AKS – Cilium Installation with Helm

Previously, I’ve presented the following topics:

How to install Cilium on Azure Kubernetes Service ( cilium install command)
https://cloud-cod.com/index.php/2026/02/16/azure-aks-byo-cni-with-cilium/
How to enable Hubble and verify L7 Cilium Network Policies are enforced
https://cloud-cod.com/index.php/2026/03/03/end-to-end-l7-visibility-with-cilium-hubble/

In this post, I will show how to install Cilium with Helm on an AKS cluster created in BYOCNI mode (--network-plugin none)

Create AKS BYOCNI Cluster

For BYOCNI, AKS is created without any CNI plugin. Nodes will start in NotReady until you install your own CNI. Here is the cluster definition I used:

				
					az aks create \
  --resource-group rg-aks-cilium-demo \
  --name aks-cilium-demo \
  --location germanywestcentral \
  --node-count 2 \
  --node-vm-size Standard_B2s \
  --network-plugin none \
  --pod-cidr 10.111.0.0/16 \
  --service-cidr 10.0.0.0/16 \
  --dns-service-ip 10.0.0.10 \
  --generate-ssh-keys

Key points:

--network-plugin none enables Bring Your Own CNI (BYOCNI); AKS does not install Azure CNI or kubenet.
You must provide a pod CIDR, service CIDR, and DNS service IP, and make sure these ranges do not overlap with other networks in your environment.

After the cluster is created, get credentials:

				
					az aks get-credentials \
--resource-group rg-aks-cilium-demo \
--name aks-cilium-demo \
--overwrite-existing

Adding Cilium Helm Repository

Add the official Cilium Helm repository and update it:

List the available version:

Cilium Installation

On BYOCNI you are responsible for pod IPAM, routing, and tunnel mode. AKS only uses the pod-cidr for control‑plane‑to‑pod routing. A typical Helm installation for Cilium as the primary CNI on AKS BYOCNI might look like this:

				
					helm install cilium cilium/cilium \
  --version 1.19.1 \
  --namespace kube-system \
  --set ipam.mode=cluster-pool \
  --set ipam.operator.clusterPoolIPv4PodCIDRList='{10.111.0.0/16}' \
  --set ipam.operator.clusterPoolIPv4MaskSize=24 \
  --set kubeProxyReplacement=false

Explanation:

ipam.mode=cluster-pool makes Cilium manage pod IPs from the pod CIDR you configured on the cluster (here 10.111.0.0/16).
kubeProxyReplacement=false (or disabled) means Cilium will not try to replace kube‑proxy; this setting is important given the AKS behaviour described here: https://cloud-cod.com/index.php/2026/03/04/aks-with-cilium-replacing-kube-proxy/ .

After installation, nodes should become Ready and core system pods such as CoreDNS should start running.

Verification

Cilium Status:

Nodes are “Ready”:

Cilium Pods have been created:

Conclusions

This guide demonstrates installing Cilium on an AKS BYOCNI cluster using Helm as the primary deployment method. Key steps include adding the Cilium Helm repository, configuring cluster‑pool IPAM with your pod CIDR (10.111.0.0/16) and setting kubeProxyReplacement=false to align with AKS defaults.