Microsoft.ContainerService managedClusters 2021-07-01

The managedClusters resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.ContainerService/managedClusters resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    name: 'Basic'
    tier: 'string'
  }
  extendedLocation: {
    name: 'string'
    type: 'EdgeZone'
  }
  identity: {
    type: 'string'
    userAssignedIdentities: {}
  }
  properties: {
    aadProfile: {
      adminGroupObjectIDs: [ 'string' ]
      clientAppID: 'string'
      enableAzureRBAC: bool
      managed: bool
      serverAppID: 'string'
      serverAppSecret: 'string'
      tenantID: 'string'
    }
    addonProfiles: {}
    agentPoolProfiles: [
      {
        availabilityZones: [ 'string' ]
        count: int
        enableAutoScaling: bool
        enableEncryptionAtHost: bool
        enableFIPS: bool
        enableNodePublicIP: bool
        enableUltraSSD: bool
        gpuInstanceProfile: 'string'
        kubeletConfig: {
          allowedUnsafeSysctls: [ 'string' ]
          containerLogMaxFiles: int
          containerLogMaxSizeMB: int
          cpuCfsQuota: bool
          cpuCfsQuotaPeriod: 'string'
          cpuManagerPolicy: 'string'
          failSwapOn: bool
          imageGcHighThreshold: int
          imageGcLowThreshold: int
          podMaxPids: int
          topologyManagerPolicy: 'string'
        }
        kubeletDiskType: 'string'
        linuxOSConfig: {
          swapFileSizeMB: int
          sysctls: {
            fsAioMaxNr: int
            fsFileMax: int
            fsInotifyMaxUserWatches: int
            fsNrOpen: int
            kernelThreadsMax: int
            netCoreNetdevMaxBacklog: int
            netCoreOptmemMax: int
            netCoreRmemDefault: int
            netCoreRmemMax: int
            netCoreSomaxconn: int
            netCoreWmemDefault: int
            netCoreWmemMax: int
            netIpv4IpLocalPortRange: 'string'
            netIpv4NeighDefaultGcThresh1: int
            netIpv4NeighDefaultGcThresh2: int
            netIpv4NeighDefaultGcThresh3: int
            netIpv4TcpFinTimeout: int
            netIpv4TcpkeepaliveIntvl: int
            netIpv4TcpKeepaliveProbes: int
            netIpv4TcpKeepaliveTime: int
            netIpv4TcpMaxSynBacklog: int
            netIpv4TcpMaxTwBuckets: int
            netIpv4TcpTwReuse: bool
            netNetfilterNfConntrackBuckets: int
            netNetfilterNfConntrackMax: int
            vmMaxMapCount: int
            vmSwappiness: int
            vmVfsCachePressure: int
          }
          transparentHugePageDefrag: 'string'
          transparentHugePageEnabled: 'string'
        }
        maxCount: int
        maxPods: int
        minCount: int
        mode: 'string'
        name: 'string'
        nodeLabels: {}
        nodePublicIPPrefixID: 'string'
        nodeTaints: [ 'string' ]
        orchestratorVersion: 'string'
        osDiskSizeGB: int
        osDiskType: 'string'
        osSKU: 'string'
        osType: 'string'
        podSubnetID: 'string'
        proximityPlacementGroupID: 'string'
        scaleDownMode: 'string'
        scaleSetEvictionPolicy: 'string'
        scaleSetPriority: 'string'
        spotMaxPrice: int
        tags: {
          tagName1: 'tagValue1'
          tagName2: 'tagValue2'
        }
        type: 'string'
        upgradeSettings: {
          maxSurge: 'string'
        }
        vmSize: 'string'
        vnetSubnetID: 'string'
      }
    ]
    apiServerAccessProfile: {
      authorizedIPRanges: [ 'string' ]
      enablePrivateCluster: bool
      enablePrivateClusterPublicFQDN: bool
      privateDNSZone: 'string'
    }
    autoScalerProfile: {
      balance-similar-node-groups: 'string'
      expander: 'string'
      max-empty-bulk-delete: 'string'
      max-graceful-termination-sec: 'string'
      max-node-provision-time: 'string'
      max-total-unready-percentage: 'string'
      new-pod-scale-up-delay: 'string'
      ok-total-unready-count: 'string'
      scale-down-delay-after-add: 'string'
      scale-down-delay-after-delete: 'string'
      scale-down-delay-after-failure: 'string'
      scale-down-unneeded-time: 'string'
      scale-down-unready-time: 'string'
      scale-down-utilization-threshold: 'string'
      scan-interval: 'string'
      skip-nodes-with-local-storage: 'string'
      skip-nodes-with-system-pods: 'string'
    }
    autoUpgradeProfile: {
      upgradeChannel: 'string'
    }
    disableLocalAccounts: bool
    diskEncryptionSetID: 'string'
    dnsPrefix: 'string'
    enablePodSecurityPolicy: bool
    enableRBAC: bool
    fqdnSubdomain: 'string'
    httpProxyConfig: {
      httpProxy: 'string'
      httpsProxy: 'string'
      noProxy: [ 'string' ]
      trustedCa: 'string'
    }
    identityProfile: {}
    kubernetesVersion: 'string'
    linuxProfile: {
      adminUsername: 'string'
      ssh: {
        publicKeys: [
          {
            keyData: 'string'
          }
        ]
      }
    }
    networkProfile: {
      dnsServiceIP: 'string'
      dockerBridgeCidr: 'string'
      loadBalancerProfile: {
        allocatedOutboundPorts: int
        effectiveOutboundIPs: [
          {
            id: 'string'
          }
        ]
        idleTimeoutInMinutes: int
        managedOutboundIPs: {
          count: int
        }
        outboundIPPrefixes: {
          publicIPPrefixes: [
            {
              id: 'string'
            }
          ]
        }
        outboundIPs: {
          publicIPs: [
            {
              id: 'string'
            }
          ]
        }
      }
      loadBalancerSku: 'string'
      natGatewayProfile: {
        effectiveOutboundIPs: [
          {
            id: 'string'
          }
        ]
        idleTimeoutInMinutes: int
        managedOutboundIPProfile: {
          count: int
        }
      }
      networkMode: 'string'
      networkPlugin: 'string'
      networkPolicy: 'string'
      outboundType: 'string'
      podCidr: 'string'
      serviceCidr: 'string'
    }
    nodeResourceGroup: 'string'
    podIdentityProfile: {
      allowNetworkPluginKubenet: bool
      enabled: bool
      userAssignedIdentities: [
        {
          bindingSelector: 'string'
          identity: {
            clientId: 'string'
            objectId: 'string'
            resourceId: 'string'
          }
          name: 'string'
          namespace: 'string'
        }
      ]
      userAssignedIdentityExceptions: [
        {
          name: 'string'
          namespace: 'string'
          podLabels: {}
        }
      ]
    }
    privateLinkResources: [
      {
        groupId: 'string'
        id: 'string'
        name: 'string'
        requiredMembers: [ 'string' ]
        type: 'string'
      }
    ]
    securityProfile: {
      azureDefender: {
        enabled: bool
        logAnalyticsWorkspaceResourceId: 'string'
      }
    }
    servicePrincipalProfile: {
      clientId: 'string'
      secret: 'string'
    }
    windowsProfile: {
      adminPassword: 'string'
      adminUsername: 'string'
      enableCSIProxy: bool
      licenseType: 'string'
    }
  }
}

Property values

managedClusters

Name Description Value
type The resource type. For Bicep, set this value in the resource declaration. 'Microsoft.ContainerService/managedClusters'
apiVersion The resource api version. For Bicep, set this value in the resource declaration. '2021-07-01'
name The resource name string (required)
location Resource location string (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates
sku The SKU of a Managed Cluster. ManagedClusterSKU
extendedLocation The complex type of the extended location. ExtendedLocation
identity Identity for the managed cluster. ManagedClusterIdentity
properties Properties of the managed cluster. ManagedClusterProperties

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of extendedLocation. 'EdgeZone'

ManagedClusterIdentity

Name Description Value
type For more information see use managed identities in AKS. 'None' | 'SystemAssigned' | 'UserAssigned'
userAssignedIdentities The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. object

ManagedClusterProperties

Name Description Value
aadProfile For more details see managed AAD on AKS. ManagedClusterAADProfile
addonProfiles The profile of managed cluster add-on. object
agentPoolProfiles The agent pool properties. ManagedClusterAgentPoolProfile[]
apiServerAccessProfile Access profile for managed cluster API server. ManagedClusterAPIServerAccessProfile
autoScalerProfile Parameters to be applied to the cluster-autoscaler when enabled ManagedClusterPropertiesAutoScalerProfile
autoUpgradeProfile Auto upgrade profile for a managed cluster. ManagedClusterAutoUpgradeProfile
disableLocalAccounts If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. bool
diskEncryptionSetID This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' string
dnsPrefix This cannot be updated once the Managed Cluster has been created. string
enablePodSecurityPolicy (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. bool
enableRBAC Whether to enable Kubernetes Role-Based Access Control. bool
fqdnSubdomain This cannot be updated once the Managed Cluster has been created. string
httpProxyConfig Cluster HTTP proxy configuration. ManagedClusterHttpProxyConfig
identityProfile Identities associated with the cluster. object
kubernetesVersion When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. string
linuxProfile Profile for Linux VMs in the container service cluster. ContainerServiceLinuxProfile
networkProfile Profile of network configuration. ContainerServiceNetworkProfile
nodeResourceGroup The name of the resource group containing agent pool nodes. string
podIdentityProfile See use AAD pod identity for more details on pod identity integration. ManagedClusterPodIdentityProfile
privateLinkResources Private link resources associated with the cluster. PrivateLinkResource[]
securityProfile Security profile for the container service cluster. ManagedClusterSecurityProfile
servicePrincipalProfile Information about a service principal identity for the cluster to use for manipulating Azure APIs. ManagedClusterServicePrincipalProfile
windowsProfile Profile for Windows VMs in the managed cluster. ManagedClusterWindowsProfile
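
The rows above are where a cluster's security posture is decided: identity against a plaintext servicePrincipalProfile secret, enableRBAC, aadProfile, disableLocalAccounts (valid only on AAD-enabled clusters), the deprecated enablePodSecurityPolicy, apiServerAccessProfile (where the authorized-IP feature is incompatible with per-node public IPs and the basic load balancer), per-pool enableNodePublicIP, enableEncryptionAtHost and kubeletConfig.allowedUnsafeSysctls, networkProfile.networkPolicy, podIdentityProfile on kubenet, and diskEncryptionSetID. The following Python check is an example added here by the editor, not code from this page or from Azure: it walks a resource body in the JSON shape of the template above (a parsed ARM template resource, or any object with the same keys) and reports each setting that the tables' own caveats flag. The WEAK and HARDENED bodies are constructed samples, and every value in angle brackets is a placeholder.

```python
"""Static posture check over a Microsoft.ContainerService/managedClusters 2021-07-01
resource body, using only property names from the tables on this page. Added example,
not code from the page or from Azure; WEAK/HARDENED are constructed, <...> are placeholders."""
import ipaddress


def check_managed_cluster(resource):
    """Return a list of (code, message) findings for one resource body."""
    out, props = [], resource.get("properties", {})
    aad = props.get("aadProfile", {})
    api = props.get("apiServerAccessProfile", {})
    net = props.get("networkProfile", {})
    pools = props.get("agentPoolProfiles", [])

    # Identity: servicePrincipalProfile.secret is a plaintext credential inside the
    # template, while identity.type SystemAssigned/UserAssigned needs no secret at all.
    if props.get("servicePrincipalProfile", {}).get("secret"):
        out.append(("SP_SECRET", "servicePrincipalProfile.secret is stored in plain text"))
    if resource.get("identity", {}).get("type") not in ("SystemAssigned", "UserAssigned"):
        out.append(("NO_MANAGED_IDENTITY", "identity.type is not SystemAssigned or UserAssigned"))

    # Authentication and authorization
    if props.get("enableRBAC") is not True:
        out.append(("RBAC_OFF", "enableRBAC is not true"))
    if aad.get("managed") is not True:
        out.append(("AAD_NOT_MANAGED", "aadProfile.managed is not true"))
    if aad.get("serverAppSecret"):
        out.append(("AAD_SERVER_SECRET", "aadProfile.serverAppSecret is a plaintext secret"))
    if props.get("disableLocalAccounts") is not True:
        out.append(("LOCAL_ACCOUNTS", "disableLocalAccounts is not true; static credentials stay obtainable"))
    elif aad.get("managed") is not True:  # table: only valid on AAD-enabled clusters
        out.append(("LOCAL_ACCOUNTS_NO_AAD", "disableLocalAccounts requires an AAD-enabled cluster"))
    if props.get("enablePodSecurityPolicy") is True:
        out.append(("PSP_DEPRECATED", "enablePodSecurityPolicy is deprecated"))

    # API server exposure: a public endpoint needs authorizedIPRanges, and a /0 entry
    # is the same as no restriction at all (ip_network raises on malformed entries).
    ranges = api.get("authorizedIPRanges", [])
    unrestricted = not ranges or any(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in ranges)
    if not api.get("enablePrivateCluster") and unrestricted:
        out.append(("API_PUBLIC_UNRESTRICTED", "public API server without effective authorizedIPRanges"))
    if api.get("enablePrivateCluster") and api.get("enablePrivateClusterPublicFQDN"):
        out.append(("PRIVATE_WITH_PUBLIC_FQDN", "private cluster also publishes a public FQDN"))
    # Table caveat: authorized ranges are incompatible with per-node public IPs and the basic LB.
    if ranges and (net.get("loadBalancerSku") == "basic" or any(p.get("enableNodePublicIP") for p in pools)):
        out.append(("AUTH_IP_INCOMPATIBLE", "authorizedIPRanges with node public IPs or a basic load balancer"))

    # Node pools
    for p in pools:
        n = p.get("name", "?")
        if p.get("enableNodePublicIP"):
            out.append((f"NODE_PUBLIC_IP:{n}", f"pool {n}: every node gets a dedicated public IP"))
        if p.get("enableEncryptionAtHost") is not True:
            out.append((f"NO_HOST_ENCRYPTION:{n}", f"pool {n}: enableEncryptionAtHost not set"))
        for s in p.get("kubeletConfig", {}).get("allowedUnsafeSysctls", []):
            out.append((f"UNSAFE_SYSCTL:{n}:{s}", f"pool {n}: pods may set unsafe sysctl {s}"))

    # Network policy, AAD pod identity on kubenet, customer-managed disk encryption
    if net.get("networkPolicy") not in ("azure", "calico"):
        out.append(("NO_NETWORK_POLICY", "networkProfile.networkPolicy not set"))
    pid = props.get("podIdentityProfile", {})
    if pid.get("enabled") and net.get("networkPlugin") == "kubenet" and pid.get("allowNetworkPluginKubenet"):
        out.append(("POD_IDENTITY_KUBENET", "pod identity on kubenet is exposed to IP spoofing"))
    if not props.get("diskEncryptionSetID"):
        out.append(("NO_DISK_ENCRYPTION_SET", "diskEncryptionSetID not set; platform-managed keys only"))
    return out


def finding_codes(resource):
    return {code for code, _ in check_managed_cluster(resource)}

WEAK = {  # constructed: deploys fine, but every security knob is left at its weakest
    "identity": {"type": "None"},
    "properties": {
        "enablePodSecurityPolicy": True,
        "servicePrincipalProfile": {"clientId": "<app-id>", "secret": "<plaintext-secret>"},
        "apiServerAccessProfile": {"authorizedIPRanges": ["0.0.0.0/0"]},
        "agentPoolProfiles": [{"name": "np1", "mode": "System", "enableNodePublicIP": True,
                               "kubeletConfig": {"allowedUnsafeSysctls": ["net.*"]}}],
        "networkProfile": {"networkPlugin": "kubenet", "loadBalancerSku": "basic"},
        "podIdentityProfile": {"enabled": True, "allowNetworkPluginKubenet": True},
    },
}
HARDENED = {  # constructed: the same cluster with the security-relevant properties set
    "identity": {"type": "SystemAssigned"},
    "properties": {
        "enableRBAC": True, "disableLocalAccounts": True,
        "aadProfile": {"managed": True, "enableAzureRBAC": True, "adminGroupObjectIDs": ["<group-object-id>"]},
        "apiServerAccessProfile": {"enablePrivateCluster": True, "enablePrivateClusterPublicFQDN": False,
                                   "privateDNSZone": "system"},
        "agentPoolProfiles": [{"name": "sys", "mode": "System", "enableEncryptionAtHost": True}],
        "networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure", "loadBalancerSku": "standard"},
        "diskEncryptionSetID": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/diskEncryptionSets/<des>",
    },
}

if __name__ == "__main__":
    for label, body in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, *[f"  {c}: {m}" for c, m in check_managed_cluster(body)], sep="\n")
```

Run as a CI gate against the JSON that `bicep build` emits, the check fails the build on the WEAK body and passes the HARDENED one; the finding codes are stable strings so a pipeline can allow-list a specific one (for example NO_DISK_ENCRYPTION_SET in a dev subscription) without silencing the rest.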

ManagedClusterAADProfile

Name Description Value
adminGroupObjectIDs The list of AAD group object IDs that will have admin role of the cluster. string[]
clientAppID The client AAD application ID. string
enableAzureRBAC Whether to enable Azure RBAC for Kubernetes authorization. bool
managed Whether to enable managed AAD. bool
serverAppID The server AAD application ID. string
serverAppSecret The server AAD application secret. string
tenantID The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. string

ManagedClusterAgentPoolProfile

Name Description Value
availabilityZones The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. string[]
count Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. int
enableAutoScaling Whether to enable auto-scaler bool
enableEncryptionAtHost This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption bool
enableFIPS See Add a FIPS-enabled node pool for more details. bool
enableNodePublicIP Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. bool
enableUltraSSD Whether to enable UltraSSD bool
gpuInstanceProfile GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. 'MIG1g' | 'MIG2g' | 'MIG3g' | 'MIG4g' | 'MIG7g'
kubeletConfig See AKS custom node configuration for more details. KubeletConfig
kubeletDiskType Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. 'OS' | 'Temporary'
linuxOSConfig See AKS custom node configuration for more details. LinuxOSConfig
maxCount The maximum number of nodes for auto-scaling int
maxPods The maximum number of pods that can run on a node. int
minCount The minimum number of nodes for auto-scaling int
mode A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools 'System' | 'User'
name Windows agent pool names must be 6 characters or less. string (required)
nodeLabels The node labels to be persisted across all nodes in agent pool. object
nodePublicIPPrefixID This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} string
nodeTaints The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. string[]
orchestratorVersion As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. string
osDiskSizeGB OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. int
osDiskType The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. 'Ephemeral' | 'Managed'
osSKU Specifies an OS SKU. This value must not be specified if OSType is Windows. 'CBLMariner' | 'Ubuntu'
osType The operating system type. The default is Linux. 'Linux' | 'Windows'
podSubnetID If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} string
proximityPlacementGroupID The ID for Proximity Placement Group. string
scaleDownMode Describes how VMs are added to or removed from Agent Pools. See billing states. 'Deallocate' | 'Delete'
scaleSetEvictionPolicy The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs. 'Deallocate' | 'Delete'
scaleSetPriority The Virtual Machine Scale Set priority. 'Regular' | 'Spot'
spotMaxPrice Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing int
tags The tags to be persisted on the agent pool virtual machine scale set. Dictionary of tag names and values. See Tags in templates
type The type of Agent Pool. 'AvailabilitySet' | 'VirtualMachineScaleSets'
upgradeSettings Settings for upgrading an agentpool AgentPoolUpgradeSettings
vmSize VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions string
vnetSubnetID If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} string

KubeletConfig

Name Description Value
allowedUnsafeSysctls Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). string[]
containerLogMaxFiles The maximum number of container log files that can be present for a container. The number must be ≥ 2. int
containerLogMaxSizeMB The maximum size (e.g. 10Mi) of container log file before it is rotated. int
cpuCfsQuota The default is true. bool
cpuCfsQuotaPeriod The default is '100ms.' Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. string
cpuManagerPolicy The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. string
failSwapOn If set to true it will make the Kubelet fail to start if swap is enabled on the node. bool
imageGcHighThreshold To disable image garbage collection, set to 100. The default is 85% int
imageGcLowThreshold This cannot be set higher than imageGcHighThreshold. The default is 80% int
podMaxPids The maximum number of processes per pod. int
topologyManagerPolicy For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. string

LinuxOSConfig

Name Description Value
swapFileSizeMB The size in MB of a swap file that will be created on each node. int
sysctls Sysctl settings for Linux agent nodes. SysctlConfig
transparentHugePageDefrag Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. string
transparentHugePageEnabled Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. string

SysctlConfig

Name Description Value
fsAioMaxNr Sysctl setting fs.aio-max-nr. int
fsFileMax Sysctl setting fs.file-max. int
fsInotifyMaxUserWatches Sysctl setting fs.inotify.max_user_watches. int
fsNrOpen Sysctl setting fs.nr_open. int
kernelThreadsMax Sysctl setting kernel.threads-max. int
netCoreNetdevMaxBacklog Sysctl setting net.core.netdev_max_backlog. int
netCoreOptmemMax Sysctl setting net.core.optmem_max. int
netCoreRmemDefault Sysctl setting net.core.rmem_default. int
netCoreRmemMax Sysctl setting net.core.rmem_max. int
netCoreSomaxconn Sysctl setting net.core.somaxconn. int
netCoreWmemDefault Sysctl setting net.core.wmem_default. int
netCoreWmemMax Sysctl setting net.core.wmem_max. int
netIpv4IpLocalPortRange Sysctl setting net.ipv4.ip_local_port_range. string
netIpv4NeighDefaultGcThresh1 Sysctl setting net.ipv4.neigh.default.gc_thresh1. int
netIpv4NeighDefaultGcThresh2 Sysctl setting net.ipv4.neigh.default.gc_thresh2. int
netIpv4NeighDefaultGcThresh3 Sysctl setting net.ipv4.neigh.default.gc_thresh3. int
netIpv4TcpFinTimeout Sysctl setting net.ipv4.tcp_fin_timeout. int
netIpv4TcpkeepaliveIntvl Sysctl setting net.ipv4.tcp_keepalive_intvl. int
netIpv4TcpKeepaliveProbes Sysctl setting net.ipv4.tcp_keepalive_probes. int
netIpv4TcpKeepaliveTime Sysctl setting net.ipv4.tcp_keepalive_time. int
netIpv4TcpMaxSynBacklog Sysctl setting net.ipv4.tcp_max_syn_backlog. int
netIpv4TcpMaxTwBuckets Sysctl setting net.ipv4.tcp_max_tw_buckets. int
netIpv4TcpTwReuse Sysctl setting net.ipv4.tcp_tw_reuse. bool
netNetfilterNfConntrackBuckets Sysctl setting net.netfilter.nf_conntrack_buckets. int
netNetfilterNfConntrackMax Sysctl setting net.netfilter.nf_conntrack_max. int
vmMaxMapCount Sysctl setting vm.max_map_count. int
vmSwappiness Sysctl setting vm.swappiness. int
vmVfsCachePressure Sysctl setting vm.vfs_cache_pressure. int

AgentPoolUpgradeSettings

Name Description Value
maxSurge This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade string

ManagedClusterAPIServerAccessProfile

Name Description Value
authorizedIPRanges IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. string[]
enablePrivateCluster For more details, see Creating a private AKS cluster. bool
enablePrivateClusterPublicFQDN Whether to create additional public FQDN for private cluster or not. bool
privateDNSZone The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. string

ManagedClusterPropertiesAutoScalerProfile

Name Description Value
balance-similar-node-groups Valid values are 'true' and 'false' string
expander If not specified, the default is 'random'. See expanders for more information. 'least-waste' | 'most-pods' | 'priority' | 'random'
max-empty-bulk-delete The default is 10. string
max-graceful-termination-sec The default is 600. string
max-node-provision-time The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
max-total-unready-percentage The default is 45. The maximum is 100 and the minimum is 0. string
new-pod-scale-up-delay For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). string
ok-total-unready-count This must be an integer. The default is 3. string
scale-down-delay-after-add The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-delay-after-delete The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-delay-after-failure The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-unneeded-time The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-unready-time The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-utilization-threshold The default is '0.5'. string
scan-interval The default is '10'. Values must be an integer number of seconds. string
skip-nodes-with-local-storage The default is true. string
skip-nodes-with-system-pods The default is true. string

ManagedClusterAutoUpgradeProfile

Name Description Value
upgradeChannel For more information see setting the AKS cluster auto-upgrade channel. 'node-image' | 'none' | 'patch' | 'rapid' | 'stable'

ManagedClusterHttpProxyConfig

Name Description Value
httpProxy The HTTP proxy server endpoint to use. string
httpsProxy The HTTPS proxy server endpoint to use. string
noProxy The endpoints that should not go through proxy. string[]
trustedCa Alternative CA cert to use for connecting to proxy servers. string

ContainerServiceLinuxProfile

Name Description Value
adminUsername The administrator username to use for Linux VMs. string (required)
ssh SSH configuration for Linux-based VMs running on Azure. ContainerServiceSshConfiguration (required)

ContainerServiceSshConfiguration

Name Description Value
publicKeys The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. ContainerServiceSshPublicKey[] (required)

ContainerServiceSshPublicKey

Name Description Value
keyData Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. string (required)

ContainerServiceNetworkProfile

Name Description Value
dnsServiceIP An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. string
dockerBridgeCidr A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. string
loadBalancerProfile Profile of the managed cluster load balancer. ManagedClusterLoadBalancerProfile
loadBalancerSku The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. 'basic' | 'standard'
natGatewayProfile Profile of the managed cluster NAT gateway. ManagedClusterNATGatewayProfile
networkMode This cannot be specified if networkPlugin is anything other than 'azure'. 'bridge' | 'transparent'
networkPlugin Network plugin used for building the Kubernetes network. 'azure' | 'kubenet'
networkPolicy Network policy used for building the Kubernetes network. 'azure' | 'calico'
outboundType This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. 'loadBalancer' | 'managedNATGateway' | 'userAssignedNATGateway' | 'userDefinedRouting'
podCidr A CIDR notation IP range from which to assign pod IPs when kubenet is used. string
serviceCidr A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. string
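
The dnsServiceIP, dockerBridgeCidr, serviceCidr, podCidr and networkMode rows above state address-range and plugin rules that nothing enforces until the deployment fails. The following Python function is an example added by the editor, not code from this page or from Azure: it checks those rules offline with the standard ipaddress module. Because vnetSubnetID and podSubnetID are resource IDs that cannot be resolved offline, the caller passes the subnets' CIDRs in. One check goes beyond the table and is an assumption: podCidr is held to the same no-overlap rule the table states for serviceCidr and dockerBridgeCidr. The subnet and the two profiles are constructed samples.

```python
"""Offline consistency check of ContainerServiceNetworkProfile address ranges.
Added example, not code from the page or from Azure. Subnet CIDRs are passed in
because vnetSubnetID/podSubnetID are resource IDs that cannot be resolved here.
The podCidr overlap checks are the editor's assumption, not a rule from the table."""
import ipaddress


def network_profile_problems(profile, subnet_cidrs):
    """Return a list of human-readable violations; an empty list means consistent."""
    problems, nets = [], {}
    # strict=False so a gateway-style value such as 172.17.0.1/16 parses as its /16.
    for key in ("serviceCidr", "podCidr", "dockerBridgeCidr"):
        if key in profile:
            try:
                nets[key] = ipaddress.ip_network(profile[key], strict=False)
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    subnets = [ipaddress.ip_network(c, strict=False) for c in subnet_cidrs]

    # dnsServiceIP must be within serviceCidr (table rule).
    dns = profile.get("dnsServiceIP")
    if dns and "serviceCidr" in nets:
        try:
            if ipaddress.ip_address(dns) not in nets["serviceCidr"]:
                problems.append("dnsServiceIP is outside serviceCidr")
        except ValueError as exc:
            problems.append(f"dnsServiceIP: {exc}")

    # serviceCidr and dockerBridgeCidr must not overlap any subnet (table rule);
    # podCidr is held to the same rule (assumption).
    for key in ("serviceCidr", "dockerBridgeCidr", "podCidr"):
        for s in subnets:
            if key in nets and nets[key].overlaps(s):
                problems.append(f"{key} overlaps subnet {s}")

    # dockerBridgeCidr must not overlap serviceCidr (table rule); podCidr likewise (assumption).
    for key in ("dockerBridgeCidr", "podCidr"):
        if key in nets and "serviceCidr" in nets and nets[key].overlaps(nets["serviceCidr"]):
            problems.append(f"{key} overlaps serviceCidr")

    # networkMode is only valid with the 'azure' plugin (table rule).
    if profile.get("networkMode") and profile.get("networkPlugin") != "azure":
        problems.append("networkMode requires networkPlugin 'azure'")
    return problems


# Constructed samples: a node subnet of 10.240.0.0/16 and two candidate profiles.
SUBNETS = ["10.240.0.0/16"]
BAD = {"networkPlugin": "kubenet", "networkMode": "transparent",
       "serviceCidr": "10.240.0.0/16", "dnsServiceIP": "10.0.0.10",
       "dockerBridgeCidr": "10.240.1.1/24", "podCidr": "10.244.0.0/16"}
GOOD = {"networkPlugin": "azure", "networkPolicy": "azure",
        "serviceCidr": "10.0.0.0/16", "dnsServiceIP": "10.0.0.10",
        "dockerBridgeCidr": "172.17.0.1/16"}

if __name__ == "__main__":
    for name, prof in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, network_profile_problems(prof, SUBNETS))
```

Overlap is checked with `overlaps()` in both directions by construction, so a serviceCidr that is a superset of the node subnet is caught as well as one that sits inside it.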

ManagedClusterLoadBalancerProfile

Name Description Value
allocatedOutboundPorts The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. int
effectiveOutboundIPs The effective outbound IP resources of the cluster load balancer. ResourceReference[]
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. int
managedOutboundIPs Desired managed outbound IPs for the cluster load balancer. ManagedClusterLoadBalancerProfileManagedOutboundIPs
outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPPrefixes
outboundIPs Desired outbound IP resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPs

ResourceReference

Name Description Value
id The fully qualified Azure resource id. string

ManagedClusterLoadBalancerProfileManagedOutboundIPs

Name Description Value
count The desired number of outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. int

ManagedClusterLoadBalancerProfileOutboundIPPrefixes

Name Description Value
publicIPPrefixes A list of public IP prefix resources. ResourceReference[]

ManagedClusterLoadBalancerProfileOutboundIPs

Name Description Value
publicIPs A list of public IP resources. ResourceReference[]

ManagedClusterNATGatewayProfile

Name Description Value
effectiveOutboundIPs The effective outbound IP resources of the cluster NAT gateway. ResourceReference[]
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. int
managedOutboundIPProfile Profile of the managed outbound IP resources of the managed cluster. ManagedClusterManagedOutboundIPProfile

ManagedClusterManagedOutboundIPProfile

Name Description Value
count The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. int

ManagedClusterPodIdentityProfile

Name Description Value
allowNetworkPluginKubenet Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. bool
enabled Whether the pod identity addon is enabled. bool
userAssignedIdentities The pod identities to use in the cluster. ManagedClusterPodIdentity[]
userAssignedIdentityExceptions The pod identity exceptions to allow. ManagedClusterPodIdentityException[]

ManagedClusterPodIdentity

Name Description Value
bindingSelector The binding selector to use for the AzureIdentityBinding resource. string
identity Details about a user assigned identity. UserAssignedIdentity (required)
name The name of the pod identity. string (required)
namespace The namespace of the pod identity. string (required)

UserAssignedIdentity

Name Description Value
clientId The client ID of the user assigned identity. string
objectId The object ID of the user assigned identity. string
resourceId The resource ID of the user assigned identity. string

ManagedClusterPodIdentityException

Name Description Value
name The name of the pod identity exception. string (required)
namespace The namespace of the pod identity exception. string (required)
podLabels The pod labels to match. object (required)

PrivateLinkResource

Name Description Value
groupId The group ID of the resource. string
id The ID of the private link resource. string
name The name of the private link resource. string
requiredMembers The RequiredMembers of the resource string[]
type The resource type. string

ManagedClusterSecurityProfile

Name Description Value
azureDefender Azure Defender settings for the security profile. ManagedClusterSecurityProfileAzureDefender

ManagedClusterSecurityProfileAzureDefender

Name Description Value
enabled Whether to enable Azure Defender bool
logAnalyticsWorkspaceResourceId Resource ID of the Log Analytics workspace to be associated with Azure Defender. When Azure Defender is enabled, this field is required and must be a valid workspace resource ID. When Azure Defender is disabled, leave the field empty. string

ManagedClusterServicePrincipalProfile

Name Description Value
clientId The ID for the service principal. string (required)
secret The secret password associated with the service principal in plain text. A literal here ends up in plain text in the template; prefer a managed identity (identity.type 'SystemAssigned' or 'UserAssigned') and, where a service principal is unavoidable, supply the value through a secure parameter rather than a literal. string

ManagedClusterWindowsProfile

Name Description Value
adminPassword Specifies the password of the administrator account.

Minimum-length: 8 characters

Max-length: 123 characters

Complexity requirements: 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\W_])

Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
string
adminUsername Specifies the name of the administrator account.

Restriction: Cannot end in "."

Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

Minimum-length: 1 character

Max-length: 20 characters
string (required)
enableCSIProxy For more details on CSI proxy, see the CSI proxy GitHub repo. bool
licenseType The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. 'None' | 'Windows_Server'
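
The adminUsername and adminPassword rows above are precise enough to check before a deployment is submitted. The following Python module is an example added by the editor, not code from this page or from Azure: it implements those rules as written, including the table's own [\W_] definition of a special character, and adds a generator that mints a conforming password for a pipeline to pass in as a secure parameter instead of a literal. One assumption not stated in the table: the disallowed-value comparisons are case-insensitive, which only makes the check stricter than Azure's. The sample values are constructed.

```python
"""Pre-deployment validation of ManagedClusterWindowsProfile.adminUsername and
adminPassword against the rules in the table above. Added example, not code from the
page or from Azure. Assumption: disallowed-value matching is case-insensitive."""
import re
import secrets
import string

DISALLOWED_PASSWORDS = {"abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word",
                        "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"}
DISALLOWED_USERNAMES = {"administrator", "admin", "user", "user1", "test", "user2", "test1",
                        "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet",
                        "backup", "console", "david", "guest", "john", "owner", "root", "server",
                        "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4",
                        "user5"}
_DISALLOWED_PW_LOWER = {p.lower() for p in DISALLOWED_PASSWORDS}


def password_problems(pw):
    """Rule violations for adminPassword; an empty list means the value is accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 123:
        problems.append("longer than 123 characters")
    # 3 of 4 classes; the special-character class is the table's own regex [\W_].
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[\W_]", pw))
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than 3 of 4 character classes")
    if pw.lower() in _DISALLOWED_PW_LOWER:  # case-insensitive by assumption
        problems.append("in the disallowed-value list")
    return problems


def username_problems(user):
    """Rule violations for adminUsername; an empty list means the value is accepted."""
    problems = []
    if len(user) < 1:
        problems.append("empty")
    if len(user) > 20:
        problems.append("longer than 20 characters")
    if user.endswith("."):
        problems.append('ends in "."')
    if user.lower() in DISALLOWED_USERNAMES:  # case-insensitive by assumption
        problems.append("in the disallowed-value list")
    return problems


def validate_windows_profile(profile):
    """Map each failing field to its problems; {} means the profile passes both rule sets."""
    result = {}
    for field, check in (("adminUsername", username_problems), ("adminPassword", password_problems)):
        problems = check(profile.get(field, ""))
        if problems:
            result[field] = problems
    return result


def generate_password(length=24):
    """Mint a random password that passes password_problems, for handing to the template
    as a secure parameter (never as a literal). Retries the rare draw with <3 classes."""
    if not 8 <= length <= 123:
        raise ValueError("length must be between 8 and 123")
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(pw):
            return pw


if __name__ == "__main__":
    sample = {"adminUsername": "admin", "adminPassword": "Password1"}  # constructed
    print(validate_windows_profile(sample))
    print(validate_windows_profile({"adminUsername": "aksops", "adminPassword": generate_password()}))
```

The generator draws from `secrets`, not `random`, and loops until the draw satisfies the same predicate the validator uses, so the two cannot drift apart.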

ManagedClusterSKU

Name Description Value
name The name of a managed cluster SKU. 'Basic'
tier If not specified, the default is 'Free'. See uptime SLA for more details. 'Free' | 'Paid'

Quickstart templates

The following quickstart templates deploy this resource type.

Template: Description
CI/CD using Jenkins on Azure Container Service (AKS): Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment.
min.io Azure Gateway: Fully private min.io Azure Gateway deployment to provide an S3-compliant storage API backed by blob storage.
Create a Private AKS Cluster: This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create a Private AKS Cluster with a Public DNS Zone: This sample shows how to deploy a private AKS cluster with a Public DNS Zone.
Deploy a managed Kubernetes Cluster (AKS): This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
Deploy a managed Kubernetes Cluster (AKS): This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network and Azure AD integration. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
Deploy an AKS cluster for Azure ML: This template allows you to deploy an enterprise-compliant AKS cluster which can be attached to Azure ML.
Azure Container Service (AKS): Deploy a managed cluster with Azure Container Service (AKS).
Azure Kubernetes Service (AKS): Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS).
AKS cluster with the Application Gateway Ingress Controller: This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault.