{"id":403,"date":"2026-04-13T22:45:16","date_gmt":"2026-04-13T22:45:16","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/azure-kubernetes-fleet-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-containers\/"},"modified":"2026-04-13T22:45:16","modified_gmt":"2026-04-13T22:45:16","slug":"azure-kubernetes-fleet-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-containers","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/azure-kubernetes-fleet-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-containers\/","title":{"rendered":"Azure Kubernetes Fleet Manager Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Containers"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Containers<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What this service is<\/h3>\n\n\n\n<p>Azure Kubernetes Fleet Manager is an Azure service for managing <strong>multiple Kubernetes clusters (typically multiple AKS clusters)<\/strong> as a single \u201cfleet\u201d so platform teams can apply consistent configuration and orchestrate operations across many clusters.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Simple explanation (one paragraph)<\/h3>\n\n\n\n<p>If you run more than one AKS cluster\u2014across regions, environments (dev\/test\/prod), or tenants\u2014Azure Kubernetes Fleet Manager helps you treat them as one logical group. 
Instead of repeating the same deployment or operational action per cluster, you manage at the fleet level and let the service coordinate across member clusters.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Technical explanation (one paragraph)<\/h3>\n\n\n\n<p>Technically, Azure Kubernetes Fleet Manager introduces an Azure <strong>Fleet<\/strong> resource that can register multiple Kubernetes clusters as <strong>fleet members<\/strong> and, depending on enabled capabilities, provide mechanisms for <strong>multi-cluster resource placement\/propagation<\/strong> and <strong>orchestrated operations<\/strong> across those member clusters. Some features use a dedicated \u201chub\u201d concept (often implemented as a Kubernetes API surface you interact with using <code>kubectl<\/code>) to define placement policies and observe propagation status.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What problem it solves<\/h3>\n\n\n\n<p>Organizations adopting Kubernetes at scale quickly run into a \u201cmulti-cluster tax\u201d:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Repeating deployments and policy changes across clusters<\/li>\n<li>Maintaining consistency between environments and regions<\/li>\n<li>Coordinating staged rollouts\/upgrades safely<\/li>\n<li>Reducing operational overhead while still keeping clusters separated for isolation, compliance, and blast-radius control<\/li>\n<\/ul>\n\n\n\n<p>Azure Kubernetes Fleet Manager targets these pain points by adding a <strong>fleet-level management plane<\/strong> for many clusters.<\/p>\n\n\n\n<blockquote>\n<p>Service status note: Azure features and command surfaces evolve quickly. Verify the latest feature availability, API versions, and CLI extension requirements in the official documentation before production use: https:\/\/learn.microsoft.com\/azure\/kubernetes-fleet\/<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Azure Kubernetes Fleet Manager?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Azure Kubernetes Fleet Manager is designed to help you <strong>manage multiple Kubernetes clusters<\/strong> (commonly multiple <strong>Azure Kubernetes Service (AKS)<\/strong> clusters) through a single fleet abstraction, improving consistency and reducing repetitive operational work.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (high level)<\/h3>\n\n\n\n<p>Commonly documented capabilities include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fleet resource<\/strong> to represent a logical group of clusters<\/li>\n<li><strong>Membership<\/strong>: add\/remove clusters as fleet members<\/li>\n<li><strong>Multi-cluster resource placement\/propagation<\/strong> (often via fleet \u201chub\u201d APIs) so Kubernetes objects can be applied across selected member clusters<\/li>\n<li><strong>Orchestrated operations across clusters<\/strong> (for example, coordinated workflows across a set of clusters\u2014verify the current supported operations in official docs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<p>While exact implementation details and naming can evolve, you should expect the following conceptual components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fleet (Azure resource)<\/strong>: the management object in Azure<\/li>\n<li><strong>Fleet members<\/strong>: the clusters registered into the fleet<\/li>\n<li><strong>Fleet hub (capability-dependent)<\/strong>: a Kubernetes API endpoint used to define placements and view status (when enabled\/required)<\/li>\n<li><strong>Placement and scheduling constructs<\/strong>: Kubernetes custom resources (CRDs) used to select clusters and propagate resources (API group\/version can change\u2014verify on your hub cluster)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Type<\/strong>: Azure managed control-plane service for multi-cluster management (integrates with Kubernetes APIs and Azure ARM)<\/li>\n<li><strong>Client interfaces<\/strong>: Azure Portal, Azure CLI (often via an extension), ARM\/Bicep\/Terraform (provider support varies by maturity\u2014verify), and <code>kubectl<\/code> for hub-side CRDs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: regional\/global and resource scope<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Typically created as an <strong>Azure resource<\/strong> in a <strong>resource group<\/strong> within a subscription.<\/li>\n<li>The fleet resource is created in a specific Azure region, but it can logically manage clusters across regions (capabilities and support matrix may vary\u2014verify).<\/li>\n<li>Fleet membership is generally <strong>subscription-scoped<\/strong> by RBAC and permissions; cross-subscription or cross-tenant scenarios may be possible but require explicit permissions and are subject to product support boundaries\u2014verify in docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Azure ecosystem<\/h3>\n\n\n\n<p>Azure Kubernetes Fleet Manager typically complements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AKS<\/strong> for cluster hosting<\/li>\n<li><strong>Azure RBAC \/ Microsoft Entra ID<\/strong> for access control<\/li>\n<li><strong>Azure Policy for Kubernetes \/ Gatekeeper<\/strong> for governance (depending on your approach)<\/li>\n<li><strong>Azure Monitor (Container insights)<\/strong> for monitoring<\/li>\n<li><strong>GitOps tooling (Flux\/Argo CD)<\/strong> as an alternative or companion to fleet placement, depending on operational model<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Azure Kubernetes Fleet Manager?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lower operational overhead<\/strong>: fewer manual, repeated cluster-by-cluster actions<\/li>\n<li><strong>Standardization<\/strong>: enforce baseline configurations and reduce configuration drift<\/li>\n<li><strong>Faster delivery<\/strong>: push platform changes or common apps to many clusters with less friction<\/li>\n<li><strong>Risk reduction<\/strong>: staged rollouts and consistent practices reduce outages caused by \u201cone-off\u201d changes<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Multi-cluster application placement<\/strong>: define where Kubernetes objects should run using selectors\/labels rather than hard-coding cluster lists<\/li>\n<li><strong>Separation with central control<\/strong>: maintain multiple clusters for isolation (regional, environment, compliance) while managing them consistently<\/li>\n<li><strong>Declarative workflows<\/strong>: use Kubernetes-style APIs (on the hub) to express intent and observe status<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fleet-wide visibility<\/strong> (capability-dependent): status of placement\/propagation and membership from one place<\/li>\n<li><strong>Repeatability<\/strong>: fewer \u201crunbook forks\u201d per cluster<\/li>\n<li><strong>Scalability of operations<\/strong>: patterns that work for 2 clusters can extend to 20+ clusters<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced human access<\/strong>: instead of logging into every cluster, you can centralize certain management actions<\/li>\n<li><strong>Consistent policy distribution<\/strong>: distribute baseline policies\/guardrails 
across clusters (when used with policy tooling)<\/li>\n<li><strong>Auditability<\/strong>: leverage Azure activity logs + Kubernetes audit logs (if enabled) for change tracking<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Helps you scale Kubernetes operations without building your own multi-cluster control plane.<\/li>\n<li>Supports architectures where workloads are intentionally spread across multiple clusters to meet latency, availability, or compliance goals.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Azure Kubernetes Fleet Manager when you have:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple AKS clusters (now or soon)<\/li>\n<li>A platform team responsible for consistent baseline capabilities across clusters<\/li>\n<li>The need to deploy shared components (ingress controllers, policies, agents, namespaces, config) to multiple clusters<\/li>\n<li>A desire for staged, controlled changes across environments\/regions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Avoid or defer Azure Kubernetes Fleet Manager when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You only have a single AKS cluster and don\u2019t expect to grow soon<\/li>\n<li>You require an advanced multi-cluster service mesh or global traffic routing (Fleet Manager is not a service mesh or global load balancer)<\/li>\n<li>Your org already standardized on another multi-cluster platform (Anthos, Rancher, Open Cluster Management, Karmada) and migration cost outweighs benefits<\/li>\n<li>You need to manage many non-AKS clusters and the service support matrix doesn\u2019t match your estate (verify supported cluster types)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Azure Kubernetes Fleet Manager used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and software companies running multi-region services<\/li>\n<li>Financial services and healthcare (environment isolation, compliance boundaries)<\/li>\n<li>Retail and media (spiky traffic, regional presence)<\/li>\n<li>Manufacturing\/IoT (regional plants, edge-ish patterns\u2014often hybrid with Arc; verify fit)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams<\/li>\n<li>SRE\/operations teams<\/li>\n<li>DevOps and release engineering teams<\/li>\n<li>Security engineering and compliance teams (baseline controls)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microservices deployed across multiple clusters<\/li>\n<li>Shared platform add-ons (ingress, cert-manager, external-dns, monitoring agents)<\/li>\n<li>Regionalized workloads (data residency, latency)<\/li>\n<li>Multi-environment deployments (dev\/test\/stage\/prod)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Multi-region active\/active<\/strong>: same app stack in multiple regions<\/li>\n<li><strong>Multi-cluster per environment<\/strong>: strict separation for compliance<\/li>\n<li><strong>Cell-based architecture<\/strong>: many similar clusters (\u201ccells\u201d) for scale-out and blast-radius control<\/li>\n<li><strong>Tenant isolation<\/strong>: separate clusters per customer\/tenant for higher isolation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Central platform team curates cluster baselines; app teams deploy workloads to namespaces<\/li>\n<li>Shared add-ons pushed to many clusters with controlled placement rules<\/li>\n<li>DR strategy where 
identical stacks exist in secondary regions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dev\/test<\/strong>: distribute \u201cgolden\u201d namespaces, RBAC, and toolchains; validate placement behavior<\/li>\n<li><strong>Production<\/strong>: carefully controlled rollouts with strong governance and change management, plus strict RBAC boundaries<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Azure Kubernetes Fleet Manager is commonly considered. Exact feature support can vary; verify the specific capability in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Deploy a shared baseline namespace to every cluster<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You need standard namespaces (<code>platform-system<\/code>, <code>observability<\/code>, <code>security<\/code>) across clusters.<\/li>\n<li><strong>Why this service fits<\/strong>: Fleet-level placement can propagate namespace objects consistently.<\/li>\n<li><strong>Example<\/strong>: Automatically ensure <code>observability<\/code> namespace exists on all prod clusters in all regions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Roll out a cluster-wide ConfigMap or Secret <em>pattern<\/em> (with external secret storage)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Repeating \u201csame config everywhere\u201d changes causes drift.<\/li>\n<li><strong>Why it fits<\/strong>: Fleet placement supports consistent distribution (secrets should be handled carefully\u2014see Security).<\/li>\n<li><strong>Example<\/strong>: Distribute a non-sensitive ConfigMap containing organization-wide proxy settings.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Publish a common ingress controller configuration across 
clusters<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Each cluster ends up with slightly different ingress annotations and defaults.<\/li>\n<li><strong>Why it fits<\/strong>: Place ingress-related Kubernetes resources to selected clusters using labels (e.g., <code>env=prod<\/code>).<\/li>\n<li><strong>Example<\/strong>: Ensure all internet-facing clusters share the same ingress class defaults.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Multi-region \u201ccell\u201d deployment of a stateless microservice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You run the same service in many clusters and need consistent deployment manifests.<\/li>\n<li><strong>Why it fits<\/strong>: Define the deployment once and place it to multiple member clusters.<\/li>\n<li><strong>Example<\/strong>: A public API service runs in 6 regional clusters; fleet placement selects them by label <code>tier=api<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Progressive rollout across environments<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You want dev \u2192 staging \u2192 prod promotion without re-authoring per cluster.<\/li>\n<li><strong>Why it fits<\/strong>: Use cluster labels and multiple placement objects (or selectors) per environment.<\/li>\n<li><strong>Example<\/strong>: A new sidecar configuration rolls to <code>env=dev<\/code> first, then <code>env=stage<\/code>, then <code>env=prod<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Disaster recovery readiness validation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: DR clusters lag behind and are missing key objects until failover day.<\/li>\n<li><strong>Why it fits<\/strong>: Keep DR clusters as fleet members and continuously place baseline resources.<\/li>\n<li><strong>Example<\/strong>: Ensure DR clusters always have the same namespace, RBAC, and service accounts as 
primary.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Standardize cluster add-ons (observability, security agents)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Monitoring\/logging agents vary across clusters, breaking dashboards and alerts.<\/li>\n<li><strong>Why it fits<\/strong>: Place add-on manifests to selected clusters (or all).<\/li>\n<li><strong>Example<\/strong>: Standardize Azure Monitor agents or Prometheus exporters across all clusters.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Run a centralized policy bundle to enforce guardrails everywhere<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Policies are applied inconsistently, leading to non-compliant workloads.<\/li>\n<li><strong>Why it fits<\/strong>: Fleet placement can distribute policy-related manifests (actual enforcement depends on the policy engine).<\/li>\n<li><strong>Example<\/strong>: Distribute Gatekeeper constraints and templates (if you use Gatekeeper) across clusters.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Manage clusters by \u201ccapability groups\u201d<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Not every cluster should receive every component (GPU, PCI workloads, internet-facing).<\/li>\n<li><strong>Why it fits<\/strong>: Use labels\/selectors to target only capable clusters.<\/li>\n<li><strong>Example<\/strong>: Place GPU device plugin only to clusters labeled <code>hardware=gpu<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Reduce toil for many small AKS clusters<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: You intentionally run many smaller clusters for blast radius, but operations don\u2019t scale.<\/li>\n<li><strong>Why it fits<\/strong>: Fleet abstractions help you scale repeated actions and baseline configuration.<\/li>\n<li><strong>Example<\/strong>: A SaaS provider with 30 clusters uses fleet placement to keep 
them consistent.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Separation of duties (platform vs app teams)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Platform team needs to manage shared components without full admin access everywhere.<\/li>\n<li><strong>Why it fits<\/strong>: Centralize specific changes through fleet processes with tight RBAC.<\/li>\n<li><strong>Example<\/strong>: Platform engineers can manage baseline manifests via hub access; app teams only touch their namespaces.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Standardize environment bootstrapping for new clusters<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: New clusters take days to become \u201cready\u201d due to manual setup.<\/li>\n<li><strong>Why it fits<\/strong>: Add the cluster to the fleet and let baseline placements populate required objects.<\/li>\n<li><strong>Example<\/strong>: New regional cluster joins fleet, automatically receives namespaces, network policies, and observability.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Note: Feature names, API versions, and required components can differ by release wave. 
Confirm the latest capabilities at https:\/\/learn.microsoft.com\/azure\/kubernetes-fleet\/<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Fleet resource (logical grouping)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Represents a collection of Kubernetes clusters as one fleet.<\/li>\n<li><strong>Why it matters<\/strong>: It becomes the anchor point for membership and fleet-level operations.<\/li>\n<li><strong>Practical benefit<\/strong>: A single inventory of clusters for platform workflows.<\/li>\n<li><strong>Caveats<\/strong>: Cross-subscription\/tenant use cases may require additional configuration and may not be supported in all scenarios\u2014verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Fleet membership management<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Adds\/removes member clusters to\/from the fleet.<\/li>\n<li><strong>Why it matters<\/strong>: Membership is the foundation for any multi-cluster operation.<\/li>\n<li><strong>Practical benefit<\/strong>: Standard onboarding\/offboarding flow for clusters.<\/li>\n<li><strong>Caveats<\/strong>: Requires permissions both in Azure (ARM) and within the cluster (Kubernetes RBAC), depending on operation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Fleet hub (capability-dependent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides a Kubernetes API surface to define placements and view status (implemented as a \u201chub\u201d control plane that you can interact with via <code>kubectl<\/code>).<\/li>\n<li><strong>Why it matters<\/strong>: Enables Kubernetes-native declarative multi-cluster placement patterns.<\/li>\n<li><strong>Practical benefit<\/strong>: You can define \u201cplace this object onto clusters matching these labels.\u201d<\/li>\n<li><strong>Caveats<\/strong>: The hub may be implemented using an AKS cluster or a managed hub component depending on current design. 
This can introduce <strong>additional cost and operational considerations<\/strong>. Verify how hub is realized in your chosen mode.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Multi-cluster resource placement \/ propagation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you define placement policies so Kubernetes objects are propagated to selected member clusters.<\/li>\n<li><strong>Why it matters<\/strong>: This is often the core \u201cfleet\u201d capability for day-2 operations.<\/li>\n<li><strong>Practical benefit<\/strong>: Define once, deploy to many\u2014reduces drift.<\/li>\n<li><strong>Caveats<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Not all Kubernetes object types or edge cases are equally suitable (e.g., cluster-scoped resources need careful governance).<\/li>\n<li>Conflicts can occur if app teams also manage the same objects through other pipelines (GitOps, Helm) without clear ownership.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cluster selection via labels\/selectors<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Targets clusters based on metadata (e.g., <code>env=prod<\/code>, <code>region=eastus<\/code>, <code>tier=frontend<\/code>).<\/li>\n<li><strong>Why it matters<\/strong>: Enables scalable targeting without enumerating cluster names.<\/li>\n<li><strong>Practical benefit<\/strong>: Simple progressive rollout patterns.<\/li>\n<li><strong>Caveats<\/strong>: Label taxonomy must be standardized or selection becomes fragile.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Status, health, and rollout visibility (capability-dependent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Surfaces whether resources were successfully placed and applied across clusters.<\/li>\n<li><strong>Why it matters<\/strong>: Multi-cluster operations without feedback quickly become unsafe.<\/li>\n<li><strong>Practical benefit<\/strong>: Easier troubleshooting of \u201cwhy 
didn\u2019t cluster X receive this deployment?\u201d<\/li>\n<li><strong>Caveats<\/strong>: The depth of status\/telemetry varies; you may still rely heavily on per-cluster logs and events.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integration with Azure identity and governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Uses Azure RBAC and resource-level permissions for fleet and membership operations; integrates into Azure activity logs.<\/li>\n<li><strong>Why it matters<\/strong>: Helps align multi-cluster control with enterprise access models.<\/li>\n<li><strong>Practical benefit<\/strong>: Centralized access control and audit trail at Azure resource level.<\/li>\n<li><strong>Caveats<\/strong>: You still need strong Kubernetes RBAC and namespace boundaries inside each cluster.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>At a high level, Azure Kubernetes Fleet Manager introduces a <strong>fleet management plane<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>You create a <strong>Fleet<\/strong> resource in Azure.<\/li>\n<li>You register <strong>AKS clusters<\/strong> as fleet members (membership is tracked as Azure resources).<\/li>\n<li>If using hub-based placement, you connect to the <strong>fleet hub Kubernetes API<\/strong> (via kubeconfig) and apply placement resources.<\/li>\n<li>Agents\/controllers coordinate propagation to member clusters.<\/li>\n<li>You monitor placement status centrally and validate results on each member cluster.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow (typical hub-based placement)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane (Azure)<\/strong>: You manage the Fleet resource and membership via ARM (Portal\/CLI\/SDK).<\/li>\n<li><strong>Control plane 
(Kubernetes)<\/strong>: You apply placement and workload manifests to the hub API.<\/li>\n<li><strong>Controllers\/agents<\/strong>: Reconcile desired state and apply objects to selected member clusters.<\/li>\n<li><strong>Data plane<\/strong>: Your applications run on the member clusters; Fleet Manager is not in your request path.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations in Azure environments include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AKS<\/strong>: the managed Kubernetes clusters being orchestrated<\/li>\n<li><strong>Microsoft Entra ID \/ Azure RBAC<\/strong>: authentication and authorization (for Azure and sometimes for Kubernetes API access)<\/li>\n<li><strong>Azure Monitor<\/strong>: logs\/metrics (Container insights), activity logs<\/li>\n<li><strong>Azure Policy<\/strong>: governance of Azure resources and potentially Kubernetes policies (depending on your chosen policy stack)<\/li>\n<li><strong>Key Vault + CSI driver \/ External Secrets<\/strong>: secrets management (recommended over distributing raw Kubernetes Secrets)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AKS clusters<\/strong> as members<\/li>\n<li>Potentially an additional <strong>hub<\/strong> cluster (depending on how hub is implemented in the current service mode)<\/li>\n<li>Azure networking, identity, and logging services typically used with AKS<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model (overview)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Azure-side<\/strong>: ARM calls secured by Azure AD (Entra) and Azure RBAC.<\/li>\n<li><strong>Kubernetes-side<\/strong>: Hub API access uses kubeconfig credentials (often integrated with Entra\/AKS auth). 
Member cluster access is performed by controllers\/agents with their own identities\/credentials.<\/li>\n<li><strong>Best practice<\/strong>: Use least privilege, separate roles for fleet administration vs application deployment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model (overview)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Member clusters usually need outbound connectivity to Azure control plane endpoints and any fleet-specific endpoints used by the service.<\/li>\n<li>Hub-to-member traffic patterns depend on the architecture mode and may rely on agents initiating outbound connections, reducing the need for inbound connectivity between clusters.<\/li>\n<li>For private clusters, additional DNS\/firewall\/endpoint planning may be required\u2014verify the official networking requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Azure Activity Log<\/strong> for fleet resource operations.<\/li>\n<li>Use per-cluster Kubernetes events\/logs for applied resources.<\/li>\n<li>Consider centralized log aggregation (Azure Monitor \/ Log Analytics) across clusters with consistent workspace design.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  A[Platform engineer] --&gt;|Azure CLI\/Portal| ARM[Azure Resource Manager]\n  ARM --&gt; F[Azure Kubernetes Fleet Manager&lt;br\/&gt;Fleet resource]\n  F --&gt; M1[&quot;AKS Cluster A&lt;br\/&gt;(member)&quot;]\n  F --&gt; M2[&quot;AKS Cluster B&lt;br\/&gt;(member)&quot;]\n  A --&gt;|&quot;kubectl (hub mode)&quot;| HUB[Fleet hub Kubernetes API]\n  HUB --&gt;|placement\/propagation| M1\n  HUB --&gt;|placement\/propagation| M2\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Mgmt[Management Subscription]\n   
 ARM[Azure Resource Manager]\n    FLEET[Azure Kubernetes Fleet Manager&lt;br\/&gt;Fleet]\n    LOG[Azure Monitor \/ Log Analytics]\n    KV[Azure Key Vault]\n  end\n\n  subgraph Region1[Region 1]\n    AKS1[AKS Prod Cluster - eastus]\n    ACR1[Azure Container Registry]\n  end\n\n  subgraph Region2[Region 2]\n    AKS2[AKS Prod Cluster - westeurope]\n    ACR2[&quot;Azure Container Registry (optional)&quot;]\n  end\n\n  subgraph Shared[Shared Controls]\n    ENTRA[Microsoft Entra ID]\n    POLICY[Azure Policy \/ Policy-as-code]\n    CICD[&quot;CI\/CD or GitOps (optional)&quot;]\n  end\n\n  ADMIN[Platform\/SRE Team] --&gt; ENTRA\n  ADMIN --&gt;|ARM| ARM\n  ARM --&gt; FLEET\n  FLEET --&gt; AKS1\n  FLEET --&gt; AKS2\n\n  CICD --&gt;|Push manifests to hub or repos| FLEET\n\n  AKS1 --&gt;|Pull images| ACR1\n  AKS2 --&gt;|Pull images| ACR1\n\n  AKS1 --&gt; LOG\n  AKS2 --&gt; LOG\n\n  AKS1 --&gt;|CSI\/Secrets| KV\n  AKS2 --&gt;|CSI\/Secrets| KV\n\n  POLICY --&gt; AKS1\n  POLICY --&gt; AKS2\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/subscription requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An Azure subscription where you can create:\n<ul class=\"wp-block-list\">\n<li>Resource groups<\/li>\n<li>AKS clusters<\/li>\n<li>Fleet resources (Azure Kubernetes Fleet Manager)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You typically need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>At Azure scope<\/strong> (subscription\/resource group):\n<ul class=\"wp-block-list\">\n<li><code>Owner<\/code> or <code>Contributor<\/code> to create resources<\/li>\n<li>Plus the ability to assign roles if needed (for managed identities\/service principals)<\/li>\n<\/ul>\n<\/li>\n<li><strong>At AKS\/Kubernetes scope<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Cluster admin or appropriate RBAC to install\/operate any fleet agents\/controllers (often handled automatically, but permissions still matter)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>For least privilege in production, split roles:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fleet administrators (create\/manage fleet + membership)<\/li>\n<li>Cluster operators (AKS ops)<\/li>\n<li>Application operators (namespace-scoped)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A valid payment method is required because AKS and any associated resources (node pools, load balancers, public IPs, log analytics) incur cost.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI\/SDK\/tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure CLI: https:\/\/learn.microsoft.com\/cli\/azure\/install-azure-cli<\/li>\n<li><code>kubectl<\/code>: https:\/\/kubernetes.io\/docs\/tasks\/tools\/<\/li>\n<li>Optional: <code>helm<\/code> if you standardize packaging (not required for Fleet Manager itself)<\/li>\n<\/ul>\n\n\n\n<p>Azure CLI extensions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fleet-related commands may require an Azure CLI extension (name and installation can change).<\/li>\n<li>Verify with:\n<ul class=\"wp-block-list\">\n<li><code>az extension list-available --output 
table | findstr -i fleet<\/code> (Windows)<\/li>\n<li><code>az extension list-available --output table | grep -i fleet<\/code> (macOS\/Linux)<\/li>\n<\/ul>\n<\/li>\n<li>Also verify current docs for the correct extension and minimum Azure CLI version.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fleet Manager availability can be region- and feature-dependent.<\/li>\n<li>Verify supported regions and feature status in official docs: https:\/\/learn.microsoft.com\/azure\/kubernetes-fleet\/<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Plan for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AKS core quotas (vCPU per region, node limits)<\/li>\n<li>IP address capacity if using Azure CNI<\/li>\n<li>Potential fleet-specific limits (number of member clusters, placements, objects)\u2014verify in official docs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AKS<\/strong> clusters to manage (for this tutorial, you\u2019ll create two small clusters)<\/li>\n<li>Optional but common:\n<ul class=\"wp-block-list\">\n<li>Azure Container Registry (ACR)<\/li>\n<li>Log Analytics workspace (Azure Monitor)<\/li>\n<li>Key Vault (secrets)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. 
Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (what to expect)<\/h3>\n\n\n\n<p>Azure Kubernetes Fleet Manager pricing is typically described as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fleet management plane<\/strong>: often no separate line-item cost (verify in official pricing\/docs).<\/li>\n<li><strong>Underlying resources<\/strong>: you pay for what Fleet Manager uses or touches:<\/li>\n<li>AKS clusters (node pools\/VMs, load balancers, disks)<\/li>\n<li>If a <strong>hub<\/strong> cluster is created\/required for your chosen features, that hub\u2019s AKS cost applies<\/li>\n<li>Log Analytics ingestion and retention (if using Azure Monitor \/ Container insights)<\/li>\n<li>Networking egress between regions (if clusters are cross-region and data moves)<\/li>\n<\/ul>\n\n\n\n<p>Because Azure pricing and feature packaging can change, validate with:\n&#8211; AKS pricing page: https:\/\/azure.microsoft.com\/pricing\/details\/kubernetes-service\/\n&#8211; Azure Pricing Calculator: https:\/\/azure.microsoft.com\/pricing\/calculator\/\n&#8211; Fleet docs (pricing notes): https:\/\/learn.microsoft.com\/azure\/kubernetes-fleet\/ (verify current guidance)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (cost drivers)<\/h3>\n\n\n\n<p>Even if the fleet control plane is \u201cfree,\u201d real costs come from:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Compute<\/strong>: VM sizes and node counts in member clusters (and hub if applicable)<\/li>\n<li><strong>Networking<\/strong>:\n   &#8211; Inter-region data transfer\n   &#8211; Load balancer and public IP usage\n   &#8211; NAT Gateway (if used)<\/li>\n<li><strong>Observability<\/strong>:\n   &#8211; Log Analytics data ingestion\n   &#8211; Metrics retention<\/li>\n<li><strong>Storage<\/strong>:\n   &#8211; Managed disks for workloads\n   &#8211; Container registry storage (ACR)<\/li>\n<li><strong>Operational tooling<\/strong>:\n   &#8211; Security 
scanning, policy tooling, backup tooling<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AKS has a pricing model where the <strong>Kubernetes control plane<\/strong> is typically managed by Azure; charges are primarily for worker nodes and attached resources. The exact free\/paid breakdown depends on AKS tier\/feature choices\u2014verify current AKS pricing details.<\/li>\n<li>Fleet Manager itself may not have a distinct free tier; instead it may be priced implicitly (or not billed separately). <strong>Verify in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hub cluster cost<\/strong> (if hub mode requires an AKS cluster)<\/li>\n<li><strong>Log volume explosion<\/strong> when rolling out agents or changing logging configurations across many clusters at once<\/li>\n<li><strong>Data egress<\/strong> if you centrally aggregate logs across regions or replicate images cross-region<\/li>\n<li><strong>Management overhead<\/strong>: more clusters = more upgrade testing, more policy review, more incident surface area<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Propagating Kubernetes objects is usually control-plane traffic (small), but cross-region operations and observability pipelines can create sustained data transfer.<\/li>\n<li>If your architecture pulls images from a registry in a different region, egress charges can appear.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with <strong>hubless<\/strong> or minimal capability mode if possible (verify feature requirements).<\/li>\n<li>Use the smallest practical node sizes for non-production clusters.<\/li>\n<li>Centralize ACR per geography; use geo-replication if 
needed.<\/li>\n<li>Right-size Log Analytics:\n<ul class=\"wp-block-list\">\n<li>Set retention to what you need<\/li>\n<li>Filter noisy logs<\/li>\n<li>Use metrics where possible<\/li>\n<\/ul>\n<\/li>\n<li>Use labels\/selectors to avoid deploying heavy add-ons to every cluster by default.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n<p>A low-cost lab typically includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Two small AKS clusters (single node pool, 1\u20132 nodes each)<\/li>\n<li>Minimal load balancers (or none if not exposing services)<\/li>\n<li>No Log Analytics (or minimal ingestion)<\/li>\n<\/ul>\n\n\n\n<p>Exact cost depends on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Region<\/li>\n<li>VM size (e.g., B-series vs D-series)<\/li>\n<li>Node count and uptime<\/li>\n<\/ul>\n\n\n\n<p>Use the calculator with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cKubernetes Service\u201d (AKS worker nodes)<\/li>\n<li>\u201cVirtual Machines\u201d<\/li>\n<li>\u201cLoad Balancer\u201d<\/li>\n<li>\u201cPublic IP\u201d<\/li>\n<li>\u201cLog Analytics\u201d<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, expect cost growth from:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple node pools (system + user + spot)<\/li>\n<li>Higher availability (multiple zones)<\/li>\n<li>Multiple clusters per region<\/li>\n<li>A hub cluster (if used)<\/li>\n<li>Centralized logging at scale<\/li>\n<li>Security tooling and backups<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab builds a small, realistic multi-cluster setup on Azure and demonstrates hub-based multi-cluster placement concepts. 
The exact CRD API versions and CLI command groups can change\u2014this tutorial includes verification steps so you can adapt safely.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Create two AKS clusters, register them into <strong>Azure Kubernetes Fleet Manager<\/strong>, connect to the fleet hub Kubernetes API, and propagate a sample namespace + deployment to selected member clusters.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create an Azure resource group<\/li>\n<li>Create two small AKS clusters (<code>aks-a<\/code>, <code>aks-b<\/code>)<\/li>\n<li>Create an Azure Kubernetes Fleet Manager fleet (<code>demo-fleet<\/code>) with hub capability (if required for placement)<\/li>\n<li>Add both AKS clusters as fleet members<\/li>\n<li>Connect to the fleet hub using <code>kubectl<\/code><\/li>\n<li>Discover fleet CRDs and apply a placement policy to deploy a sample app to both clusters<\/li>\n<li>Validate results by checking each member cluster<\/li>\n<li>Clean up everything<\/li>\n<\/ol>\n\n\n\n<blockquote>\n<p>Cost note: If hub mode creates an additional AKS cluster (or similar billable resource), your cost increases. 
If you want the lowest-cost lab, verify whether you can run the features you need without hub mode, and prefer a single cluster lab for learning.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Set variables and sign in<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Actions<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open a terminal (Cloud Shell is fine).<\/li>\n<li>Sign in and select your subscription.<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">az login\naz account show --output table\naz account set --subscription \"&lt;YOUR_SUBSCRIPTION_ID&gt;\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>Set environment variables:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">export LOCATION=\"eastus\"\nexport RG=\"rg-fleet-lab\"\nexport AKS_A=\"aks-a-fleetlab\"\nexport AKS_B=\"aks-b-fleetlab\"\nexport FLEET=\"demo-fleet\"\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your Azure CLI context points to the correct subscription.<\/li>\n<li>Variables are set for repeatable commands.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a resource group<\/h3>\n\n\n\n<pre><code class=\"language-bash\">az group create --name \"$RG\" --location \"$LOCATION\"\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource group <code>$RG<\/code> exists in <code>$LOCATION<\/code>.<\/li>\n<\/ul>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az group show -n \"$RG\" --query \"{name:name,location:location,provisioningState:properties.provisioningState}\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create two small AKS clusters<\/h3>\n\n\n\n<blockquote>\n<p>AKS cluster creation can take 5\u201315+ minutes per 
cluster. The exact flags you need may vary based on your org policies (private cluster, Azure CNI, etc.).<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">Actions<\/h4>\n\n\n\n<p>Create AKS cluster A:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az aks create \\\n  --resource-group \"$RG\" \\\n  --name \"$AKS_A\" \\\n  --location \"$LOCATION\" \\\n  --enable-managed-identity \\\n  --node-count 1 \\\n  --generate-ssh-keys\n<\/code><\/pre>\n\n\n\n<p>Create AKS cluster B:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az aks create \\\n  --resource-group \"$RG\" \\\n  --name \"$AKS_B\" \\\n  --location \"$LOCATION\" \\\n  --enable-managed-identity \\\n  --node-count 1 \\\n  --generate-ssh-keys\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Two running AKS clusters.<\/li>\n<\/ul>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az aks list -g \"$RG\" --query \"[].{name:name, location:location, provisioningState:provisioningState}\" -o table\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Install\/enable Azure CLI fleet commands (if required)<\/h3>\n\n\n\n<p>Fleet commands may require an extension. 
Because extension naming can change, follow a discover-first approach.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Actions<\/h4>\n\n\n\n<p>List available extensions containing \u201cfleet\u201d:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az extension list-available --output table | grep -i fleet || true\n<\/code><\/pre>\n\n\n\n<p>If documentation instructs a specific extension (for example, <code>fleet<\/code>), install it:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Example only \u2014 verify the correct extension name in official docs\naz extension add --name fleet\n<\/code><\/pre>\n\n\n\n<p>If the extension is already installed, update it:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Example only \u2014 verify the correct extension name in official docs\naz extension update --name fleet\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can run <code>az fleet -h<\/code> successfully.<\/li>\n<\/ul>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az fleet -h\n<\/code><\/pre>\n\n\n\n<p>If <code>az fleet<\/code> is not found:\n&#8211; Check the official getting started guide for the current CLI requirement: https:\/\/learn.microsoft.com\/azure\/kubernetes-fleet\/<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Create an Azure Kubernetes Fleet Manager fleet<\/h3>\n\n\n\n<p>Fleet creation can support multiple modes. 
For multi-cluster placement, you may need to enable a hub capability.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Actions<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Review help for the exact required flags:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">az fleet create -h\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>Create the fleet (example pattern):<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\"># Example: create a fleet in a resource group\/region\n# Add hub-related flags if required by your scenario (verify in help\/docs).\naz fleet create \\\n  --resource-group \"$RG\" \\\n  --name \"$FLEET\" \\\n  --location \"$LOCATION\"\n<\/code><\/pre>\n\n\n\n<p>If docs require hub enablement for placement, you may need something like <code>--enable-hub<\/code> (flag name may differ). Use the CLI help output to confirm.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A fleet resource exists.<\/li>\n<\/ul>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az fleet show -g \"$RG\" -n \"$FLEET\" --query \"{name:name, location:location, provisioningState:provisioningState}\" -o table\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Add both AKS clusters as fleet members<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Actions<\/h4>\n\n\n\n<p>Get the AKS resource IDs:<\/p>\n\n\n\n<pre><code class=\"language-bash\">AKS_A_ID=$(az aks show -g \"$RG\" -n \"$AKS_A\" --query id -o tsv)\nAKS_B_ID=$(az aks show -g \"$RG\" -n \"$AKS_B\" --query id -o tsv)\n\necho \"$AKS_A_ID\"\necho \"$AKS_B_ID\"\n<\/code><\/pre>\n\n\n\n<p>Add cluster A as a member:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az fleet member create \\\n  --resource-group \"$RG\" \\\n  --fleet-name \"$FLEET\" \\\n  --name \"member-a\" \\\n  --member-cluster-id \"$AKS_A_ID\"\n<\/code><\/pre>\n\n\n\n<p>Add cluster B as a 
member:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az fleet member create \\\n  --resource-group \"$RG\" \\\n  --fleet-name \"$FLEET\" \\\n  --name \"member-b\" \\\n  --member-cluster-id \"$AKS_B_ID\"\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Two fleet members are registered.<\/li>\n<\/ul>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az fleet member list -g \"$RG\" --fleet-name \"$FLEET\" -o table\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Connect to the fleet hub Kubernetes API (hub mode)<\/h3>\n\n\n\n<p>If your fleet supports hub access, you typically fetch kubeconfig credentials similar to AKS.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Actions<\/h4>\n\n\n\n<p>Check whether a hub exists and how to get credentials:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az fleet get-credentials -h\n<\/code><\/pre>\n\n\n\n<p>Then run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az fleet get-credentials \\\n  --resource-group \"$RG\" \\\n  --name \"$FLEET\"\n<\/code><\/pre>\n\n\n\n<p>List contexts:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl config get-contexts\nkubectl config current-context\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your kubeconfig now includes a context for the fleet hub.<\/li>\n<li><code>kubectl<\/code> can talk to the hub API.<\/li>\n<\/ul>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl get nodes 2&gt;\/dev\/null || true\nkubectl cluster-info\n<\/code><\/pre>\n\n\n\n<blockquote>\n<p>If the hub is not implemented as a typical node-based AKS cluster, <code>kubectl get nodes<\/code> may not be meaningful. 
The safer verification is <code>kubectl cluster-info<\/code> and CRD discovery below.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Discover fleet CRDs and member cluster objects<\/h3>\n\n\n\n<p>Because API group names\/versions can change between previews and GA, discover what the hub currently exposes.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Actions<\/h4>\n\n\n\n<p>List CRDs related to fleet\/placement:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl get crds | grep -i -E \"fleet|placement|member|cluster\" || true\n<\/code><\/pre>\n\n\n\n<p>List API resources containing \u201cfleet\u201d:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl api-resources | grep -i fleet || true\nkubectl api-resources | grep -i placement || true\nkubectl api-resources | grep -i member || true\n<\/code><\/pre>\n\n\n\n<p>Try listing member clusters (resource name can vary; commonly something like <code>memberclusters<\/code>):<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl get memberclusters -A 2&gt;\/dev\/null || true\n<\/code><\/pre>\n\n\n\n<p>If that fails, locate the exact resource name from <code>kubectl api-resources<\/code> output and use it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can identify:<\/li>\n<li>The member cluster resource type<\/li>\n<li>The placement resource type (for example, something like <code>clusterresourceplacements<\/code>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 9: Create a sample workload on the hub and a placement policy<\/h3>\n\n\n\n<p>This step demonstrates the workflow pattern:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create Kubernetes objects (namespace + deployment) in the hub.<\/li>\n<li>Create a placement object that selects the target clusters.<\/li>\n<li>The system propagates objects to member 
clusters.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Actions<\/h4>\n\n\n\n<p>Create a namespace and deployment manifest:<\/p>\n\n\n\n<pre><code class=\"language-bash\">cat &gt; fleet-demo-workload.yaml &lt;&lt;'EOF'\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: fleet-demo\n---\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: nginx\n  namespace: fleet-demo\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: nginx\n  template:\n    metadata:\n      labels:\n        app: nginx\n    spec:\n      containers:\n      - name: nginx\n        image: nginx:stable\n        ports:\n        - containerPort: 80\nEOF\n<\/code><\/pre>\n\n\n\n<p>Apply it to the hub:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl apply -f fleet-demo-workload.yaml\n<\/code><\/pre>\n\n\n\n<p>Now create a placement policy.<\/p>\n\n\n\n<p>Because the exact API version and kind can vary, do this safely:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Identify the placement kind:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">kubectl api-resources | grep -i -E \"clusterresourceplacement|placement\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>Inspect a sample schema (if supported):<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\"># Replace &lt;resource&gt; with what you found, e.g. 
clusterresourceplacements\nkubectl explain clusterresourceplacement --recursive 2&gt;\/dev\/null || true\n<\/code><\/pre>\n\n\n\n<p>If your hub supports a <code>ClusterResourcePlacement<\/code> kind, the manifest often follows this conceptual structure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Select clusters by name or by labels<\/li>\n<li>Select resources to propagate (namespace-scoped and\/or cluster-scoped)<\/li>\n<li>Observe status fields<\/li>\n<\/ul>\n\n\n\n<p>Create a placement manifest template and <strong>adjust apiVersion\/kind\/fields<\/strong> to match what <code>kubectl explain<\/code> shows in your environment:<\/p>\n\n\n\n<pre><code class=\"language-bash\">cat &gt; fleet-demo-placement.yaml &lt;&lt;'EOF'\n# VERIFY apiVersion\/kind\/fields using:\n# kubectl explain &lt;kind&gt; --recursive\napiVersion: placement.kubernetes-fleet.io\/v1beta1\nkind: ClusterResourcePlacement\nmetadata:\n  name: place-fleet-demo\nspec:\n  # In the v1beta1 schema, resourceSelectors match cluster-scoped objects.\n  # Selecting the Namespace also propagates the namespaced objects inside it\n  # (here, the nginx Deployment), so the Deployment is not listed separately.\n  resourceSelectors:\n  - group: \"\"\n    version: \"v1\"\n    kind: Namespace\n    name: fleet-demo\n  # Intent: target all member clusters.\n  policy:\n    placementType: PickAll\nEOF\n<\/code><\/pre>\n\n\n\n<p>Apply:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl apply -f fleet-demo-placement.yaml\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The hub accepts the workload objects.<\/li>\n<li>The hub accepts the placement object.<\/li>\n<li>Placement status begins reflecting scheduling\/propagation to member clusters.<\/li>\n<\/ul>\n\n\n\n<p>Verify placement status (resource name may differ):<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl get clusterresourceplacements 2&gt;\/dev\/null || true\nkubectl describe clusterresourceplacement 
place-fleet-demo 2&gt;\/dev\/null || true\n<\/code><\/pre>\n\n\n\n<p>If resource names differ, use what <code>kubectl api-resources<\/code> reported.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 10: Validate on each member cluster<\/h3>\n\n\n\n<p>Now verify that the namespace and deployment exist on <code>aks-a<\/code> and <code>aks-b<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Actions<\/h4>\n\n\n\n<p>Get kubeconfig contexts for each AKS cluster:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az aks get-credentials -g \"$RG\" -n \"$AKS_A\" --overwrite-existing\naz aks get-credentials -g \"$RG\" -n \"$AKS_B\" --overwrite-existing\nkubectl config get-contexts\n<\/code><\/pre>\n\n\n\n<p>Switch to cluster A context (name varies; pick it from the output):<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl config use-context \"$AKS_A\"\nkubectl get ns | grep fleet-demo\nkubectl -n fleet-demo get deploy nginx\nkubectl -n fleet-demo get pods -l app=nginx -o wide\n<\/code><\/pre>\n\n\n\n<p>Switch to cluster B:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl config use-context \"$AKS_B\"\nkubectl get ns | grep fleet-demo\nkubectl -n fleet-demo get deploy nginx\nkubectl -n fleet-demo get pods -l app=nginx -o wide\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Expected outcome<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>fleet-demo<\/code> namespace exists on both clusters.<\/li>\n<li><code>nginx<\/code> deployment exists and a pod is Running (or Pending briefly during image pull).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure:<\/li>\n<li><code>az fleet show<\/code> returns provisioningState <code>Succeeded<\/code> (or equivalent)<\/li>\n<li><code>az fleet member list<\/code> shows both members registered<\/li>\n<li>Hub:<\/li>\n<li><code>kubectl get 
crds<\/code> shows fleet\/placement CRDs<\/li>\n<li><code>kubectl get &lt;placement&gt;<\/code> shows placement object and status progressing to placed\/applied<\/li>\n<li>Member clusters:<\/li>\n<li>Namespace and deployment appear and pods are running<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: <code>az fleet<\/code> command not found<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install\/update the correct Azure CLI extension.<\/li>\n<li>Verify the official docs for current CLI guidance: https:\/\/learn.microsoft.com\/azure\/kubernetes-fleet\/<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: Membership creation fails with authorization errors<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure you have Azure RBAC permissions on:<\/li>\n<li>Fleet resource group<\/li>\n<li>AKS cluster resources<\/li>\n<li>If your org uses Azure Policy, creation of identities\/role assignments may be blocked.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: <code>az fleet get-credentials<\/code> fails<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hub might not be enabled or might require additional flags at creation time.<\/li>\n<li>Verify whether your fleet was created with hub capability (and how the hub is exposed).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: Placement CRD apiVersion mismatch<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t guess versions.<\/li>\n<li>Use:<\/li>\n<li><code>kubectl api-resources | grep -i placement<\/code><\/li>\n<li><code>kubectl explain &lt;kind&gt; --recursive<\/code><\/li>\n<li>Adjust <code>apiVersion<\/code>, <code>spec<\/code> fields accordingly.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: Objects appear on one cluster but not the other<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check placement status on hub:<\/li>\n<li><code>kubectl describe 
&lt;placement&gt; &lt;name&gt;<\/code><\/li>\n<li>Confirm member cluster labels\/selectors if your placement uses label selection.<\/li>\n<li>Ensure both member clusters are healthy and reachable by the fleet controllers\/agents.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: Pods stuck in Pending<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Likely node capacity constraints (1-node clusters are tight).<\/li>\n<li>Check:<\/li>\n<li><code>kubectl describe pod &lt;pod&gt;<\/code><\/li>\n<li><code>kubectl get events -n fleet-demo --sort-by=.lastTimestamp<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges, delete resources.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Delete placement and hub objects (optional but cleaner):<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\"># Run against hub context\nkubectl delete -f fleet-demo-placement.yaml 2&gt;\/dev\/null || true\nkubectl delete -f fleet-demo-workload.yaml 2&gt;\/dev\/null || true\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>Delete fleet members and fleet (optional; if you delete the RG this is not required):<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\"># Optional explicit deletion (commands may vary)\naz fleet member delete -g \"$RG\" --fleet-name \"$FLEET\" -n member-a --yes || true\naz fleet member delete -g \"$RG\" --fleet-name \"$FLEET\" -n member-b --yes || true\naz fleet delete -g \"$RG\" -n \"$FLEET\" --yes || true\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>Delete the resource group (recommended for full cleanup):<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">az group delete --name \"$RG\" --yes --no-wait\n<\/code><\/pre>\n\n\n\n<p>Expected outcome:\n&#8211; All resources in <code>$RG<\/code> are deleted, stopping compute charges.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 
class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prefer multiple clusters for isolation<\/strong> when hard boundaries are required (compliance, tenancy, blast radius), not as a substitute for namespaces.<\/li>\n<li><strong>Standardize cluster \u201cprofiles\u201d<\/strong> (e.g., <code>prod-standard<\/code>, <code>prod-internet<\/code>, <code>gpu<\/code>) and label clusters accordingly for clean placement rules.<\/li>\n<li>Keep a clear separation between:\n<ul class=\"wp-block-list\">\n<li><strong>Platform baseline<\/strong> resources (managed by platform team)<\/li>\n<li><strong>Application<\/strong> resources (managed by app teams)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>least privilege<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Separate roles for fleet administration vs cluster administration vs application deployment.<\/li>\n<\/ul>\n<\/li>\n<li>Use Entra ID-backed access where possible.<\/li>\n<li>Treat hub access as highly privileged and secure it like a production admin endpoint.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t enable hub mode or additional features unless required.<\/li>\n<li>In early phases, use fewer clusters and smaller node pools; scale out once workflows are proven.<\/li>\n<li>Watch Log Analytics ingestion when rolling out agents\/fleet-propagated telemetry changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use selectors to avoid pushing heavy add-ons everywhere.<\/li>\n<li>Keep placement objects focused (smaller blast radius, easier debugging).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use progressive rollouts:\n<ul class=\"wp-block-list\">\n<li>Start with dev clusters, then staging, then production clusters.<\/li>\n<\/ul>\n<\/li>\n<li>Maintain environment parity but allow for regional differences (instance types, zones) through controlled overlays (not ad hoc edits).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maintain a runbook:\n<ul class=\"wp-block-list\">\n<li>How to add a cluster to the fleet<\/li>\n<li>How to label clusters<\/li>\n<li>How to troubleshoot failed placement<\/li>\n<\/ul>\n<\/li>\n<li>Use consistent observability:\n<ul class=\"wp-block-list\">\n<li>Same metrics\/logging agents across member clusters<\/li>\n<\/ul>\n<\/li>\n<li>Tag resources:\n<ul class=\"wp-block-list\">\n<li><code>env<\/code>, <code>owner<\/code>, <code>costCenter<\/code>, <code>service<\/code>, <code>dataClassification<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Adopt naming standards:\n<ul class=\"wp-block-list\">\n<li>Fleet: <code>fleet-&lt;org&gt;-&lt;platform&gt;-&lt;scope&gt;<\/code><\/li>\n<li>Members: <code>member-&lt;region&gt;-&lt;env&gt;-&lt;cluster&gt;<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Standardize labels used for selection:\n<ul class=\"wp-block-list\">\n<li><code>env=dev|stage|prod<\/code><\/li>\n<li><code>region=eastus|westeurope<\/code><\/li>\n<li><code>tier=frontend|backend|platform<\/code><\/li>\n<li><code>exposure=internal|internet<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Azure RBAC<\/strong> controls who can create\/manage fleets and membership.<\/li>\n<li><strong>Kubernetes RBAC<\/strong> controls what identities can do on hub and member clusters.<\/li>\n<li>Prefer Entra-integrated authentication to AKS APIs where feasible and align roles with job functions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AKS provides encryption at rest for managed disks; etcd encryption and customer-managed keys depend on AKS features\u2014verify AKS security options.<\/li>\n<li>For hub components, confirm how data is stored and whether you can use CMK\u2014verify in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat the hub endpoint as sensitive:\n<ul class=\"wp-block-list\">\n<li>Restrict access using private networking where supported<\/li>\n<li>Use conditional access and MFA for admin identities<\/li>\n<\/ul>\n<\/li>\n<li>For private AKS clusters:\n<ul class=\"wp-block-list\">\n<li>Ensure required control-plane and outbound endpoints are reachable for fleet operations.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid propagating raw Kubernetes <code>Secret<\/code> objects across clusters unless you have a very clear security model.<\/li>\n<li>Prefer:\n<ul class=\"wp-block-list\">\n<li><strong>Azure Key Vault<\/strong> + CSI driver<\/li>\n<li>External Secrets Operator patterns (evaluate governance carefully)<\/li>\n<\/ul>\n<\/li>\n<li>If you must distribute secrets, ensure:\n<ul class=\"wp-block-list\">\n<li>Encryption in transit<\/li>\n<li>Least-privilege access<\/li>\n<li>Strong audit logging<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and centralize:\n<ul class=\"wp-block-list\">\n<li>Azure Activity Logs for fleet operations<\/li>\n<li>AKS audit logs (if enabled in your configuration)<\/li>\n<li>Kubernetes events and controller logs for troubleshooting placement<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-region fleets can implicate data residency requirements (logs, metadata).<\/li>\n<li>Ensure that placement doesn\u2019t unintentionally push resources into restricted regions\/environments.<\/li>\n<li>Use policy-as-code and approvals for changes that affect production clusters.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Giving broad \u201ccluster-admin everywhere\u201d to too many humans<\/li>\n<li>Allowing app teams to modify baseline resources that the platform team expects to own<\/li>\n<li>Mixing multiple deployment controllers (GitOps + fleet placement + Helm runbooks) with no ownership boundaries<\/li>\n<li>Distributing secrets through manifests instead of external secret stores<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with non-sensitive, non-critical objects (namespaces, configmaps, service accounts) and build confidence.<\/li>\n<li>Use layered controls:\n<ul class=\"wp-block-list\">\n<li>Azure RBAC + Kubernetes RBAC + policy guardrails<\/li>\n<\/ul>\n<\/li>\n<li>Implement change control for fleet-level operations (pull requests, approvals, audit).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<p>Because this service evolves, validate current limits and behavior in official docs. 
Common gotchas in multi-cluster management include:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations (verify current list)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Feature availability may be:<\/li>\n<li>Region-limited<\/li>\n<li>Preview-limited<\/li>\n<li>Limited to certain cluster configurations (private clusters, network plugin choices)<\/li>\n<li>Not all resource types and edge cases propagate cleanly (especially cluster-scoped objects).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maximum number of member clusters per fleet (verify)<\/li>\n<li>Limits on placement objects or object sizes (verify)<\/li>\n<li>AKS quotas (vCPU, nodes, load balancers) still apply<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hub availability might be region-bound.<\/li>\n<li>Cross-region propagation is usually supported logically but can introduce latency and governance complexity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If hub mode deploys an extra AKS cluster, that cluster\u2019s compute and networking costs can dominate.<\/li>\n<li>Centralized logging across many clusters can be expensive quickly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you also use GitOps (Flux\/Argo), avoid managing the same Kubernetes object from two controllers.<\/li>\n<li>Differences in Kubernetes versions and enabled admission policies can cause objects to apply in one cluster but fail in another.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Label drift: if cluster labels drive selection, changing labels can cause unexpected rollout or removal.<\/li>\n<li>Partial failure modes: one cluster might be down or blocked by policy, 
leading to inconsistent state unless you monitor placement status and reconcile.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Moving from existing GitOps \u201capp-of-apps\u201d to fleet placement requires:<\/li>\n<li>Ownership model redesign<\/li>\n<li>CI\/CD changes<\/li>\n<li>Reworking overlays (kustomize\/helm) into a model that aligns with placement and per-cluster differences<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure RBAC and identity integration can be powerful but also complex\u2014especially in locked-down enterprise subscriptions.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Azure Kubernetes Fleet Manager is one approach to multi-cluster management. Alternatives include Azure-native and third-party\/open-source tools.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Azure Kubernetes Fleet Manager<\/strong><\/td>\n<td>Multi-AKS fleet management with Azure integration<\/td>\n<td>Azure-native, fleet abstraction, hub-based placement patterns, integrates with Azure RBAC<\/td>\n<td>Feature maturity\/availability can vary; may require hub resources; learning curve for CRDs<\/td>\n<td>You\u2019re standardizing on AKS and want Azure-supported fleet workflows<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Arc-enabled Kubernetes + GitOps<\/strong><\/td>\n<td>Managing heterogeneous clusters (on-prem, other clouds)<\/td>\n<td>Strong hybrid story; GitOps at scale; Azure governance<\/td>\n<td>Different model than fleet placement; Arc introduces agents and its own ops overhead<\/td>\n<td>You must manage non-AKS clusters and want Azure governance + 
GitOps<\/td>\n<\/tr>\n<tr>\n<td><strong>AKS + GitOps (Flux\/Argo CD) without fleet<\/strong><\/td>\n<td>Multi-cluster deployments via repo structure<\/td>\n<td>Mature OSS workflows; portable; clear desired state<\/td>\n<td>You build\/maintain multi-cluster patterns yourself; consistency depends on repo discipline<\/td>\n<td>You prefer pure GitOps and already have patterns for multi-cluster<\/td>\n<\/tr>\n<tr>\n<td><strong>Rancher<\/strong><\/td>\n<td>Central management for many clusters across environments<\/td>\n<td>Mature UI; multi-cluster governance<\/td>\n<td>Additional platform to run\/manage<\/td>\n<td>You already use Rancher or need its ecosystem features<\/td>\n<\/tr>\n<tr>\n<td><strong>Google GKE Fleet \/ Anthos<\/strong><\/td>\n<td>Google Cloud-centric multi-cluster management<\/td>\n<td>Strong multi-cluster story in GCP<\/td>\n<td>Different cloud; migration complexity<\/td>\n<td>You\u2019re on GCP and want first-class fleet features there<\/td>\n<\/tr>\n<tr>\n<td><strong>Open Cluster Management \/ Karmada<\/strong><\/td>\n<td>Open-source multi-cluster control planes<\/td>\n<td>Powerful; portable; extensible<\/td>\n<td>You operate the control plane yourself; higher complexity<\/td>\n<td>You need cloud-agnostic multi-cluster scheduling and accept ops burden<\/td>\n<\/tr>\n<tr>\n<td><strong>Cluster API (CAPI)<\/strong><\/td>\n<td>Cluster lifecycle management at scale<\/td>\n<td>Declarative cluster management<\/td>\n<td>Not a full app placement solution by itself<\/td>\n<td>You need consistent cluster provisioning across many environments<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example (regulated industry)<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA financial services company runs 20+ AKS clusters across regions and environments. 
They need consistent baseline namespaces, network policies, and observability agents, and they must roll out changes progressively with auditability.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple AKS clusters per region (prod\/stage\/dev)<\/li>\n<li>Azure Kubernetes Fleet Manager fleet:\n<ul class=\"wp-block-list\">\n<li>All clusters enrolled as members<\/li>\n<li>Placement rules based on labels: <code>env<\/code>, <code>region<\/code>, <code>exposure<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Azure Monitor and Log Analytics per environment (separate workspaces)<\/li>\n<li>Key Vault for secrets with CSI driver<\/li>\n<\/ul>\n\n\n\n<p><strong>Why Azure Kubernetes Fleet Manager was chosen<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure-native integration with RBAC and subscription governance<\/li>\n<li>Fleet abstraction for membership and consistent baseline propagation<\/li>\n<li>Reduced \u201cscript sprawl\u201d and manual cluster-by-cluster operations<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcomes<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Faster baseline rollouts with fewer inconsistencies<\/li>\n<li>Clearer audit trail for platform changes<\/li>\n<li>Reduced risk via environment-based progressive deployment<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example (SaaS)<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA startup runs three AKS clusters: one for staging and two for production (two regions). 
They want to keep the clusters intentionally separate but don\u2019t want to manually maintain identical platform components.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fleet with 3 member clusters<\/li>\n<li>Labels:\n<ul class=\"wp-block-list\">\n<li><code>env=stage|prod<\/code><\/li>\n<li><code>region=eastus|westus<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Fleet placement used for:\n<ul class=\"wp-block-list\">\n<li>Namespaces<\/li>\n<li>Shared configmaps<\/li>\n<li>Standard service accounts<\/li>\n<\/ul>\n<\/li>\n<li>GitOps for application workloads (separate pipeline), with strict ownership boundaries<\/li>\n<\/ul>\n\n\n\n<p><strong>Why Azure Kubernetes Fleet Manager was chosen<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keeps multi-cluster baseline management simple and Azure-aligned<\/li>\n<li>Minimizes the need to write custom tooling as they scale cluster count<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcomes<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fewer production drift issues<\/li>\n<li>Faster onboarding of new clusters as the startup grows<\/li>\n<li>Cleaner separation of platform vs application changes<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is Azure Kubernetes Fleet Manager the same as AKS?<\/strong><br\/>\n   No. AKS runs Kubernetes clusters. Azure Kubernetes Fleet Manager manages <strong>multiple<\/strong> clusters as a fleet.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need more than one cluster to use it?<\/strong><br\/>\n   Practically, yes. It provides the most value when you have multiple AKS clusters.<\/p>\n<\/li>\n<li>\n<p><strong>Does it replace GitOps tools like Flux or Argo CD?<\/strong><br\/>\n   Not necessarily. Many teams use Fleet Manager for baseline\/platform distribution and GitOps for application delivery, but you must define ownership to avoid conflicts.<\/p>\n<\/li>\n<li>\n<p><strong>Does it require a \u201chub\u201d cluster?<\/strong><br\/>\n   Some multi-cluster placement capabilities commonly use a hub API surface. 
Whether this is mandatory depends on the feature set you enable\u2014verify in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Does hub mode add cost?<\/strong><br\/>\n   If hub mode uses an AKS cluster or other billable infrastructure, yes. Confirm the hub implementation and costs for your configuration.<\/p>\n<\/li>\n<li>\n<p><strong>Can I manage clusters across different Azure regions?<\/strong><br\/>\n   Usually yes in concept, but availability and constraints may apply. Verify region support and cross-region behavior.<\/p>\n<\/li>\n<li>\n<p><strong>Can I manage clusters across subscriptions?<\/strong><br\/>\n   Possibly, but it depends on supported scenarios and RBAC. Verify official docs for cross-subscription membership.<\/p>\n<\/li>\n<li>\n<p><strong>Can I manage on-prem or other-cloud clusters?<\/strong><br\/>\n   Fleet Manager is primarily positioned around AKS fleet scenarios. For heterogeneous environments, Azure Arc-enabled Kubernetes is often evaluated. Verify the supported cluster types.<\/p>\n<\/li>\n<li>\n<p><strong>How does it select which clusters receive a resource?<\/strong><br\/>\n   Typically via labels\/selectors on member clusters and placement policies defined on the hub. Exact fields depend on CRD versions.<\/p>\n<\/li>\n<li>\n<p><strong>What kinds of Kubernetes objects should I propagate?<\/strong><br\/>\n   Start with low-risk objects: namespaces, configmaps, service accounts, baseline policies. Be cautious with cluster-scoped resources and secrets.<\/p>\n<\/li>\n<li>\n<p><strong>What happens if one cluster is unhealthy during propagation?<\/strong><br\/>\n   You\u2019ll typically see partial rollout and status indicating failure for that cluster. 
Monitor placement status and build operational procedures for remediation.<\/p>\n<\/li>\n<li>\n<p><strong>How do I prevent developers from modifying fleet-managed resources?<\/strong><br\/>\n   Use Kubernetes RBAC and admission controls to prevent modifications in platform-owned namespaces, and clearly document ownership.<\/p>\n<\/li>\n<li>\n<p><strong>Is Fleet Manager in the data path of my applications?<\/strong><br\/>\n   No. It\u2019s a management\/control-plane mechanism. Application traffic goes through your normal service endpoints (ingress\/LB\/service mesh).<\/p>\n<\/li>\n<li>\n<p><strong>How do I monitor fleet operations?<\/strong><br\/>\n   Use Azure Activity Log for ARM operations and Kubernetes logs\/events\/status in hub and member clusters. Also use Azure Monitor\/Container insights for cluster telemetry.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the safest way to start in production?<\/strong><br\/>\n   Start with a small subset of clusters (dev), propagate only baseline non-sensitive resources, implement rollback strategies, and require pull-request approvals for fleet-level changes.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Azure Kubernetes Fleet Manager<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Azure Kubernetes Fleet Manager docs \u2014 https:\/\/learn.microsoft.com\/azure\/kubernetes-fleet\/<\/td>\n<td>Primary source for capabilities, supported regions, and current APIs<\/td>\n<\/tr>\n<tr>\n<td>Official overview<\/td>\n<td>Overview page (within docs) \u2014 https:\/\/learn.microsoft.com\/azure\/kubernetes-fleet\/<\/td>\n<td>Explains concepts like fleet, members, and hub\/placement models<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>AKS pricing (cost baseline for clusters) \u2014 https:\/\/azure.microsoft.com\/pricing\/details\/kubernetes-service\/<\/td>\n<td>Fleet cost often maps to underlying AKS and dependent services<\/td>\n<\/tr>\n<tr>\n<td>Pricing calculator<\/td>\n<td>Azure Pricing Calculator \u2014 https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/td>\n<td>Build region-specific estimates for AKS nodes, networking, logging<\/td>\n<\/tr>\n<tr>\n<td>Azure CLI<\/td>\n<td>Install Azure CLI \u2014 https:\/\/learn.microsoft.com\/cli\/azure\/install-azure-cli<\/td>\n<td>Required for scripting fleet and AKS setup<\/td>\n<\/tr>\n<tr>\n<td>Kubernetes tooling<\/td>\n<td>kubectl install \u2014 https:\/\/kubernetes.io\/docs\/tasks\/tools\/<\/td>\n<td>Needed to interact with hub APIs and validate member clusters<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Azure Architecture Center \u2014 https:\/\/learn.microsoft.com\/azure\/architecture\/<\/td>\n<td>Reference patterns for AKS, multi-region design, governance<\/td>\n<\/tr>\n<tr>\n<td>AKS docs<\/td>\n<td>AKS documentation \u2014 https:\/\/learn.microsoft.com\/azure\/aks\/<\/td>\n<td>Core operational guidance for cluster security, networking, upgrades<\/td>\n<\/tr>\n<tr>\n<td>GitHub (highly relevant)<\/td>\n<td>Azure 
Fleet OSS (if referenced by docs) \u2014 https:\/\/github.com\/Azure\/fleet<\/td>\n<td>Implementation details, samples, CRDs (use with version caution)<\/td>\n<\/tr>\n<tr>\n<td>Videos<\/td>\n<td>Microsoft Azure YouTube \u2014 https:\/\/www.youtube.com\/@MicrosoftAzure<\/td>\n<td>Conference talks and feature walkthroughs (search for Fleet Manager)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>Beginners to advanced DevOps\/SRE\/platform engineers<\/td>\n<td>AKS, Kubernetes operations, DevOps pipelines, platform engineering basics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>DevOps learners and managers<\/td>\n<td>DevOps process, CI\/CD, SCM, release management<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud\/ops engineers<\/td>\n<td>Cloud operations, monitoring, reliability practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, operations teams, platform engineers<\/td>\n<td>SRE practices, incident response, observability, reliability engineering<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams exploring AIOps<\/td>\n<td>AIOps concepts, automation, monitoring analytics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/Kubernetes\/cloud coaching (verify offerings)<\/td>\n<td>Individuals seeking guided training<\/td>\n<td>https:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training (verify course catalog)<\/td>\n<td>Beginners to intermediate DevOps learners<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps help\/training (verify services)<\/td>\n<td>Teams needing short-term expertise<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources (verify scope)<\/td>\n<td>Ops teams needing troubleshooting support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify offerings)<\/td>\n<td>Architecture, CI\/CD, Kubernetes adoption<\/td>\n<td>AKS platform setup, multi-cluster operating model design<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps\/Kubernetes consulting and training<\/td>\n<td>Delivery acceleration, platform engineering enablement<\/td>\n<td>Fleet onboarding patterns, governance\/RBAC models, rollout practices<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>DevOps transformation and automation<\/td>\n<td>AKS landing zone, observability rollout, operational runbooks<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kubernetes fundamentals:<\/li>\n<li>Pods, Deployments, Services, Ingress<\/li>\n<li>Namespaces, RBAC, ConfigMaps\/Secrets<\/li>\n<li>AKS fundamentals:<\/li>\n<li>Node pools, networking basics, identity integration<\/li>\n<li>Cluster upgrade strategy and workload disruption handling<\/li>\n<li>Infrastructure-as-code basics:<\/li>\n<li>Bicep\/Terraform concepts (optional but very helpful)<\/li>\n<li>Basic security:<\/li>\n<li>Least privilege, network segmentation, secret management patterns<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-cluster delivery patterns:<\/li>\n<li>GitOps at scale, environment promotion strategies<\/li>\n<li>Governance and policy:<\/li>\n<li>Azure Policy, Gatekeeper\/Kyverno (depending on your standards)<\/li>\n<li>Observability at scale:<\/li>\n<li>Azure Monitor, OpenTelemetry, Prometheus\/Grafana patterns<\/li>\n<li>Reliability engineering:<\/li>\n<li>SLOs, error budgets, incident response, chaos testing<\/li>\n<li>Multi-region architecture:<\/li>\n<li>Traffic management, failover, data replication patterns<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform Engineer<\/li>\n<li>Kubernetes Administrator \/ AKS Engineer<\/li>\n<li>DevOps Engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Cloud Solutions Architect<\/li>\n<li>Security Engineer (Kubernetes governance)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (Azure)<\/h3>\n\n\n\n<p>A practical Azure-aligned path often includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure fundamentals (AZ-900)<\/li>\n<li>Azure Administrator (AZ-104)<\/li>\n<li>Azure DevOps Engineer Expert (AZ-400)<\/li>\n<li>Kubernetes-specific certifications (CKA\/CKAD) for Kubernetes 
depth<\/li>\n<\/ul>\n\n\n\n<p>(Choose based on your role; Fleet Manager work benefits from both Azure and Kubernetes credibility.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a 3-cluster fleet (dev\/stage\/prod) and propagate baseline namespaces + RBAC<\/li>\n<li>Implement progressive rollout using cluster labels and staged placements<\/li>\n<li>Create a \u201ccluster onboarding\u201d automation that:\n<ul class=\"wp-block-list\">\n<li>Creates an AKS cluster<\/li>\n<li>Registers it into the fleet<\/li>\n<li>Applies baseline placement<\/li>\n<\/ul>\n<\/li>\n<li>Implement policy guardrails and prove that non-compliant deployments are blocked<\/li>\n<li>Centralize logging and create a fleet-wide dashboard per cluster label (env\/region)<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AKS (Azure Kubernetes Service)<\/strong>: Azure managed Kubernetes service for running clusters.<\/li>\n<li><strong>Fleet<\/strong>: An Azure resource representing a group of Kubernetes clusters managed together.<\/li>\n<li><strong>Fleet member<\/strong>: A Kubernetes cluster registered into a fleet.<\/li>\n<li><strong>Hub (fleet hub)<\/strong>: A Kubernetes API endpoint\/control plane used to define placements and manage multi-cluster propagation (capability-dependent).<\/li>\n<li><strong>Placement \/ Propagation<\/strong>: The mechanism for applying Kubernetes objects to selected member clusters.<\/li>\n<li><strong>Selector<\/strong>: A rule (often label-based) used to choose which clusters receive a resource.<\/li>\n<li><strong>RBAC<\/strong>: Role-Based Access Control, used both in Azure and Kubernetes.<\/li>\n<li><strong>Microsoft Entra ID<\/strong>: Azure\u2019s identity provider (formerly Azure Active Directory).<\/li>\n<li><strong>Control plane<\/strong>: Management components (APIs\/controllers) that coordinate Kubernetes 
resources.<\/li>\n<li><strong>Data plane<\/strong>: Where application workloads run (pods and nodes).<\/li>\n<li><strong>Drift<\/strong>: Configuration differences between clusters that should be consistent.<\/li>\n<li><strong>Blast radius<\/strong>: The scope of impact when something fails (smaller is safer).<\/li>\n<li><strong>GitOps<\/strong>: Managing infrastructure and apps using Git as the source of truth with automated reconciliation.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Azure Kubernetes Fleet Manager (Azure, Containers) is a service for managing <strong>multiple Kubernetes clusters\u2014most commonly multiple AKS clusters\u2014as a single fleet<\/strong>. It helps platform and operations teams reduce the multi-cluster tax by providing fleet membership management and, in hub-based scenarios, Kubernetes-native <strong>placement\/propagation<\/strong> workflows to distribute resources across selected clusters.<\/p>\n\n\n\n<p>Cost-wise, you should plan primarily for <strong>AKS worker node costs<\/strong>, plus any additional infrastructure required by hub-based capabilities and observability (Log Analytics). Security-wise, treat fleet and hub access as highly privileged: use least-privilege Azure RBAC and Kubernetes RBAC, keep secrets in Key Vault rather than distributing raw Secrets, and implement clear ownership boundaries to avoid controller conflicts.<\/p>\n\n\n\n<p>Use Azure Kubernetes Fleet Manager when you have (or will have) multiple AKS clusters and need consistent, scalable operations across them. 
Next, deepen your skills by pairing fleet concepts with a strong AKS security baseline and a multi-cluster delivery model (often GitOps plus clear platform\/app separation), using the official docs as your source of truth: https:\/\/learn.microsoft.com\/azure\/kubernetes-fleet\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Containers<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,27],"tags":[],"class_list":["post-403","post","type-post","status-publish","format-standard","hentry","category-azure","category-containers"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/403","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=403"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/403\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}