential Virtual Machines (CVM) offer strong security and confidentiality for tenants by running the guest inside a hardware-based trusted execution environment. CVM for Azure Linux in AKS is now in public preview: CVM node pools let you migrate highly sensitive container workloads to AKS without any code refactoring while keeping the features of AKS.
You can create new node pools using supported CVM VM sizes with Azure Linux 3. The nodes in a node pool created with CVM use a customized Azure Linux 3 image specially configured for CVM.
Generally Available: Confidential VMs for Ubuntu 24.04 in AKS
Confidential Virtual Machines (CVM) offer strong security and confidentiality for tenants by running the guest inside a hardware-based trusted execution environment. Now generally available, CVM for Ubuntu 24.04 in AKS lets CVM node pools host highly sensitive container workloads migrated to AKS without any code refactoring while keeping the features of AKS.
You can create new node pools using supported CVM VM sizes with Ubuntu 24.04. The nodes in a node pool created with CVM use a customized Ubuntu 24.04 image specially configured for CVM. Ubuntu 24.04 is not yet the default OS version on AKS, so you need to specify Ubuntu2404 as the OsSku during node pool creation.
Public Preview: Encryption in Transit for Azure Files NFS shares in AKS
Azure Kubernetes Service (AKS) now supports Encryption in Transit (EiT) for Azure Files NFS v4.1 volumes via the Azure File CSI driver.
This builds on the recent General Availability (GA) of EiT for Azure Files NFS shares in June, which introduced TLS 1.3-based encryption to secure data in transit across supported regions.
Now, AKS customers can benefit from the same enterprise-grade security for their containerized workloads.
- What’s New in AKS
- Preview support for EiT in AKS 1.33+ clusters using the Azure File CSI driver.
- Built-in integration with the AZNFS mount helper and Stunnel for seamless TLS encryption.
- No application changes required—after enabling in storage class, EiT works transparently with your existing NFS workloads.
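Because EiT is switched on per storage class, the practical question is what that storage class looks like. The manifest below is an added example, not code from the original announcement or from the Azure File CSI driver project. The `encryptInTransit` parameter name is an assumption based on the driver's documentation and should be confirmed against the driver version running in your cluster; the class and claim names are placeholders:

```yaml
# Added example (not from the original page).
# StorageClass for an Azure Files NFS v4.1 share with encryption in transit.
# Assumption: the Azure File CSI driver reads `encryptInTransit: "true"` and
# routes the mount through the AZNFS mount helper + stunnel TLS tunnel.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-nfs-eit            # assumed name
provisioner: file.csi.azure.com
parameters:
  protocol: nfs                      # NFS v4.1 share (requires a premium file share)
  skuName: Premium_LRS
  encryptInTransit: "true"           # assumed parameter name; enables TLS path
mountOptions:
  - nfsvers=4.1
  - sec=sys                          # NFS AUTH_SYS: UID/GID only, no user auth
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
---
# A claim bound to that class; a pod mounts it like any other NFS volume,
# which is the "no application changes" property the announcement describes.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: reports-nfs-eit              # assumed name
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: azurefile-nfs-eit
  resources:
    requests:
      storage: 100Gi
```

Two points to keep straight when reviewing this. EiT protects confidentiality and integrity of the NFS traffic on the wire; it does not change NFS authentication, which with `sec=sys` is still the client-asserted UID/GID, so pod-level access control to the share remains a matter of which pods may mount the claim (RBAC on the PVC, namespace placement, network policy to the storage endpoint). And the storage class only takes effect for volumes provisioned after it is applied; existing PVs keep the mount options they were created with, so migrating an existing share to EiT means creating a new PV/PVC pair rather than editing the class in place.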
Generally Available: Deployment safeguards in AKS
Misconfigurations during Kubernetes development can lead to bugs and deployment issues. Azure Kubernetes Service (AKS) now offers generally available deployment safeguards to help prevent these problems by enforcing Kubernetes best practices.
These safeguards operate in two modes: Warning, which surfaces alerts for noncompliant configurations without blocking them, and Enforcement, which actively blocks or modifies deployments that don't meet best practices. This helps ensure more reliable and secure application deployments in your AKS clusters.
Public Preview: Web Application Firewall on Application Gateway for Containers
Application Gateway for Containers now supports Web Application Firewall (WAF) policy in public preview. Using the WAF Default Rule Set (DRS), Azure Kubernetes Service (AKS) administrators and developers can protect their workloads against common web attacks and exploits such as:
- Cross-site scripting
- Java attacks
- Local file inclusion
- PHP injection attacks
- Remote command execution
- Remote file inclusion
- Session fixation
- SQL injection
- Protocol attacks
Generally Available: Control Plane Improvements in AKS
We are making improvements to API server resiliency per Kubernetes Enhancement Proposal (KEP) 5116 – Streaming Encoding for LIST Responses.
This enhancement reduces API server memory usage by approximately 10x during large LIST calls, because the response is encoded and streamed incrementally instead of being fully serialized in memory first. By lowering memory pressure, it improves list call latency and improves the resiliency of the kube-apiserver by reducing the probability of Out-of-Memory (OOM) issues. AKS has backported this upstream feature so that customers on AKS versions below v1.33 also benefit from it.
- This improvement is now available in AKS Kubernetes v1.31.9 and higher
- AKS Kubernetes v1.32.6 and higher will be available soon
Public Preview: AKS Model Context Protocol (MCP) server
Model Context Protocol (MCP) server for AKS is now available as an open source release. This foundational component enables AI agents to interact with AKS clusters and simplifies cluster management.
AKS MCP server offers a standardized interface to orchestrate complex workflows such as diagnostics, remediation, and cluster lifecycle operations for AKS clusters and attached Azure services. It abstracts the intricacies of Kubernetes and Azure APIs and provides a unified way to plug in reasoning agents, language models, and intelligent tools to drive operational efficiency across environments.
The AKS MCP server is fully open-source and includes tools to:
- Manage and perform operations (create, scale, upgrade) on AKS clusters
- Retrieve monitoring data from AKS clusters such as metrics and logs
- Retrieve details on related Azure resources (VNets, Subnets, NSGs, Route Tables, etc.)
By open-sourcing the MCP Server, Microsoft is enabling the Kubernetes community to extend and customize agentic workflows across CLIs, portals, IDEs, and copilots; integrate domain-specific logic with a consistent interface for AI and automation; enable autonomous operations that adapt to user context and cluster state; and accelerate innovation in intelligent troubleshooting, self-healing, and fleet-wide orchestration.
Public Preview: Azure Bastion integration with AKS
Azure Bastion integration for AKS is now available in public preview. This integration enables continuous secure access to private AKS clusters and also applies to AKS public clusters with API server authorized IP ranges. This integration introduces a seamless way for customers to tunnel into their AKS clusters using Azure Bastion, eliminating the need for complex networking setups like VPNs or jump boxes.
With this integration, users can now connect to their clusters and easily use native Kubernetes tooling (e.g., kubectl) from their local machines—simplifying access, reducing setup time, and enhancing security by eliminating the need to expose public endpoints.
Public Preview: LocalDNS for AKS
LocalDNS for Azure Kubernetes Service (AKS) is now available in public preview.
With LocalDNS, a DNS proxy is deployed on each node, which enables faster, more reliable DNS resolution. It removes DNS bottlenecks in large clusters, lowers query latency via local handling, and ensures continued resolution during upstream outages with configurable serve-stale settings.
LocalDNS delivers instant performance gains without application level changes, plus advanced DNS customization for both internal and external domains.
Public Preview: Increase ingestion quota for Azure Managed Prometheus with an ARM API
Azure Monitor workspaces have default limits and quotas for ingestion. Customers can now request an increase in the ingestion quota for Managed Prometheus metrics into an Azure Monitor workspace using an Azure Resource Manager API. The API supports requests for increases up to 20 million events per minute or 20 million active time series.
Generally Available: Static egress gateway public prefix support in AKS
Static egress gateway public prefix support in AKS is now generally available. This feature allows AKS customers to create a dedicated gateway node pool that routes outbound traffic from annotated pods through a static public IP prefix (/28 to /31). It enables customers to achieve consistent and predictable egress IPs for firewall whitelisting, compliance, and partner integration scenarios.
Public Preview: Multiple Standard Load Balancers support in AKS
AKS now supports multiple Standard Load Balancers (SLBs) per cluster in public preview. This feature allows customers to scale beyond the 300 inbound rule limit per node NIC and isolate traffic by assigning different SLBs to different agent pools and workloads.
AKS automatically manages node and Service placement based on configurable criteria like pool name, labels, and namespace selectors.
Public Preview: Azure Virtual Network Verifier (VNV) for AKS
Azure Virtual Network Verifier for AKS, now in public preview and available through the Azure Portal, is a tool which allows you to detect and troubleshoot outbound connectivity issues in your AKS cluster.
You can use the Virtual Network Verifier feature to run a connectivity analysis to check the traffic flow between your cluster and a public egress endpoint (for example, mcr.microsoft.com). The analysis results will detect any misconfigured Azure networking resources which may be blocking outbound traffic such as Azure firewall, network security groups (NSG), and load balancers.
Generally Available: AKS Security Dashboard
The AKS Security Dashboard provides a centralized view of security posture and runtime threat protection for your AKS cluster within the Azure Portal. It highlights software vulnerabilities, critical security issues, compliance gaps, and active threats, helping you prioritize remediation. Use this dashboard to monitor workload protection, cluster configuration, and threat detection in real time.
Public Preview: Managed Namespaces in AKS
Managed namespaces for AKS allows users to get a list of namespaces they have access to across a subscription, resource group, and cluster, and then retrieve credentials that will give them the ability to deploy to those namespaces. Users can configure managed namespaces via the Azure CLI, ARM/Bicep, REST API, or the Azure Portal, allowing a user to interact with managed namespaces where they’re most comfortable doing so.
Generally Available: Network security perimeter
Network security perimeter allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Storage account and SQL Database server) that are deployed outside your organization’s virtual networks. It restricts public network access to PaaS resources within the perimeter; access can be exempted by using explicit access rules for public inbound and outbound.
Features of a network security perimeter include:
- Resource-to-resource communication within perimeter members, preventing data exfiltration to non-authorized destinations.
- External public access management with explicit rules for PaaS resources associated with the perimeter.
- Access logs for audit and compliance.
- Unified experience across PaaS resources.
Public Preview: Azure Virtual Network Manager mesh now supports 5,000 virtual networks
Azure Virtual Network Manager mesh connectivity is now in public preview, enabling you to group up to 5,000 virtual networks in supported regions. A mesh topology creates bi‑directional connectivity between every virtual network in a mesh connectivity configuration, so selected virtual networks communicate directly, eliminating manual peerings, avoiding extra hops, and delivering low‑latency traffic flows under a unified control plane.
A common scenario for mesh is to let spoke virtual networks in a hub‑and‑spoke topology talk to each other without traversing through the hub. This reduces latency by bypassing the hub router. You can still preserve security and oversight by implementing security admin rules in Azure Virtual Network Manager (evaluated before NSGs) or NSG rules per virtual network, and monitor all traffic with virtual network flow logs for comprehensive auditing and troubleshooting.