May 23, 2026

Seamless Cross-Cluster Networking with Azure Kubernetes Fleet Manager


Date: 2026-05-22

Discover how Azure Kubernetes Fleet Manager enables multi-cluster workloads with native, high-performance cross-cluster networking powered by Cilium and eBPF.

Tags: ["Azure Kubernetes Service", "Cross-Cluster Networking", "Cloud Native", "Cilium", "AKS Fleet Manager"]

Modern cloud-native architectures are rapidly shifting from single-cluster scale-out approaches to scalable, multi-cluster topologies that span regions and clouds. But managing network connectivity across many Azure Kubernetes Service (AKS) clusters has historically imposed a “networking tax” — complex VPNs, gateways, manual service discovery, and operational overhead slow teams down and add latency.

Today’s announcement of public preview for cross-cluster networking in Azure Kubernetes Fleet Manager introduces a managed, seamless network powered by Cilium, eBPF, and Azure’s Advanced Container Networking Services, enabling pod-to-pod communication across cluster boundaries with native performance and zero-touch management. This capability addresses the biggest challenges in building resilient, globally distributed Kubernetes workloads with operational simplicity.

In this post, we’ll explain the challenges of multi-cluster networking, how Fleet Manager’s cross-cluster networking solution works under the hood, and what it means for your Kubernetes fleets.

3D representation of compute network storage.
Image courtesy Microsoft Azure Blog

Architecture Overview

┌────────────────────────────────────────────┐
│Architecture                                │
├────────────────────────────────────────────┤
│• Enterprise data sources                   │
│• Foundry platform                          │
│• AI applications                           │
└────────────────────────────────────────────┘

Key Technical Observations

  • eBPF-Powered High Performance Networking — Leveraging Cilium’s eBPF dataplane eliminates the overhead of proxies or gateways, enabling pods in different clusters to communicate with native-speed east-west traffic.

  • Global Service Discovery via Kubernetes Annotations — Simply tagging services with service.cilium.io/global=true transforms them into globally discoverable, multi-cluster load balanced endpoints, simplifying cross-cluster access and failover.

  • Unified Security and Governance — Network policies transcend cluster boundaries, enforcing identity-aware enterprise-grade security consistently across the entire fleet.

  • Zero-Touch Lifecycle and Certificate Management — Fleet Manager automates deployment, certificate rotation, and configuration of network components, dramatically reducing manual operational burden.

  • Open-Source Foundation with Cilium & Kubefleet — This solution builds on CNCF projects, ensuring transparency, portability, and alignment with Kubernetes ecosystem best practices.

  • Comprehensive Observability Across Clusters — Aggregated Cilium telemetry provides a holistic view of network health, facilitating faster troubleshooting and proactive management.

Azure Kubernetes Fleet Manager flowchart.
Diagram source: Microsoft Azure Blog

How It Works

Seamless East-West Pod Connectivity Across Clusters

Cross-cluster networking extends the Kubernetes networking model by interconnecting pod networks across multiple AKS clusters in a fleet. Using eBPF-based routing implemented by Cilium’s dataplane, it enables direct pod-to-pod communication without traditional east-west network bottlenecks caused by proxies or overlays.

This is achieved through:

  • Azure CNI powered by Cilium — Integrating deeply with Azure networking and providing powerful eBPF-based routing and network policy enforcement.

  • Advanced Container Networking Services (ACNS) — The managed service that orchestrates the lifecycle and configuration of cross-cluster networking components.

This architecture lets clusters remain isolated from an administrative perspective, preserving governance, while workloads communicate transparently and efficiently.

Global Service Discovery & Load Balancing

To enable services to be accessible across cluster boundaries, Fleet Manager introduces a simple annotation:

apiVersion: v1
kind: Service
metadata:
  name: my-global-service
  annotations:
    service.cilium.io/global: "true"
spec:
  ports:
    - port: 80
  selector:
    app: my-app

Setting service.cilium.io/global=true flags the service as global. Fleet Manager’s control plane then propagates endpoint information across clusters in the fleet, enabling seamless discovery and automatic load balancing across healthy backends — all transparent to the client pods.

Security and Policy Enforcement Across the Fleet

Network policies traditionally operate at cluster scope, which limits control over traffic that crosses cluster boundaries. With cross-cluster networking, identity-based and namespace-scoped policies extend seamlessly to cover workloads running anywhere in the fleet.

The following example CiliumNetworkPolicy restricts egress from pods labeled role: frontend to endpoints labeled role: backend, and it now applies regardless of the pod’s cluster location:

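apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "restrict-egress"
spec:
  # Pods this policy applies to.
  endpointSelector:
    matchLabels:
      role: frontend
  # In Cilium, a policy with an egress section puts the selected pods into
  # default-deny for egress; only the destinations listed here stay reachable.
  egress:
  - toEndpoints:
    - matchLabels:
        role: backend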

This holistic security posture simplifies governance for global applications.

Zero-Touch Operations

Fleet Manager automates critical operational tasks such as:

  • Managing mutual TLS certificates between clusters
  • Deploying and upgrading Cilium components fleet-wide
  • Ensuring consistent network configurations and profiles

This reduces day-two network management complexity and frees teams to focus on application delivery rather than infrastructure plumbing.

Quick Tips & Tricks

  1. Enable Advanced Container Networking Services (ACNS) Before Joining Clusters to a Fleet
    ACNS is required for cross-cluster networking features. Ensure it’s activated in your subscription to unlock seamless connectivity.

  2. Annotate Only Services That Require Global Exposure
    Use service.cilium.io/global=true sparingly to avoid unnecessary cross-cluster traffic and keep network policies clean.

  3. Leverage Fleet Manager for Staged Updates
    Use Fleet Manager’s rollout capabilities to safely upgrade your clusters and networking components with zero downtime.

  4. Combine With Azure Arc for Hybrid Scenarios
    Extend cross-cluster networking to AKS clusters running outside Azure by integrating them via Azure Arc for consistent management.

  5. Monitor Cross-Cluster Metrics Using Azure Monitor and Cilium Telemetry
    Set up aggregated observability dashboards for your fleets to detect anomalies or potential performance bottlenecks early.

  6. Test Network Policies Locally Before Rolling Out Fleet-Wide
    Validate your Cilium Network Policies within a dev cluster to avoid accidental service disruptions at scale.
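
A check that follows from the annotation described under Global Service Discovery & Load Balancing and from tips 2 and 6, added here as an example and not taken from the original post or from Azure or Cilium tooling: it reports Services carrying service.cilium.io/global=true that are not on an approved list, and global Services whose pods no CiliumNetworkPolicy with ingress rules provably selects. The shop namespace, the service and policy names, the allowlist, and the sample JSON are constructed for illustration.

```python
import json

GLOBAL = "service.cilium.io/global"  # annotation named on this page

# Constructed sample shaped like `kubectl get services,ciliumnetworkpolicies -A -o json`.
SAMPLE = json.loads("""{"items": [
 {"kind": "Service", "metadata": {"name": "my-global-service", "namespace": "shop",
   "annotations": {"service.cilium.io/global": "true"}},
  "spec": {"selector": {"app": "my-app"}}},
 {"kind": "Service", "metadata": {"name": "payments", "namespace": "shop",
   "annotations": {"service.cilium.io/global": "true"}},
  "spec": {"selector": {"app": "payments", "tier": "api"}}},
 {"kind": "Service", "metadata": {"name": "cache", "namespace": "shop"},
  "spec": {"selector": {"app": "cache"}}},
 {"kind": "CiliumNetworkPolicy",
  "metadata": {"name": "payments-ingress", "namespace": "shop"},
  "spec": {"endpointSelector": {"matchLabels": {"app": "payments"}},
   "ingress": [{"fromEndpoints": [{"matchLabels": {"role": "frontend"}}]}]}}
]}""")

def covers(policy, svc):
    """True if the policy has ingress rules and selects every pod the Service selects."""
    spec = policy.get("spec", {})
    sel = spec.get("endpointSelector", {})
    if policy["metadata"]["namespace"] != svc["metadata"]["namespace"]:
        return False
    if sel.get("matchExpressions") or not (spec.get("ingress") or spec.get("ingressDeny")):
        return False  # conservative: matchExpressions are not evaluated here
    have = svc["spec"].get("selector") or {}
    # Policy labels being a subset of the Service selector is a sufficient condition.
    return all(have.get(k) == v for k, v in sel.get("matchLabels", {}).items())

def audit(items, allowlist):
    """Return (global Services not allowlisted, global Services with no ingress policy)."""
    policies = [i for i in items if i["kind"] == "CiliumNetworkPolicy"]
    unexpected, unprotected = [], []
    for svc in (i for i in items if i["kind"] == "Service"):
        meta = svc["metadata"]
        if (meta.get("annotations") or {}).get(GLOBAL) != "true":
            continue
        name = f'{meta["namespace"]}/{meta["name"]}'
        if name not in allowlist:
            unexpected.append(name)
        if not any(covers(p, svc) for p in policies):
            unprotected.append(name)
    return unexpected, unprotected

if __name__ == "__main__":
    print(audit(SAMPLE["items"], allowlist={"shop/my-global-service"}))
```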

Conclusion

Azure Kubernetes Fleet Manager’s cross-cluster networking capability introduces a managed, eBPF-powered network that enables multi-cluster Kubernetes environments to communicate efficiently and securely. By leveraging global service discovery, unified security policies, and zero-touch operations, it simplifies managing scalable, resilient Kubernetes workloads across regions and fleets.

This feature supports organizations in building truly global Kubernetes architectures with reduced complexity and improved performance. As multi-cluster deployments become more common, seamless cross-cluster networking is an essential component of cloud-native infrastructure.

With ongoing innovation in open source and cloud-native technologies, solutions like Azure Kubernetes Fleet Manager will continue to evolve to meet the needs of modern Kubernetes operations.

References

  1. Powering multi-cluster workloads with seamless cross-cluster networking for Azure Kubernetes Fleet Manager | Microsoft Azure Blog