AKS Automatic: The newest way to run AKS, is it worth it?

The 3 Key Pillars of AKS Automatic

1. Production-ready by default 

• Optimal production settings are preconfigured, suitable for most applications. 
• You don’t have to worry about node autoscaling as it relies on KEDA and the Cluster Autoscaler to scale your nodes vertically and horizontally.  
• Automatically packs pods efficiently on nodes to maximise usage (bin packing). Meaning, you don’t have to think about how pods are distributed. 

2. Built-in best practices and safeguards 

• The security configuration is hardened using Microsoft’s recommended practices. 
• AKS handles node and component patching automatically, following your set maintenance schedule. 

3. Code to Kubernetes in minutes 

• You can deploy a container image to a live app in minutes. 
• You have full Kubernetes API access for when you need it. 

Default and Pre-configured Configurations 

Let’s look at some of the features AKS Automatic installs and preconfigures for you. 

Microsoft designed AKS Automatic around what they consider best practices, in several areas: 

• Security 
• Networking 
• (Auto) Scaling 
• Observability (Monitoring and Logging) 

These components allow you to run your workloads run efficiently and securely in AKS, almost from day one.

Security 

From a security perspective, we can split it into cluster security and workload security. 

Cluster security means securing access to the cluster and the supply chain. AKS Automatic enables various defaults for the cluster: 

• Azure Linux OS images 
• Automatic upgrades* 
• Azure Role-Based Access Control (RBAC) enabled (like for accessing Kubernetes API) 
• Local access to the cluster is disabled 
• SSH access to nodes is disabled 
• Image Cleaner add-on installed 
• Network Resource Lockdown (NRG) applies strict network rules to isolate your cluster, allowing outbound access only to approved internet resources. It also blocks traffic between tenants, which is critical if you’re hosting services for multiple clients on the same cluster. 

Workload security is about making sure your workloads are secure: 

• Workload identity is enabled (for authenticating to Azure resources using Microsoft Entra ID). 
• Deployment safeguards help enforce best practices so only trusted containers and safe images are used in deployments 
• Azure Key Vault provider is enabled to integrate secrets securely with your workloads 
• Azure Policy add-on enabled

Networking 

With regard to networking, we can think of how pods communicate with each other within the Virtual Network (Vnet), and how traffic ingresses and egresses from the cluster. 

Networking in AKS Automatic covers: 

• Pod networking using Azure CNI overlay with Cilium for the data plane 
• Ingress using AKS App Routing (a managed NGINX Ingress Controller) which integrates with Azure DNS and Azure Key Vault for an end-to-end application access setup 
• Egress using AKS NAT Gateway for scalable outbound connections 

Scaling 

AKS Automatic leverages several scaling options, which we can split between cluster autoscaling and workload autoscaling. Scaling options include: 

For Cluster Autoscaling, AKS Automatic automatically enables: 

• Node Autoprovision (NAP): NPA uses the open-source Karpenter project to scale nodes up/down based on workload demand automatically. This Cluster Autoscaler will enable the cluster to routinely check for underused nodes and binpack these workloads to maximise efficiency and ultimately save you money. 

For Workload Autoscaling, AKS Automatic enables: 

• KEDA: KEDA, Kubernetes Event-Driven Autoscaler, enables you to scale your workloads based on events or metrics. 
• Vertical Pod Autoscaler (VPA): AKS Automatic will also install the VPA add-on. It will help you automatically adjust resource requests for your workloads. 

Observability 

From the get-go, AKS Automatic covers multiple observability needs out of the box: 

• Azure Managed Prometheus for metrics 
• Container Insights for logs 
• Azure Managed Grafana for dashboards 

The managed Grafana instance includes pre-installed dashboards for both Kubernetes and Azure, so you can instantly view your cluster’s health through the Azure portal. 

Limitations of AKS Automatic

AKS Automatic simplifies AKS setup, as you don't have to configure everything manually.

However, in return, you give up some flexibility, and the default pre-configurations may not always be beneficial for every use case. Its current limitations include:

• Limited control over network plugins/custom CNI settings
• Restrictions on using custom node pools (which are predefined)
• Limited support for certain add-ons
• Scaling behaviour is opinionated: KEDA and VPA are enabled by default
• Pre-configured features cannot be disabled or changed

Closing thoughts

Overall, AKS Automatic is more automated and opinionated. You can still apply some security tweaks, but not as many as with AKS Standard. Besides, you still need expertise (like understanding cluster behaviour).

Offloading control to Azure also raises concerns for teams with strict compliance or security needs. You lose visibility and fine-grained configuration, which can be a problem if your policies require full oversight.

Therefore, be sure to consider carefully whether it would work for your organisation.

Coming back to the question: is AKS Automatic worth it? It depends.

• AKS Automatic works for those who want to a default, preconfigured, ready cluster quickly. 
• AKS Standard is a better fit when you need granular control, flexibility, or have non-standard workloads.

If AKS Automatic doesn’t suit your organisation, it doesn't mean you're stuck with the complexity and overhead of managing AKS.

Intercept offers you a fully managed solution to simplify your Kubernetes with AKS Control.