AKS Naming Conventions: Azure CAF Best Practices for Kubernetes
CAF-compliant naming for Azure Kubernetes Service clusters, node pools, and the surrounding infrastructure — ACR, VNet, NSG, and managed identities.
Deploying Azure Kubernetes Service involves more than naming the cluster itself. A production AKS setup typically spans a dozen or more Azure resources — the cluster, node pools, a Container Registry, Virtual Network, subnets, NSGs, a managed identity, and often a Key Vault for secrets. Consistent naming across all of them is what makes the deployment navigable, automatable, and supportable long-term.
This guide covers CAF-compliant naming for AKS clusters and everything that surrounds them.
AKS cluster naming
The CAF abbreviation for AKS is aks. The naming rule:
- Max length: 63 characters
- Allowed characters: Alphanumerics and hyphens
- Must start with: A letter
Standard CAF pattern:
aks-{company}-{workload}-{environment}-{region}-{instance}Examples:
| Convention | Name |
|---|---|
| contoso / payments / prod / eus / 001 | aks-contoso-payments-prod-eus-001 |
| fabrikam / api / dev / weu / 001 | aks-fabrikam-api-dev-weu-001 |
At 63 characters maximum, AKS clusters have more room than most resources — the full pattern including company and department rarely hits the limit.
Node pool naming
Node pools are the awkward exception in an AKS deployment. They have a strict constraint that the cluster name doesn’t:
- Max length: 12 characters
- Allowed characters: Lowercase alphanumerics only (no hyphens)
- Must start with: A lowercase letter
The system node pool must be named agentpool (it’s the default and cannot be renamed on existing clusters). For additional node pools, use a short descriptive name:
{workload}{pool-role}{instance}Examples:
| Purpose | Name |
|---|---|
| System pool | agentpool |
| General workloads | general001 |
| GPU compute | gpu001 |
| Memory-optimised | mem001 |
| Spot instances | spot001 |
Keep node pool names functional, not decorative — they appear in kubectl output constantly and short names reduce noise.
Supporting resources
A complete AKS deployment involves these surrounding resources, each with its own CAF abbreviation and constraints:
Container Registry
cr-{company}-{workload}-{environment}-{region}-{instance}- Max length: 50 characters
- Alphanumerics only (no hyphens in the registry name itself — note: the CAF abbreviation
cris used as a prefix even though the registry name can’t contain hyphens in some configurations, so:cr{company}{workload}{env}{instance}for the actual ACR name)
Example: crcontosopaymentsprod001
Virtual Network
vnet-{company}-{workload}-{environment}-{region}-{instance}Example: vnet-contoso-payments-prod-eus-001
Subnet
snet-{purpose}-{environment}-{instance}Example: snet-aks-prod-001
Subnets are scoped to the VNet, so full company/workload context is usually redundant.
Network Security Group
nsg-{company}-{workload}-{environment}-{region}-{instance}Example: nsg-contoso-payments-prod-eus-001
Managed Identity (for AKS)
id-{company}-{workload}-{environment}-{region}-{instance}Example: id-contoso-payments-prod-eus-001
Key Vault (for secrets)
Key Vault’s 24-character limit means dropping components. Drop region first, then department:
kv-{workload}-{environment}-{instance}Example: kv-payments-prod-001 (20 chars ✓)
Full naming example
For a production AKS deployment: company contoso, workload payments, region eus:
| Resource | Name |
|---|---|
| Resource Group | rg-contoso-payments-prod-eus-001 |
| AKS Cluster | aks-contoso-payments-prod-eus-001 |
| System Node Pool | agentpool |
| User Node Pool | general001 |
| Container Registry | crcontosopaymentsprod001 |
| Virtual Network | vnet-contoso-payments-prod-eus-001 |
| AKS Subnet | snet-aks-prod-001 |
| NSG | nsg-contoso-payments-prod-eus-001 |
| Managed Identity | id-contoso-payments-prod-eus-001 |
| Key Vault | kv-payments-prod-001 |
DNS and ingress naming
If you use an NGINX or Application Gateway ingress, the public DNS name is typically set via an Azure DNS zone or annotation. Follow the same convention for the DNS zone name and any A records:
# Azure DNS zone
payments.contoso.com
# Ingress hostname pattern
{workload}.{environment}.{company}.com
payments.prod.contoso.comFor internal services within the cluster, use Kubernetes Service naming conventions (lowercase, hyphens), which already align well with CAF patterns.
Applying names in Terraform
For Terraform-based AKS deployments, centralise all names in locals before writing resource blocks:
locals {
company = "contoso"
workload = "payments"
env = "prod"
region = "eus"
instance = "001"
base = "${local.company}-${local.workload}-${local.env}-${local.region}-${local.instance}"
rg_name = "rg-${local.base}"
aks_name = "aks-${local.base}"
vnet_name = "vnet-${local.base}"
nsg_name = "nsg-${local.base}"
id_name = "id-${local.base}"
kv_name = "kv-${local.workload}-${local.env}-${local.instance}"
acr_name = lower("cr${local.company}${local.workload}${local.env}${local.instance}")
}Generating names for your AKS deployment
AzureNamer covers all AKS-related resource types — clusters, Container Registries, VNets, NSGs, and more. Enter your convention once and export the full set as CSV to use in Terraform, Bicep, or directly in the Azure portal.
Try AzureNamer
Generate CAF-compliant names for all 203 Azure resource types — free, no login required.
Open the Generator →