aks-managed-clusters
This Bicep AVM module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
ipm add --package avm-bicep/aks-managed-clusters --version 0.13.0
Azure Kubernetes Service (AKS) Managed Clusters [Microsoft.ContainerService/managedClusters]
This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
You can reference the module as follows:
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
params: { (...) }
}
For examples, please refer to the Usage Examples section.
Resource Types
| Resource Type | API Version |
|---|---|
| Microsoft.Authorization/locks | 2020-05-01 |
| Microsoft.Authorization/roleAssignments | 2022-04-01 |
| Microsoft.ContainerService/managedClusters | 2025-10-01 |
| Microsoft.ContainerService/managedClusters/agentPools | 2025-10-01 |
| Microsoft.ContainerService/managedClusters/maintenanceConfigurations | 2025-10-01 |
| Microsoft.Insights/diagnosticSettings | 2021-05-01-preview |
| Microsoft.KubernetesConfiguration/extensions | 2024-11-01 |
| Microsoft.KubernetesConfiguration/fluxConfigurations | 2025-04-01 |
Usage examples
The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository.
Note: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
Note: To reference the module, please use the following syntax: ./packages/aks-managed-clusters/main.bicep
- Using only defaults and use AKS Automatic mode
- Using only defaults
- Enabling encryption via a Disk Encryption Set (DES) using Customer-Managed-Keys (CMK) and a User-Assigned Identity
- Using Istio Service Mesh add-on
- Using Kubenet Network Plugin
- Using large parameter set
- Using Private Cluster
- WAF-aligned
Example 1: Using only defaults and use AKS Automatic mode
This instance deploys the module as an AKS Automatic cluster (skuName: 'Automatic' with nodeProvisioningProfile.mode: 'Auto').
AKS Automatic provides an opinionated, fully managed cluster experience that automates node provisioning, scaling, security, and other operational tasks. For more information, see the AKS Automatic documentation. Two details matter when adapting the parameters below: a maintenance window schedule takes exactly one of daily, weekly, absoluteMonthly or relativeMonthly, so the '<daily>', '<absoluteMonthly>' and '<relativeMonthly>' placeholders are not meant to be filled in next to the weekly block; and publicNetworkAccess: 'Enabled' without authorizedIPRanges leaves the API server reachable from the internet, with access gated by Entra ID and Azure RBAC (aadProfile) and the static admin credential removed (disableLocalAccounts: true).
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/automatic]
via Bicep module
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
params: {
// Required parameters
name: 'csauto001'
primaryAgentPoolProfiles: [
{
count: 1
mode: 'System'
name: 'systempool'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
aadProfile: {
enableAzureRBAC: true
managed: true
}
autoUpgradeProfile: {
nodeOSUpgradeChannel: 'NodeImage'
}
defaultIngressControllerType: 'Internal'
disableLocalAccounts: true
enableKeyvaultSecretsProvider: true
enableSecretRotation: true
maintenanceConfigurations: [
{
maintenanceWindow: {
durationHours: 4
schedule: {
absoluteMonthly: '<absoluteMonthly>'
daily: '<daily>'
relativeMonthly: '<relativeMonthly>'
weekly: {
dayOfWeek: 'Sunday'
intervalWeeks: 1
}
}
startDate: '2024-07-03'
startTime: '00:00'
utcOffset: '+00:00'
}
name: 'aksManagedAutoUpgradeSchedule'
}
]
managedIdentities: {
systemAssigned: true
}
nodeProvisioningProfile: {
mode: 'Auto'
}
nodeResourceGroupProfile: {
restrictionLevel: 'ReadOnly'
}
outboundType: 'managedNATGateway'
publicNetworkAccess: 'Enabled'
skuName: 'Automatic'
webApplicationRoutingEnabled: true
workloadAutoScalerProfile: {
keda: {
enabled: true
}
verticalPodAutoscaler: {
enabled: true
}
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "csauto001"
},
"primaryAgentPoolProfiles": {
"value": [
{
"count": 1,
"mode": "System",
"name": "systempool",
"vmSize": "Standard_DS4_v2"
}
]
},
// Non-required parameters
"aadProfile": {
"value": {
"enableAzureRBAC": true,
"managed": true
}
},
"autoUpgradeProfile": {
"value": {
"nodeOSUpgradeChannel": "NodeImage"
}
},
"defaultIngressControllerType": {
"value": "Internal"
},
"disableLocalAccounts": {
"value": true
},
"enableKeyvaultSecretsProvider": {
"value": true
},
"enableSecretRotation": {
"value": true
},
"maintenanceConfigurations": {
"value": [
{
"maintenanceWindow": {
"durationHours": 4,
"schedule": {
"absoluteMonthly": "<absoluteMonthly>",
"daily": "<daily>",
"relativeMonthly": "<relativeMonthly>",
"weekly": {
"dayOfWeek": "Sunday",
"intervalWeeks": 1
}
},
"startDate": "2024-07-03",
"startTime": "00:00",
"utcOffset": "+00:00"
},
"name": "aksManagedAutoUpgradeSchedule"
}
]
},
"managedIdentities": {
"value": {
"systemAssigned": true
}
},
"nodeProvisioningProfile": {
"value": {
"mode": "Auto"
}
},
"nodeResourceGroupProfile": {
"value": {
"restrictionLevel": "ReadOnly"
}
},
"outboundType": {
"value": "managedNATGateway"
},
"publicNetworkAccess": {
"value": "Enabled"
},
"skuName": {
"value": "Automatic"
},
"webApplicationRoutingEnabled": {
"value": true
},
"workloadAutoScalerProfile": {
"value": {
"keda": {
"enabled": true
},
"verticalPodAutoscaler": {
"enabled": true
}
}
}
}
}
via Bicep parameters file
using './packages/aks-managed-clusters/main.bicep'
// Required parameters
param name = 'csauto001'
param primaryAgentPoolProfiles = [
{
count: 1
mode: 'System'
name: 'systempool'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
param aadProfile = {
enableAzureRBAC: true
managed: true
}
param autoUpgradeProfile = {
nodeOSUpgradeChannel: 'NodeImage'
}
param defaultIngressControllerType = 'Internal'
param disableLocalAccounts = true
param enableKeyvaultSecretsProvider = true
param enableSecretRotation = true
param maintenanceConfigurations = [
{
maintenanceWindow: {
durationHours: 4
schedule: {
absoluteMonthly: '<absoluteMonthly>'
daily: '<daily>'
relativeMonthly: '<relativeMonthly>'
weekly: {
dayOfWeek: 'Sunday'
intervalWeeks: 1
}
}
startDate: '2024-07-03'
startTime: '00:00'
utcOffset: '+00:00'
}
name: 'aksManagedAutoUpgradeSchedule'
}
]
param managedIdentities = {
systemAssigned: true
}
param nodeProvisioningProfile = {
mode: 'Auto'
}
param nodeResourceGroupProfile = {
restrictionLevel: 'ReadOnly'
}
param outboundType = 'managedNATGateway'
param publicNetworkAccess = 'Enabled'
param skuName = 'Automatic'
param webApplicationRoutingEnabled = true
param workloadAutoScalerProfile = {
keda: {
enabled: true
}
verticalPodAutoscaler: {
enabled: true
}
}
Example 2: Using only defaults
This instance deploys the module with the minimum set of required parameters.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/defaults]
via Bicep module
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
params: {
// Required parameters
name: 'csmin001'
primaryAgentPoolProfiles: [
{
count: 3
mode: 'System'
name: 'systempool'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
aadProfile: {
enableAzureRBAC: true
managed: true
}
managedIdentities: {
systemAssigned: true
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "csmin001"
},
"primaryAgentPoolProfiles": {
"value": [
{
"count": 3,
"mode": "System",
"name": "systempool",
"vmSize": "Standard_DS4_v2"
}
]
},
// Non-required parameters
"aadProfile": {
"value": {
"enableAzureRBAC": true,
"managed": true
}
},
"managedIdentities": {
"value": {
"systemAssigned": true
}
}
}
}
via Bicep parameters file
using './packages/aks-managed-clusters/main.bicep'
// Required parameters
param name = 'csmin001'
param primaryAgentPoolProfiles = [
{
count: 3
mode: 'System'
name: 'systempool'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
param aadProfile = {
enableAzureRBAC: true
managed: true
}
param managedIdentities = {
systemAssigned: true
}
Example 3: Enabling encryption via a Disk Encryption Set (DES) using Customer-Managed-Keys (CMK) and a User-Assigned Identity
This instance deploys the module with encryption at rest for the nodes' OS and data disks via a Disk Encryption Set (DES) backed by Customer-Managed Keys (CMK) in Key Vault. The user-assigned managed identity is attached to the DES (it is created with the dependencies in the test folder), not to the cluster, which keeps its system-assigned identity. For the DES to work, that identity must be allowed to wrap and unwrap the key (for example the Key Vault Crypto Service Encryption User role under Azure RBAC) and the vault must have soft delete and purge protection enabled. Note that diskEncryptionSetResourceId covers managed disks only; Kubernetes secrets stored in etcd are not affected by this setting.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/des-cmk-uami]
via Bicep module
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
params: {
// Required parameters
name: 'csmscmk001'
primaryAgentPoolProfiles: [
{
count: 3
mode: 'System'
name: 'systempool'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
aadProfile: {
enableAzureRBAC: true
managed: true
}
diskEncryptionSetResourceId: '<diskEncryptionSetResourceId>'
managedIdentities: {
systemAssigned: true
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "csmscmk001"
},
"primaryAgentPoolProfiles": {
"value": [
{
"count": 3,
"mode": "System",
"name": "systempool",
"vmSize": "Standard_DS4_v2"
}
]
},
// Non-required parameters
"aadProfile": {
"value": {
"enableAzureRBAC": true,
"managed": true
}
},
"diskEncryptionSetResourceId": {
"value": "<diskEncryptionSetResourceId>"
},
"managedIdentities": {
"value": {
"systemAssigned": true
}
}
}
}
via Bicep parameters file
using './packages/aks-managed-clusters/main.bicep'
// Required parameters
param name = 'csmscmk001'
param primaryAgentPoolProfiles = [
{
count: 3
mode: 'System'
name: 'systempool'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
param aadProfile = {
enableAzureRBAC: true
managed: true
}
param diskEncryptionSetResourceId = '<diskEncryptionSetResourceId>'
param managedIdentities = {
systemAssigned: true
}
Example 4: Using Istio Service Mesh add-on
This instance deploys the module with the Istio service mesh add-on and plugs in a Certificate Authority from Key Vault, so the mesh's issuing CA comes from your own PKI (root certificate, certificate chain, issuing certificate and key, each referenced by Key Vault object name) rather than the self-signed CA the add-on would otherwise generate. The plug-in CA material is fetched through the Azure Key Vault provider for the Secrets Store CSI driver, which is why enableKeyvaultSecretsProvider is set alongside it; the secrets provider's identity must be granted read access to those vault objects (done in the test's dependencies). The ingress gateway is configured as Internal, so nothing in the mesh is exposed with a public address.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/istio]
via Bicep module
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
params: {
// Required parameters
name: 'csist001'
primaryAgentPoolProfiles: [
{
count: 2
mode: 'System'
name: 'systempool'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
aadProfile: {
enableAzureRBAC: true
managed: true
}
enableKeyvaultSecretsProvider: true
enableSecretRotation: true
location: '<location>'
managedIdentities: {
systemAssigned: true
}
serviceMeshProfile: {
istio: {
certificateAuthority: {
plugin: {
certChainObjectName: '<certChainObjectName>'
certObjectName: '<certObjectName>'
keyObjectName: '<keyObjectName>'
keyVaultId: '<keyVaultId>'
rootCertObjectName: '<rootCertObjectName>'
}
}
components: {
ingressGateways: [
{
enabled: true
mode: 'Internal'
}
]
}
revisions: [
'asm-1-27'
]
}
mode: 'Istio'
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "csist001"
},
"primaryAgentPoolProfiles": {
"value": [
{
"count": 2,
"mode": "System",
"name": "systempool",
"vmSize": "Standard_DS4_v2"
}
]
},
// Non-required parameters
"aadProfile": {
"value": {
"enableAzureRBAC": true,
"managed": true
}
},
"enableKeyvaultSecretsProvider": {
"value": true
},
"enableSecretRotation": {
"value": true
},
"location": {
"value": "<location>"
},
"managedIdentities": {
"value": {
"systemAssigned": true
}
},
"serviceMeshProfile": {
"value": {
"istio": {
"certificateAuthority": {
"plugin": {
"certChainObjectName": "<certChainObjectName>",
"certObjectName": "<certObjectName>",
"keyObjectName": "<keyObjectName>",
"keyVaultId": "<keyVaultId>",
"rootCertObjectName": "<rootCertObjectName>"
}
},
"components": {
"ingressGateways": [
{
"enabled": true,
"mode": "Internal"
}
]
},
"revisions": [
"asm-1-27"
]
},
"mode": "Istio"
}
}
}
}
via Bicep parameters file
using './packages/aks-managed-clusters/main.bicep'
// Required parameters
param name = 'csist001'
param primaryAgentPoolProfiles = [
{
count: 2
mode: 'System'
name: 'systempool'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
param aadProfile = {
enableAzureRBAC: true
managed: true
}
param enableKeyvaultSecretsProvider = true
param enableSecretRotation = true
param location = '<location>'
param managedIdentities = {
systemAssigned: true
}
param serviceMeshProfile = {
istio: {
certificateAuthority: {
plugin: {
certChainObjectName: '<certChainObjectName>'
certObjectName: '<certObjectName>'
keyObjectName: '<keyObjectName>'
keyVaultId: '<keyVaultId>'
rootCertObjectName: '<rootCertObjectName>'
}
}
components: {
ingressGateways: [
{
enabled: true
mode: 'Internal'
}
]
}
revisions: [
'asm-1-27'
]
}
mode: 'Istio'
}
Example 5: Using Kubenet Network Plugin
This instance deploys the module with the kubenet network plugin, a user-assigned cluster identity, diagnostic settings and role assignments on the cluster resource. Two things to keep in mind when reusing it: kubenet cannot use the Azure network policy engine, and with no networkPolicy set Kubernetes NetworkPolicy objects are not enforced at all; and the Owner and Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c) assignments grant the service principals full control of the cluster resource, including listClusterAdminCredential while local accounts remain enabled, which is acceptable for a validation deployment but should be narrowed to the Azure Kubernetes Service RBAC roles elsewhere.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/kubenet]
via Bicep module
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
params: {
// Required parameters
name: 'csmkube001'
primaryAgentPoolProfiles: [
{
availabilityZones: [
3
]
count: 1
enableAutoScaling: true
maxCount: 3
maxPods: 30
minCount: 1
mode: 'System'
name: 'systempool'
nodeTaints: [
'CriticalAddonsOnly=true:NoSchedule'
]
osDiskSizeGB: 0
osType: 'Linux'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
aadProfile: {
enableAzureRBAC: true
managed: true
}
agentPools: [
{
availabilityZones: [
3
]
count: 2
enableAutoScaling: true
maxCount: 3
maxPods: 30
minCount: 1
minPods: 2
mode: 'User'
name: 'userpool1'
nodeLabels: {}
osDiskSizeGB: 128
osType: 'Linux'
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
}
]
diagnosticSettings: [
{
eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
eventHubName: '<eventHubName>'
metricCategories: [
{
category: 'AllMetrics'
}
]
name: 'customSetting'
storageAccountResourceId: '<storageAccountResourceId>'
workspaceResourceId: '<workspaceResourceId>'
}
]
managedIdentities: {
userAssignedResourceIds: [
'<managedIdentityResourceId>'
]
}
networkPlugin: 'kubenet'
roleAssignments: [
{
name: '<name>'
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: 'Owner'
}
{
name: '<name>'
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
}
{
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: '<roleDefinitionIdOrName>'
}
]
tags: {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "csmkube001"
},
"primaryAgentPoolProfiles": {
"value": [
{
"availabilityZones": [
3
],
"count": 1,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 30,
"minCount": 1,
"mode": "System",
"name": "systempool",
"nodeTaints": [
"CriticalAddonsOnly=true:NoSchedule"
],
"osDiskSizeGB": 0,
"osType": "Linux",
"type": "VirtualMachineScaleSets",
"vmSize": "Standard_DS4_v2"
}
]
},
// Non-required parameters
"aadProfile": {
"value": {
"enableAzureRBAC": true,
"managed": true
}
},
"agentPools": {
"value": [
{
"availabilityZones": [
3
],
"count": 2,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 30,
"minCount": 1,
"minPods": 2,
"mode": "User",
"name": "userpool1",
"nodeLabels": {},
"osDiskSizeGB": 128,
"osType": "Linux",
"scaleSetEvictionPolicy": "Delete",
"scaleSetPriority": "Regular",
"type": "VirtualMachineScaleSets",
"vmSize": "Standard_DS4_v2"
}
]
},
"diagnosticSettings": {
"value": [
{
"eventHubAuthorizationRuleResourceId": "<eventHubAuthorizationRuleResourceId>",
"eventHubName": "<eventHubName>",
"metricCategories": [
{
"category": "AllMetrics"
}
],
"name": "customSetting",
"storageAccountResourceId": "<storageAccountResourceId>",
"workspaceResourceId": "<workspaceResourceId>"
}
]
},
"managedIdentities": {
"value": {
"userAssignedResourceIds": [
"<managedIdentityResourceId>"
]
}
},
"networkPlugin": {
"value": "kubenet"
},
"roleAssignments": {
"value": [
{
"name": "<name>",
"principalId": "<principalId>",
"principalType": "ServicePrincipal",
"roleDefinitionIdOrName": "Owner"
},
{
"name": "<name>",
"principalId": "<principalId>",
"principalType": "ServicePrincipal",
"roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
},
{
"principalId": "<principalId>",
"principalType": "ServicePrincipal",
"roleDefinitionIdOrName": "<roleDefinitionIdOrName>"
}
]
},
"tags": {
"value": {
"Environment": "Non-Prod",
"hidden-title": "This is visible in the resource name",
"Role": "DeploymentValidation"
}
}
}
}
via Bicep parameters file
using './packages/aks-managed-clusters/main.bicep'
// Required parameters
param name = 'csmkube001'
param primaryAgentPoolProfiles = [
{
availabilityZones: [
3
]
count: 1
enableAutoScaling: true
maxCount: 3
maxPods: 30
minCount: 1
mode: 'System'
name: 'systempool'
nodeTaints: [
'CriticalAddonsOnly=true:NoSchedule'
]
osDiskSizeGB: 0
osType: 'Linux'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
}
]
// Non-required parameters
param aadProfile = {
enableAzureRBAC: true
managed: true
}
param agentPools = [
{
availabilityZones: [
3
]
count: 2
enableAutoScaling: true
maxCount: 3
maxPods: 30
minCount: 1
minPods: 2
mode: 'User'
name: 'userpool1'
nodeLabels: {}
osDiskSizeGB: 128
osType: 'Linux'
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
}
]
param diagnosticSettings = [
{
eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
eventHubName: '<eventHubName>'
metricCategories: [
{
category: 'AllMetrics'
}
]
name: 'customSetting'
storageAccountResourceId: '<storageAccountResourceId>'
workspaceResourceId: '<workspaceResourceId>'
}
]
param managedIdentities = {
userAssignedResourceIds: [
'<managedIdentityResourceId>'
]
}
param networkPlugin = 'kubenet'
param roleAssignments = [
{
name: '<name>'
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: 'Owner'
}
{
name: '<name>'
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
}
{
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: '<roleDefinitionIdOrName>'
}
]
param tags = {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
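The kubenet example above and the large-parameter example that follows show the two ends of the range this module covers: the former enables kubenet, exports only metrics, and hands Owner and Contributor on the cluster resource to service principals; the latter turns on a private API server, disableLocalAccounts, kube-audit export, Defender and the OIDC issuer. The script below is an added example, not part of the AVM module or its tests: it lints a parameters file in the JSON shape shown on this page (including the `// Required parameters` comment lines, which are stripped before parsing) and reports the weaker settings before anything is deployed. The two embedded parameter files are constructed for the example, with made-up principal IDs; the choice of checks and the wording of the findings are the example's own.

```python
"""Posture lint for the JSON parameter files shown on this page (added example, not module code).

Reads the generated deploymentParameters shape, including the `// Required parameters`
comment lines that would otherwise break json.loads, flattens it to {param: value} and
reports settings that leave the cluster weaker than the module allows. The checks and
their wording are this example's own; run it in CI before `az deployment group create`.
"""
import json
import re

CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # GUID used in the kubenet example above
BROAD_ROLES = {"owner", "contributor", CONTRIBUTOR_ROLE_ID}
AUDIT_CATEGORIES = {"kube-audit", "kube-audit-admin"}
_COMMENT_LINE = re.compile(r"^[ \t]*//[^\n]*$", re.MULTILINE)


def load_params(text: str) -> dict:
    """Drop `// ...` comment lines, parse, and flatten {name: {"value": v}} to {name: v}."""
    doc = json.loads(_COMMENT_LINE.sub("", text))
    return {name: entry["value"] for name, entry in doc["parameters"].items()}


def lint(params: dict) -> list:
    """Return one finding per weak setting; an empty list means the file passed."""
    findings = []
    aad = params.get("aadProfile") or {}
    if not (aad.get("managed") and aad.get("enableAzureRBAC")):
        findings.append("aadProfile: set managed and enableAzureRBAC so Entra ID and Azure RBAC gate kubectl access")
    if not params.get("disableLocalAccounts", False):
        findings.append("disableLocalAccounts: unset, the static admin kubeconfig stays retrievable via listClusterAdminCredential")
    api = params.get("apiServerAccessProfile") or {}
    if not (api.get("enablePrivateCluster") or api.get("authorizedIPRanges")):
        findings.append("apiServerAccessProfile: API server reachable from any address; set enablePrivateCluster or authorizedIPRanges")
    if params.get("networkPlugin") == "kubenet":
        findings.append("networkPlugin: kubenet cannot use the Azure network policy engine; prefer Azure CNI overlay")
    if not params.get("networkPolicy"):
        findings.append("networkPolicy: unset, so Kubernetes NetworkPolicy objects are not enforced")
    for ra in params.get("roleAssignments") or []:
        role = str(ra.get("roleDefinitionIdOrName", ""))
        if role.lower() in BROAD_ROLES:
            findings.append(f"roleAssignments: {role} for {ra.get('principalId')} grants full control of the cluster "
                            "resource; prefer the Azure Kubernetes Service RBAC roles")
    audited = any(cat.get("category") in AUDIT_CATEGORIES
                  for ds in params.get("diagnosticSettings") or []
                  for cat in ds.get("logCategoriesAndGroups") or [])
    if not audited:
        findings.append("diagnosticSettings: no kube-audit or kube-audit-admin category, API-server audit log is not exported")
    defender = (params.get("securityProfile") or {}).get("defender") or {}
    if not (defender.get("securityMonitoring") or {}).get("enabled"):
        findings.append("securityProfile.defender: runtime threat detection is not enabled")
    if not params.get("enableOidcIssuerProfile", False):
        findings.append("enableOidcIssuerProfile: false, workload identity federation is unavailable to pods")
    return findings


def lint_text(text: str) -> list:
    """Convenience wrapper: raw parameters-file text in, findings out."""
    return lint(load_params(text))


# Constructed inputs (not from the page): WEAK mirrors the kubenet example's shape with
# made-up principal IDs; HARDENED mirrors the settings the large-parameter example turns on.
WEAK = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Required parameters
    "name": {"value": "csmkube001"},
    "primaryAgentPoolProfiles": {"value": [{"count": 1, "mode": "System", "name": "systempool", "vmSize": "Standard_DS4_v2"}]},
    // Non-required parameters
    "aadProfile": {"value": {"enableAzureRBAC": true, "managed": true}},
    "diagnosticSettings": {"value": [{"metricCategories": [{"category": "AllMetrics"}], "name": "customSetting"}]},
    "networkPlugin": {"value": "kubenet"},
    "roleAssignments": {"value": [
      {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Owner"},
      {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"}
    ]}
  }
}"""

HARDENED = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {"value": "csmax001"},
    "primaryAgentPoolProfiles": {"value": [{"count": 1, "mode": "System", "name": "systempool", "vmSize": "Standard_DS2_v2"}]},
    "aadProfile": {"value": {"enableAzureRBAC": true, "managed": true}},
    "apiServerAccessProfile": {"value": {"enablePrivateCluster": true, "enableVnetIntegration": true}},
    "diagnosticSettings": {"value": [{"logCategoriesAndGroups": [{"category": "kube-audit-admin"}], "name": "audit"}]},
    "disableLocalAccounts": {"value": true},
    "enableOidcIssuerProfile": {"value": true},
    "networkPlugin": {"value": "azure"},
    "networkPluginMode": {"value": "overlay"},
    "networkPolicy": {"value": "azure"},
    "roleAssignments": {"value": [{"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "ServicePrincipal", "roleDefinitionIdOrName": "Azure Kubernetes Service RBAC Cluster Admin"}]},
    "securityProfile": {"value": {"defender": {"securityMonitoring": {"enabled": true}}}}
  }
}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        findings = lint_text(text)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Feed a real parameters file to lint_text in a CI step and fail the job when the list is non-empty; extend BROAD_ROLES with any custom role GUIDs your tenant treats as equivalent to Contributor. The linter only sees what the file states explicitly, so a parameter the module would default to a safe value is still reported until it is written down, which is the behaviour you want in a gate that has to survive module upgrades.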
Example 6: Using large parameter set
This instance deploys the module with most of its features enabled to test maximum parameter coverage.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/max]
via Bicep module
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
params: {
// Required parameters
name: 'csmax001'
primaryAgentPoolProfiles: [
{
availabilityZones: [
1
2
]
count: 1
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 1
mode: 'System'
name: 'systempool'
nodeTaints: [
'CriticalAddonsOnly=true:NoSchedule'
]
osDiskSizeGB: 128
osDiskType: 'Managed'
osType: 'Linux'
powerState: {
code: 'Running'
}
type: 'VirtualMachineScaleSets'
upgradeSettings: {
drainTimeoutInMinutes: 30
maxSurge: '33%'
nodeSoakDurationInMinutes: 0
}
vmSize: 'Standard_DS2_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
// Non-required parameters
aadProfile: {
enableAzureRBAC: true
managed: true
tenantID: '<tenantID>'
}
aciConnectorLinuxEnabled: false
agentPools: [
{
availabilityZones: [
1
]
count: 1
enableAutoScaling: true
kubeletConfig: {
allowedUnsafeSysctls: [
'net.core.somaxconn'
]
containerLogMaxFiles: 5
containerLogMaxSizeMB: 50
cpuCfsQuota: true
cpuCfsQuotaPeriod: '100ms'
cpuManagerPolicy: 'static'
failSwapOn: false
imageGcHighThreshold: 85
imageGcLowThreshold: 80
podMaxPids: 100
topologyManagerPolicy: 'best-effort'
}
maxCount: 2
maxPods: 30
minCount: 1
minPods: 0
mode: 'User'
name: 'userpool1'
nodeLabels: {
environment: 'dev'
workload: 'general'
}
nodeTaints: []
osDiskSizeGB: 30
osDiskType: 'Ephemeral'
osType: 'Linux'
powerState: {
code: 'Running'
}
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
upgradeSettings: {
drainTimeoutInMinutes: 30
maxSurge: '50%'
nodeSoakDurationInMinutes: 0
}
vmSize: 'Standard_D2s_v3'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
aiToolchainOperatorProfile: {
enabled: false
}
allocatedOutboundPorts: 0
apiServerAccessProfile: {
enablePrivateCluster: true
enableVnetIntegration: true
privateDNSZone: '<privateDNSZone>'
subnetId: '<subnetId>'
}
appGatewayResourceId: '<appGatewayResourceId>'
autoScalerProfile: {
'balance-similar-node-groups': 'false'
'daemonset-eviction-for-empty-nodes': false
'daemonset-eviction-for-occupied-nodes': true
expander: 'random'
'ignore-daemonsets-utilization': false
'max-empty-bulk-delete': '10'
'max-graceful-termination-sec': '600'
'max-node-provision-time': '15m'
'max-total-unready-percentage': '45'
'new-pod-scale-up-delay': '0s'
'ok-total-unready-count': '3'
'scale-down-delay-after-add': '10m'
'scale-down-delay-after-delete': '20s'
'scale-down-delay-after-failure': '3m'
'scale-down-unneeded-time': '10m'
'scale-down-unready-time': '20m'
'scale-down-utilization-threshold': '0.5'
'scan-interval': '10s'
'skip-nodes-with-local-storage': 'true'
'skip-nodes-with-system-pods': 'true'
}
autoUpgradeProfile: {
nodeOSUpgradeChannel: 'NodeImage'
upgradeChannel: 'stable'
}
azurePolicyEnabled: true
azurePolicyVersion: 'v2'
backendPoolType: 'NodeIPConfiguration'
costAnalysisEnabled: true
defaultIngressControllerType: 'Internal'
diagnosticSettings: [
{
eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
eventHubName: '<eventHubName>'
logCategoriesAndGroups: [
{
category: 'kube-apiserver'
}
{
category: 'kube-controller-manager'
}
{
category: 'kube-scheduler'
}
{
category: 'kube-audit'
}
{
category: 'kube-audit-admin'
}
{
category: 'guard'
}
{
category: 'cluster-autoscaler'
}
{
category: 'cloud-controller-manager'
}
{
category: 'csi-azuredisk-controller'
}
{
category: 'csi-azurefile-controller'
}
{
category: 'csi-snapshot-controller'
}
]
metricCategories: [
{
category: 'AllMetrics'
}
]
name: 'customSetting'
storageAccountResourceId: '<storageAccountResourceId>'
workspaceResourceId: '<workspaceResourceId>'
}
]
disableLocalAccounts: true
diskEncryptionSetResourceId: '<diskEncryptionSetResourceId>'
dnsServiceIP: '10.10.200.10'
enableDnsZoneContributorRoleAssignment: true
enableKeyvaultSecretsProvider: true
enableOidcIssuerProfile: true
enableRBAC: true
enableSecretRotation: true
enableStorageProfileBlobCSIDriver: true
enableStorageProfileDiskCSIDriver: true
enableStorageProfileFileCSIDriver: true
enableStorageProfileSnapshotController: true
httpApplicationRoutingEnabled: false
identityProfile: {
kubeletidentity: {
resourceId: '<resourceId>'
}
}
idleTimeoutInMinutes: 30
ingressApplicationGatewayEnabled: true
kubeDashboardEnabled: false
linuxProfile: {
adminUsername: 'azureuser'
ssh: {
publicKeys: [
{
keyData: '<keyData>'
}
]
}
}
loadBalancerSku: 'standard'
location: '<location>'
lock: {
kind: 'CanNotDelete'
name: 'myCustomLockName'
}
maintenanceConfigurations: [
{
maintenanceWindow: {
durationHours: 4
schedule: {
weekly: {
dayOfWeek: 'Sunday'
intervalWeeks: 1
}
}
startDate: '2024-07-15'
startTime: '00:00'
utcOffset: '+00:00'
}
name: 'aksManagedAutoUpgradeSchedule'
}
{
maintenanceWindow: {
durationHours: 6
schedule: {
weekly: {
dayOfWeek: 'Saturday'
intervalWeeks: 1
}
}
startDate: '2024-07-15'
startTime: '02:00'
utcOffset: '+00:00'
}
name: 'aksManagedNodeOSUpgradeSchedule'
}
]
managedIdentities: {
userAssignedResourceIds: [
'<managedIdentityResourceId>'
]
}
managedOutboundIPCount: 2
monitoringWorkspaceResourceId: '<monitoringWorkspaceResourceId>'
networkDataplane: 'azure'
networkPlugin: 'azure'
networkPluginMode: 'overlay'
networkPolicy: 'azure'
nodeProvisioningProfile: {
mode: 'Manual'
}
nodeResourceGroup: '<nodeResourceGroup>'
nodeResourceGroupProfile: {
restrictionLevel: 'ReadOnly'
}
omsAgentEnabled: true
omsAgentUseAADAuth: true
openServiceMeshEnabled: false
outboundPublicIPResourceIds: [
'<publicIPAKSResourceId>'
]
outboundType: 'loadBalancer'
podCidr: '10.244.0.0/16'
podIdentityProfile: {
enabled: false
}
publicNetworkAccess: 'Disabled'
roleAssignments: [
{
name: '<name>'
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: 'Owner'
}
{
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: 'Azure Kubernetes Service RBAC Cluster Admin'
}
]
securityProfile: {
defender: {
logAnalyticsWorkspaceResourceId: '<logAnalyticsWorkspaceResourceId>'
securityMonitoring: {
enabled: true
}
}
imageCleaner: {
enabled: true
intervalHours: 48
}
}
serviceCidr: '10.10.200.0/24'
serviceMeshProfile: {
mode: 'Disabled'
}
skuName: 'Base'
skuTier: 'Standard'
supportPlan: 'KubernetesOfficial'
tags: {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
upgradeSettings: {
overrideSettings: {
forceUpgrade: false
until: '2025-12-31T23:59:59Z'
}
}
webApplicationRoutingEnabled: true
workloadAutoScalerProfile: {
keda: {
enabled: true
}
verticalPodAutoscaler: {
enabled: true
}
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "csmax001"
},
"primaryAgentPoolProfiles": {
"value": [
{
"availabilityZones": [
1,
2
],
"count": 1,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 50,
"minCount": 1,
"mode": "System",
"name": "systempool",
"nodeTaints": [
"CriticalAddonsOnly=true:NoSchedule"
],
"osDiskSizeGB": 128,
"osDiskType": "Managed",
"osType": "Linux",
"powerState": {
"code": "Running"
},
"type": "VirtualMachineScaleSets",
"upgradeSettings": {
"drainTimeoutInMinutes": 30,
"maxSurge": "33%",
"nodeSoakDurationInMinutes": 0
},
"vmSize": "Standard_DS2_v2",
"vnetSubnetResourceId": "<vnetSubnetResourceId>"
}
]
},
// Non-required parameters
"aadProfile": {
"value": {
"enableAzureRBAC": true,
"managed": true,
"tenantID": "<tenantID>"
}
},
"aciConnectorLinuxEnabled": {
"value": false
},
"agentPools": {
"value": [
{
"availabilityZones": [
1
],
"count": 1,
"enableAutoScaling": true,
"kubeletConfig": {
"allowedUnsafeSysctls": [
"net.core.somaxconn"
],
"containerLogMaxFiles": 5,
"containerLogMaxSizeMB": 50,
"cpuCfsQuota": true,
"cpuCfsQuotaPeriod": "100ms",
"cpuManagerPolicy": "static",
"failSwapOn": false,
"imageGcHighThreshold": 85,
"imageGcLowThreshold": 80,
"podMaxPids": 100,
"topologyManagerPolicy": "best-effort"
},
"maxCount": 2,
"maxPods": 30,
"minCount": 1,
"minPods": 0,
"mode": "User",
"name": "userpool1",
"nodeLabels": {
"environment": "dev",
"workload": "general"
},
"nodeTaints": [],
"osDiskSizeGB": 30,
"osDiskType": "Ephemeral",
"osType": "Linux",
"powerState": {
"code": "Running"
},
"scaleSetEvictionPolicy": "Delete",
"scaleSetPriority": "Regular",
"type": "VirtualMachineScaleSets",
"upgradeSettings": {
"drainTimeoutInMinutes": 30,
"maxSurge": "50%",
"nodeSoakDurationInMinutes": 0
},
"vmSize": "Standard_D2s_v3",
"vnetSubnetResourceId": "<vnetSubnetResourceId>"
}
]
},
"aiToolchainOperatorProfile": {
"value": {
"enabled": false
}
},
"allocatedOutboundPorts": {
"value": 0
},
"apiServerAccessProfile": {
"value": {
"enablePrivateCluster": true,
"enableVnetIntegration": true,
"privateDNSZone": "<privateDNSZone>",
"subnetId": "<subnetId>"
}
},
"appGatewayResourceId": {
"value": "<appGatewayResourceId>"
},
"autoScalerProfile": {
"value": {
"balance-similar-node-groups": "false",
"daemonset-eviction-for-empty-nodes": false,
"daemonset-eviction-for-occupied-nodes": true,
"expander": "random",
"ignore-daemonsets-utilization": false,
"max-empty-bulk-delete": "10",
"max-graceful-termination-sec": "600",
"max-node-provision-time": "15m",
"max-total-unready-percentage": "45",
"new-pod-scale-up-delay": "0s",
"ok-total-unready-count": "3",
"scale-down-delay-after-add": "10m",
"scale-down-delay-after-delete": "20s",
"scale-down-delay-after-failure": "3m",
"scale-down-unneeded-time": "10m",
"scale-down-unready-time": "20m",
"scale-down-utilization-threshold": "0.5",
"scan-interval": "10s",
"skip-nodes-with-local-storage": "true",
"skip-nodes-with-system-pods": "true"
}
},
"autoUpgradeProfile": {
"value": {
"nodeOSUpgradeChannel": "NodeImage",
"upgradeChannel": "stable"
}
},
"azurePolicyEnabled": {
"value": true
},
"azurePolicyVersion": {
"value": "v2"
},
"backendPoolType": {
"value": "NodeIPConfiguration"
},
"costAnalysisEnabled": {
"value": true
},
"defaultIngressControllerType": {
"value": "Internal"
},
"diagnosticSettings": {
"value": [
{
"eventHubAuthorizationRuleResourceId": "<eventHubAuthorizationRuleResourceId>",
"eventHubName": "<eventHubName>",
"logCategoriesAndGroups": [
{
"category": "kube-apiserver"
},
{
"category": "kube-controller-manager"
},
{
"category": "kube-scheduler"
},
{
"category": "kube-audit"
},
{
"category": "kube-audit-admin"
},
{
"category": "guard"
},
{
"category": "cluster-autoscaler"
},
{
"category": "cloud-controller-manager"
},
{
"category": "csi-azuredisk-controller"
},
{
"category": "csi-azurefile-controller"
},
{
"category": "csi-snapshot-controller"
}
],
"metricCategories": [
{
"category": "AllMetrics"
}
],
"name": "customSetting",
"storageAccountResourceId": "<storageAccountResourceId>",
"workspaceResourceId": "<workspaceResourceId>"
}
]
},
"disableLocalAccounts": {
"value": true
},
"diskEncryptionSetResourceId": {
"value": "<diskEncryptionSetResourceId>"
},
"dnsServiceIP": {
"value": "10.10.200.10"
},
"enableDnsZoneContributorRoleAssignment": {
"value": true
},
"enableKeyvaultSecretsProvider": {
"value": true
},
"enableOidcIssuerProfile": {
"value": true
},
"enableRBAC": {
"value": true
},
"enableSecretRotation": {
"value": true
},
"enableStorageProfileBlobCSIDriver": {
"value": true
},
"enableStorageProfileDiskCSIDriver": {
"value": true
},
"enableStorageProfileFileCSIDriver": {
"value": true
},
"enableStorageProfileSnapshotController": {
"value": true
},
"httpApplicationRoutingEnabled": {
"value": false
},
"identityProfile": {
"value": {
"kubeletidentity": {
"resourceId": "<resourceId>"
}
}
},
"idleTimeoutInMinutes": {
"value": 30
},
"ingressApplicationGatewayEnabled": {
"value": true
},
"kubeDashboardEnabled": {
"value": false
},
"linuxProfile": {
"value": {
"adminUsername": "azureuser",
"ssh": {
"publicKeys": [
{
"keyData": "<keyData>"
}
]
}
}
},
"loadBalancerSku": {
"value": "standard"
},
"location": {
"value": "<location>"
},
"lock": {
"value": {
"kind": "CanNotDelete",
"name": "myCustomLockName"
}
},
"maintenanceConfigurations": {
"value": [
{
"maintenanceWindow": {
"durationHours": 4,
"schedule": {
"weekly": {
"dayOfWeek": "Sunday",
"intervalWeeks": 1
}
},
"startDate": "2024-07-15",
"startTime": "00:00",
"utcOffset": "+00:00"
},
"name": "aksManagedAutoUpgradeSchedule"
},
{
"maintenanceWindow": {
"durationHours": 6,
"schedule": {
"weekly": {
"dayOfWeek": "Saturday",
"intervalWeeks": 1
}
},
"startDate": "2024-07-15",
"startTime": "02:00",
"utcOffset": "+00:00"
},
"name": "aksManagedNodeOSUpgradeSchedule"
}
]
},
"managedIdentities": {
"value": {
"userAssignedResourceIds": [
"<managedIdentityResourceId>"
]
}
},
"managedOutboundIPCount": {
"value": 2
},
"monitoringWorkspaceResourceId": {
"value": "<monitoringWorkspaceResourceId>"
},
"networkDataplane": {
"value": "azure"
},
"networkPlugin": {
"value": "azure"
},
"networkPluginMode": {
"value": "overlay"
},
"networkPolicy": {
"value": "azure"
},
"nodeProvisioningProfile": {
"value": {
"mode": "Manual"
}
},
"nodeResourceGroup": {
"value": "<nodeResourceGroup>"
},
"nodeResourceGroupProfile": {
"value": {
"restrictionLevel": "ReadOnly"
}
},
"omsAgentEnabled": {
"value": true
},
"omsAgentUseAADAuth": {
"value": true
},
"openServiceMeshEnabled": {
"value": false
},
"outboundPublicIPResourceIds": {
"value": [
"<publicIPAKSResourceId>"
]
},
"outboundType": {
"value": "loadBalancer"
},
"podCidr": {
"value": "10.244.0.0/16"
},
"podIdentityProfile": {
"value": {
"enabled": false
}
},
"publicNetworkAccess": {
"value": "Disabled"
},
"roleAssignments": {
"value": [
{
"name": "<name>",
"principalId": "<principalId>",
"principalType": "ServicePrincipal",
"roleDefinitionIdOrName": "Owner"
},
{
"principalId": "<principalId>",
"principalType": "ServicePrincipal",
"roleDefinitionIdOrName": "Azure Kubernetes Service RBAC Cluster Admin"
}
]
},
"securityProfile": {
"value": {
"defender": {
"logAnalyticsWorkspaceResourceId": "<logAnalyticsWorkspaceResourceId>",
"securityMonitoring": {
"enabled": true
}
},
"imageCleaner": {
"enabled": true,
"intervalHours": 48
}
}
},
"serviceCidr": {
"value": "10.10.200.0/24"
},
"serviceMeshProfile": {
"value": {
"mode": "Disabled"
}
},
"skuName": {
"value": "Base"
},
"skuTier": {
"value": "Standard"
},
"supportPlan": {
"value": "KubernetesOfficial"
},
"tags": {
"value": {
"Environment": "Non-Prod",
"hidden-title": "This is visible in the resource name",
"Role": "DeploymentValidation"
}
},
"upgradeSettings": {
"value": {
"overrideSettings": {
"forceUpgrade": false,
"until": "2025-12-31T23:59:59Z"
}
}
},
"webApplicationRoutingEnabled": {
"value": true
},
"workloadAutoScalerProfile": {
"value": {
"keda": {
"enabled": true
},
"verticalPodAutoscaler": {
"enabled": true
}
}
}
}
}
via Bicep parameters file
using './packages/aks-managed-clusters/main.bicep'
// Required parameters
param name = 'csmax001'
param primaryAgentPoolProfiles = [
{
availabilityZones: [
1
2
]
count: 1
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 1
mode: 'System'
name: 'systempool'
nodeTaints: [
'CriticalAddonsOnly=true:NoSchedule'
]
osDiskSizeGB: 128
osDiskType: 'Managed'
osType: 'Linux'
powerState: {
code: 'Running'
}
type: 'VirtualMachineScaleSets'
upgradeSettings: {
drainTimeoutInMinutes: 30
maxSurge: '33%'
nodeSoakDurationInMinutes: 0
}
vmSize: 'Standard_DS2_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
// Non-required parameters
param aadProfile = {
enableAzureRBAC: true
managed: true
tenantID: '<tenantID>'
}
param aciConnectorLinuxEnabled = false
param agentPools = [
{
availabilityZones: [
1
]
count: 1
enableAutoScaling: true
kubeletConfig: {
allowedUnsafeSysctls: [
'net.core.somaxconn'
]
containerLogMaxFiles: 5
containerLogMaxSizeMB: 50
cpuCfsQuota: true
cpuCfsQuotaPeriod: '100ms'
cpuManagerPolicy: 'static'
failSwapOn: false
imageGcHighThreshold: 85
imageGcLowThreshold: 80
podMaxPids: 100
topologyManagerPolicy: 'best-effort'
}
maxCount: 2
maxPods: 30
minCount: 1
minPods: 0
mode: 'User'
name: 'userpool1'
nodeLabels: {
environment: 'dev'
workload: 'general'
}
nodeTaints: []
osDiskSizeGB: 30
osDiskType: 'Ephemeral'
osType: 'Linux'
powerState: {
code: 'Running'
}
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
upgradeSettings: {
drainTimeoutInMinutes: 30
maxSurge: '50%'
nodeSoakDurationInMinutes: 0
}
vmSize: 'Standard_D2s_v3'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
param aiToolchainOperatorProfile = {
enabled: false
}
param allocatedOutboundPorts = 0
param apiServerAccessProfile = {
enablePrivateCluster: true
enableVnetIntegration: true
privateDNSZone: '<privateDNSZone>'
subnetId: '<subnetId>'
}
param appGatewayResourceId = '<appGatewayResourceId>'
param autoScalerProfile = {
'balance-similar-node-groups': 'false'
'daemonset-eviction-for-empty-nodes': false
'daemonset-eviction-for-occupied-nodes': true
expander: 'random'
'ignore-daemonsets-utilization': false
'max-empty-bulk-delete': '10'
'max-graceful-termination-sec': '600'
'max-node-provision-time': '15m'
'max-total-unready-percentage': '45'
'new-pod-scale-up-delay': '0s'
'ok-total-unready-count': '3'
'scale-down-delay-after-add': '10m'
'scale-down-delay-after-delete': '20s'
'scale-down-delay-after-failure': '3m'
'scale-down-unneeded-time': '10m'
'scale-down-unready-time': '20m'
'scale-down-utilization-threshold': '0.5'
'scan-interval': '10s'
'skip-nodes-with-local-storage': 'true'
'skip-nodes-with-system-pods': 'true'
}
param autoUpgradeProfile = {
nodeOSUpgradeChannel: 'NodeImage'
upgradeChannel: 'stable'
}
param azurePolicyEnabled = true
param azurePolicyVersion = 'v2'
param backendPoolType = 'NodeIPConfiguration'
param costAnalysisEnabled = true
param defaultIngressControllerType = 'Internal'
param diagnosticSettings = [
{
eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
eventHubName: '<eventHubName>'
logCategoriesAndGroups: [
{
category: 'kube-apiserver'
}
{
category: 'kube-controller-manager'
}
{
category: 'kube-scheduler'
}
{
category: 'kube-audit'
}
{
category: 'kube-audit-admin'
}
{
category: 'guard'
}
{
category: 'cluster-autoscaler'
}
{
category: 'cloud-controller-manager'
}
{
category: 'csi-azuredisk-controller'
}
{
category: 'csi-azurefile-controller'
}
{
category: 'csi-snapshot-controller'
}
]
metricCategories: [
{
category: 'AllMetrics'
}
]
name: 'customSetting'
storageAccountResourceId: '<storageAccountResourceId>'
workspaceResourceId: '<workspaceResourceId>'
}
]
param disableLocalAccounts = true
param diskEncryptionSetResourceId = '<diskEncryptionSetResourceId>'
param dnsServiceIP = '10.10.200.10'
param enableDnsZoneContributorRoleAssignment = true
param enableKeyvaultSecretsProvider = true
param enableOidcIssuerProfile = true
param enableRBAC = true
param enableSecretRotation = true
param enableStorageProfileBlobCSIDriver = true
param enableStorageProfileDiskCSIDriver = true
param enableStorageProfileFileCSIDriver = true
param enableStorageProfileSnapshotController = true
param httpApplicationRoutingEnabled = false
param identityProfile = {
kubeletidentity: {
resourceId: '<resourceId>'
}
}
param idleTimeoutInMinutes = 30
param ingressApplicationGatewayEnabled = true
param kubeDashboardEnabled = false
param linuxProfile = {
adminUsername: 'azureuser'
ssh: {
publicKeys: [
{
keyData: '<keyData>'
}
]
}
}
param loadBalancerSku = 'standard'
param location = '<location>'
param lock = {
kind: 'CanNotDelete'
name: 'myCustomLockName'
}
param maintenanceConfigurations = [
{
maintenanceWindow: {
durationHours: 4
schedule: {
weekly: {
dayOfWeek: 'Sunday'
intervalWeeks: 1
}
}
startDate: '2024-07-15'
startTime: '00:00'
utcOffset: '+00:00'
}
name: 'aksManagedAutoUpgradeSchedule'
}
{
maintenanceWindow: {
durationHours: 6
schedule: {
weekly: {
dayOfWeek: 'Saturday'
intervalWeeks: 1
}
}
startDate: '2024-07-15'
startTime: '02:00'
utcOffset: '+00:00'
}
name: 'aksManagedNodeOSUpgradeSchedule'
}
]
param managedIdentities = {
userAssignedResourceIds: [
'<managedIdentityResourceId>'
]
}
param managedOutboundIPCount = 2
param monitoringWorkspaceResourceId = '<monitoringWorkspaceResourceId>'
param networkDataplane = 'azure'
param networkPlugin = 'azure'
param networkPluginMode = 'overlay'
param networkPolicy = 'azure'
param nodeProvisioningProfile = {
mode: 'Manual'
}
param nodeResourceGroup = '<nodeResourceGroup>'
param nodeResourceGroupProfile = {
restrictionLevel: 'ReadOnly'
}
param omsAgentEnabled = true
param omsAgentUseAADAuth = true
param openServiceMeshEnabled = false
param outboundPublicIPResourceIds = [
'<publicIPAKSResourceId>'
]
param outboundType = 'loadBalancer'
param podCidr = '10.244.0.0/16'
param podIdentityProfile = {
enabled: false
}
param publicNetworkAccess = 'Disabled'
param roleAssignments = [
{
name: '<name>'
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: 'Owner'
}
{
principalId: '<principalId>'
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: 'Azure Kubernetes Service RBAC Cluster Admin'
}
]
param securityProfile = {
defender: {
logAnalyticsWorkspaceResourceId: '<logAnalyticsWorkspaceResourceId>'
securityMonitoring: {
enabled: true
}
}
imageCleaner: {
enabled: true
intervalHours: 48
}
}
param serviceCidr = '10.10.200.0/24'
param serviceMeshProfile = {
mode: 'Disabled'
}
param skuName = 'Base'
param skuTier = 'Standard'
param supportPlan = 'KubernetesOfficial'
param tags = {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
param upgradeSettings = {
overrideSettings: {
forceUpgrade: false
until: '2025-12-31T23:59:59Z'
}
}
param webApplicationRoutingEnabled = true
param workloadAutoScalerProfile = {
keda: {
enabled: true
}
verticalPodAutoscaler: {
enabled: true
}
}
Example 7: Using Private Cluster.
This instance deploys the module with a private cluster instance.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/priv]
via Bicep module
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
params: {
// Required parameters
name: 'csmpriv001'
primaryAgentPoolProfiles: [
{
availabilityZones: [
3
]
count: 1
enableAutoScaling: true
maxCount: 3
maxPods: 30
minCount: 1
mode: 'System'
name: 'systempool'
nodeTaints: [
'CriticalAddonsOnly=true:NoSchedule'
]
osDiskSizeGB: 0
osType: 'Linux'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
// Non-required parameters
aadProfile: {
enableAzureRBAC: true
managed: true
}
agentPools: [
{
availabilityZones: [
3
]
count: 2
enableAutoScaling: true
maxCount: 3
maxPods: 30
minCount: 1
minPods: 2
mode: 'User'
name: 'userpool1'
nodeLabels: {}
osDiskSizeGB: 128
osType: 'Linux'
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
apiServerAccessProfile: {
enablePrivateCluster: true
privateDNSZone: '<privateDNSZone>'
}
dnsServiceIP: '10.10.200.10'
managedIdentities: {
userAssignedResourceIds: [
'<managedIdentityResourceId>'
]
}
networkPlugin: 'azure'
serviceCidr: '10.10.200.0/24'
skuTier: 'Standard'
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "csmpriv001"
},
"primaryAgentPoolProfiles": {
"value": [
{
"availabilityZones": [
3
],
"count": 1,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 30,
"minCount": 1,
"mode": "System",
"name": "systempool",
"nodeTaints": [
"CriticalAddonsOnly=true:NoSchedule"
],
"osDiskSizeGB": 0,
"osType": "Linux",
"type": "VirtualMachineScaleSets",
"vmSize": "Standard_DS4_v2",
"vnetSubnetResourceId": "<vnetSubnetResourceId>"
}
]
},
// Non-required parameters
"aadProfile": {
"value": {
"enableAzureRBAC": true,
"managed": true
}
},
"agentPools": {
"value": [
{
"availabilityZones": [
3
],
"count": 2,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 30,
"minCount": 1,
"minPods": 2,
"mode": "User",
"name": "userpool1",
"nodeLabels": {},
"osDiskSizeGB": 128,
"osType": "Linux",
"scaleSetEvictionPolicy": "Delete",
"scaleSetPriority": "Regular",
"type": "VirtualMachineScaleSets",
"vmSize": "Standard_DS4_v2",
"vnetSubnetResourceId": "<vnetSubnetResourceId>"
}
]
},
"apiServerAccessProfile": {
"value": {
"enablePrivateCluster": true,
"privateDNSZone": "<privateDNSZone>"
}
},
"dnsServiceIP": {
"value": "10.10.200.10"
},
"managedIdentities": {
"value": {
"userAssignedResourceIds": [
"<managedIdentityResourceId>"
]
}
},
"networkPlugin": {
"value": "azure"
},
"serviceCidr": {
"value": "10.10.200.0/24"
},
"skuTier": {
"value": "Standard"
}
}
}
via Bicep parameters file
using './packages/aks-managed-clusters/main.bicep'
// Required parameters
param name = 'csmpriv001'
param primaryAgentPoolProfiles = [
{
availabilityZones: [
3
]
count: 1
enableAutoScaling: true
maxCount: 3
maxPods: 30
minCount: 1
mode: 'System'
name: 'systempool'
nodeTaints: [
'CriticalAddonsOnly=true:NoSchedule'
]
osDiskSizeGB: 0
osType: 'Linux'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
// Non-required parameters
param aadProfile = {
enableAzureRBAC: true
managed: true
}
param agentPools = [
{
availabilityZones: [
3
]
count: 2
enableAutoScaling: true
maxCount: 3
maxPods: 30
minCount: 1
minPods: 2
mode: 'User'
name: 'userpool1'
nodeLabels: {}
osDiskSizeGB: 128
osType: 'Linux'
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
param apiServerAccessProfile = {
enablePrivateCluster: true
privateDNSZone: '<privateDNSZone>'
}
param dnsServiceIP = '10.10.200.10'
param managedIdentities = {
userAssignedResourceIds: [
'<managedIdentityResourceId>'
]
}
param networkPlugin = 'azure'
param serviceCidr = '10.10.200.0/24'
param skuTier = 'Standard'
Example 8: WAF-aligned
This instance deploys the module in alignment with the best-practices of the Well-Architected Framework.
You can find the full example and the setup of its dependencies in the deployment test folder path [/tests/e2e/waf-aligned]
via Bicep module
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
params: {
// Required parameters
name: 'cswaf001'
primaryAgentPoolProfiles: [
{
availabilityZones: [
3
]
count: 1
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 3
mode: 'System'
name: 'systempool'
nodeTaints: [
'CriticalAddonsOnly=true:NoSchedule'
]
osDiskSizeGB: 0
osType: 'Linux'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
// Non-required parameters
aadProfile: {
enableAzureRBAC: true
managed: true
}
agentPools: [
{
availabilityZones: [
3
]
count: 2
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 3
minPods: 2
mode: 'User'
name: 'userpool1'
nodeLabels: {}
osDiskSizeGB: 60
osDiskType: 'Ephemeral'
osType: 'Linux'
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
{
availabilityZones: [
3
]
count: 2
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 3
minPods: 2
mode: 'User'
name: 'userpool2'
nodeLabels: {}
osDiskSizeGB: 60
osDiskType: 'Ephemeral'
osType: 'Linux'
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
}
]
apiServerAccessProfile: {
enablePrivateCluster: true
privateDNSZone: '<privateDNSZone>'
}
autoUpgradeProfile: {
nodeOSUpgradeChannel: 'Unmanaged'
upgradeChannel: 'stable'
}
diagnosticSettings: [
{
eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
eventHubName: '<eventHubName>'
logCategoriesAndGroups: [
{
category: 'kube-apiserver'
}
{
category: 'kube-controller-manager'
}
{
category: 'kube-scheduler'
}
{
category: 'cluster-autoscaler'
}
]
metricCategories: [
{
category: 'AllMetrics'
}
]
name: 'customSetting'
storageAccountResourceId: '<storageAccountResourceId>'
workspaceResourceId: '<workspaceResourceId>'
}
]
disableLocalAccounts: true
dnsServiceIP: '10.10.200.10'
maintenanceConfigurations: [
{
maintenanceWindow: {
durationHours: 4
schedule: {
weekly: {
dayOfWeek: 'Sunday'
intervalWeeks: 1
}
}
startDate: '2024-07-15'
startTime: '00:00'
utcOffset: '+00:00'
}
name: 'aksManagedAutoUpgradeSchedule'
}
{
maintenanceWindow: {
durationHours: 4
schedule: {
weekly: {
dayOfWeek: 'Sunday'
intervalWeeks: 1
}
}
startDate: '2024-07-15'
startTime: '00:00'
utcOffset: '+00:00'
}
name: 'aksManagedNodeOSUpgradeSchedule'
}
]
managedIdentities: {
userAssignedResourceIds: [
'<managedIdentityResourceId>'
]
}
monitoringWorkspaceResourceId: '<monitoringWorkspaceResourceId>'
networkPlugin: 'azure'
networkPolicy: 'azure'
omsAgentEnabled: true
securityProfile: {
defender: {
logAnalyticsWorkspaceResourceId: '<logAnalyticsWorkspaceResourceId>'
securityMonitoring: {
enabled: true
}
}
}
serviceCidr: '10.10.200.0/24'
skuTier: 'Standard'
tags: {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
}
}
via JSON parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "cswaf001"
},
"primaryAgentPoolProfiles": {
"value": [
{
"availabilityZones": [
3
],
"count": 1,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 50,
"minCount": 3,
"mode": "System",
"name": "systempool",
"nodeTaints": [
"CriticalAddonsOnly=true:NoSchedule"
],
"osDiskSizeGB": 0,
"osType": "Linux",
"type": "VirtualMachineScaleSets",
"vmSize": "Standard_DS4_v2",
"vnetSubnetResourceId": "<vnetSubnetResourceId>"
}
]
},
// Non-required parameters
"aadProfile": {
"value": {
"enableAzureRBAC": true,
"managed": true
}
},
"agentPools": {
"value": [
{
"availabilityZones": [
3
],
"count": 2,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 50,
"minCount": 3,
"minPods": 2,
"mode": "User",
"name": "userpool1",
"nodeLabels": {},
"osDiskSizeGB": 60,
"osDiskType": "Ephemeral",
"osType": "Linux",
"scaleSetEvictionPolicy": "Delete",
"scaleSetPriority": "Regular",
"type": "VirtualMachineScaleSets",
"vmSize": "Standard_DS4_v2",
"vnetSubnetResourceId": "<vnetSubnetResourceId>"
},
{
"availabilityZones": [
3
],
"count": 2,
"enableAutoScaling": true,
"maxCount": 3,
"maxPods": 50,
"minCount": 3,
"minPods": 2,
"mode": "User",
"name": "userpool2",
"nodeLabels": {},
"osDiskSizeGB": 60,
"osDiskType": "Ephemeral",
"osType": "Linux",
"scaleSetEvictionPolicy": "Delete",
"scaleSetPriority": "Regular",
"type": "VirtualMachineScaleSets",
"vmSize": "Standard_DS4_v2"
}
]
},
"apiServerAccessProfile": {
"value": {
"enablePrivateCluster": true,
"privateDNSZone": "<privateDNSZone>"
}
},
"autoUpgradeProfile": {
"value": {
"nodeOSUpgradeChannel": "Unmanaged",
"upgradeChannel": "stable"
}
},
"diagnosticSettings": {
"value": [
{
"eventHubAuthorizationRuleResourceId": "<eventHubAuthorizationRuleResourceId>",
"eventHubName": "<eventHubName>",
"logCategoriesAndGroups": [
{
"category": "kube-apiserver"
},
{
"category": "kube-controller-manager"
},
{
"category": "kube-scheduler"
},
{
"category": "cluster-autoscaler"
}
],
"metricCategories": [
{
"category": "AllMetrics"
}
],
"name": "customSetting",
"storageAccountResourceId": "<storageAccountResourceId>",
"workspaceResourceId": "<workspaceResourceId>"
}
]
},
"disableLocalAccounts": {
"value": true
},
"dnsServiceIP": {
"value": "10.10.200.10"
},
"maintenanceConfigurations": {
"value": [
{
"maintenanceWindow": {
"durationHours": 4,
"schedule": {
"weekly": {
"dayOfWeek": "Sunday",
"intervalWeeks": 1
}
},
"startDate": "2024-07-15",
"startTime": "00:00",
"utcOffset": "+00:00"
},
"name": "aksManagedAutoUpgradeSchedule"
},
{
"maintenanceWindow": {
"durationHours": 4,
"schedule": {
"weekly": {
"dayOfWeek": "Sunday",
"intervalWeeks": 1
}
},
"startDate": "2024-07-15",
"startTime": "00:00",
"utcOffset": "+00:00"
},
"name": "aksManagedNodeOSUpgradeSchedule"
}
]
},
"managedIdentities": {
"value": {
"userAssignedResourceIds": [
"<managedIdentityResourceId>"
]
}
},
"monitoringWorkspaceResourceId": {
"value": "<monitoringWorkspaceResourceId>"
},
"networkPlugin": {
"value": "azure"
},
"networkPolicy": {
"value": "azure"
},
"omsAgentEnabled": {
"value": true
},
"securityProfile": {
"value": {
"defender": {
"logAnalyticsWorkspaceResourceId": "<logAnalyticsWorkspaceResourceId>",
"securityMonitoring": {
"enabled": true
}
}
}
},
"serviceCidr": {
"value": "10.10.200.0/24"
},
"skuTier": {
"value": "Standard"
},
"tags": {
"value": {
"Environment": "Non-Prod",
"hidden-title": "This is visible in the resource name",
"Role": "DeploymentValidation"
}
}
}
}
via Bicep parameters file
using './packages/aks-managed-clusters/main.bicep'
// Required parameters
param name = 'cswaf001'
param primaryAgentPoolProfiles = [
{
availabilityZones: [
3
]
count: 1
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 3
mode: 'System'
name: 'systempool'
nodeTaints: [
'CriticalAddonsOnly=true:NoSchedule'
]
osDiskSizeGB: 0
osType: 'Linux'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
]
// Non-required parameters
param aadProfile = {
enableAzureRBAC: true
managed: true
}
param agentPools = [
{
availabilityZones: [
3
]
count: 2
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 3
minPods: 2
mode: 'User'
name: 'userpool1'
nodeLabels: {}
osDiskSizeGB: 60
osDiskType: 'Ephemeral'
osType: 'Linux'
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
vnetSubnetResourceId: '<vnetSubnetResourceId>'
}
{
availabilityZones: [
3
]
count: 2
enableAutoScaling: true
maxCount: 3
maxPods: 50
minCount: 3
minPods: 2
mode: 'User'
name: 'userpool2'
nodeLabels: {}
osDiskSizeGB: 60
osDiskType: 'Ephemeral'
osType: 'Linux'
scaleSetEvictionPolicy: 'Delete'
scaleSetPriority: 'Regular'
type: 'VirtualMachineScaleSets'
vmSize: 'Standard_DS4_v2'
}
]
param apiServerAccessProfile = {
enablePrivateCluster: true
privateDNSZone: '<privateDNSZone>'
}
param autoUpgradeProfile = {
nodeOSUpgradeChannel: 'Unmanaged'
upgradeChannel: 'stable'
}
param diagnosticSettings = [
{
eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
eventHubName: '<eventHubName>'
logCategoriesAndGroups: [
{
category: 'kube-apiserver'
}
{
category: 'kube-controller-manager'
}
{
category: 'kube-scheduler'
}
{
category: 'cluster-autoscaler'
}
]
metricCategories: [
{
category: 'AllMetrics'
}
]
name: 'customSetting'
storageAccountResourceId: '<storageAccountResourceId>'
workspaceResourceId: '<workspaceResourceId>'
}
]
param disableLocalAccounts = true
param dnsServiceIP = '10.10.200.10'
param maintenanceConfigurations = [
{
maintenanceWindow: {
durationHours: 4
schedule: {
weekly: {
dayOfWeek: 'Sunday'
intervalWeeks: 1
}
}
startDate: '2024-07-15'
startTime: '00:00'
utcOffset: '+00:00'
}
name: 'aksManagedAutoUpgradeSchedule'
}
{
maintenanceWindow: {
durationHours: 4
schedule: {
weekly: {
dayOfWeek: 'Sunday'
intervalWeeks: 1
}
}
startDate: '2024-07-15'
startTime: '00:00'
utcOffset: '+00:00'
}
name: 'aksManagedNodeOSUpgradeSchedule'
}
]
param managedIdentities = {
userAssignedResourceIds: [
'<managedIdentityResourceId>'
]
}
param monitoringWorkspaceResourceId = '<monitoringWorkspaceResourceId>'
param networkPlugin = 'azure'
param networkPolicy = 'azure'
param omsAgentEnabled = true
param securityProfile = {
defender: {
logAnalyticsWorkspaceResourceId: '<logAnalyticsWorkspaceResourceId>'
securityMonitoring: {
enabled: true
}
}
}
param serviceCidr = '10.10.200.0/24'
param skuTier = 'Standard'
param tags = {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
Parameters
Required parameters
| Parameter | Type | Description |
|---|---|---|
| name | string | Specifies the name of the AKS cluster. |
| primaryAgentPoolProfiles | array | Properties of the primary agent pool. |
Conditional parameters
| Parameter | Type | Description |
|---|---|---|
| aksServicePrincipalProfile | object | Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster. |
| appGatewayResourceId | string | Specifies the resource ID of the connected application gateway. Required if ingressApplicationGatewayEnabled is set to true. |
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| aadProfile | object | Enable Azure Active Directory integration. |
| aciConnectorLinuxEnabled | bool | Specifies whether the aciConnectorLinux add-on is enabled or not. |
| advancedNetworking | object | Advanced Networking profile for enabling the observability and security feature suite on a cluster. For more information see https://aka.ms/aksadvancednetworking. |
| agentPools | array | Define one or more secondary/additional agent pools. |
| aiToolchainOperatorProfile | object | AI toolchain operator settings that apply to the whole cluster. |
| allocatedOutboundPorts | int | The desired number of allocated SNAT ports per VM. Default is 0, which results in Azure dynamically allocating ports. |
| apiServerAccessProfile | object | The access profile for the managed cluster API server. |
| autoScalerProfile | object | Parameters to be applied to the cluster-autoscaler when enabled. |
| autoUpgradeProfile | object | The auto upgrade configuration. |
| azureMonitorProfile | object | Azure Monitor addon profiles for monitoring the managed cluster. |
| azurePolicyEnabled | bool | Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled. |
| azurePolicyVersion | string | Specifies the Azure Policy version to use. |
| backendPoolType | string | The type of the managed inbound Load Balancer BackendPool. |
| bootstrapProfile | object | Profile of the cluster bootstrap configuration. |
| costAnalysisEnabled | bool | Specifies whether the cost analysis add-on is enabled or not. If enabled, enableStorageProfileDiskCSIDriver is set to true, as the add-on requires it. |
| defaultIngressControllerType | string | Ingress type for the default NginxIngressController custom resource. It will be ignored if webApplicationRoutingEnabled is set to false. |
| diagnosticSettings | array | The diagnostic settings of the service. |
| disableLocalAccounts | bool | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. |
| diskEncryptionSetResourceId | string | The Resource ID of the disk encryption set to use for enabling encryption at rest. For security reasons, this value should be provided. |
| dnsPrefix | string | Specifies the DNS prefix to use when creating the managed cluster. |
| dnsServiceIP | string | Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. |
| dnsZoneResourceId | string | Specifies the resource ID of the connected DNS zone. It will be ignored if webApplicationRoutingEnabled is set to false. |
| enableDnsZoneContributorRoleAssignment | bool | Specifies whether to assign the DNS Zone Contributor role to the cluster service principal. It will be ignored if webApplicationRoutingEnabled is set to false or dnsZoneResourceId is not provided. |
| enableKeyvaultSecretsProvider | bool | Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. |
| enableOidcIssuerProfile | bool | Whether the OIDC issuer profile of the Managed Cluster is enabled. |
| enableRBAC | bool | Whether to enable Kubernetes Role-Based Access Control. |
| enableSecretRotation | bool | Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation. |
| enableStorageProfileBlobCSIDriver | bool | Whether the AzureBlob CSI Driver for the storage profile is enabled. |
| enableStorageProfileDiskCSIDriver | bool | Whether the AzureDisk CSI Driver for the storage profile is enabled. |
| enableStorageProfileFileCSIDriver | bool | Whether the AzureFile CSI Driver for the storage profile is enabled. |
| enableStorageProfileSnapshotController | bool | Whether the snapshot controller for the storage profile is enabled. |
| enableTelemetry | bool | Enable/Disable usage telemetry for the module. |
| fluxExtension | object | Settings and configurations for the flux extension. |
| fqdnSubdomain | string | The FQDN subdomain of the private cluster with a custom private DNS zone. This cannot be updated once the Managed Cluster has been created. |
| httpApplicationRoutingEnabled | bool | Specifies whether the httpApplicationRouting add-on is enabled or not. |
| httpProxyConfig | object | Configurations for provisioning the cluster with HTTP proxy servers. |
| identityProfile | object | Identities associated with the cluster. |
| idleTimeoutInMinutes | int | Desired outbound flow idle timeout in minutes. |
| ingressApplicationGatewayEnabled | bool | Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. |
| ipFamilies | array | The IP families used for the cluster. |
| kubeDashboardEnabled | bool | Specifies whether the kubeDashboard add-on is enabled or not. |
| kubernetesVersion | string | Version of Kubernetes specified when creating the managed cluster. |
| linuxProfile | object | The profile for Linux VMs in the Managed Cluster. |
| loadBalancerSku | string | Specifies the SKU of the load balancer used by the virtual machine scale sets that back the node pools. |
| location | string | Specifies the location of the AKS cluster. Defaults to the resource group's location. |
| lock | object | The lock settings of the service. |
| maintenanceConfigurations | array | Maintenance configurations for the managed cluster. |
| managedIdentities | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. |
| managedOutboundIPCount | int | Outbound IP count for the load balancer. |
| monitoringWorkspaceResourceId | string | Resource ID of the monitoring Log Analytics workspace. |
| natGatewayProfile | object | NAT Gateway profile for the cluster. |
| networkDataplane | string | Network dataplane used in the Kubernetes cluster. Not compatible with the kubenet network plugin. |
| networkMode | string | Network mode used for building the Kubernetes network. |
| networkPlugin | string | Specifies the network plugin used for building the Kubernetes network. |
| networkPluginMode | string | Network plugin mode used for building the Kubernetes network. Not compatible with the kubenet network plugin. |
| networkPolicy | string | Specifies the network policy used for building the Kubernetes network: calico or azure. |
| nodeProvisioningProfile | object | Node provisioning settings that apply to the whole cluster. |
| nodeResourceGroup | string | Name of the resource group containing agent pool nodes. |
| nodeResourceGroupProfile | object | The node resource group configuration profile. |
| omsAgentEnabled | bool | Specifies whether the OMS agent is enabled. |
| omsAgentUseAADAuth | bool | Specifies whether the OMS agent uses managed identity authentication. |
| openServiceMeshEnabled | bool | Specifies whether the openServiceMesh add-on is enabled or not. |
| outboundPublicIPPrefixResourceIds | array | A list of the resource IDs of the public IP prefixes to use for the load balancer outbound rules. |
| outboundPublicIPResourceIds | array | A list of the resource IDs of the public IP addresses to use for the load balancer outbound rules. |
| outboundType | string | Specifies the outbound (egress) routing method. |
| podCidr | string | Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used. |
| podCidrs | array | The CIDR notation IP ranges from which to assign pod IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. |
| podIdentityProfile | object | The pod identity profile of the Managed Cluster. See "use AAD pod identity" for more details on AAD pod identity integration. |
| publicNetworkAccess | string | Allow or deny public network access for AKS. |
| roleAssignments | array | Array of role assignments to create. |
| securityProfile | object | Security profile for the managed cluster. |
| serviceCidr | string | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any subnet IP ranges. |
| serviceCidrs | array | The CIDR notation IP ranges from which to assign service cluster IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. They must not overlap with any subnet IP ranges. |
| serviceMeshProfile | object | Service mesh profile for a managed cluster. |
| skuName | string | Name of a managed cluster SKU. |
| skuTier | string | Tier of a managed cluster SKU. |
| staticEgressGatewayProfile | object | Static egress gateway profile for the cluster. |
| supportPlan | string | The support plan for the Managed Cluster. |
| tags | object | Tags of the resource. |
| upgradeSettings | object | Settings for upgrading the cluster with override options. |
| webApplicationRoutingEnabled | bool | Specifies whether the web application routing add-on is enabled or not. |
| windowsProfile | object | The profile for Windows VMs in the Managed Cluster. |
| workloadAutoScalerProfile | object | Workload Auto-scaler profile for the managed cluster. |
Parameter: name
Specifies the name of the AKS cluster.
- Required: Yes
- Type: string
Parameter: primaryAgentPoolProfiles
Properties of the primary agent pool.
- Required: Yes
- Type: array
Required parameters
| Parameter | Type | Description |
|---|---|---|
| name | string | The name of the agent pool. |
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| availabilityZones | array | The availability zones of the agent pool. |
| capacityReservationGroupResourceId | string | AKS will associate the specified agent pool with the Capacity Reservation Group. |
| count | int | The number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive). |
| enableAutoScaling | bool | Whether to enable auto-scaling for the agent pool. |
| enableDefaultTelemetry | bool | Whether default telemetry is enabled for the agent pool. |
| enableEncryptionAtHost | bool | Whether to enable encryption at host for the agent pool. |
| enableFIPS | bool | Whether to enable FIPS for the agent pool. |
| enableNodePublicIP | bool | Whether to enable node public IP for the agent pool. |
| enableUltraSSD | bool | Whether to enable Ultra SSD for the agent pool. |
| gatewayProfile | object | Represents the Gateway node pool configuration. |
| gpuInstanceProfile | string | The GPU instance profile of the agent pool. |
| gpuProfile | object | GPU settings. |
| hostGroupResourceId | string | Host group resource ID. |
| kubeletConfig | object | Kubelet configuration on agent pool nodes. |
| kubeletDiskType | string | The kubelet disk type of the agent pool. |
| linuxOSConfig | object | The Linux OS configuration of the agent pool. |
| localDNSProfile | object | Local DNS configuration. |
| maxCount | int | The maximum number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive). |
| maxPods | int | The maximum number of pods that can run on a node. |
| messageOfTheDay | string | A message of the day will be a multi-line message that is prepended to the command prompt and the SSH login message. |
| minCount | int | The minimum number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive). |
| minPods | int | The minimum number of pods that can run on a node. |
| mode | string | The mode of the agent pool. |
| networkProfile | object | Network profile to be used for agent pool nodes. |
| nodeLabels | object | The node labels of the agent pool. |
| nodePublicIpPrefixResourceId | string | The node public IP prefix ID of the agent pool. |
| nodeTaints | array | The node taints of the agent pool. |
| orchestratorVersion | string | The Kubernetes version of the agent pool. |
| osDiskSizeGB | int | The OS disk size in GB of the agent pool. |
| osDiskType | string | The OS disk type of the agent pool. |
| osSKU | string | The OS SKU of the agent pool. |
| osType | string | The OS type of the agent pool. |
| podIPAllocationMode | string | Pod IP allocation mode. |
| podSubnetResourceId | string | The pod subnet ID of the agent pool. |
| powerState | object | Power State of the agent pool. |
| proximityPlacementGroupResourceId | string | The proximity placement group resource ID of the agent pool. |
| scaleDownMode | string | The scale down mode of the agent pool. |
| scaleSetEvictionPolicy | string | The scale set eviction policy of the agent pool. |
| scaleSetPriority | string | The scale set priority of the agent pool. |
| securityProfile | object | The security settings of an agent pool. |
| sourceResourceId | string | The source resource ID to create the agent pool from. |
| spotMaxPrice | int | The spot max price of the agent pool. |
| tags | object | The tags of the agent pool. |
| type | string | The type of the agent pool. |
| upgradeSettings | object | Upgrade settings. |
| virtualMachinesProfile | object | Virtual Machines resource status. |
| vmSize | string | The VM size of the agent pool. |
| vnetSubnetResourceId | string | The VNet subnet ID of the agent pool. |
| windowsProfile | object | The Windows profile of the agent pool. |
| workloadRuntime | string | The workload runtime of the agent pool. |
Parameter: primaryAgentPoolProfiles.name
The name of the agent pool.
- Required: Yes
- Type: string
Parameter: primaryAgentPoolProfiles.availabilityZones
The availability zones of the agent pool.
- Required: No
- Type: array
Parameter: primaryAgentPoolProfiles.capacityReservationGroupResourceId
AKS will associate the specified agent pool with the Capacity Reservation Group.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.count
The number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive).
- Required: No
- Type: int
Parameter: primaryAgentPoolProfiles.enableAutoScaling
Whether to enable auto-scaling for the agent pool.
- Required: No
- Type: bool
Parameter: primaryAgentPoolProfiles.enableDefaultTelemetry
Whether default telemetry is enabled for the agent pool.
- Required: No
- Type: bool
Parameter: primaryAgentPoolProfiles.enableEncryptionAtHost
Whether to enable encryption at host for the agent pool.
- Required: No
- Type: bool
Parameter: primaryAgentPoolProfiles.enableFIPS
Whether to enable FIPS for the agent pool.
- Required: No
- Type: bool
Parameter: primaryAgentPoolProfiles.enableNodePublicIP
Whether to enable node public IP for the agent pool.
- Required: No
- Type: bool
Parameter: primaryAgentPoolProfiles.enableUltraSSD
Whether to enable Ultra SSD for the agent pool.
- Required: No
- Type: bool
Parameter: primaryAgentPoolProfiles.gatewayProfile
Represents the Gateway node pool configuration.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.gpuInstanceProfile
The GPU instance profile of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.gpuProfile
GPU settings.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.hostGroupResourceId
Host group resource ID.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.kubeletConfig
Kubelet configuration on agent pool nodes.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.kubeletDiskType
The kubelet disk type of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.linuxOSConfig
The Linux OS configuration of the agent pool.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.localDNSProfile
Local DNS configuration.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.maxCount
The maximum number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive).
- Required: No
- Type: int
Parameter: primaryAgentPoolProfiles.maxPods
The maximum number of pods that can run on a node.
- Required: No
- Type: int
Parameter: primaryAgentPoolProfiles.messageOfTheDay
A message of the day will be a multi-line message that is prepended to the command prompt and the SSH login message.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.minCount
The minimum number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive).
- Required: No
- Type: int
Parameter: primaryAgentPoolProfiles.minPods
The minimum number of pods that can run on a node.
- Required: No
- Type: int
Parameter: primaryAgentPoolProfiles.mode
The mode of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.networkProfile
Network profile to be used for agent pool nodes.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.nodeLabels
The node labels of the agent pool.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.nodePublicIpPrefixResourceId
The node public IP prefix ID of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.nodeTaints
The node taints of the agent pool.
- Required: No
- Type: array
Parameter: primaryAgentPoolProfiles.orchestratorVersion
The Kubernetes version of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.osDiskSizeGB
The OS disk size in GB of the agent pool.
- Required: No
- Type: int
Parameter: primaryAgentPoolProfiles.osDiskType
The OS disk type of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.osSKU
The OS SKU of the agent pool.
- Required: No
- Type: string
- Allowed:
[ 'AzureLinux' 'AzureLinux3' 'CBLMariner' 'Ubuntu' 'Ubuntu2204' 'Ubuntu2404' 'Windows2019' 'Windows2022' 'Windows2025' ]
Parameter: primaryAgentPoolProfiles.osType
The OS type of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.podIPAllocationMode
Pod IP allocation mode.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.podSubnetResourceId
The pod subnet ID of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.powerState
Power State of the agent pool.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.proximityPlacementGroupResourceId
The proximity placement group resource ID of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.scaleDownMode
The scale down mode of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.scaleSetEvictionPolicy
The scale set eviction policy of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.scaleSetPriority
The scale set priority of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.securityProfile
The security settings of an agent pool.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.sourceResourceId
The source resource ID to create the agent pool from.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.spotMaxPrice
The spot max price of the agent pool.
- Required: No
- Type: int
Parameter: primaryAgentPoolProfiles.tags
The tags of the agent pool.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.type
The type of the agent pool.
- Required: No
- Type: string
- Allowed:
[ 'AvailabilitySet' 'VirtualMachineScaleSets' ]
Parameter: primaryAgentPoolProfiles.upgradeSettings
Upgrade settings.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.virtualMachinesProfile
Virtual Machines resource status.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.vmSize
The VM size of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.vnetSubnetResourceId
The VNet subnet ID of the agent pool.
- Required: No
- Type: string
Parameter: primaryAgentPoolProfiles.windowsProfile
The Windows profile of the agent pool.
- Required: No
- Type: object
Parameter: primaryAgentPoolProfiles.workloadRuntime
The workload runtime of the agent pool.
- Required: No
- Type: string
Parameter: aksServicePrincipalProfile
Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster.
- Required: No
- Type: object
Parameter: appGatewayResourceId
Specifies the resource ID of connected application gateway. Required if ingressApplicationGatewayEnabled is set to true.
- Required: No
- Type: string
Parameter: aadProfile
Enable Azure Active Directory integration.
- Required: No
- Type: object
Parameter: aciConnectorLinuxEnabled
Specifies whether the aciConnectorLinux add-on is enabled or not.
- Required: No
- Type: bool
- Default:
False
Parameter: advancedNetworking
Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see https://aka.ms/aksadvancednetworking.
- Required: No
- Type: object
Parameter: agentPools
Define one or more secondary/additional agent pools.
- Required: No
- Type: array
Required parameters
| Parameter | Type | Description |
|---|---|---|
| name | string | The name of the agent pool. |
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| availabilityZones | array | The availability zones of the agent pool. |
| capacityReservationGroupResourceId | string | AKS will associate the specified agent pool with the Capacity Reservation Group. |
| count | int | The number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive). |
| enableAutoScaling | bool | Whether to enable auto-scaling for the agent pool. |
| enableDefaultTelemetry | bool | Whether default telemetry is enabled for the agent pool. |
| enableEncryptionAtHost | bool | Whether to enable encryption at host for the agent pool. |
| enableFIPS | bool | Whether to enable FIPS for the agent pool. |
| enableNodePublicIP | bool | Whether to enable node public IP for the agent pool. |
| enableUltraSSD | bool | Whether to enable Ultra SSD for the agent pool. |
| gatewayProfile | object | Represents the Gateway node pool configuration. |
| gpuInstanceProfile | string | The GPU instance profile of the agent pool. |
| gpuProfile | object | GPU settings. |
| hostGroupResourceId | string | Host group resource ID. |
| kubeletConfig | object | Kubelet configuration on agent pool nodes. |
| kubeletDiskType | string | The kubelet disk type of the agent pool. |
| linuxOSConfig | object | The Linux OS configuration of the agent pool. |
| localDNSProfile | object | Local DNS configuration. |
| maxCount | int | The maximum number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive). |
| maxPods | int | The maximum number of pods that can run on a node. |
| messageOfTheDay | string | A message of the day will be a multi-line message that is prepended to the command prompt and the SSH login message. |
| minCount | int | The minimum number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive). |
| minPods | int | The minimum number of pods that can run on a node. |
| mode | string | The mode of the agent pool. |
| networkProfile | object | Network profile to be used for agent pool nodes. |
| nodeLabels | object | The node labels of the agent pool. |
| nodePublicIpPrefixResourceId | string | The node public IP prefix ID of the agent pool. |
| nodeTaints | array | The node taints of the agent pool. |
| orchestratorVersion | string | The Kubernetes version of the agent pool. |
| osDiskSizeGB | int | The OS disk size in GB of the agent pool. |
| osDiskType | string | The OS disk type of the agent pool. |
| osSKU | string | The OS SKU of the agent pool. |
| osType | string | The OS type of the agent pool. |
| podIPAllocationMode | string | Pod IP allocation mode. |
| podSubnetResourceId | string | The pod subnet ID of the agent pool. |
| powerState | object | Power State of the agent pool. |
| proximityPlacementGroupResourceId | string | The proximity placement group resource ID of the agent pool. |
| scaleDownMode | string | The scale down mode of the agent pool. |
| scaleSetEvictionPolicy | string | The scale set eviction policy of the agent pool. |
| scaleSetPriority | string | The scale set priority of the agent pool. |
| securityProfile | object | The security settings of an agent pool. |
| sourceResourceId | string | The source resource ID to create the agent pool from. |
| spotMaxPrice | int | The spot max price of the agent pool. |
| tags | object | The tags of the agent pool. |
| type | string | The type of the agent pool. |
| upgradeSettings | object | Upgrade settings. |
| virtualMachinesProfile | object | Virtual Machines resource status. |
| vmSize | string | The VM size of the agent pool. |
| vnetSubnetResourceId | string | The VNet subnet ID of the agent pool. |
| windowsProfile | object | The Windows profile of the agent pool. |
| workloadRuntime | string | The workload runtime of the agent pool. |
Parameter: agentPools.name
The name of the agent pool.
- Required: Yes
- Type: string
Parameter: agentPools.availabilityZones
The availability zones of the agent pool.
- Required: No
- Type: array
Parameter: agentPools.capacityReservationGroupResourceId
AKS will associate the specified agent pool with the Capacity Reservation Group.
- Required: No
- Type: string
Parameter: agentPools.count
The number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive).
- Required: No
- Type: int
Parameter: agentPools.enableAutoScaling
Whether to enable auto-scaling for the agent pool.
- Required: No
- Type: bool
Parameter: agentPools.enableDefaultTelemetry
Whether default telemetry is enabled for the agent pool.
- Required: No
- Type: bool
Parameter: agentPools.enableEncryptionAtHost
Whether to enable encryption at host for the agent pool.
- Required: No
- Type: bool
Parameter: agentPools.enableFIPS
Whether to enable FIPS for the agent pool.
- Required: No
- Type: bool
Parameter: agentPools.enableNodePublicIP
Whether to enable node public IP for the agent pool.
- Required: No
- Type: bool
Parameter: agentPools.enableUltraSSD
Whether to enable Ultra SSD for the agent pool.
- Required: No
- Type: bool
Parameter: agentPools.gatewayProfile
Represents the Gateway node pool configuration.
- Required: No
- Type: object
Parameter: agentPools.gpuInstanceProfile
The GPU instance profile of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.gpuProfile
GPU settings.
- Required: No
- Type: object
Parameter: agentPools.hostGroupResourceId
Host group resource ID.
- Required: No
- Type: string
Parameter: agentPools.kubeletConfig
Kubelet configuration on agent pool nodes.
- Required: No
- Type: object
Parameter: agentPools.kubeletDiskType
The kubelet disk type of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.linuxOSConfig
The Linux OS configuration of the agent pool.
- Required: No
- Type: object
Parameter: agentPools.localDNSProfile
Local DNS configuration.
- Required: No
- Type: object
Parameter: agentPools.maxCount
The maximum number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive).
- Required: No
- Type: int
Parameter: agentPools.maxPods
The maximum number of pods that can run on a node.
- Required: No
- Type: int
Parameter: agentPools.messageOfTheDay
A message of the day will be a multi-line message that is prepended to the command prompt and the SSH login message.
- Required: No
- Type: string
Parameter: agentPools.minCount
The minimum number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive).
- Required: No
- Type: int
Parameter: agentPools.minPods
The minimum number of pods that can run on a node.
- Required: No
- Type: int
Parameter: agentPools.mode
The mode of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.networkProfile
Network profile to be used for agent pool nodes.
- Required: No
- Type: object
Parameter: agentPools.nodeLabels
The node labels of the agent pool.
- Required: No
- Type: object
Parameter: agentPools.nodePublicIpPrefixResourceId
The node public IP prefix ID of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.nodeTaints
The node taints of the agent pool.
- Required: No
- Type: array
Parameter: agentPools.orchestratorVersion
The Kubernetes version of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.osDiskSizeGB
The OS disk size in GB of the agent pool.
- Required: No
- Type: int
Parameter: agentPools.osDiskType
The OS disk type of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.osSKU
The OS SKU of the agent pool.
- Required: No
- Type: string
- Allowed:
[ 'AzureLinux' 'AzureLinux3' 'CBLMariner' 'Ubuntu' 'Ubuntu2204' 'Ubuntu2404' 'Windows2019' 'Windows2022' 'Windows2025' ]
Parameter: agentPools.osType
The OS type of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.podIPAllocationMode
Pod IP allocation mode.
- Required: No
- Type: string
Parameter: agentPools.podSubnetResourceId
The pod subnet ID of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.powerState
Power State of the agent pool.
- Required: No
- Type: object
Parameter: agentPools.proximityPlacementGroupResourceId
The proximity placement group resource ID of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.scaleDownMode
The scale down mode of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.scaleSetEvictionPolicy
The scale set eviction policy of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.scaleSetPriority
The scale set priority of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.securityProfile
The security settings of an agent pool.
- Required: No
- Type: object
Parameter: agentPools.sourceResourceId
The source resource ID to create the agent pool from.
- Required: No
- Type: string
Parameter: agentPools.spotMaxPrice
The spot max price of the agent pool.
- Required: No
- Type: int
Parameter: agentPools.tags
The tags of the agent pool.
- Required: No
- Type: object
Parameter: agentPools.type
The type of the agent pool.
- Required: No
- Type: string
- Allowed:
[ 'AvailabilitySet' 'VirtualMachineScaleSets' ]
Parameter: agentPools.upgradeSettings
Upgrade settings.
- Required: No
- Type: object
Parameter: agentPools.virtualMachinesProfile
Virtual Machines resource status.
- Required: No
- Type: object
Parameter: agentPools.vmSize
The VM size of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.vnetSubnetResourceId
The VNet subnet ID of the agent pool.
- Required: No
- Type: string
Parameter: agentPools.windowsProfile
The Windows profile of the agent pool.
- Required: No
- Type: object
Parameter: agentPools.workloadRuntime
The workload runtime of the agent pool.
- Required: No
- Type: string
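The agent pool parameters above (primaryAgentPoolProfiles and agentPools share the same shape) are where most node-level hardening lives: host encryption, FIPS images, no node public IPs, zone spread, and keeping workloads off the system pool. The following is an added example written for this page, not a test case from the module itself. It assumes two existing subnets passed in as parameters, assumes availabilityZones takes integers and upgradeSettings accepts a maxSurge string (both pass-through shapes of the AKS agent pool API), and uses placeholder names and VM sizes. enableEncryptionAtHost additionally requires the Microsoft.Compute EncryptionAtHost feature to be registered on the subscription and a VM size that supports it, otherwise the deployment is rejected.

```bicep
// Added example for this documentation page; not part of the module's own tests.
// Assumed inputs: resource IDs of two existing delegated subnets (placeholders).
param systemSubnetResourceId string
param userSubnetResourceId string

module managedCluster './packages/aks-managed-clusters/main.bicep' = {
  name: 'aks-hardened-pools'
  params: {
    name: 'aks-prod-001'
    primaryAgentPoolProfiles: [
      {
        name: 'systempool'
        mode: 'System'                      // hosts CoreDNS, metrics-server and other add-ons
        type: 'VirtualMachineScaleSets'
        vmSize: 'Standard_D4s_v5'           // assumed size; must support encryption at host
        osType: 'Linux'
        osSKU: 'AzureLinux'                 // minimal, Microsoft-maintained image
        count: 3                            // must lie within minCount..maxCount when autoscaling
        enableAutoScaling: true
        minCount: 3
        maxCount: 6
        availabilityZones: [                // assumed int form of the zone list
          1
          2
          3
        ]
        enableEncryptionAtHost: true        // OS/temp/cache disks encrypted on the host
        enableFIPS: true                    // FIPS 140 validated crypto modules in the node OS
        enableNodePublicIP: false           // nodes are never directly reachable from the internet
        vnetSubnetResourceId: systemSubnetResourceId
        maxPods: 50
        nodeTaints: [
          'CriticalAddonsOnly=true:NoSchedule' // keep application workloads off the system pool
        ]
        upgradeSettings: {
          maxSurge: '33%'                   // assumed pass-through of the agent pool upgrade settings
        }
      }
    ]
    agentPools: [
      {
        name: 'userpool'
        mode: 'User'
        type: 'VirtualMachineScaleSets'
        vmSize: 'Standard_D8s_v5'
        osType: 'Linux'
        osSKU: 'AzureLinux'
        count: 2
        enableAutoScaling: true
        minCount: 2
        maxCount: 10
        availabilityZones: [
          1
          2
          3
        ]
        enableEncryptionAtHost: true
        enableFIPS: true
        enableNodePublicIP: false
        scaleSetPriority: 'Regular'         // no spot eviction for the pool that runs production workloads
        vnetSubnetResourceId: userSubnetResourceId
        maxPods: 50
        nodeLabels: {
          'workload-tier': 'general'
        }
        upgradeSettings: {
          maxSurge: '33%'
        }
      }
    ]
  }
}
```

Both pools are Linux; a Windows pool would set osType to 'Windows' with one of the Windows osSKU values listed above, and FIPS is a Linux-only option. Separate subnets per pool let you apply different NSG rules to the system pool and the user pool rather than one flat rule set.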
Parameter: aiToolchainOperatorProfile
AI toolchain operator settings that apply to the whole cluster.
- Required: No
- Type: object
Parameter: allocatedOutboundPorts
The desired number of allocated SNAT ports per VM. Default is 0, which results in Azure dynamically allocating ports.
- Required: No
- Type: int
- Default:
0
Parameter: apiServerAccessProfile
The access profile for managed cluster API server.
- Required: No
- Type: object
Parameter: autoScalerProfile
Parameters to be applied to the cluster-autoscaler when enabled.
- Required: No
- Type: object
Parameter: autoUpgradeProfile
The auto upgrade configuration.
- Required: No
- Type: object
- Default:
{ upgradeChannel: 'stable' }
Parameter: azureMonitorProfile
Azure Monitor addon profiles for monitoring the managed cluster.
- Required: No
- Type: object
Parameter: azurePolicyEnabled
Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled.
- Required: No
- Type: bool
- Default:
True
Parameter: azurePolicyVersion
Specifies the azure policy version to use.
- Required: No
- Type: string
- Default:
'v2'
Parameter: backendPoolType
The type of the managed inbound Load Balancer BackendPool.
- Required: No
- Type: string
- Default:
'NodeIPConfiguration'
Parameter: bootstrapProfile
Profile of the cluster bootstrap configuration.
- Required: No
- Type: object
Parameter: costAnalysisEnabled
Specifies whether the cost analysis add-on is enabled or not. If enabled, enableStorageProfileDiskCSIDriver is also set to true, because the add-on requires the AzureDisk CSI driver.
- Required: No
- Type: bool
- Default:
False
Parameter: defaultIngressControllerType
Ingress type for the default NginxIngressController custom resource. It will be ignored if webApplicationRoutingEnabled is set to false.
- Required: No
- Type: string
Parameter: diagnosticSettings
The diagnostic settings of the service.
- Required: No
- Type: array
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| eventHubAuthorizationRuleResourceId | string | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
| eventHubName | string | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
| logAnalyticsDestinationType | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. the shared AzureDiagnostics table, or the dedicated (resource-specific) destination type. |
| logCategoriesAndGroups | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to [] to disable log collection. |
| marketplacePartnerResourceId | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
| metricCategories | array | The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection. |
| name | string | The name of the diagnostic setting. |
| storageAccountResourceId | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
| workspaceResourceId | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
Parameter: diagnosticSettings.eventHubAuthorizationRuleResourceId
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
- Required: No
- Type: string
Parameter: diagnosticSettings.eventHubName
Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
- Required: No
- Type: string
Parameter: diagnosticSettings.logAnalyticsDestinationType
A string indicating whether the export to Log Analytics should use the default destination type, i.e. the shared AzureDiagnostics table, or the dedicated (resource-specific) destination type.
- Required: No
- Type: string
- Allowed:
[ 'AzureDiagnostics' 'Dedicated' ]
Parameter: diagnosticSettings.logCategoriesAndGroups
The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to [] to disable log collection.
- Required: No
- Type: array
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| category | string | Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here. |
| categoryGroup | string | Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to allLogs to collect all logs. |
| enabled | bool | Enable or disable the category explicitly. Default is true. |
Parameter: diagnosticSettings.logCategoriesAndGroups.category
Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.
- Required: No
- Type: string
Parameter: diagnosticSettings.logCategoriesAndGroups.categoryGroup
Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to allLogs to collect all logs.
- Required: No
- Type: string
Parameter: diagnosticSettings.logCategoriesAndGroups.enabled
Enable or disable the category explicitly. Default is true.
- Required: No
- Type: bool
Parameter: diagnosticSettings.marketplacePartnerResourceId
The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- Required: No
- Type: string
Parameter: diagnosticSettings.metricCategories
The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to [] to disable metric collection.
- Required: No
- Type: array
Required parameters
| Parameter | Type | Description |
|---|---|---|
| category | string | Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to AllMetrics to collect all metrics. |
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| enabled | bool | Enable or disable the category explicitly. Default is true. |
Parameter: diagnosticSettings.metricCategories.category
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to AllMetrics to collect all metrics.
- Required: Yes
- Type: string
Parameter: diagnosticSettings.metricCategories.enabled
Enable or disable the category explicitly. Default is true.
- Required: No
- Type: bool
Parameter: diagnosticSettings.name
The name of the diagnostic setting.
- Required: No
- Type: string
Parameter: diagnosticSettings.storageAccountResourceId
Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
- Required: No
- Type: string
Parameter: diagnosticSettings.workspaceResourceId
Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.
- Required: No
- Type: string
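For incident response the control-plane audit categories are the ones that matter, and the choice between kube-audit and kube-audit-admin decides both volume and coverage: kube-audit records every API request including get/list, kube-audit-admin records only mutating requests. The following is an added example for this page, not one of the module's test cases. It assumes an existing Log Analytics workspace passed in as a parameter and uses the AKS diagnostic category names as published by the service (kube-audit-admin, guard, kube-apiserver, kube-controller-manager, cloud-controller-manager); the minimal system pool is a placeholder.

```bicep
// Added example for this documentation page; not part of the module's own tests.
// Assumed input: resource ID of an existing Log Analytics workspace (placeholder).
param logAnalyticsWorkspaceResourceId string

module managedCluster './packages/aks-managed-clusters/main.bicep' = {
  name: 'aks-audit-logging'
  params: {
    name: 'aks-prod-001'
    primaryAgentPoolProfiles: [
      {
        name: 'systempool'
        mode: 'System'
        count: 3
        vmSize: 'Standard_D4s_v5'
      }
    ]
    diagnosticSettings: [
      {
        name: 'aks-control-plane-to-law'
        workspaceResourceId: logAnalyticsWorkspaceResourceId
        // 'Dedicated' lands the data in resource-specific tables (AKSAudit, AKSAuditAdmin,
        // AKSControlPlane) instead of the shared AzureDiagnostics table; cheaper to query
        // and the table schema is fixed per category.
        logAnalyticsDestinationType: 'Dedicated'
        logCategoriesAndGroups: [
          { category: 'kube-audit-admin' }        // create/update/patch/delete against the API server
          { category: 'guard' }                   // Entra ID authentication and Azure RBAC decisions
          { category: 'kube-apiserver' }
          { category: 'kube-controller-manager' }
          { category: 'cloud-controller-manager' } // load balancer / public IP changes made on the cluster's behalf
        ]
        metricCategories: [
          { category: 'AllMetrics' }
        ]
      }
    ]
  }
}
```

Switch kube-audit-admin for kube-audit (or add both) when an investigation needs to know who read a Secret, not only who changed it; expect an order of magnitude more data. Sending the same categories to a second setting with storageAccountResourceId gives an immutable copy that survives workspace retention limits, which is the usual answer to the "retain audit logs for N years" control.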
Parameter: disableLocalAccounts
If set to true, static (local) cluster credentials can no longer be retrieved for this cluster, so only Microsoft Entra ID authenticated access remains. This must only be used on Managed Clusters that are AAD enabled.
- Required: No
- Type: bool
- Default:
True
Parameter: diskEncryptionSetResourceId
The Resource ID of the disk encryption set to use for enabling encryption at rest. For security reasons, this value should be provided.
- Required: No
- Type: string
Parameter: dnsPrefix
Specifies the DNS prefix specified when creating the managed cluster.
- Required: No
- Type: string
- Default:
[parameters('name')]
Parameter: dnsServiceIP
Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr.
- Required: No
- Type: string
Parameter: dnsZoneResourceId
Specifies the resource ID of connected DNS zone. It will be ignored if webApplicationRoutingEnabled is set to false.
- Required: No
- Type: string
Parameter: enableDnsZoneContributorRoleAssignment
Specifies whether to assign the DNS Zone Contributor role to the cluster identity. It will be ignored if webApplicationRoutingEnabled is set to false or dnsZoneResourceId is not provided.
- Required: No
- Type: bool
- Default:
True
Parameter: enableKeyvaultSecretsProvider
Specifies whether the KeyvaultSecretsProvider add-on is enabled or not.
- Required: No
- Type: bool
- Default:
False
Parameter: enableOidcIssuerProfile
Whether the OIDC issuer profile of the Managed Cluster is enabled.
- Required: No
- Type: bool
- Default:
False
Parameter: enableRBAC
Whether to enable Kubernetes Role-Based Access Control.
- Required: No
- Type: bool
- Default:
True
Parameter: enableSecretRotation
Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation.
- Required: No
- Type: bool
- Default:
False
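The identity parameters in this range work as a set: aadProfile supplies Entra ID integration, enableRBAC turns on Kubernetes RBAC, disableLocalAccounts (default true) removes the static clusterAdmin/clusterUser credentials, and enableOidcIssuerProfile publishes the OIDC discovery document that workload identity federation needs. The following is an added example for this page, not a module test case. It assumes the aadProfile and securityProfile objects pass through with the AKS API shape (managed, enableAzureRBAC, adminGroupObjectIDs; securityProfile.workloadIdentity.enabled), and takes an Entra ID group object ID and a disk encryption set resource ID as placeholder parameters. One caveat worth checking before deploying: the AKS service rejects disableLocalAccounts true on a cluster without Entra ID integration, so with the module default you either supply aadProfile, as here, or explicitly set disableLocalAccounts to false.

```bicep
// Added example for this documentation page; not part of the module's own tests.
// Assumed inputs (placeholders): an Entra ID group that will hold cluster admins,
// and an existing disk encryption set backed by a customer-managed key.
param clusterAdminGroupObjectId string
param diskEncryptionSetResourceId string

module managedCluster './packages/aks-managed-clusters/main.bicep' = {
  name: 'aks-identity-hardening'
  params: {
    name: 'aks-prod-001'
    primaryAgentPoolProfiles: [
      {
        name: 'systempool'
        mode: 'System'
        count: 3
        vmSize: 'Standard_D4s_v5'
      }
    ]
    // Entra ID managed integration; authorization is evaluated by Azure RBAC for
    // Kubernetes, so cluster access is granted with Azure role assignments rather
    // than hand-written ClusterRoleBindings. Assumed pass-through of the AKS aadProfile.
    aadProfile: {
      managed: true
      enableAzureRBAC: true
      adminGroupObjectIDs: [
        clusterAdminGroupObjectId
      ]
    }
    enableRBAC: true
    disableLocalAccounts: true          // module default; only valid because aadProfile is set
    enableOidcIssuerProfile: true       // required for workload identity federation
    securityProfile: {
      workloadIdentity: {
        enabled: true                   // assumed pass-through of securityProfile.workloadIdentity
      }
    }
    // Pull secrets from Key Vault via CSI instead of storing them as Kubernetes Secrets,
    // and let the add-on rotate mounted values when the vault version changes.
    enableKeyvaultSecretsProvider: true
    enableSecretRotation: true
    diskEncryptionSetResourceId: diskEncryptionSetResourceId
    azurePolicyEnabled: true            // module default; keeps Azure Policy (Gatekeeper) admission control on
  }
}
```

After deployment, a useful check is that the admin kubeconfig can no longer be fetched: `az aks get-credentials --admin` should fail for this cluster, and `az aks get-credentials` without `--admin` should hand back a kubeconfig that goes through kubelogin and Entra ID.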
Parameter: enableStorageProfileBlobCSIDriver
Whether the AzureBlob CSI Driver for the storage profile is enabled.
- Required: No
- Type: bool
- Default:
False
Parameter: enableStorageProfileDiskCSIDriver
Whether the AzureDisk CSI Driver for the storage profile is enabled.
- Required: No
- Type: bool
- Default:
False
Parameter: enableStorageProfileFileCSIDriver
Whether the AzureFile CSI Driver for the storage profile is enabled.
- Required: No
- Type: bool
- Default:
False
Parameter: enableStorageProfileSnapshotController
Whether the snapshot controller for the storage profile is enabled.
- Required: No
- Type: bool
- Default: False
Parameter: enableTelemetry
Enable/Disable usage telemetry for module.
- Required: No
- Type: bool
- Default: True
Parameter: fluxExtension
Settings and configurations for the flux extension.
- Required: No
- Type: object
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| configurationProtectedSettings | object | The configuration protected settings of the extension. |
| configurationSettings | object | The configuration settings of the extension. |
| fluxConfigurations | array | The flux configurations of the extension. |
| name | string | The name of the extension. |
| releaseNamespace | string | Namespace where the extension Release must be placed. |
| releaseTrain | string | The release train of the extension. |
| targetNamespace | string | Namespace where the extension will be created for a namespace-scoped extension. |
| version | string | The version of the extension. |
Parameter: fluxExtension.configurationProtectedSettings
The configuration protected settings of the extension.
- Required: No
- Type: object
Parameter: fluxExtension.configurationSettings
The configuration settings of the extension.
- Required: No
- Type: object
Parameter: fluxExtension.fluxConfigurations
The flux configurations of the extension.
- Required: No
- Type: array
Parameter: fluxExtension.name
The name of the extension.
- Required: No
- Type: string
Parameter: fluxExtension.releaseNamespace
Namespace where the extension Release must be placed.
- Required: No
- Type: string
Parameter: fluxExtension.releaseTrain
The release train of the extension.
- Required: No
- Type: string
Parameter: fluxExtension.targetNamespace
Namespace where the extension will be created for a namespace-scoped extension.
- Required: No
- Type: string
Parameter: fluxExtension.version
The version of the extension.
- Required: No
- Type: string
Parameter: fqdnSubdomain
The FQDN subdomain of the private cluster with a custom private DNS zone. This cannot be updated once the Managed Cluster has been created.
- Required: No
- Type: string
Parameter: httpApplicationRoutingEnabled
Specifies whether the httpApplicationRouting add-on is enabled or not.
- Required: No
- Type: bool
- Default: False
Parameter: httpProxyConfig
Configurations for provisioning the cluster with HTTP proxy servers.
- Required: No
- Type: object
Parameter: identityProfile
Identities associated with the cluster.
- Required: No
- Type: object
Parameter: idleTimeoutInMinutes
Desired outbound flow idle timeout in minutes.
- Required: No
- Type: int
- Default: 30
Parameter: ingressApplicationGatewayEnabled
Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not.
- Required: No
- Type: bool
- Default: False
Parameter: ipFamilies
The IP families used for the cluster.
- Required: No
- Type: array
- Default: [ 'IPv4' ]
Parameter: kubeDashboardEnabled
Specifies whether the kubeDashboard add-on is enabled or not.
- Required: No
- Type: bool
- Default: False
Parameter: kubernetesVersion
Version of Kubernetes specified when creating the managed cluster.
- Required: No
- Type: string
Parameter: linuxProfile
The profile for Linux VMs in the Managed Cluster.
- Required: No
- Type: object
Parameter: loadBalancerSku
Specifies the SKU of the load balancer used by the virtual machine scale sets backing the node pools.
- Required: No
- Type: string
- Default: 'standard'
Parameter: location
Specifies the location of the AKS cluster. Defaults to the resource group's location.
- Required: No
- Type: string
- Default: [resourceGroup().location]
Parameter: lock
The lock settings of the service.
- Required: No
- Type: object
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| kind | string | Specify the type of lock. |
| name | string | Specify the name of lock. |
| notes | string | Specify the notes of the lock. |
Parameter: lock.kind
Specify the type of lock.
- Required: No
- Type: string
- Allowed: [ 'CanNotDelete' 'None' 'ReadOnly' ]
Parameter: lock.name
Specify the name of lock.
- Required: No
- Type: string
Parameter: lock.notes
Specify the notes of the lock.
- Required: No
- Type: string
Parameter: maintenanceConfigurations
Maintenance configurations for the managed cluster.
- Required: No
- Type: array
Required parameters
| Parameter | Type | Description |
|---|---|---|
| maintenanceWindow | object | Maintenance window for the maintenance configuration. |
| name | string | Name of maintenance window. |
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| notAllowedTime | array | Time slots on which upgrade is not allowed. |
| timeInWeek | array | Time slots during the week when planned maintenance is allowed to proceed. |
Parameter: maintenanceConfigurations.maintenanceWindow
Maintenance window for the maintenance configuration.
- Required: Yes
- Type: object
Parameter: maintenanceConfigurations.name
Name of maintenance window.
- Required: Yes
- Type: string
- Allowed: [ 'aksManagedAutoUpgradeSchedule' 'aksManagedNodeOSUpgradeSchedule' ]
Parameter: maintenanceConfigurations.notAllowedTime
Time slots on which upgrade is not allowed.
- Required: No
- Type: array
Parameter: maintenanceConfigurations.timeInWeek
Time slots during the week when planned maintenance is allowed to proceed.
- Required: No
- Type: array
Parameter: managedIdentities
The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.
- Required: No
- Type: object
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| systemAssigned | bool | Enables system assigned managed identity on the resource. |
| userAssignedResourceIds | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |
Parameter: managedIdentities.systemAssigned
Enables system assigned managed identity on the resource.
- Required: No
- Type: bool
Parameter: managedIdentities.userAssignedResourceIds
The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.
- Required: No
- Type: array
Parameter: managedOutboundIPCount
Outbound IP Count for the Load balancer.
- Required: No
- Type: int
- Default: 0
Parameter: monitoringWorkspaceResourceId
Resource ID of the monitoring log analytics workspace.
- Required: No
- Type: string
Parameter: natGatewayProfile
NAT Gateway profile for the cluster.
- Required: No
- Type: object
Parameter: networkDataplane
Network dataplane used in the Kubernetes cluster. Not compatible with kubenet network plugin.
- Required: No
- Type: string
Parameter: networkMode
Network mode used for building the Kubernetes network.
- Required: No
- Type: string
Parameter: networkPlugin
Specifies the network plugin used for building Kubernetes network.
- Required: No
- Type: string
Parameter: networkPluginMode
Network plugin mode used for building the Kubernetes network. Not compatible with kubenet network plugin.
- Required: No
- Type: string
Parameter: networkPolicy
Specifies the network policy used for building the Kubernetes network (calico or azure).
- Required: No
- Type: string
Parameter: nodeProvisioningProfile
Node provisioning settings that apply to the whole cluster.
- Required: No
- Type: object
Parameter: nodeResourceGroup
Name of the resource group containing agent pool nodes.
- Required: No
- Type: string
- Default: [format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('name'))]
Parameter: nodeResourceGroupProfile
The node resource group configuration profile.
- Required: No
- Type: object
Parameter: omsAgentEnabled
Specifies whether the OMS agent is enabled.
- Required: No
- Type: bool
- Default: True
Parameter: omsAgentUseAADAuth
Specifies whether the OMS agent is using managed identity authentication.
- Required: No
- Type: bool
- Default: False
Parameter: openServiceMeshEnabled
Specifies whether the openServiceMesh add-on is enabled or not.
- Required: No
- Type: bool
- Default: False
Parameter: outboundPublicIPPrefixResourceIds
A list of the resource IDs of the public IP prefixes to use for the load balancer outbound rules.
- Required: No
- Type: array
Parameter: outboundPublicIPResourceIds
A list of the resource IDs of the public IP addresses to use for the load balancer outbound rules.
- Required: No
- Type: array
Parameter: outboundType
Specifies outbound (egress) routing method.
- Required: No
- Type: string
- Default: 'loadBalancer'
Parameter: podCidr
Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used.
- Required: No
- Type: string
Parameter: podCidrs
The CIDR notation IP ranges from which to assign pod IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking.
- Required: No
- Type: array
Parameter: podIdentityProfile
The pod identity profile of the Managed Cluster. See "Use AAD pod identity" for more details on AAD pod identity integration.
- Required: No
- Type: object
Parameter: publicNetworkAccess
Allow or deny public network access for AKS.
- Required: No
- Type: string
- Default: 'Disabled'
- Allowed: [ 'Disabled' 'Enabled' 'SecuredByPerimeter' ]
Parameter: roleAssignments
Array of role assignments to create.
- Required: No
- Type: array
- Roles configurable by name:
  - 'Azure Kubernetes Fleet Manager Contributor Role'
  - 'Azure Kubernetes Fleet Manager RBAC Admin'
  - 'Azure Kubernetes Fleet Manager RBAC Cluster Admin'
  - 'Azure Kubernetes Fleet Manager RBAC Reader'
  - 'Azure Kubernetes Fleet Manager RBAC Writer'
  - 'Azure Kubernetes Service Cluster Admin Role'
  - 'Azure Kubernetes Service Cluster Monitoring User'
  - 'Azure Kubernetes Service Cluster User Role'
  - 'Azure Kubernetes Service Contributor Role'
  - 'Azure Kubernetes Service RBAC Admin'
  - 'Azure Kubernetes Service RBAC Cluster Admin'
  - 'Azure Kubernetes Service RBAC Reader'
  - 'Azure Kubernetes Service RBAC Writer'
  - 'Contributor'
  - 'Kubernetes Agentless Operator'
  - 'Owner'
  - 'Reader'
  - 'Role Based Access Control Administrator'
  - 'User Access Administrator'
Required parameters
| Parameter | Type | Description |
|---|---|---|
| principalId | string | The principal ID of the principal (user/group/identity) to assign the role to. |
| roleDefinitionIdOrName | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
Optional parameters
| Parameter | Type | Description |
|---|---|---|
| condition | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container". |
| conditionVersion | string | Version of the condition. |
| delegatedManagedIdentityResourceId | string | The Resource Id of the delegated managed identity resource. |
| description | string | The description of the role assignment. |
| name | string | The name (as GUID) of the role assignment. If not provided, a GUID will be generated. |
| principalType | string | The principal type of the assigned principal ID. |
Parameter: roleAssignments.principalId
The principal ID of the principal (user/group/identity) to assign the role to.
- Required: Yes
- Type: string
Parameter: roleAssignments.roleDefinitionIdOrName
The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
- Required: Yes
- Type: string
Parameter: roleAssignments.condition
The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".
- Required: No
- Type: string
Parameter: roleAssignments.conditionVersion
Version of the condition.
- Required: No
- Type: string
- Allowed: [ '2.0' ]
Parameter: roleAssignments.delegatedManagedIdentityResourceId
The Resource Id of the delegated managed identity resource.
- Required: No
- Type: string
Parameter: roleAssignments.description
The description of the role assignment.
- Required: No
- Type: string
Parameter: roleAssignments.name
The name (as GUID) of the role assignment. If not provided, a GUID will be generated.
- Required: No
- Type: string
Parameter: roleAssignments.principalType
The principal type of the assigned principal ID.
- Required: No
- Type: string
- Allowed: [ 'Device' 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' ]
Parameter: securityProfile
Security profile for the managed cluster.
- Required: No
- Type: object
Parameter: serviceCidr
A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges.
- Required: No
- Type: string
Parameter: serviceCidrs
The CIDR notation IP ranges from which to assign service cluster IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. They must not overlap with any Subnet IP ranges.
- Required: No
- Type: array
Parameter: serviceMeshProfile
Service mesh profile for a managed cluster.
- Required: No
- Type: object
Parameter: skuName
Name of a managed cluster SKU.
- Required: No
- Type: string
- Default: 'Base'
Parameter: skuTier
Tier of a managed cluster SKU.
- Required: No
- Type: string
- Default: 'Standard'
Parameter: staticEgressGatewayProfile
Static egress gateway profile for the cluster.
- Required: No
- Type: object
Parameter: supportPlan
The support plan for the Managed Cluster.
- Required: No
- Type: string
- Default: 'KubernetesOfficial'
Parameter: tags
Tags of the resource.
- Required: No
- Type: object
Parameter: upgradeSettings
Settings for upgrading the cluster with override options.
- Required: No
- Type: object
Parameter: webApplicationRoutingEnabled
Specifies whether the webApplicationRouting add-on is enabled or not.
- Required: No
- Type: bool
- Default: False
Parameter: windowsProfile
The profile for Windows VMs in the Managed Cluster.
- Required: No
- Type: object
Parameter: workloadAutoScalerProfile
Workload Auto-scaler profile for the managed cluster.
- Required: No
- Type: object
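The following module invocation is an added example, not code from the module's own documentation or tests: it combines the identity, access, secrets, networking, monitoring, maintenance, role assignment and lock parameters described above into one hardened deployment. The resource IDs, principal ID, pool sizing and the primaryAgentPoolProfiles parameter (assumed to be the module's required agent pool input) are placeholders or assumptions, and the maintenanceWindow shape is assumed from the ARM maintenanceConfigurations schema.

```bicep
// Added example, not part of the module's own documentation. Resource IDs,
// principal IDs and pool sizing are constructed placeholders.
module managedCluster './packages/aks-managed-clusters/main.bicep' = {
  name: 'aks-hardened-deployment'
  params: {
    // Required inputs. primaryAgentPoolProfiles is assumed to be the module's
    // required agent pool parameter (not listed among the optional ones above).
    name: 'aks-prod-001'
    primaryAgentPoolProfiles: [
      {
        name: 'systempool'
        count: 3
        vmSize: 'Standard_D4s_v5'
        mode: 'System'
        osType: 'Linux'
      }
    ]

    // Only one identity type is accepted; a user-assigned identity keeps the cluster's permissions explicit.
    managedIdentities: {
      userAssignedResourceIds: [
        '/subscriptions/<subscriptionId>/resourceGroups/<rgName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identityName>'
      ]
    }

    // Control-plane exposure and authorization ('Disabled' is the default, stated explicitly here).
    publicNetworkAccess: 'Disabled'
    enableRBAC: true
    enableOidcIssuerProfile: true // needed for workload identity federation

    // Mount Key Vault secrets through the CSI driver and rotate them.
    enableKeyvaultSecretsProvider: true
    enableSecretRotation: true

    // Azure CNI with a network policy engine so NetworkPolicy objects are enforced.
    networkPlugin: 'azure'
    networkPolicy: 'azure'

    // Container Insights with managed identity authentication.
    omsAgentEnabled: true
    omsAgentUseAADAuth: true
    monitoringWorkspaceResourceId: '/subscriptions/<subscriptionId>/resourceGroups/<rgName>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>'

    // Weekly window for the managed auto-upgrade channel; the maintenanceWindow
    // shape is assumed from the ARM maintenanceConfigurations schema.
    maintenanceConfigurations: [
      {
        name: 'aksManagedAutoUpgradeSchedule'
        maintenanceWindow: {
          schedule: {
            weekly: {
              intervalWeeks: 1
              dayOfWeek: 'Sunday'
            }
          }
          durationHours: 4
          startTime: '00:00'
          utcOffset: '+00:00'
        }
      }
    ]

    // Least privilege: an operations group gets a read-only Kubernetes RBAC role.
    roleAssignments: [
      {
        principalId: '<objectIdOfOpsGroup>'
        principalType: 'Group'
        roleDefinitionIdOrName: 'Azure Kubernetes Service RBAC Reader'
      }
    ]

    // Guard against accidental deletion of the production cluster.
    lock: {
      kind: 'CanNotDelete'
      name: 'aks-prod-001-lock'
      notes: 'Remove this lock before intentionally deleting the cluster.'
    }
  }
}
```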
Outputs
| Output | Type | Description |
|---|---|---|
| addonProfiles | object | The addonProfiles of the Kubernetes cluster. |
| controlPlaneFQDN | string | The control plane FQDN of the managed cluster. |
| ingressApplicationGatewayIdentityObjectId | string | The Object ID of Application Gateway Ingress Controller (AGIC) identity. |
| keyvaultIdentityClientId | string | The Client ID of the Key Vault Secrets Provider identity. |
| keyvaultIdentityObjectId | string | The Object ID of the Key Vault Secrets Provider identity. |
| kubeletIdentityClientId | string | The Client ID of the AKS identity. |
| kubeletIdentityObjectId | string | The Object ID of the AKS identity. |
| kubeletIdentityResourceId | string | The Resource ID of the AKS identity. |
| location | string | The location the resource was deployed into. |
| name | string | The name of the managed cluster. |
| oidcIssuerUrl | string | The OIDC token issuer URL. |
| omsagentIdentityObjectId | string | The Object ID of the OMS agent identity. |
| resourceGroupName | string | The resource group the managed cluster was deployed into. |
| resourceId | string | The resource ID of the managed cluster. |
| systemAssignedMIPrincipalId | string | The principal ID of the system assigned identity. |
| webAppRoutingIdentityObjectId | string | The Object ID of Web Application Routing. |
Cross-referenced modules
This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
| Reference | Type |
|---|---|
| ./packages/kubernetes-config-extensions/main.bicep | Local Reference |
| ./packages/utl-common-types/main.bicep | Local Reference |
Data Collection
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
Changelog
The latest version of the changelog can be found here.
0.13.0
Changes
- Updated ARM API versions to 2025-10-01 in the main module and child modules.
Breaking Changes
- None
0.12.0
Changes
- Updated ARM API versions to 2025-09-01 in the main module and child modules.
- Added new parameters advancedNetworking, aiToolchainOperatorProfile, bootstrapProfile, fqdnSubdomain, ipFamilies, natGatewayProfile, networkMode, nodeProvisioningProfile, podCidrs, serviceCidrs, staticEgressGatewayProfile and windowsProfile following the API specification.
- agent-pool child module: Added new parameters, following the API specification: capacityReservationGroupResourceId, gatewayProfile, gpuInstanceProfile, gpuProfile, hostGroupId, kubeletConfig, localDNSProfile, messageOfTheDay, networkProfile, podIPAllocationMode, powerState and virtualMachinesProfile.
- agent-pool child module: Added new allowed values to the osSku parameter: AzureLinux3, Ubuntu2204, Ubuntu2404, Windows2025.
- maintenance-configuration child module: Added new parameters notAllowedTime and timeInWeek for blackout windows and weekly maintenance schedules.
Breaking Changes
- API version updates may introduce new required parameters or behavior changes in the underlying Azure Resource Manager API
- Replaced individual parameters with API-typed parameters: aadProfile, aksServicePrincipalProfile, backendPoolType, defaultIngressControllerType, httpProxyConfig, identityProfile, loadBalancerSku, networkDataplane, networkPlugin, networkPolicy, nodeProvisioningProfileMode, nodeResourceGroupProfile, outboundType, skuName, skuTier, supportPlan and tags.
- Removed individual adminUsername and sshPublicKey parameters in favor of linuxProfile, which now includes these settings.
- Removed individual API server access parameters authorizedIPRanges, disableRunCommand, enablePrivateCluster, enablePrivateClusterPublicFQDN, privateDNSZone in favor of apiServerAccessProfile, which now includes these settings.
- Removed individual autoscaler parameters autoScalerProfileScanInterval, autoScalerProfileScaleDownDelayAfterAdd, autoScalerProfileScaleDownDelayAfterDelete, autoScalerProfileScaleDownDelayAfterFailure, autoScalerProfileScaleDownUnneededTime, autoScalerProfileScaleDownUnreadyTime, autoScalerProfileUtilizationThreshold, autoScalerProfileMaxGracefulTerminationSec, autoScalerProfileBalanceSimilarNodeGroups, autoScalerProfileDaemonsetEvictionForEmptyNodes, autoScalerProfileDaemonsetEvictionForOccupiedNodes, autoScalerProfileIgnoreDaemonsetsUtilization, autoScalerProfileExpander, autoScalerProfileMaxEmptyBulkDelete, autoScalerProfileMaxNodeProvisionTime, autoScalerProfileMaxTotalUnreadyPercentage, autoScalerProfileNewPodScaleUpDelay, autoScalerProfileOkTotalUnreadyCount, autoScalerProfileSkipNodesWithLocalStorage, autoScalerProfileSkipNodesWithSystemPods in favor of autoScalerProfile, which now includes these settings.
- Removed individual auto upgrade parameters autoUpgradeProfileUpgradeChannel and autoNodeOsUpgradeProfileUpgradeChannel in favor of autoUpgradeProfile, which now includes these settings.
- Removed individual pod identity parameters podIdentityProfileAllowNetworkPluginKubenet, podIdentityProfileEnable, podIdentityProfileUserAssignedIdentities and podIdentityProfileUserAssignedIdentityExceptions in favor of podIdentityProfile, which now includes these settings.
- Removed individual security parameters enableWorkloadIdentity, enableAzureDefender, securityGatingConfig, enableImageCleaner, enableImageIntegrity, enableNodeRestriction and imageCleanerIntervalHours in favor of securityProfile, which now includes these settings. Please note that some security settings have been removed in the API version 2025-09-01.
- Removed parameters kedaAddon and vpaAddon; they are now part of workloadAutoScalerProfile.
- Removed individual Azure Monitor parameters appMonitoring, enableContainerInsights, disableCustomMetrics, disablePrometheusMetricsScraping and syslogPort, as the properties were removed from the azureMonitorProfile in the API version 2025-09-01.
- Removed individual Azure Monitor parameters enableAzureMonitorProfileMetrics, metricLabelsAllowlist and metricAnnotationsAllowList in favor of azureMonitorProfile.
- Removed Istio-specific parameters istioServiceMeshEnabled, istioServiceMeshRevisions, istioServiceMeshInternalIngressGatewayEnabled and istioServiceMeshCertificateAuthority in favor of the generic serviceMeshProfile.
- agent-pool child module: Updated parameters gpuInstanceProfile, kubeletDiskType, linuxOSConfig, mode, osDiskType, osType, scaleDownMode, scaleSetEvictionPolicy, scaleSetPriority, tags, workloadRuntime and windowsProfile to use resource input types from Microsoft.ContainerService/managedClusters/agentPools@2025-09-01 for consistency with the RP schema and built-in validation.
- agent-pool child module: Updated parameters nodeLabels and nodeTaints to use strong types.
- agent-pool child module: Removed parameter maxSurge; it is now part of upgradeSettings.
- agent-pool child module: Removed parameters enableSecureBoot, enableVTPM and sshAccess; they are now part of securityProfile.
- maintenance-configuration child module: Updated the maintenanceWindow parameter to use strong types from Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2025-09-01.
- Changed fluxExtension.configurations to fluxExtension.fluxConfigurations for consistency
- SKU tier value changed from lowercase 'free' to 'Free' (capital F) to match the API specification
0.11.1
Changes
- Updated the discEncryptionSetResourceId parameter description
Breaking Changes
- None
0.11.0
Changes
- Updated ARM API versions:
  - Updated Microsoft.ContainerService/managedClusters from the previous version to 2025-05-02-preview
  - Updated Microsoft.ContainerService/managedClusters/agentPools to 2025-05-02-preview
  - Updated Microsoft.ContainerService/managedClusters/maintenanceConfigurations to 2025-05-01
- Updated some parameter types to reference newer API versions for better type safety
- Updated resource templates and JSON output to use the latest API versions
- Adding Linux and Windows profile config to Microsoft.ContainerService/managedClusters/agentPools
Breaking Changes
- API version updates may introduce new required parameters or behavior changes in the underlying Azure Resource Manager API
- Some parameter schemas may have changed due to the updated API versions
0.10.1
Changes
- Updated LockType to avm-common-types version 0.6.0, enabling custom notes for locks.
- Added types to the tags, httpProxyConfig and identityProfile parameters
- Updated the version of the referenced avm/res/kubernetes-configuration/extension module to 0.3.6 and added a pass-through of the targetNamespace parameter
Breaking Changes
- None
0.10.0
Changes
- Adding load balancer configuration options
- Updated ReadMe with AzAdvertizer reference
Breaking Changes
- None
0.9.0
Changes
- Initial version
Breaking Changes
- None
{
"workingFolder": "packages",
"packages": [
// packages defined earlier
{
"name": "avm-bicep/aks-managed-clusters",
"version": "0.13.0"
}
]
}
Stats
- Selected version: 0.13.0
- Downloads this version: 0
- Downloads all versions: 7
- Latest version: 0.13.0
- Latest update: 11-03-2026