Microsoft.ContainerService managedClusters 2020-07-01

The managedClusters resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.ContainerService/managedClusters resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.ContainerService/managedClusters@2020-07-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    name: 'Basic'
    tier: 'string'
  }
  identity: {
    type: 'string'
    userAssignedIdentities: {}
  }
  properties: {
    aadProfile: {
      adminGroupObjectIDs: [ 'string' ]
      clientAppID: 'string'
      enableAzureRBAC: bool
      managed: bool
      serverAppID: 'string'
      serverAppSecret: 'string'
      tenantID: 'string'
    }
    addonProfiles: {}
    agentPoolProfiles: [
      {
        availabilityZones: [ 'string' ]
        count: int
        enableAutoScaling: bool
        enableNodePublicIP: bool
        maxCount: int
        maxPods: int
        minCount: int
        mode: 'string'
        name: 'string'
        nodeLabels: {}
        nodeTaints: [ 'string' ]
        orchestratorVersion: 'string'
        osDiskSizeGB: int
        osType: 'string'
        proximityPlacementGroupID: 'string'
        scaleSetEvictionPolicy: 'string'
        scaleSetPriority: 'string'
        spotMaxPrice: int
        tags: {
          tagName1: 'tagValue1'
          tagName2: 'tagValue2'
        }
        type: 'string'
        upgradeSettings: {
          maxSurge: 'string'
        }
        vmSize: 'string'
        vnetSubnetID: 'string'
      }
    ]
    apiServerAccessProfile: {
      authorizedIPRanges: [ 'string' ]
      enablePrivateCluster: bool
    }
    autoScalerProfile: {
      balance-similar-node-groups: 'string'
      max-graceful-termination-sec: 'string'
      scale-down-delay-after-add: 'string'
      scale-down-delay-after-delete: 'string'
      scale-down-delay-after-failure: 'string'
      scale-down-unneeded-time: 'string'
      scale-down-unready-time: 'string'
      scale-down-utilization-threshold: 'string'
      scan-interval: 'string'
    }
    diskEncryptionSetID: 'string'
    dnsPrefix: 'string'
    enablePodSecurityPolicy: bool
    enableRBAC: bool
    identityProfile: {}
    kubernetesVersion: 'string'
    linuxProfile: {
      adminUsername: 'string'
      ssh: {
        publicKeys: [
          {
            keyData: 'string'
          }
        ]
      }
    }
    networkProfile: {
      dnsServiceIP: 'string'
      dockerBridgeCidr: 'string'
      loadBalancerProfile: {
        allocatedOutboundPorts: int
        effectiveOutboundIPs: [
          {
            id: 'string'
          }
        ]
        idleTimeoutInMinutes: int
        managedOutboundIPs: {
          count: int
        }
        outboundIPPrefixes: {
          publicIPPrefixes: [
            {
              id: 'string'
            }
          ]
        }
        outboundIPs: {
          publicIPs: [
            {
              id: 'string'
            }
          ]
        }
      }
      loadBalancerSku: 'string'
      networkMode: 'string'
      networkPlugin: 'string'
      networkPolicy: 'string'
      outboundType: 'string'
      podCidr: 'string'
      serviceCidr: 'string'
    }
    nodeResourceGroup: 'string'
    servicePrincipalProfile: {
      clientId: 'string'
      secret: 'string'
    }
    windowsProfile: {
      adminPassword: 'string'
      adminUsername: 'string'
      licenseType: 'string'
    }
  }
}
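The skeleton above lists every property without saying which ones matter for a security review. As an added example that is not part of the original reference (and not Microsoft's quickstart code), the following deployment of the same resource type picks the hardened values: a managed identity instead of a service principal secret, AKS-managed AAD with Azure RBAC, an allow-list on the API server, no node public IPs, network policy enforcement, customer-managed disk encryption and log forwarding. The parameter names and every resource ID it takes are assumptions.

```bicep
// Added example, not from the original page: a hardened managedClusters
// resource at api-version 2020-07-01. Parameter names and the subnet,
// disk encryption set and Log Analytics resource IDs are assumptions.
param clusterName string
param location string = resourceGroup().location
param dnsPrefix string
param kubernetesVersion string        // a version the target region currently supports
param adminGroupObjectIds array       // AAD group object IDs that receive cluster-admin
param authorizedIpRanges array        // CIDRs allowed to reach the API server endpoint
param vnetSubnetId string             // resource ID of an existing subnet
param diskEncryptionSetId string      // customer-managed key for node OS disks
param logAnalyticsWorkspaceId string  // workspace that receives container and node logs
param sshPublicKey string             // OpenSSH public key for break-glass node access

resource aks 'Microsoft.ContainerService/managedClusters@2020-07-01' = {
  name: clusterName
  location: location
  identity: {
    type: 'SystemAssigned'   // no service principal secret to store or rotate
  }
  // servicePrincipalProfile is omitted on purpose: the managed identity replaces it
  properties: {
    kubernetesVersion: kubernetesVersion
    dnsPrefix: dnsPrefix
    enableRBAC: true                 // cannot be switched on after creation
    enablePodSecurityPolicy: false   // deprecated; enforce pod standards with admission control instead
    diskEncryptionSetID: diskEncryptionSetId
    aadProfile: {
      managed: true          // AKS-managed AAD: no serverAppID/serverAppSecret in the template
      enableAzureRBAC: true  // Azure RBAC for Kubernetes authorization (requires managed: true)
      adminGroupObjectIDs: adminGroupObjectIds
    }
    apiServerAccessProfile: {
      authorizedIPRanges: authorizedIpRanges   // an empty list would admit any source address
      enablePrivateCluster: false              // true removes the public endpoint entirely (then drop the ranges)
    }
    agentPoolProfiles: [
      {
        name: 'system'
        mode: 'System'
        type: 'VirtualMachineScaleSets'
        count: 3
        availabilityZones: [
          '1'
          '2'
          '3'
        ]
        vmSize: 'Standard_DS2_v2'
        osType: 'Linux'
        osDiskSizeGB: 0             // provider default for the vmSize
        maxPods: 30
        enableNodePublicIP: false   // nodes reachable only inside the VNet
        vnetSubnetID: vnetSubnetId
      }
    ]
    linuxProfile: {
      adminUsername: 'azureuser'
      ssh: {
        publicKeys: [
          {
            keyData: sshPublicKey
          }
        ]
      }
    }
    networkProfile: {
      networkPlugin: 'azure'        // pods get VNet IPs, so NSGs and flow logs see them
      networkPolicy: 'azure'        // enforce NetworkPolicy; omitting it leaves pod traffic unrestricted
      loadBalancerSku: 'standard'   // required for zones and for authorizedIPRanges
      outboundType: 'loadBalancer'
      serviceCidr: '10.0.0.0/16'    // must not overlap any VNet subnet
      dnsServiceIP: '10.0.0.10'     // must lie inside serviceCidr
      dockerBridgeCidr: '172.17.0.1/16'
    }
    addonProfiles: {
      omsagent: {
        enabled: true
        config: {
          logAnalyticsWorkspaceResourceID: logAnalyticsWorkspaceId
        }
      }
    }
  }
}

output controlPlaneIdentityPrincipalId string = aks.identity.principalId
```

Deploy it with `az deployment group create --template-file aks.bicep --parameters ...`, supplying the array parameters from a parameters file. The output exposes the control plane identity's principal ID so that role assignments (for example Network Contributor on the subnet) can be scoped to exactly that principal instead of a broadly permissioned service principal.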

Property values

managedClusters

Name Description Value
type The resource type

For Bicep, set this value in the resource declaration.
'Microsoft.ContainerService/managedClusters'
apiVersion The resource api version

For Bicep, set this value in the resource declaration.
'2020-07-01'
name The resource name string (required)
location Resource location string (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates
sku ManagedClusterSKU
identity Identity for the managed cluster. ManagedClusterIdentity
properties Properties of the managed cluster. ManagedClusterProperties

ManagedClusterIdentity

Name Description Value
type The type of identity used for the managed cluster. Type 'SystemAssigned' will use an implicitly created identity in master components and an auto-created user assigned identity in MC_ resource group in agent nodes. Type 'None' will not use MSI for the managed cluster, service principal will be used instead. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the managed cluster. This identity will be used in control plane and only one user assigned identity is allowed. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. object

ManagedClusterProperties

Name Description Value
aadProfile AADProfile specifies attributes for Azure Active Directory integration. ManagedClusterAADProfile
addonProfiles Profile of managed cluster add-on. object
agentPoolProfiles Properties of the agent pool. ManagedClusterAgentPoolProfile[]
apiServerAccessProfile Access profile for managed cluster API server. ManagedClusterAPIServerAccessProfile
autoScalerProfile Parameters to be applied to the cluster-autoscaler when enabled ManagedClusterPropertiesAutoScalerProfile
diskEncryptionSetID ResourceId of the disk encryption set to use for enabling encryption at rest. string
dnsPrefix DNS prefix specified when creating the managed cluster. string
enablePodSecurityPolicy (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. bool
enableRBAC Whether to enable Kubernetes Role-Based Access Control. Set it at creation time; it cannot be turned on afterwards. bool
identityProfile Identities associated with the cluster. object
kubernetesVersion Version of Kubernetes specified when creating the managed cluster. string
linuxProfile Profile for Linux VMs in the container service cluster. ContainerServiceLinuxProfile
networkProfile Profile of network configuration. ContainerServiceNetworkProfile
nodeResourceGroup Name of the resource group containing agent pool nodes. string
servicePrincipalProfile Information about a service principal identity for the cluster to use for manipulating Azure APIs. Prefer a managed identity (see identity above) so that no credential has to be stored in the template. ManagedClusterServicePrincipalProfile
windowsProfile Profile for Windows VMs in the container service cluster. ManagedClusterWindowsProfile

ManagedClusterAADProfile

Name Description Value
adminGroupObjectIDs AAD group object IDs that will have admin role of the cluster. string[]
clientAppID The client AAD application ID. string
enableAzureRBAC Whether to enable Azure RBAC for Kubernetes authorization. Requires managed to be true. bool
managed Whether to enable managed AAD. bool
serverAppID The server AAD application ID. string
serverAppSecret The server AAD application secret, used only by the legacy (non-managed) integration; pass it as a secure parameter rather than inlining it. string
tenantID The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. string

ManagedClusterAgentPoolProfile

Name Description Value
availabilityZones Availability zones for nodes. Must use VirtualMachineScaleSets AgentPoolType. string[]
count Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 100 (inclusive) for user pools and in the range of 1 to 100 (inclusive) for system pools. The default value is 1. int
enableAutoScaling Whether to enable auto-scaler bool
enableNodePublicIP Enable public IP for nodes. Every node then gets a directly reachable public address; leave this false unless a workload needs it. bool
maxCount Maximum number of nodes for auto-scaling int
maxPods Maximum number of pods that can run on a node. int
minCount Minimum number of nodes for auto-scaling int
mode AgentPoolMode represents mode of an agent pool. 'System'
'User'
name Unique name of the agent pool profile in the context of the subscription and resource group. string (required)
nodeLabels Agent pool node labels to be persisted across all nodes in agent pool. object
nodeTaints Taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. string[]
orchestratorVersion Version of orchestrator specified when creating the managed cluster. string
osDiskSizeGB OS Disk Size in GB to be used to specify the disk size for every machine in this master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. int
osType OsType to be used to specify os type. Choose from Linux and Windows. Default to Linux. 'Linux'
'Windows'
proximityPlacementGroupID The ID for Proximity Placement Group. string
scaleSetEvictionPolicy ScaleSetEvictionPolicy to be used to specify eviction policy for Spot virtual machine scale set. Default to Delete. 'Deallocate'
'Delete'
scaleSetPriority ScaleSetPriority to be used to specify virtual machine scale set priority. Default to regular. 'Regular'
'Spot'
spotMaxPrice SpotMaxPrice to be used to specify the maximum price you are willing to pay in US Dollars. Possible values are any decimal value greater than zero or -1 which indicates default price to be up-to on-demand. int
tags Agent pool tags to be persisted on the agent pool virtual machine scale set. Dictionary of tag names and values. See Tags in templates
type AgentPoolType represents types of an agent pool. 'AvailabilitySet'
'VirtualMachineScaleSets'
upgradeSettings Settings for upgrading an agentpool AgentPoolUpgradeSettings
vmSize Size of agent VMs. 'Standard_A1'
'Standard_A10'
'Standard_A11'
'Standard_A1_v2'
'Standard_A2'
'Standard_A2_v2'
'Standard_A2m_v2'
'Standard_A3'
'Standard_A4'
'Standard_A4_v2'
'Standard_A4m_v2'
'Standard_A5'
'Standard_A6'
'Standard_A7'
'Standard_A8'
'Standard_A8_v2'
'Standard_A8m_v2'
'Standard_A9'
'Standard_B2ms'
'Standard_B2s'
'Standard_B4ms'
'Standard_B8ms'
'Standard_D1'
'Standard_D11'
'Standard_D11_v2'
'Standard_D11_v2_Promo'
'Standard_D12'
'Standard_D12_v2'
'Standard_D12_v2_Promo'
'Standard_D13'
'Standard_D13_v2'
'Standard_D13_v2_Promo'
'Standard_D14'
'Standard_D14_v2'
'Standard_D14_v2_Promo'
'Standard_D15_v2'
'Standard_D16_v3'
'Standard_D16s_v3'
'Standard_D1_v2'
'Standard_D2'
'Standard_D2_v2'
'Standard_D2_v2_Promo'
'Standard_D2_v3'
'Standard_D2s_v3'
'Standard_D3'
'Standard_D32_v3'
'Standard_D32s_v3'
'Standard_D3_v2'
'Standard_D3_v2_Promo'
'Standard_D4'
'Standard_D4_v2'
'Standard_D4_v2_Promo'
'Standard_D4_v3'
'Standard_D4s_v3'
'Standard_D5_v2'
'Standard_D5_v2_Promo'
'Standard_D64_v3'
'Standard_D64s_v3'
'Standard_D8_v3'
'Standard_D8s_v3'
'Standard_DS1'
'Standard_DS11'
'Standard_DS11_v2'
'Standard_DS11_v2_Promo'
'Standard_DS12'
'Standard_DS12_v2'
'Standard_DS12_v2_Promo'
'Standard_DS13'
'Standard_DS13-2_v2'
'Standard_DS13-4_v2'
'Standard_DS13_v2'
'Standard_DS13_v2_Promo'
'Standard_DS14'
'Standard_DS14-4_v2'
'Standard_DS14-8_v2'
'Standard_DS14_v2'
'Standard_DS14_v2_Promo'
'Standard_DS15_v2'
'Standard_DS1_v2'
'Standard_DS2'
'Standard_DS2_v2'
'Standard_DS2_v2_Promo'
'Standard_DS3'
'Standard_DS3_v2'
'Standard_DS3_v2_Promo'
'Standard_DS4'
'Standard_DS4_v2'
'Standard_DS4_v2_Promo'
'Standard_DS5_v2'
'Standard_DS5_v2_Promo'
'Standard_E16_v3'
'Standard_E16s_v3'
'Standard_E2_v3'
'Standard_E2s_v3'
'Standard_E32-16s_v3'
'Standard_E32-8s_v3'
'Standard_E32_v3'
'Standard_E32s_v3'
'Standard_E4_v3'
'Standard_E4s_v3'
'Standard_E64-16s_v3'
'Standard_E64-32s_v3'
'Standard_E64_v3'
'Standard_E64s_v3'
'Standard_E8_v3'
'Standard_E8s_v3'
'Standard_F1'
'Standard_F16'
'Standard_F16s'
'Standard_F16s_v2'
'Standard_F1s'
'Standard_F2'
'Standard_F2s'
'Standard_F2s_v2'
'Standard_F32s_v2'
'Standard_F4'
'Standard_F4s'
'Standard_F4s_v2'
'Standard_F64s_v2'
'Standard_F72s_v2'
'Standard_F8'
'Standard_F8s'
'Standard_F8s_v2'
'Standard_G1'
'Standard_G2'
'Standard_G3'
'Standard_G4'
'Standard_G5'
'Standard_GS1'
'Standard_GS2'
'Standard_GS3'
'Standard_GS4'
'Standard_GS4-4'
'Standard_GS4-8'
'Standard_GS5'
'Standard_GS5-16'
'Standard_GS5-8'
'Standard_H16'
'Standard_H16m'
'Standard_H16mr'
'Standard_H16r'
'Standard_H8'
'Standard_H8m'
'Standard_L16s'
'Standard_L32s'
'Standard_L4s'
'Standard_L8s'
'Standard_M128-32ms'
'Standard_M128-64ms'
'Standard_M128ms'
'Standard_M128s'
'Standard_M64-16ms'
'Standard_M64-32ms'
'Standard_M64ms'
'Standard_M64s'
'Standard_NC12'
'Standard_NC12s_v2'
'Standard_NC12s_v3'
'Standard_NC24'
'Standard_NC24r'
'Standard_NC24rs_v2'
'Standard_NC24rs_v3'
'Standard_NC24s_v2'
'Standard_NC24s_v3'
'Standard_NC6'
'Standard_NC6s_v2'
'Standard_NC6s_v3'
'Standard_ND12s'
'Standard_ND24rs'
'Standard_ND24s'
'Standard_ND6s'
'Standard_NV12'
'Standard_NV24'
'Standard_NV6'
vnetSubnetID VNet SubnetID specifies the VNet's subnet identifier. string

AgentPoolUpgradeSettings

Name Description Value
maxSurge Count or percentage of additional nodes to be added during upgrade. If empty uses AKS default string

ManagedClusterAPIServerAccessProfile

Name Description Value
authorizedIPRanges Authorized IP Ranges to kubernetes API server. When omitted, the public API endpoint accepts connections from any source address. Requires loadBalancerSku 'standard'. string[]
enablePrivateCluster Whether to create the cluster as a private cluster or not. bool

ManagedClusterPropertiesAutoScalerProfile

Name Description Value
balance-similar-node-groups string
max-graceful-termination-sec string
scale-down-delay-after-add string
scale-down-delay-after-delete string
scale-down-delay-after-failure string
scale-down-unneeded-time string
scale-down-unready-time string
scale-down-utilization-threshold string
scan-interval string

ContainerServiceLinuxProfile

Name Description Value
adminUsername The administrator username to use for Linux VMs. string (required)
ssh SSH configuration for Linux-based VMs running on Azure. ContainerServiceSshConfiguration (required)

ContainerServiceSshConfiguration

Name Description Value
publicKeys The list of SSH public keys used to authenticate with Linux-based VMs. Only one key is expected. ContainerServiceSshPublicKey[] (required)

ContainerServiceSshPublicKey

Name Description Value
keyData Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. string (required)

ContainerServiceNetworkProfile

Name Description Value
dnsServiceIP An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. string
dockerBridgeCidr A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. string
loadBalancerProfile Profile of the managed cluster load balancer. ManagedClusterLoadBalancerProfile
loadBalancerSku The load balancer sku for the managed cluster. 'basic'
'standard'
networkMode Network mode used for building Kubernetes network. 'bridge'
'transparent'
networkPlugin Network plugin used for building Kubernetes network. 'azure'
'kubenet'
networkPolicy Network policy used for building Kubernetes network. 'azure'
'calico'
outboundType The outbound (egress) routing method. 'loadBalancer'
'userDefinedRouting'
podCidr A CIDR notation IP range from which to assign pod IPs when kubenet is used. string
serviceCidr A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. string

ManagedClusterLoadBalancerProfile

Name Description Value
allocatedOutboundPorts Desired number of allocated SNAT ports per VM. Allowed values must be in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. int
effectiveOutboundIPs The effective outbound IP resources of the cluster load balancer. ResourceReference[]
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values must be in the range of 4 to 120 (inclusive). The default value is 30 minutes. int
managedOutboundIPs Desired managed outbound IPs for the cluster load balancer. ManagedClusterLoadBalancerProfileManagedOutboundIPs
outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPPrefixes
outboundIPs Desired outbound IP resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPs

ResourceReference

Name Description Value
id The fully qualified Azure resource id. string

ManagedClusterLoadBalancerProfileManagedOutboundIPs

Name Description Value
count Desired number of outbound IP created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. int

ManagedClusterLoadBalancerProfileOutboundIPPrefixes

Name Description Value
publicIPPrefixes A list of public IP prefix resources. ResourceReference[]

ManagedClusterLoadBalancerProfileOutboundIPs

Name Description Value
publicIPs A list of public IP resources. ResourceReference[]

ManagedClusterServicePrincipalProfile

Name Description Value
clientId The ID for the service principal. string (required)
secret The secret password associated with the service principal, sent in plain text. Pass it as a secure template parameter rather than inlining it, and never commit a template that contains it. string

ManagedClusterWindowsProfile

Name Description Value
adminPassword Specifies the password of the administrator account. Pass it as a secure template parameter rather than inlining it.

Minimum-length: 8 characters

Max-length: 123 characters

Complexity requirements: 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\W_])

Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
string
adminUsername Specifies the name of the administrator account.

restriction: Cannot end in "."

Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

Minimum-length: 1 character

Max-length: 20 characters
string (required)
licenseType The licenseType to use for Windows VMs. Windows_Server is used to enable Azure Hybrid Use Benefit for Windows VMs. 'None'
'Windows_Server'

ManagedClusterSKU

Name Description Value
name Name of a managed cluster SKU. 'Basic'
tier Tier of a managed cluster SKU. 'Free'
'Paid'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
CI/CD using Jenkins on Azure Container Service (AKS)
Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment.
min.io Azure Gateway
Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage.
Create a Private AKS Cluster
This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create a Private AKS Cluster with a Public DNS Zone
This sample shows how to deploy a private AKS cluster with a Public DNS Zone.
Deploy a managed Kubernetes Cluster (AKS)
This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
Deploy a managed Kubernetes Cluster (AKS) with Azure AD integration
This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network and Azure AD integration. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
Deploy an AKS cluster for Azure ML
This template allows you to deploy an enterprise-compliant AKS cluster which can be attached to Azure ML.
Azure Container Service (AKS)
Deploy a managed cluster with Azure Container Service (AKS).
Azure Kubernetes Service (AKS)
Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS).
AKS cluster with the Application Gateway Ingress Controller
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault.
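Two of the templates above grant the cluster's service principal the Network Contributor role on the subnet that holds the nodes, which is the least-privilege way to let AKS manage load balancer and route table entries in a VNet you own. The equivalent for a cluster that uses a system-assigned identity, written as an added example rather than taken from any of the listed templates, follows. The cluster, VNet and subnet names are assumptions; if AKS has already granted this permission for your cluster, the assignment is redundant and should be skipped.

```bicep
// Added example, not from the original page or the quickstart templates:
// scope the cluster identity's network permission to its own subnet.
param clusterName string   // existing cluster in this resource group (assumption)
param vnetName string      // existing virtual network (assumption)
param subnetName string    // subnet referenced by the cluster's vnetSubnetID (assumption)

// Built-in "Network Contributor" role definition (fixed ID across all subscriptions)
var networkContributorRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')

resource aks 'Microsoft.ContainerService/managedClusters@2020-07-01' existing = {
  name: clusterName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2020-06-01' existing = {
  name: '${vnetName}/${subnetName}'
}

// Subnet-scoped assignment: the identity can manage this subnet and nothing else in the VNet.
// The deterministic guid() name makes redeployments idempotent instead of creating duplicates.
resource aksSubnetNetworkContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(subnet.id, aks.id, networkContributorRoleId)
  scope: subnet
  properties: {
    roleDefinitionId: networkContributorRoleId
    principalId: aks.identity.principalId
    principalType: 'ServicePrincipal'   // avoids the replication race when the identity is brand new
  }
}
```

Prefer this subnet scope over assigning the role on the whole VNet or resource group: a compromised node pool or control plane identity then cannot alter peering, other subnets or unrelated network resources.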