Workload security covers the controls AKS Automatic enables for the workloads running on the cluster:
- Workload identity is enabled (for authenticating to Azure resources using Microsoft Entra ID, without storing credentials in the cluster).
- Deployment safeguards help enforce best practices so that only trusted containers and safe images are used in deployments.
- The Azure Key Vault provider is enabled to integrate secrets securely with your workloads.
- The Azure Policy add-on is enabled.
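As an added example (not from the original post, and not the Azure project's own manifests), the following shows how the two features above fit together: a pod reads a Key Vault secret through the Key Vault provider using workload identity instead of a stored credential. The managed identity client ID, tenant ID, vault name, secret name, and image are placeholders to replace.

```yaml
# Added example: workload identity wired to the Key Vault provider. IDs/names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  annotations:
    # client ID of the user-assigned managed identity federated with this service account
    azure.workload.identity/client-id: "<MANAGED-IDENTITY-CLIENT-ID>"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-kv-secrets
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"                    # legacy pod identity is not used
    clientID: "<MANAGED-IDENTITY-CLIENT-ID>"   # same identity; provider exchanges its federated token
    keyvaultName: "<KEY-VAULT-NAME>"
    tenantId: "<ENTRA-TENANT-ID>"
    objects: |
      array:
        - |
          objectName: db-password              # secret name in Key Vault
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  labels:
    azure.workload.identity/use: "true"        # webhook injects the federated token into the pod
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: "<APPLICATION-IMAGE>"             # placeholder; deployment safeguards check image policy
      command: ["sleep", "infinity"]
      volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/secrets              # secret appears as /mnt/secrets/db-password
          readOnly: true
  volumes:
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-kv-secrets
```

The mount only succeeds if the managed identity has been granted read access to the vault's secrets and a federated credential exists for the `app-sa` service account in this namespace; a failing mount keeps the pod in ContainerCreating, which is the first place to look when debugging.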
Networking
With regard to networking, we can think of how pods communicate with each other within the Virtual Network (VNet), and how traffic ingresses into and egresses from the cluster.
Networking in AKS Automatic covers:
- Pod networking using Azure CNI overlay with Cilium for the data plane
- Ingress using AKS App Routing (a managed NGINX Ingress Controller) which integrates with Azure DNS and Azure Key Vault for an end-to-end application access setup
- Egress using AKS NAT Gateway for scalable outbound connections
Scaling
AKS Automatic leverages several scaling options, which we can split between cluster autoscaling and workload autoscaling.
For Cluster Autoscaling, AKS Automatic automatically enables:
- Node Autoprovision (NAP): NAP uses the open-source Karpenter project to scale nodes up and down automatically based on workload demand. It routinely checks for underused nodes and bin-packs their workloads onto fewer nodes to maximise efficiency and ultimately save you money.
For Workload Autoscaling, AKS Automatic enables:
- KEDA (Kubernetes Event-Driven Autoscaler): enables you to scale your workloads based on events or metrics.
- Vertical Pod Autoscaler (VPA): AKS Automatic also installs the VPA add-on, which helps you automatically adjust resource requests for your workloads.
Observability
From the get-go, AKS Automatic covers multiple observability needs out of the box:
- Azure Managed Prometheus for metrics
- Container Insights for logs
- Azure Managed Grafana for dashboards
The managed Grafana instance includes pre-installed dashboards for both Kubernetes and Azure, so you can instantly view your cluster’s health through the Azure portal.
Limitations of AKS Automatic
AKS Automatic simplifies AKS setup, as you don't have to configure everything manually.
However, in return, you give up some flexibility, and the default pre-configurations may not always be beneficial for every use case. Its current limitations include:
- Limited control over network plugins/custom CNI settings
- Restrictions on using custom node pools (which are predefined)
- Limited support for certain add-ons
- Scaling behaviour is opinionated: KEDA and VPA are enabled by default
- Pre-configured features cannot be disabled or changed
Closing thoughts
Overall, AKS Automatic is more automated and opinionated. You can still apply some security tweaks, but not as many as with AKS Standard. Moreover, you still need expertise (for example, understanding cluster behaviour).
Offloading control to Azure also raises concerns for teams with strict compliance or security needs. You lose visibility and fine-grained configuration, which can be a problem if your policies require full oversight.
Therefore, be sure to consider carefully whether it would work for your organisation.
Coming back to the question: is AKS Automatic worth it? It depends.
- AKS Automatic works for those who want a preconfigured, ready-to-use cluster quickly.
- AKS Standard is a better fit when you need granular control, flexibility, or have non-standard workloads.
If AKS Automatic doesn’t suit your organisation, it doesn't mean you're stuck with the complexity and overhead of managing AKS.
Intercept offers you a fully managed solution to simplify your Kubernetes with AKS Control.