{"id":78102,"date":"2019-10-17T08:00:49","date_gmt":"2019-10-17T15:00:49","guid":{"rendered":""},"modified":"2025-06-27T04:51:47","modified_gmt":"2025-06-27T11:51:47","slug":"tutorial-calico-network-policies-with-azure-kubernetes-service","status":"publish","type":"post","link":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/","title":{"rendered":"Tutorial: Calico Network Policies with Azure Kubernetes Service"},"content":{"rendered":"\n<p>In May 2019,&nbsp;<a href=\"https:\/\/azure.microsoft.com\/en-us\/updates\/user-defined-network-policy-in-azure-kubernetes-service-aks-is-now-available\/\">Network Policies on Azure Kubernetes Service (AKS) became generally available<\/a> through the Azure native policy plug-in or through the community project Calico. This user-defined network policy feature enables secure network segmentation within Kubernetes and allows cluster operators to control which pods can communicate with each other and resources outside the cluster.<\/p>\n\n\n\n<p>In this tutorial, we\u2019ll practice building four different Network Policies:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>WEB is exposed and accessible publicly from the Internet.<\/li>\n\n\n\n<li>WEB talks to API.<\/li>\n\n\n\n<li>API talks to DB.<\/li>\n\n\n\n<li>No other exposures nor communications.<\/li>\n<\/ol>\n\n\n\n<p>For additional background, I encourage reading the article <a href=\"https:\/\/azure.microsoft.com\/blog\/integrating-azure-cni-and-calico-a-technical-deep-dive\/\">Integrating Azure CNI and Calico: A technical deep dive<\/a>, where you&#8217;ll see all the key concepts explained from a networking perspective with AKS. 
Furthermore, here is a <a href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/declare-network-policy\/\">Kubernetes tutorial<\/a>, <a href=\"https:\/\/docs.projectcalico.org\/v3.9\/security\/calico-network-policy\">Calico tutorial<\/a> and <a href=\"https:\/\/docs.microsoft.com\/azure\/aks\/use-network-policies\">AKS tutorial<\/a>&nbsp;to help you get started.<\/p>\n\n\n\n<p>Some things to keep in mind before you jump into the tutorial:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<ul class=\"wp-block-list\">\n<li>By default, any pods could communicate with any other pods across namespaces within a Kubernetes cluster &#8212; it&#8217;s by design. However, <a href=\"https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/network-policies\/\">Kubernetes Network Policies<\/a>\u00a0will guarantee the &#8220;Just Enough Access&#8221; principle of your Security posture.<\/li>\n\n\n\n<li>By default, there is no plugin pre-installed with Kubernetes to apply such Network Policies. You need to install this plugin, otherwise your Network Policies won&#8217;t have any effect.<\/li>\n\n\n\n<li>With AKS, you have the option between Azure or Calico as your Network Policy plugin. You can only define this at the cluster creation; update is not yet supported. With Calico Network Policy you could either use Kubenet or Azure CNI, but for the Azure Network Policy it\u2019s only with Azure CNI (not Kubenet). 
Network Policies are not yet supported for Windows nodes with AKS.<\/li>\n\n\n\n<li>Both Azure and Calico Network Policy plugins are open source: <a href=\"https:\/\/github.com\/Azure\/azure-container-networking\">Azure<\/a> and <a href=\"https:\/\/github.com\/projectcalico\/calico\">Calico<\/a>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cloudblogs.microsoft.com\/wp-content\/uploads\/2019\/10\/Network-policies-rules-diagram_image-1-1024x564.webp\" alt=\"Network policies rules diagram\" \/><\/figure>\n\n\n\n<p>Let\u2019s do it!<\/p>\n\n\n\n<p>First, we need to provision an <a href=\"https:\/\/docs.microsoft.com\/azure\/aks\/use-network-policies\">AKS cluster with Network Policies enabled<\/a>. For the purpose of this demo, we will use Calico:<\/p>\n\n\n\n<p><code>az aks create...&nbsp; <strong>--network-policy calico<\/strong><\/code><\/p>\n\n\n\n<p>To illustrate this, we need to deploy these Pods and Services:<\/p>\n\n\n\n<p><code>ns=yournamespace<br>\nkubectl create ns $ns<br>\nkubectl config set-context --current --namespace $ns<br>\nkubectl apply -f <a href=\"https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/db-api-web-deployments.yaml\">https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/db-api-web-deployments.yaml<\/a><\/code><\/p>\n\n\n\n<p>You now have three Pods and three Services:<\/p>\n\n\n\n<p><code>kubectl get pod,svc<\/code><\/p>\n\n\n\n<p>We can check that WEB is publicly accessible (you may need to wait a few seconds for the Public IP to be provisioned):<\/p>\n\n\n\n<p><code><span style=\"color: #00ff00\"><span style=\"color: #339966\">curl $(kubectl&nbsp;get svc web -o jsonpath='{.status.loadBalancer.ingress[0].ip}')<\/span><\/span><\/code><\/p>\n\n\n\n<p>Our first test is to see that any pod can communicate with the others, and even externally. Let&#8217;s run a few commands that succeed:<br><code>kubectl run
curl-$RANDOM --image=radial\/busyboxplus:curl --rm -it --generator=run-pod\/v1<br>\n# <span style=\"color: #339966\">curl https:\/\/kubernetes.io<\/span><br>\n# <span style=\"color: #339966\">curl http:\/\/db:15984<\/span><br>\n# exit<\/code><\/p>\n\n\n\n<p>Let&#8217;s apply the first important Network Policy,&nbsp;<a href=\"https:\/\/aka.ms\/mabenoit\/deny-all-view\">Deny all ingress and egress<\/a>!<\/p>\n\n\n\n<p><code>kubectl apply -f <a href=\"https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/deny-all-netpol.yaml\">https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/deny-all-netpol.yaml<\/a><\/code><\/p>\n\n\n\n<p>We can check that WEB isn&#8217;t publicly accessible anymore:<\/p>\n\n\n\n<p><code><span style=\"color: #ff0000\">curl&nbsp;--connect-timeout 2&nbsp;$(kubectl&nbsp;get svc web -o jsonpath='{.status.loadBalancer.ingress[0].ip}')<\/span><\/code><\/p>\n\n\n\n<p>Let&#8217;s also rerun the two previous tests, which should fail now:<\/p>\n\n\n\n<p><code>kubectl run curl-$RANDOM --image=radial\/busyboxplus:curl --rm -it --generator=run-pod\/v1<\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #ff0000\">curl --connect-timeout 2 https:\/\/kubernetes.io<\/span><\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #ff0000\">curl&nbsp;--connect-timeout 2&nbsp;http:\/\/db:15984<\/span><\/code><\/p>\n\n\n\n<p><code># exit<\/code><\/p>\n\n\n\n<p>Actually, no one could communicate from\/to that namespace at this stage, that&#8217;s what we want. 
Now, let&#8217;s be more granular and illustrate the &#8220;Least Access&#8221; and &#8220;Just Enough Access&#8221; Security Principles.<\/p>\n\n\n\n<p>First, <a href=\"https:\/\/aka.ms\/mabenoit\/db-netpol-view\">DB is accessible only from API on port 5984 and doesn&#8217;t have access to anything<\/a>:<\/p>\n\n\n\n<p><code>kubectl apply -f&nbsp;<a href=\"https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/db-netpol.yaml\">https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/db-netpol.yaml<\/a><\/code><\/p>\n\n\n\n<p>Let&#8217;s validate that DB doesn&#8217;t have access to anything:<\/p>\n\n\n\n<p><code>kubectl run curl-$RANDOM --image=radial\/busyboxplus:curl&nbsp;--labels&nbsp;<strong>app=db<\/strong>&nbsp;--rm -it --generator=run-pod\/v1<\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #ff0000\">curl&nbsp;--connect-timeout 2&nbsp;http:\/\/web:80<\/span><\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #ff0000\">curl&nbsp;--connect-timeout 2&nbsp;https:\/\/kubernetes.io<\/span><\/code><\/p>\n\n\n\n<p><code># exit<\/code><\/p>\n\n\n\n<p>Now, <a href=\"https:\/\/aka.ms\/mabenoit\/api-netpol-view\">API has only access to DB on port 5984 and is accessible only from WEB on port 3000<\/a>:<\/p>\n\n\n\n<p><code>kubectl apply -f&nbsp;<a href=\"https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/api-netpol.yaml\">https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/api-netpol.yaml<\/a><\/code><\/p>\n\n\n\n<p>Actually, we also need to do an extra action here by adding a <code>Label<\/code> on the <code>kube-system<\/code> Namespace (<code>NetworkPolicies<\/code> are all about <code>Labels<\/code>):<\/p>\n\n\n\n<p><code>kubectl label ns kube-system name=kube-system<\/code><\/p>\n\n\n\n<p>Let&#8217;s validate that API has access to DB, but doesn&#8217;t have access to WEB or Internet:<\/p>\n\n\n\n<p><code>kubectl run curl-$RANDOM 
--image=radial\/busyboxplus:curl&nbsp;--labels&nbsp;<strong>app=api<\/strong>&nbsp;--rm -it --generator=run-pod\/v1<\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #339966\">curl&nbsp;http:\/\/db:15984<\/span><\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #ff0000\">curl&nbsp;--connect-timeout 2&nbsp;http:\/\/web:80<\/span><\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #ff0000\">curl&nbsp;--connect-timeout 2&nbsp;https:\/\/kubernetes.io<\/span><\/code><\/p>\n\n\n\n<p><code># exit<\/code><\/p>\n\n\n\n<p>Finally, <a href=\"https:\/\/aka.ms\/mabenoit\/web-netpol-view\">WEB only has access to API on port 3000 and is only accessible from the Internet on port 80<\/a>:<\/p>\n\n\n\n<p><code>kubectl apply -f <a href=\"https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/web-netpol.yaml\">https:\/\/raw.githubusercontent.com\/mathieu-benoit\/k8s-netpol\/master\/web-netpol.yaml<\/a><\/code><\/p>\n\n\n\n<p>Let&#8217;s validate that WEB has access to API, but doesn&#8217;t have access to DB or Internet:<\/p>\n\n\n\n<p><code>kubectl run curl-$RANDOM --image=radial\/busyboxplus:curl&nbsp;--labels&nbsp;<strong>app=web<\/strong>&nbsp;--rm -it --generator=run-pod\/v1<\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #339966\">curl&nbsp;http:\/\/api:8080<\/span><\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #ff0000\">curl&nbsp;--connect-timeout 2&nbsp;https:\/\/kubernetes.io<\/span><\/code><\/p>\n\n\n\n<p><code>#&nbsp;<span style=\"color: #ff0000\">curl&nbsp;--connect-timeout 2&nbsp;http:\/\/db:15984<\/span><\/code><\/p>\n\n\n\n<p><code># exit<\/code><\/p>\n\n\n\n<p>We could check that WEB is publicly accessible again:<\/p>\n\n\n\n<p><code><span style=\"color: #00ff00\"><span style=\"color: #339966\">curl $(kubectl&nbsp;get svc web -o jsonpath='{.status.loadBalancer.ingress[0].ip}')<\/span><\/span><\/code><\/p>\n\n\n\n<p>Here we are! 
We have secured communications for our three Pods (WEB, API, and DB) by defining the strict minimal requirements, nothing less and nothing more.<\/p>\n\n\n\n<p>Some gotchas:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It&#8217;s all about\u00a0<code>Labels<\/code> on\u00a0<code>Pods<\/code> and\u00a0<code>Namespaces<\/code><\/li>\n\n\n\n<li>It&#8217;s not about\u00a0<code>Services<\/code> or the ports exposed there; it&#8217;s about the\u00a0<code>Pods<\/code>&#8217; ports<\/li>\n\n\n\n<li>You could use\u00a0<code>podSelector<\/code> and\u00a0<code>namespaceSelector<\/code><\/li>\n\n\n\n<li>Again, the scope is per\u00a0<code>Namespace<\/code>, but via the\u00a0<code>namespaceSelector<\/code>\u00a0for Ingress or Egress you could reference external\u00a0<code>Namespaces<\/code>. You could use <a href=\"https:\/\/docs.projectcalico.org\/v3.9\/reference\/resources\/globalnetworkpolicy\">GlobalNetworkPolicy with Calico<\/a>\u00a0to apply rules across\u00a0<code>Namespaces<\/code><\/li>\n\n\n\n<li>To be able to reach another\u00a0<code>Pod<\/code>\u00a0via its\u00a0<code>Service<\/code>\u00a0name, you need to add an Egress rule for the DNS resolver (with the label\u00a0<code>k8s-app=kube-dns<\/code>) in the\u00a0<code>kube-system<\/code>\u00a0Namespace.
We saw that we need to add a label\u00a0<code>name=kube-system<\/code>\u00a0on the\u00a0<code>kube-system<\/code>\u00a0Namespace.<\/li>\n\n\n\n<li>Network Policy Engine is doing the union of all the rules, Rule1 OR Rule2 OR&#8230;<\/li>\n\n\n\n<li>Default rules are for Ingress, as soon as you are adding Egress you need to specify this in the\u00a0<code>policyTypes<\/code>:\u00a0section<\/li>\n<\/ul>\n\n\n\n<p>Resources:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.cncf.io\/blog\/2019\/04\/19\/setting-up-kubernetes-network-policies-a-detailed-guide\/\">Setting up Kubernetes Network Policies \u2013 A Detailed Guide<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/info.microsoft.com\/ww-ondemand-help-deliver-applications-securely-with-devsecops-us.html\">Help Deliver Applications Securely with DevSecOps<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.youtube.com\/watch?v=131_TIa_ftI\">Secure traffic between pods using network policies in Azure Kubernetes Service (AKS) | Azure Friday<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/kubernetes.io\/blog\/2018\/07\/18\/11-ways-not-to-get-hacked\/\">11 Ways (Not) to Get Hacked with Kubernetes<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/medium.com\/@reuvenharrison\/an-introduction-to-kubernetes-network-policies-for-security-people-ba92dd4c809d\">An Introduction to Kubernetes Network Policies for Security People<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/kubernetes-security.info\/\">How to Build and Operate Applications Securely on Kubernetes<\/a><\/li>\n<\/ul>\n\n\n\n<p>Hope you enjoyed this blog article and the associated resources and are able to leverage this as a part of your own Security posture with Kubernetes.<\/p>\n\n\n\n<p>Questions or comments, please let me know in the comments below. 
Cheers!<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In May 2019,&nbsp;Network Policies on Azure Kubernetes Service (AKS) became generally available through the Azure native policy plug-in or through the community project Calico. This user-defined network policy feature enables secure network segmentation within Kubernetes and allows cluster operators to control which pods can communicate with each other and resources outside the cluster.<\/p>\n","protected":false},"author":5562,"featured_media":95473,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"msxcm_post_with_no_image":false,"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"post_tag":[2272],"content-type":[340],"topic":[2241,2242],"programming-languages":[],"coauthors":[394],"class_list":["post-78102","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-microsoft","content-type-tutorials-and-demos","topic-cloud","topic-containers","review-flag-1593580428-734","review-flag-1593580771-946","review-flag-2-1593580437-411","review-flag-lever-1593580265-989"],"yoast_head_json":{"title":"Tutorial: Calico Network Policies with Azure Kubernetes Service | Microsoft Open Source Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/","og_locale":"en_US","og_type":"article","og_title":"Tutorial: Calico Network Policies with Azure Kubernetes Service | Microsoft Open Source Blog","og_description":"In May 2019,&nbsp;Network Policies on Azure Kubernetes Service (AKS) became generally available through the Azure native policy plug-in or through the community project Calico. This user-defined network policy feature enables secure network segmentation within Kubernetes and allows cluster operators to control which pods can communicate with each other and resources outside the cluster.","og_url":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/","og_site_name":"Microsoft Open Source Blog","article_published_time":"2019-10-17T15:00:49+00:00","article_modified_time":"2025-06-27T11:51:47+00:00","og_image":[{"width":1170,"height":640,"url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/CLO24-Azure-Fintech-006.png","type":"image\/png"}],"author":"Mathieu Benoit","twitter_card":"summary_large_image","twitter_creator":"@OpenAtMicrosoft","twitter_site":"@OpenAtMicrosoft","twitter_misc":{"Written by":"Mathieu Benoit","Est.
reading time":"5 min read"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/#article","isPartOf":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/"},"author":[{"@id":"https:\/\/opensource.microsoft.com\/blog\/author\/mathieu-benoit\/","@type":"Person","@name":"Mathieu Benoit"}],"headline":"Tutorial: Calico Network Policies with Azure Kubernetes Service","datePublished":"2019-10-17T15:00:49+00:00","dateModified":"2025-06-27T11:51:47+00:00","mainEntityOfPage":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/"},"wordCount":833,"commentCount":1,"publisher":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#organization"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/#primaryimage"},"thumbnailUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/CLO24-Azure-Fintech-006.webp","keywords":["Microsoft"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/","url":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/","name":"Tutorial: Calico Network Policies with Azure Kubernetes Service | Microsoft Open Source 
Blog","isPartOf":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/#primaryimage"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/#primaryimage"},"thumbnailUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/CLO24-Azure-Fintech-006.webp","datePublished":"2019-10-17T15:00:49+00:00","dateModified":"2025-06-27T11:51:47+00:00","breadcrumb":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/#primaryimage","url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/CLO24-Azure-Fintech-006.webp","contentUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/CLO24-Azure-Fintech-006.webp","width":1170,"height":640},{"@type":"BreadcrumbList","@id":"https:\/\/opensource.microsoft.com\/blog\/2019\/10\/17\/tutorial-calico-network-policies-with-azure-kubernetes-service\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/opensource.microsoft.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Tutorial: Calico Network Policies with Azure Kubernetes Service"}]},{"@type":"WebSite","@id":"https:\/\/opensource.microsoft.com\/blog\/#website","url":"https:\/\/opensource.microsoft.com\/blog\/","name":"Microsoft Open Source Blog","description":"Open dialogue about openness 
at Microsoft \u2013 open source, standards, interoperability","publisher":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/opensource.microsoft.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/opensource.microsoft.com\/blog\/#organization","name":"Microsoft Open Source Blog","url":"https:\/\/opensource.microsoft.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","contentUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","width":259,"height":194,"caption":"Microsoft Open Source Blog"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/OpenAtMicrosoft"]}]}},"msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Open Source 
Blog","distributor_original_site_url":"https:\/\/opensource.microsoft.com\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/78102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/users\/5562"}],"replies":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/comments?post=78102"}],"version-history":[{"count":1,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/78102\/revisions"}],"predecessor-version":[{"id":97721,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/78102\/revisions\/97721"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media\/95473"}],"wp:attachment":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media?parent=78102"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/post_tag?post=78102"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/content-type?post=78102"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/topic?post=78102"},{"taxonomy":"programming-languages","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/programming-languages?post=78102"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/coauthors?post=78102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}