Blog Post
Reference Architecture for Highly Available Multi-Region Azure Kubernetes Service (AKS)
How much of this has to change if using private endpoints comes into play and you have strict requirements to not route anything over the internet?
I had the same question! I know the cross-region failover traffic between data services like PSQL and Azure Storage Accounts can be handled with Azure DNS, VNETs, and private endpoints; however, as far as I'm aware there's not a fully managed Azure service for global, private load balancing across regions in terms of ingress, since Azure Front Door and Azure Global Load Balancers must have public endpoints. You can configure a private endpoint as a private backend, but it'll still have the initial public ingress (although I'd argue that this is still secure and I suspect would be InfoSec-approvable after some convincing). I'm curious what rgarofalo would suggest. The only thing I could think of would be a private AGW with a self-managed DNS failover, but you'd lose some of the L7 capabilities of Front Door and the more managed failover aspects.