We recommend using only CNIs that offer the option of encrypted communication. Two examples are Weave and Calico. Furthermore, it is recommended to provide the CNI in a separate namespace.
In AKS, this is, according to current knowledge, only possible with Calico.