> ## Documentation Index
> Fetch the complete documentation index at: https://arize-ax.mintlify.site/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AKS cluster and resources (existing cluster)

> Requirements for node pools, labels, storage, blob containers, managed identity, and RBAC when installing Arize AX on an existing AKS cluster.

## Overview

Use this page when you already have an AKS cluster and will create or align supporting resources (storage account, containers, node pools) to match Arize AI's expectations.

## Storage buckets

Create an Azure Storage account. Set **Hierarchical namespace** to **Enabled** if using Data Fabric. Create two blob containers in that account: one for Gazette data and one for ArizeDB data.

## Node pools

Use at least two node pools:

* **Base pool** — general workloads and ingestion. Label nodes with `arize=true` and `arize-base=true`.
* **ArizeDB pool** — ArizeDB historical workloads. Label nodes with `arize=true` and `druid-historical=true`.

If you cannot use separate pools, you can deploy on a shared pool by setting `historicalNodePoolEnabled: false` in `values.yaml` (see [Prerequisites](/ax/selfhosting/getting-started/prerequisites) for sizing context).

## Storage classes

Prefer `managed-csi-premium` and `managed-csi` where available; these are used by default in the Azure distribution.

## Service Principal and permissions

Attach a user-assigned managed identity (or use a storage account key when required) with permissions that allow Arize AX to use Azure Blob Storage and other services the platform needs. Typical permission families include:

* **Storage Blob Data Contributor** (or narrower data-plane roles scoped to the Gazette and ArizeDB containers)
* **AcrPull** on Azure Container Registry when pulling private images

Exact bindings should follow your organization’s least-privilege standards.

### Workload Identity (recommended)

If you use [Azure AD Workload Identity](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview), federate the managed identity used by Arize AX with the Kubernetes service accounts the operator expects (see **Advanced → Helm** in your tarball for the current service account list and federation pattern), including namespaces such as:

* `arize/arize`
* `arize-operator/arize-operator`

### Storage account key (no Workload Identity)

If you do not use Workload Identity, provide the storage account access key via Helm values (base64-encoded) as documented in the [detailed walkthrough (Azure)](/ax/selfhosting/installation/azure/install-arize-detailed).

## Namespaces

The Helm chart can create or use existing namespaces: `arize`, `arize-operator`, and `arize-spark`.

## Optional image registry

An ACR or other container registry is optional when pulling from Arize AI's central registry. If you use a private registry, set `pushRegistry` and `pullRegistry` in `values.yaml`.

## Next steps

* [Install Arize AX (quick start)](/ax/selfhosting/installation/azure/install-arize-quickstart) or [detailed walkthrough (Azure)](/ax/selfhosting/installation/azure/install-arize-detailed)
* [Terraform-based provisioning](/ax/selfhosting/installation/azure/cluster-terraform) if you prefer to create infrastructure from the distribution modules
