Configure
kube-proxy is a component of Kubernetes that handles routing traffic for services within the cluster. There are three backends available for Layer 3/4 load balancing in upstream kube-proxy: iptables, IPVS, and nftables.
- iptables is the default backend used in many Kubernetes clusters. It's simple and well-supported, but not as efficient or intelligent as IPVS.
- IPVS uses the Linux Virtual Server, a Layer 3/4 load balancer built into the Linux kernel. IPVS provides many advantages over the default iptables configuration, including state awareness, connection tracking, and more intelligent load balancing. IPVS doesn't support Azure Network Policy.
- nftables is the successor to the iptables API and is designed to provide better performance and scalability than iptables. The nftables proxy mode is essentially a replacement for both the iptables and IPVS modes, with better performance than either of them, and is recommended as a replacement for IPVS.
For more information, see the Kubernetes documentation on kube-proxy.
Note
You can disable the AKS-managed kube-proxy DaemonSet to support bring-your-own CNI.
Important
AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:
Before you begin
- If you're using the Azure CLI, you need the aks-preview extension. See Install the aks-preview Azure CLI extension.
- If you're using Azure Resource Manager or the REST API, the AKS API version must be 2022-08-02-preview or later. Specifically for nftables mode, the version must be 2025-09-02-preview or later.
- You need to register the KubeProxyConfigurationPreview feature flag. See Register the KubeProxyConfigurationPreview feature flag.
Install the aks-preview Azure CLI extension
Install the aks-preview extension using the az extension add command.

```bash
az extension add --name aks-preview
```

Update to the latest version of the extension using the az extension update command.

```bash
az extension update --name aks-preview
```
Register the KubeProxyConfigurationPreview feature flag
Register the KubeProxyConfigurationPreview feature flag using the az feature register command.

```bash
az feature register --namespace "Microsoft.ContainerService" --name "KubeProxyConfigurationPreview"
```

It takes a few minutes for the status to show Registered.

Verify the registration status using the az feature show command.

```bash
az feature show --namespace "Microsoft.ContainerService" --name "KubeProxyConfigurationPreview"
```

When the status shows Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.

```bash
az provider register --namespace Microsoft.ContainerService
```
kube-proxy configuration options
You can view the full kube-proxy configuration structure in the AKS Cluster Schema.
- enabled: Determines deployment of the kube-proxy DaemonSet. Defaults to true.
- mode: You can set to either IPTABLES, IPVS or NFTABLES. Defaults to IPTABLES.
- ipvsConfig: If mode is IPVS, this object contains IPVS-specific configuration properties.
  - scheduler: Determines which connection scheduler to use. Supported values include:
    - LeastConnection: Sends connections to the backend pod with the fewest connections.
    - RoundRobin: Evenly distributes connections between backend pods.
  - tcpFinTimeoutSeconds: Sets the timeout length value after a TCP session receives a FIN.
  - tcpTimeoutSeconds: Sets the timeout length value for idle TCP sessions.
  - udpTimeoutSeconds: Sets the timeout length value for idle UDP sessions.
IPVS load balancing operates in each node independently and is only aware of connections that flow through the local node. This means that while LeastConnection results in a more even load under a higher number of connections, when a low number of connections occur (# connects < 2 * node count), traffic might be unbalanced.
Use kube-proxy in a new or existing AKS cluster
The kube-proxy configuration is a cluster-wide setting. You don't need to update your services.
A change to the kube-proxy configuration might cause a slight interruption in cluster service traffic flow.
Create a configuration file with the desired kube-proxy configuration.

- IPVS: For example, the following configuration enables IPVS with the LeastConnection scheduler and sets the TCP timeout to 900 seconds.

  ```json
  {
    "enabled": true,
    "mode": "IPVS",
    "ipvsConfig": {
      "scheduler": "LeastConnection",
      "tcpTimeoutSeconds": 900,
      "tcpFinTimeoutSeconds": 120,
      "udpTimeoutSeconds": 300
    }
  }
  ```

- nftables: For example, the following configuration enables nftables mode.

  ```json
  {
    "enabled": true,
    "mode": "NFTABLES"
  }
  ```

Create a new cluster or update an existing cluster with the configuration file using the az aks create or az aks update commands. Use the --kube-proxy-config parameter to specify the configuration file.

```bash
# Create a new cluster
az aks create \
    --resource-group <resourceGroup> \
    --name <clusterName> \
    --kube-proxy-config kube-proxy.json \
    --generate-ssh-keys

# Update an existing cluster
az aks update \
    --resource-group <resourceGroup> \
    --name <clusterName> \
    --kube-proxy-config kube-proxy.json
```
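Because the setting is cluster-wide and a change can briefly interrupt service traffic, it helps to check kube-proxy.json before passing it to --kube-proxy-config. The following is an added example, not part of the original article or of Azure tooling: the function name lint_kube_proxy_config is hypothetical, and the network_policy argument is assumed to be supplied by the caller, with "azure" meaning Azure Network Policy. It applies only the rules stated in this article.

```python
import json

MODES = {"IPTABLES", "IPVS", "NFTABLES"}
SCHEDULERS = {"LeastConnection", "RoundRobin"}   # values listed in the article
TIMEOUTS = ("tcpTimeoutSeconds", "tcpFinTimeoutSeconds", "udpTimeoutSeconds")


def lint_kube_proxy_config(text, network_policy=None):
    """Return a list of findings for the text of a kube-proxy.json file.

    network_policy is supplied by the caller (assumption: the string
    "azure" means the cluster uses Azure Network Policy).
    """
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"error: not valid JSON ({exc.msg})"]
    if not isinstance(cfg, dict):
        return ["error: top level must be a JSON object"]

    findings = []
    enabled = cfg.get("enabled", True)      # article: defaults to true
    mode = cfg.get("mode", "IPTABLES")      # article: defaults to IPTABLES
    if not isinstance(enabled, bool):
        findings.append("error: enabled must be true or false")
    if not isinstance(mode, str) or mode not in MODES:
        findings.append(f"error: mode {mode!r} is not one of {sorted(MODES)}")

    ipvs = cfg.get("ipvsConfig")
    if ipvs is not None and mode != "IPVS":
        findings.append("warning: ipvsConfig is set but mode is not IPVS")
    if mode == "IPVS":
        if network_policy == "azure":
            findings.append("error: IPVS doesn't support Azure Network Policy")
        ipvs = ipvs if isinstance(ipvs, dict) else {}
        sched = ipvs.get("scheduler")
        if sched is not None and sched not in SCHEDULERS:
            findings.append(f"warning: scheduler {sched!r} is not listed in the article")
        for key in TIMEOUTS:
            val = ipvs.get(key)
            # Assumption: timeouts are positive whole seconds (bool is rejected).
            if val is not None and (isinstance(val, bool)
                                    or not isinstance(val, int) or val <= 0):
                findings.append(f"error: {key} must be a positive integer")
    for key in sorted(cfg.keys() - {"enabled", "mode", "ipvsConfig"}):
        findings.append(f"warning: key {key!r} is not described in the article")
    return findings
```

An empty list means the file matches the options described above; any line starting with "error:" should block the az aks update call.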
Next steps
This article described how to configure kube-proxy in Azure Kubernetes Service (AKS). To learn more about load balancing in AKS, see the following articles: