Azure CNI Powered by Cilium L7/CRD Network Policy

Open chasewilson opened this issue 2 years ago • 25 comments

Public Preview ETA*: Q1 2025

*ETAs are estimations and subject to change.

This issue is to track support for Azure CNI Powered by Cilium Network Policy capability expansions.

Expansions Include:

  1. Layer 7 Network Policy support
  2. Cilium Custom Network Policies
    • Currently, one of the most requested options is DNS-filtering-based policy support

This feature already has some good support tracked in this GitHub Issue.

chasewilson avatar Jul 18 '23 14:07 chasewilson

@aanandr, @phealy would you be able to assist?

Issue Details

Author: chasewilson
Assignees: -
Labels:

networking, networking/azcni, network-policies

Milestone: -

ghost avatar Jul 18 '23 14:07 ghost

Hi, @phealy any updates?

Hanifff avatar Aug 14 '23 12:08 Hanifff

Hey @Hanifff, thanks for commenting here. This item is to track the request and interest for these features in Azure CNI Powered by Cilium. Right now there isn't a timeline, but we are keeping an eye on what our customers want and would like to build it as needs arise.

Please feel free to provide feedback here about this and point others to add their reactions or feedback to make sure we're prioritizing our work correctly :)

chasewilson avatar Oct 03 '23 17:10 chasewilson

This would be really good to have.

westleydion avatar Oct 17 '23 15:10 westleydion

This would be really good to have.

Which portion of this are you most interested in? The Cilium Specific policies or the L7 capabilities?

chasewilson avatar Oct 17 '23 19:10 chasewilson

This would be really good to have.

Which portion of this are you most interested in? The Cilium Specific policies or the L7 capabilities?

My 2 cents here: both L3 DNS based rules and L7 policies, the former is actually a must-have. I guess both require Cilium Network Policies as the Kubernetes Network Policies don't support them.

EppO avatar Oct 18 '23 20:10 EppO

My team is also missing this feature, DNS based network policies is a must have for us.

ebc92 avatar Nov 01 '23 10:11 ebc92

Not stale. Lack of CiliumNetworkPolicy L3 FQDN rules is one of the reasons why we still need to BYOCNI, just to even use the most basic features of Cilium.

illrill avatar Feb 03 '24 08:02 illrill

The issue is still relevant

EppO avatar Jun 28 '24 04:06 EppO

Apparently, Azure will start supporting this in 1-2 months. Source: talked to Isovalent employees at the KCD in Munich, Germany. Unfortunately, Hubble UI integration etc. will take longer.

lieberlois avatar Jul 02 '24 11:07 lieberlois

@lieberlois thanks for the input here. Would you mind clarifying in what scenario Isovalent was planning L7 support?

From our side, we currently have support for hubble relay with self-managed UI and we're not working on l7 quite yet but are working on supporting FQDN filtering hopefully by the end of this month.

chasewilson avatar Jul 02 '24 14:07 chasewilson

@chasewilson This was in the context of layer 7 network policies 😄

lieberlois avatar Jul 02 '24 15:07 lieberlois

@lieberlois sorry for the confusion 😆.

I was meaning, did they say specifically Azure CNI Powered by Cilium, the enterprise marketplace offering they have, or the OSS Cilium support?

chasewilson avatar Jul 02 '24 15:07 chasewilson

@chasewilson As far as I understood yes, Azure CNI Powered by Cilium

lieberlois avatar Jul 02 '24 15:07 lieberlois

@lieberlois thanks for the clarification.

As of right now, we're not on L7 yet as we've had more requests (though L7 is highly requested as well) for FQDN and will be aiming for L7 after we get that out. So, not in the next month or two but should have some updates on timelines within that period.

chasewilson avatar Jul 02 '24 15:07 chasewilson

What exactly are you referring to then? Layer 7 network policies leverage FQDNs so what is missing then?

lieberlois avatar Jul 02 '24 15:07 lieberlois

What exactly are you referring to then? Layer 7 network policies leverage FQDNs so what is missing then?

Good question.

Cilium L7 policies and FQDN policies both work at Layer 7, but they have different focuses. L7 policies give you detailed control over app-specific traffic, letting you set rules based on things like HTTP methods or gRPC services.

On the other hand, FQDN policies are about controlling outbound traffic based on domain names. This is helpful in dynamic environments where IP addresses of external services change, but domain names stay the same.

chasewilson avatar Jul 02 '24 16:07 chasewilson

Okay you seem to have different naming than the typical Service Mesh terminology then 😄 I meant egress policies based on L7 Hostnames (FQDNs)

lieberlois avatar Jul 02 '24 16:07 lieberlois

@lieberlois aaahhh gotcha ok and I'm referring to L7 as application operations traffic. PUTs, GETs, etc.

chasewilson avatar Jul 02 '24 17:07 chasewilson

Still relevant

siegenthalerroger avatar Jul 23 '24 21:07 siegenthalerroger

Still relevant also; we eagerly await a public preview with the FQDN policies.

laurenbo avatar Jul 30 '24 09:07 laurenbo

Still relevant also; we eagerly await a public preview with the FQDN policies.

maur1 avatar Aug 27 '24 07:08 maur1

still relevant

EvertonSA avatar Sep 06 '24 08:09 EvertonSA

Just a side note as some comments have asked for FQDN policies. This should be available as of last week, see https://github.com/Azure/AKS/issues/4205#issuecomment-2313389191 L7 policies (as in HTTP verb/path based filtering) aren't implemented yet.

TheKangaroo avatar Sep 06 '24 09:09 TheKangaroo

Will L7 support be added to the Advanced Container Network Services (ACNS) offering?

(Also keenly awaiting this feature! It's truly a game changer.)

sebnyberg avatar Mar 25 '25 07:03 sebnyberg

is this feature available only for ACNS enabled users?

geowalrus4gh avatar May 13 '25 12:05 geowalrus4gh

@geowalrus4gh - Yes, that's correct.

quantumn-a5 avatar May 13 '25 15:05 quantumn-a5

Hi folks - just letting you know we aim to promote this to GA in mid-November, 2025.

danbosscher avatar Sep 10 '25 14:09 danbosscher

@danbosscher and @chasewilson,

Hi team,

Quick question—I have a customer who deployed Datadog to their AKS clusters using a Helm chart. Everything was working fine with Cilium Network Policy until yesterday (Nov 8, 2025). After restarting Datadog, the cluster is now rejecting the Datadog Cilium Network Policy with the following error: Failed sync attempt to: one or more objects failed to apply, reason: ciliumnetworkpolicies.cilium.io 'datadog' is forbidden: ValidatingAdmissionPolicy 'advanced-networking-validating-policy' with binding 'advanced-networking-cilium-l7-binding' denied request: CiliumNetworkPolicy cannot use DNS L7 rules.

Is this related to a known issue (the same as this one) or any recent change in policy enforcement? The customer mentioned it was working previously without any issues. Is there a fix expected around mid-November 2025?

wayden88 avatar Nov 10 '25 15:11 wayden88
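As an added example that is not part of this thread, here are the two policy shapes chasewilson contrasts above (domain-based FQDN egress versus HTTP verb/path L7 rules), written in OSS Cilium's CiliumNetworkPolicy syntax; the `rules.dns` block on the kube-dns egress is what Cilium calls a DNS L7 rule, the category named in the admission error wayden88 quotes. The pod labels, ports and domain names are assumptions for illustration, and whether a given AKS cluster admits each rule depends on its ACNS configuration, which this thread does not settle.

```yaml
# Added example, not from the issue thread: OSS Cilium policy syntax.
# Pod labels (app: frontend / app: api), ports and domains are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress-fqdn   # domain-based egress allowlist
spec:
  endpointSelector:
    matchLabels:
      app: frontend
  egress:
    # DNS to kube-dns; "rules.dns" is a DNS L7 rule (DNS goes via the Cilium proxy)
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # Allowed IPs are learned from DNS answers, so IP changes need no policy edit
    - toFQDNs:
        - matchPattern: "*.example.org"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-ingress-http   # HTTP L7 rule: verb/path based, "L7" in the thread
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:   # requests not matching these rules are rejected by the proxy
              - method: GET
                path: "/api/v1/.*"
```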