AKS cluster resources must use standard naming#
Operational Excellence · Azure Kubernetes Service · Rule · 2025_12 · Awareness
AKS cluster resources without a standard naming convention may be difficult to identify and manage.
Description#
An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, and minimize the risk of human error.
Some of the benefits of using standardized tagging and naming conventions are:
- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
For example, if you come upon a security incident, it's critical to quickly identify affected systems, the functions that those systems support, and the potential business impact.
For AKS cluster, the Cloud Adoption Framework (CAF) recommends using the aks- prefix.
Requirements for AKS cluster resource names:
- Between 1 and 63 characters long.
- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
- Resource names must be unique within their scope.
Recommendation#
Consider creating AKS cluster resources with a standard name. Additionally consider using Azure Policy to only permit creation using a standard naming convention.
Examples#
Configure with Bicep#
To deploy clusters that pass this rule:
- Set the
nameproperty to a string that matches the naming requirements. - Optionally, consider constraining name parameters with
minLengthandmaxLengthattributes.
For example:
@minLength(1)
@maxLength(63)
@description('The name of the resource.')
param name string
@description('The location resources will be deployed.')
param location string = resourceGroup().location
resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = {
location: location
name: name
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
kubernetesVersion: kubernetesVersion
disableLocalAccounts: true
enableRBAC: true
dnsPrefix: dnsPrefix
agentPoolProfiles: allPools
aadProfile: {
managed: true
enableAzureRBAC: true
adminGroupObjectIDs: clusterAdmins
tenantID: subscription().tenantId
}
networkProfile: {
networkPlugin: 'azure'
networkPolicy: 'azure'
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
}
apiServerAccessProfile: {
authorizedIPRanges: [
'0.0.0.0/32'
]
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
}
oidcIssuerProfile: {
enabled: true
}
addonProfiles: {
azurepolicy: {
enabled: true
}
omsagent: {
enabled: true
config: {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
azureKeyvaultSecretsProvider: {
enabled: true
config: {
enableSecretRotation: 'true'
}
}
}
}
}
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure template#
To deploy clusters that pass this rule:
- Set the
nameproperty to a string that matches the naming requirements. - Optionally, consider constraining name parameters with
minLengthandmaxLengthattributes.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string",
"metadata": {
"description": "The name of the AKS cluster."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Optional. The Azure region to deploy to."
}
}
},
"resources": [
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2025-07-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
}
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"disableLocalAccounts": true,
"enableRBAC": true,
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": "[variables('allPools')]",
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
"tenantID": "[subscription().tenantId]"
},
"networkProfile": {
"networkPlugin": "azure",
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]"
},
"apiServerAccessProfile": {
"authorizedIPRanges": [
"0.0.0.0/32"
]
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"oidcIssuerProfile": {
"enabled": true
},
"addonProfiles": {
"azurepolicy": {
"enabled": true
},
"omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"azureKeyvaultSecretsProvider": {
"enabled": true,
"config": {
"enableSecretRotation": "true"
}
}
}
}
}
]
}
Notes#
This rule does not check if AKS cluster resource names are unique.
Rule configuration#
To configure this rule set the AZURE_AKS_CLUSTER_NAME_FORMAT configuration value to a regular expression
that matches the required format.
For example:
Links#
- OE:04 Tools and processes
- Operational Excellence: Level 2
- Recommended abbreviations for Azure resource types
- Naming rules and restrictions for Azure resources
- Define your naming convention
- Parameters in Bicep
- Bicep functions
- Azure deployment reference