AKS Newsletter - April 2026
April was a big month for AKS. Ten features hit General Availability, two new previews landed, and the community shipped an impressive volume of practical content, from AI inference on Arc-enabled clusters to securing Argo CD with Entra ID. There was also a notable set of behavioral changes that platform teams should review before their next upgrade cycle.
This month brings 10 features reaching General Availability and 2 new Preview announcements. Here are some of the highlights:
- Disable HTTP proxy in AKS is now generally available
- Azure Monitor for Azure Arc-enabled Kubernetes with OpenShift and Azure Red Hat OpenShift is now generally available
- Configure AKS backup using a single Azure CLI command is now generally available
- StandardV2 NAT Gateway as an outbound type for AKS enters public preview
- NAT Gateway V2 enters public preview
Let's dive in.
Documentation Updates
- Create and Manage Persistent Volumes with Azure Files in Azure Kubernetes Service (AKS): This refresh consolidates guidance on provisioning Azure Files-backed persistent volumes through the CSI driver. It is especially useful for teams running shared storage workloads such as CMS platforms, shared config stores, or legacy applications that need ReadWriteMany access across pods.
- Troubleshoot Azure Kubernetes Service (AKS) Workloads with Natural Language in AKS Desktop (preview): This new documentation covers the AI-powered troubleshooting assistant built into AKS Desktop. It allows engineers to diagnose Kubernetes issues using natural language queries instead of manually parsing logs and events, a significant step toward reducing mean time to resolution for less experienced operators.
- Use Planned Maintenance to Schedule and Control Upgrades for Azure Kubernetes Service (AKS) Clusters: The planned maintenance documentation was refreshed to better explain how maintenance windows interact with cluster and node image upgrades. This is critical for production environments where unplanned upgrades during business hours can cause disruption.
- Cluster authentication concepts in Azure Kubernetes Service (AKS): This update clarifies how AKS authenticates Kubernetes API requests through Microsoft Entra ID and explains the implications of disabling local cluster admin accounts. Platform teams running hardened clusters should review this to ensure their authentication posture aligns with current best practices.
- Deploy an Azure Kubernetes Service (AKS) Cluster Using Azure CLI: The CLI quickstart was updated to reflect current defaults for networking, identity, and cluster configuration. This keeps the onboarding experience aligned with the latest recommended cluster creation paths.
- Support Policies for Azure Kubernetes Service (AKS): The support policy page was refreshed with updated versioning expectations, lifecycle boundaries, and clarification on preview vs. GA feature support. Understanding these boundaries is essential for platform teams planning long-lived cluster lifecycles.
- Use system node pools in Azure Kubernetes Service (AKS): This documentation was updated with current guidance on system node pool sizing, taint configuration, and workload isolation. Properly configuring system pools prevents resource contention between control-plane add-ons and application workloads.
- Quickstart: Get Started Deploying and Managing Applications using AKS Automatic with AKS Desktop: This new quickstart walks through deploying and managing containerized applications on AKS Automatic using AKS Desktop, with no Kubernetes manifests required. It lowers the barrier to entry for teams evaluating AKS without deep Kubernetes expertise.
- Deploy an Application using AKS Desktop for Azure Kubernetes Service (AKS): Complementing the quickstart, this guide covers the full application deployment workflow through AKS Desktop. It demonstrates how the tool abstracts away YAML authoring while still giving teams visibility into what gets deployed.
- Create a managed or user-assigned NAT gateway for your Azure Kubernetes Service (AKS) cluster: The NAT gateway documentation was updated to include StandardV2 NAT Gateway support. This is directly relevant for teams designing egress architectures that need higher throughput and more predictable outbound IP behavior.
- Kubernetes Gateway API Ingress for Istio Service Mesh Add-on for Azure Kubernetes Service (AKS) (preview): This documentation explains how to configure ingresses using the Kubernetes Gateway API with the Istio service mesh add-on. For teams planning a migration from traditional Ingress controllers, this is the path forward: Gateway API offers role-oriented configuration and better multi-tenancy support.
- Use Microsoft Entra ID authorization for the Kubernetes API in AKS: This guide covers how to authorize Kubernetes API access using Microsoft Entra ID role assignments with optional ABAC conditions. It enables fine-grained, identity-driven access control that goes beyond basic Kubernetes RBAC.
- Quickstart: Create an Azure Kubernetes Service (AKS) Automatic cluster in a custom virtual network: This quickstart shows how to deploy AKS Automatic into a custom VNet, a common requirement for enterprises that cannot use default networking. It bridges the gap between the simplicity of AKS Automatic and the network isolation requirements of regulated environments.
- Cluster authorization concepts in Azure Kubernetes Service (AKS): This update explains the authorization model for the Kubernetes API in AKS, covering Kubernetes RBAC, Microsoft Entra ID authorization, and Azure ABAC. It helps platform teams decide which authorization model fits their organizational structure and compliance requirements.
- Configure External Identity Providers with AKS Structured Authentication (Preview): This documentation covers how to configure external identity providers using structured authentication and JWT authenticators. It is particularly important for organizations that federate identity across multiple platforms and need to integrate non-Entra identity systems with AKS.
- Limit access to kubeconfig in Azure Kubernetes Service (AKS): This guide explains how to control who can retrieve kubeconfig files for cluster administrators and cluster users. Retrieval is gated by the Azure RBAC data actions Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action and Microsoft.ContainerService/managedClusters/listClusterUserCredential/action, so a custom role that omits the admin action keeps the static admin credential out of reach, and with local accounts disabled the admin kubeconfig cannot be issued at all. Restricting kubeconfig access is a fundamental security measure that many teams overlook when hardening their clusters.
- Control cluster and node access using Conditional Access with Microsoft Entra integration: This update covers how to apply Conditional Access policies to AKS clusters integrated with Microsoft Entra ID. It enables organizations to enforce location-based, device-based, or risk-based access controls for Kubernetes API access.
- Enable Microsoft Entra ID authentication for the AKS control plane: This guide documents how to enable and configure Microsoft Entra ID authentication for the Kubernetes API server. It is a foundational step for any production cluster that needs centralized identity management and audit trails.
- AKS service permissions reference: This reference documents the Azure permissions required by the identity creating an AKS cluster, the cluster identity at runtime, and AKS node access. It is essential reading when designing least-privilege RBAC assignments for cluster lifecycle automation.
- Concepts - Access and identity in Azure Kubernetes Service (AKS): This conceptual overview was refreshed to cover all five identity scenarios in AKS: control-plane authentication, authorization, cluster identity, node identity, and workload identity. It serves as the starting point for any identity architecture discussion around AKS.
- Best practices for Azure Kubernetes Service (AKS): The best practices collection was updated to reflect current recommendations across cluster operations, security, networking, and developer workflows. This is the single best reference hub for teams establishing or reviewing their AKS operational standards.
- AKS Regulated Cluster for PCI DSS 4.0.1 - Malware Protection: This documentation provides malware protection guidance specifically for AKS clusters under PCI DSS 4.0.1 compliance requirements. It is directly applicable for financial services and e-commerce platforms running payment workloads on Kubernetes.
- Center for Internet Security (CIS) Kubernetes benchmark: This update clarifies how AKS applies the CIS Kubernetes benchmark and which controls are handled by the platform versus the operator. Understanding this mapping is critical for security audits and compliance assessments.
- Performance and scaling best practices for large workloads in Azure Kubernetes Service (AKS): This guide consolidates performance and scaling best practices for large-scale AKS deployments. It covers node pool sizing, API server optimization, etcd considerations, and workload scheduling strategies that matter at scale.
- Troubleshoot an Application using Insights in AKS Desktop (preview): This documentation covers the Insights feature in AKS Desktop, powered by Inspektor Gadget. It allows engineers to troubleshoot running applications with deep kernel-level observability without deploying additional tooling into the cluster.
Preview Feature Announcements
- Public Preview: StandardV2 NAT Gateway as an outbound type for AKS: AKS now supports StandardV2 NAT Gateway as an outbound type for both managed and BYO VNets. This is a meaningful upgrade for egress-heavy workloads: StandardV2 offers higher throughput, improved reliability, and better scaling characteristics compared to the original NAT Gateway SKU. Teams designing new clusters with predictable outbound IP requirements should evaluate this option.
- NAT Gateway V2 (preview): NAT Gateway V2 support is now available in public preview across supported public Azure regions, with automatic exclusion in sovereign clouds and regions where StandardV2 is not yet available. This complements the outbound type preview and gives operators a next-generation NAT experience with improved performance characteristics.
General Availability Announcements
- Generally Available: Disable HTTP proxy in AKS: Organizations that use HTTP proxies to control outbound traffic can now remove or modify those settings on running clusters without recreation. This was a long-standing pain point: previously, changing proxy configuration required rebuilding the cluster, which is disruptive and operationally expensive. This GA release directly reduces operational friction for enterprise environments with evolving network requirements.
- Generally Available: Azure Monitor for Azure Arc-enabled Kubernetes with OpenShift and Azure Red Hat OpenShift: Azure Monitor now fully supports monitoring Azure Arc-enabled Kubernetes clusters running OpenShift and Azure Red Hat OpenShift. This closes an observability gap for hybrid environments: teams running mixed AKS and OpenShift clusters can now use a single monitoring plane with consistent metrics, logs, and alerts across all their Kubernetes infrastructure.
- Generally Available: Configure AKS backup using a single Azure CLI command: Azure Backup now provides a one-command CLI experience for configuring AKS cluster backup. Previously, setting up backup required multiple steps across different Azure services. This simplification makes it much more likely that teams will actually enable backup as part of their standard cluster provisioning workflow rather than treating it as an afterthought.
- MIG (multi-instance GPU) profiles - now generally available: Multi-instance GPU partitioning is now GA on AKS agent pools, enabling H100 GPUs to be partitioned into smaller instances (MIG1g through MIG7g). This is a significant cost optimization for AI and ML workloads: instead of dedicating an entire H100 to a single workload, teams can now share GPU resources across multiple tenants or smaller inference jobs, dramatically improving GPU utilization.
- StorageClass - now generally available: AKS 1.35 clusters in supported regions now ship with built-in StorageClass definitions that provide sensible defaults for Premium SSD v2. This removes the need to create custom StorageClasses for common storage scenarios, reducing boilerplate and configuration drift across clusters.
- API Server VNet Integration - now generally available: API Server VNet Integration is now available in the Malaysia South region. This extends the regional footprint for teams that want node-to-API-server traffic to stay inside their virtual network rather than traversing a tunnel. Note that VNet integration on its own does not remove the public API server endpoint; pair it with private cluster mode if the API server must be reachable only from within the network.
- Vertical Pod Autoscaler (VPA) - now generally available: VPA now supports the Recreate update mode in GA. This allows VPA to automatically restart pods with updated resource requests and limits when it detects that current allocations do not match actual usage. It is a practical tool for right-sizing workloads that have unpredictable or evolving resource patterns.
- Istio-based service mesh - now generally available: Gateway proxy pods for the Istio-based service mesh add-on are now generally available. This means teams can now run full Istio gateway functionality, including ingress, egress, and east-west traffic management, as a fully supported, production-ready feature on AKS.
- Disable HTTP Proxy - now generally available: This is the companion GA announcement for the ability to disable HTTP proxy configuration on existing AKS clusters. Combined with the proxy configuration update, this provides full lifecycle management of proxy settings without requiring cluster recreation.
- AKS Managed API Server Guard - now generally available: AKS Managed API Server Guard is now GA. This feature protects the API server from excessive load by automatically throttling requests that could destabilize the control plane. It is an important safety net for clusters running workloads that generate high volumes of API calls, such as controllers, operators, or CI/CD pipelines.
Behavioral Changes
- Azure CNI Powered by Cilium: AKS now includes a new managed cilium-fluent-bit component in clusters running Azure CNI Powered by Cilium. This improves supportability by enabling better log collection and troubleshooting for the Cilium dataplane. Operators should be aware that this adds a new system component to the cluster that consumes a small amount of node resources.
- HTTP proxy configuration: The validation rules for HTTP proxy configuration have been relaxed, making it easier to update proxy settings on running clusters. This aligns with the new GA capability to disable and modify proxy configurations without cluster recreation.
- HTTP Proxy: AKS now enforces a limit of 20 Trusted CA Certificates for HTTP proxy configurations. Teams that manage a large number of custom CAs for outbound traffic inspection should consolidate their certificate chains to stay within this limit.
- Ubuntu 22.04 Retirement: Ubuntu 22.04 is being retired as a node OS image for AKS. Operators should plan their migration to Ubuntu 24.04, which is now the recommended LTS option. This is a routine lifecycle transition, but teams running custom node configurations or hardened images should validate their tooling against the newer OS before the retirement date.
- Kubelet Serving Certificate Rotation (KSCR): Kubelet Serving Certificate Rotation is now enabled by default, regardless of the node pool tag setting. This is a security improvement: kubelet serving certificates are issued by the cluster CA and rotated automatically before expiry, so the API server can verify the identity of the kubelet it connects to for logs, exec, and metrics, and expiring certificates no longer cause node communication failures. Teams that had previously opted out via the node pool tag should confirm that any tooling which scrapes kubelet endpoints directly trusts the cluster CA rather than pinning individual node certificates.
- Teleport (preview): The Teleport preview feature has been removed from both Azure Container Registry and AKS. Teams that were using Teleport for accelerated image pulling should migrate to standard pull mechanisms. This is a clean deprecation β the feature never reached GA and has been fully decommissioned.
- What's new with Microsoft in open source and Kubernetes at KubeCon + CloudNativeCon Europe 2026: This summary covers Microsoft's announcements at KubeCon Europe 2026, including several AKS features that are reflected in this month's preview and GA sections. It provides broader context for the platform direction and upstream Kubernetes contributions from Microsoft.
Community Blogs
- Securing Argo CD with Microsoft Entra ID: A Step-by-Step Guide: With the Argo CD extension now in public preview on AKS and Azure Arc, this post walks through integrating Argo CD authentication with Microsoft Entra ID. This is essential reading for teams adopting Argo CD on AKS β centralizing GitOps authentication through Entra ID eliminates the need for separate credential management and aligns with enterprise identity policies.
- Control AI spend with per-application token rate limiting using Application Network and agentgateway: As AI workloads scale, controlling token consumption becomes a real operational challenge. This post shows how to use Application Network and agentgateway to enforce per-application token rate limits. It is highly relevant for platform teams managing shared AI inference infrastructure where cost attribution and blast radius control are critical.
- AI Inference on AKS enabled by Azure Arc: Generative AI using Triton and TensorRT-LLM: Part 5 of the AI inference series covers deploying NVIDIA Triton Inference Server with TensorRT-LLM on Arc-enabled AKS clusters. This is the most advanced post in the series: it demonstrates how to serve generative AI models at the edge with production-grade inference infrastructure, bridging the gap between cloud and on-premises AI deployment.
- Azure Container Storage v2.1.0: Now GA with Elastic SAN: Azure Container Storage v2.1.0 reaches GA with Elastic SAN integration, providing higher performance and larger scale for stateful workloads. This release is significant for teams running databases, message queues, or other storage-intensive applications on AKS, since Elastic SAN delivers consistent high-throughput storage without managing individual disks.
- Turn your agents into AKS experts: Agent Skills for AKS: Agent Skills bring production-grade AKS guidance, troubleshooting checklists, and guardrails directly into AI agents. This is a novel approach to operationalizing platform knowledge β instead of relying solely on documentation, teams can embed AKS best practices into their AI-assisted workflows for faster and more consistent troubleshooting.
- AI Inference on AKS enabled by Azure Arc: Predictive AI using Triton and ResNet-50: Part 4 of the series deploys Triton Inference Server with ResNet-50 in ONNX format on Arc-enabled AKS. It demonstrates how to run predictive AI at the edge for image classification scenarios β a practical reference for manufacturing, retail, and IoT use cases where low-latency inference on on-premises hardware is required.
- AI Inference on AKS enabled by Azure Arc: Generative AI with Open-Source LLM Server: This post covers deploying open-source LLM servers on Arc-enabled AKS for generative AI inference. It is aimed at teams that want to run LLMs on their own infrastructure without depending on cloud-hosted model APIs, a growing requirement for data-sovereign and air-gapped environments.
- AI Inference on AKS enabled by Azure Arc: Series Introduction and Scope: This post sets the scope for the AI inference series, covering the architecture, prerequisites, and design decisions behind running AI workloads on Arc-enabled AKS clusters. It is the right starting point for teams evaluating edge AI deployment strategies.
- AI Inference on AKS enabled by Azure Arc: Bringing AI to the Edge and On-Premises: The series opener explains why running AI inference at the edge matters: latency, data residency, and compliance often make cloud-based inference impractical. It frames the entire series around real-world constraints that drive organizations to bring AI to their own infrastructure rather than relying exclusively on cloud endpoints.
- Optimizing RDMA performance for AI workloads on AKS with DRANET: RDMA is critical for high-throughput GPU-to-GPU communication in distributed AI training. This post explains how DRANET optimizes RDMA performance on AKS, directly addressing the network bottlenecks that limit large-scale AI training workloads. It is required reading for teams running multi-node GPU clusters.
- Simplifying gMSA for Windows Containers on AKS: Open-Source Tooling Now Available: Group Managed Service Accounts (gMSA) have historically been painful to configure for Windows containers on AKS. This post introduces open-source tooling that simplifies the setup process. For teams running Active Directory-authenticated Windows workloads on Kubernetes, this removes one of the biggest operational barriers.
- Autonomous AKS Incident Response with Azure SRE Agent: From Alert to Verified Recovery in Minutes: This post demonstrates how the Azure SRE Agent can autonomously handle AKS incident response β from alert detection to verified recovery. It represents a significant shift in incident management, moving from reactive human-driven triage to AI-driven automated response for common failure scenarios.
- AKS App Routing's Next Chapter: Gateway API with Istio: With the deprecation of Ingress NGINX, this post explains how AKS App Routing is evolving to use Gateway API with Istio as the recommended ingress path. It provides the migration rationale and architectural context that teams need to plan their transition from traditional Ingress controllers.
- Introducing the Container Network Insights Agent for AKS: Now in Public Preview: The Container Network Insights Agent brings AI-powered network troubleshooting directly into AKS. Instead of manually correlating logs and metrics across tools, engineers can use natural language to diagnose networking issues. This is a meaningful step toward reducing the expertise barrier for Kubernetes networking operations.
- Announcing One-Command Backup Configuration for AKS with Azure Backup: This companion blog explains the one-command AKS backup experience in detail. It covers the simplified CLI workflow, what gets backed up, and how to restore. The reduction from a multi-step process to a single command makes it realistic to include backup in standard cluster provisioning pipelines.
- Passwordless AKS Secrets: Sync Azure Key Vault with ESO + Workload Identity: This post shows how to sync Azure Key Vault secrets into Kubernetes using External Secrets Operator (ESO) with Workload Identity, with no passwords or service principal credentials required. It is a clean, modern pattern for secret management that aligns with zero-trust principles and eliminates long-lived credentials from the cluster.
- Service Mesh-Aware Request Tracing in AKS with Istio and Application Insights: This article explains how to enable distributed request tracing that is aware of the Istio service mesh, using Application Insights as the backend. It bridges the observability gap between mesh-level traffic routing and application-level telemetry, providing end-to-end visibility for microservice architectures.
- Secure HTTP-Only AKS Ingress with Azure Front Door Premium, Firewall DNAT, and Private AGIC: This post walks through a production-grade ingress architecture using Azure Front Door Premium, Azure Firewall DNAT, and a private Application Gateway Ingress Controller. It is one of the more complex but realistic enterprise patterns for securing inbound traffic to AKS clusters while maintaining end-to-end encryption and WAF protection.
- AKS cluster with AGIC hits the Azure Application Gateway backend pool limit (100): This post documents a real-world scaling issue where an AKS cluster using AGIC hit the 100 backend pool limit on Azure Application Gateway. It provides practical workarounds and architectural guidance for teams running large numbers of services behind AGIC, a common pain point that is poorly documented elsewhere.
- DevSecOps on AKS: Governance Gates That Actually Prevent Incidents: This post focuses on implementing governance gates in AKS that go beyond policy-as-code to actually prevent production incidents. It covers deployment safeguards, admission policies, and supply chain controls β practical DevSecOps patterns that move security from reactive detection to proactive prevention.
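The Argo CD post listed above covers the full Entra ID setup step by step. As an added example that is not code from the post, from the AKS extension, or from the Argo CD project, here is the upstream Argo CD shape of that integration: an OIDC block in argocd-cm pointing at the tenant's v2.0 issuer, the built-in local admin account switched off, and an Entra group object ID mapped to an Argo CD role in argocd-rbac-cm. The external URL, tenant ID, client ID and group object ID are placeholders; the AKS Argo CD extension may surface these settings through its own parameters rather than raw ConfigMaps.

```yaml
# Added example (not from the post or the Argo CD project). Placeholders in <...> are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  # Public URL of Argo CD; <url>/auth/callback must be registered as the app registration's redirect URI.
  url: https://argocd.contoso.example
  # Disable the local "admin" user once SSO works so there is no password-based back door.
  admin.enabled: "false"
  oidc.config: |
    name: Microsoft Entra ID
    issuer: https://login.microsoftonline.com/<tenant-id>/v2.0
    clientID: <app-registration-client-id>
    # Reference to the key oidc.azure.clientSecret in the argocd-secret Secret; the value is never stored here.
    clientSecret: $oidc.azure.clientSecret
    requestedIDTokenClaims:
      groups:
        essential: true
    requestedScopes:
      - openid
      - profile
      - email
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # Anyone who authenticates but matches no rule gets read-only, never a silent admin grant.
  policy.default: role:readonly
  # Entra ID puts group object IDs (not display names) in the groups claim.
  policy.csv: |
    g, <platform-admins-group-object-id>, role:admin
  scopes: '[groups, email]'
```

Two caveats a reviewer of this configuration should check: the app registration's token configuration must actually emit the groups claim, and a user who belongs to more than roughly 200 groups hits Entra ID's group overage limit and arrives with no groups claim at all, which under policy.default above means read-only access rather than an unexpected admin role.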
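The ESO post listed above describes the passwordless pattern; the manifests below are an added example written for this issue, not taken from the post or from the External Secrets Operator project. Assumed values: a namespace named payments, a user-assigned managed identity whose client ID is the placeholder GUID, a Key Vault named kv-payments-prod holding a secret called db-password, and an ESO release that serves the external-secrets.io/v1 API (older releases use v1beta1).

```yaml
# Added example (not from the post or the ESO project). Names and GUIDs below are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-kv-reader
  namespace: payments
  annotations:
    # Client ID of the user-assigned managed identity that holds Key Vault Secrets User on the vault.
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
    azure.workload.identity/tenant-id: "11111111-1111-1111-1111-111111111111"
---
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: azure-kv
  namespace: payments
spec:
  provider:
    azurekv:
      # WorkloadIdentity: ESO requests a projected token for the service account below and
      # exchanges it for an Entra token; no client secret or certificate is stored anywhere.
      authType: WorkloadIdentity
      vaultUrl: "https://kv-payments-prod.vault.azure.net"
      serviceAccountRef:
        name: eso-kv-reader
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: payments
spec:
  # Re-read the vault hourly so a rotated secret propagates without a redeploy.
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: azure-kv
  target:
    name: db-credentials
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: db-password
```

For the token exchange to succeed, the managed identity needs a federated credential whose issuer is the cluster's OIDC issuer URL, whose subject is system:serviceaccount:payments:eso-kv-reader, and whose audience is api://AzureADTokenExchange. Scoping the SecretStore to a namespace (rather than a ClusterSecretStore) keeps the blast radius of the identity to that namespace; a misconfigured federated credential surfaces as a SecretStore status of not ready rather than as a synced but wrong secret.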
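The governance-gates post above mentions admission policies and supply chain controls. The policy below is an added example, not code from the post: it uses the in-tree Kubernetes ValidatingAdmissionPolicy API (GA since Kubernetes 1.30, so present on the 1.33 and 1.35 releases noted in this issue) to reject pods whose images are not pulled from an assumed registry contoso.azurecr.io or are not pinned by digest. The registry name and the environment=production namespace label are assumptions.

```yaml
# Added example (not from the post). Registry name and namespace label are assumptions.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-pinned-images
spec:
  # If the policy cannot be evaluated, deny rather than let an unchecked pod through.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    # Init containers are a common blind spot; check them together with the main containers.
    - name: allContainers
      expression: "object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : [])"
  validations:
    - expression: "variables.allContainers.all(c, c.image.startsWith('contoso.azurecr.io/'))"
      message: "all images must come from contoso.azurecr.io"
    - expression: "variables.allContainers.all(c, c.image.contains('@sha256:'))"
      message: "images must be pinned by digest, not by mutable tag"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-pinned-images-prod
spec:
  policyName: require-pinned-images
  # Start with ["Audit", "Warn"] to measure impact, then switch to Deny.
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: production
```

Because the policy matches pods, a Deployment that references a tagged image is still accepted at deploy time; its ReplicaSet then fails to create pods and the denial message appears in the ReplicaSet's events. To fail fast in the pipeline instead, add a parallel policy for apps/v1 deployments and statefulsets that evaluates object.spec.template.spec, and keep the pod-level policy as the backstop that also covers pods created directly or by third-party controllers.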
Releases and Roadmap
- AKS GitHub Releases: Track the latest AKS release notes, including Kubernetes version updates, component upgrades, CVE remediations, new features, behavioral changes, and bug fixes.
- AKS Public Roadmap: View upcoming features, planned improvements, and the delivery timeline for Azure Kubernetes Service on the official public roadmap.
Release Highlights
- Release 2026-04-02: This release includes Kubernetes patch versions 1.35.1 and 1.33.8, along with 3 component updates. It is a maintenance release focused on keeping supported Kubernetes versions current with upstream patches.
Watch & Learn
- Container Network Insights agent: Agentic AI network troubleshooting for Azure Kubernetes Service: This video demonstrates the Container Network Insights Agent in action, showing how it uses AI to diagnose Kubernetes networking issues in AKS. It is a practical walkthrough of the tool's capabilities for engineers who want to see the AI-driven troubleshooting experience before adopting it in their clusters.
- Building scalable, serverless search solution with Elastic: CN Partner Showcase: Azure Kubernetes: Part of the Cloud Native Partners Showcase, this video highlights how Elastic builds scalable, serverless search solutions on top of AKS. It provides insight into real partner architectures and how AKS serves as a foundation for complex stateful workloads.
- Diagnose & Solve with Andrew Scobie: AKS Troubleshooting Series: Azure Kubernetes Service: This episode of the AKS Troubleshooting Series dives into the Diagnose & Solve experience in the Azure portal. Andrew Scobie walks through how to use the built-in diagnostics to identify and resolve common AKS issues without leaving the portal, a useful tool for day-2 operations that many engineers underutilize.
- Scale Azure Storage: Ultra Disk, Blob Storage, Azure Container Storage: This video covers how to scale Azure Storage for Kubernetes workloads using Ultra Disk, Blob Storage, and Azure Container Storage. It is directly relevant for teams running stateful workloads on AKS that need to understand the trade-offs between different storage backends at scale.
Closing Thoughts
April 2026 was one of the more significant months for AKS in recent memory. Ten GA announcements in a single month signals strong platform maturation, particularly in areas that directly impact day-to-day operations.
The recurring themes are clear:
- Egress and networking are getting more flexible with StandardV2 NAT Gateway and relaxed proxy configuration
- Identity and security continue to deepen with Entra ID authorization, Conditional Access, and structured authentication for external identity providers
- AI and GPU workloads are expanding beyond cloud-only: the Arc-enabled inference series shows that edge AI on Kubernetes is becoming a first-class scenario
- Operational simplicity is a priority: from one-command backup to AKS Desktop to the SRE Agent, the platform is actively reducing the expertise barrier for common tasks
- Observability is evolving with AI-powered troubleshooting through the Container Network Insights Agent and AKS Desktop's natural language diagnostics
For platform teams, the message is clear: AKS is investing in making Kubernetes operations more accessible while simultaneously expanding the platform's capabilities for advanced workloads. The balance between simplicity and power is what makes this month's updates particularly valuable.
Stay tuned for next month's edition, and feel free to share feedback or suggestions for future coverage.