The azure-native:containerservice:ManagedCluster resource, part of the Pulumi Azure Native provider, provisions an AKS managed Kubernetes cluster with control plane, agent pools, and Azure integrations. This guide focuses on four capabilities: agent pool snapshots for standardized node configurations, network egress through NAT gateway or HTTP proxy, security profiles with Defender and workload identity, and Azure AD integration with Azure RBAC.
Clusters require at least one agent pool definition and may reference snapshots, NAT gateways, HTTP proxies, Log Analytics workspaces, and Azure AD configuration. The examples are intentionally small. Combine them with your own networking, identity, and monitoring infrastructure.
Create a cluster from an agent pool snapshot
Teams standardizing node configurations often capture agent pool snapshots to replicate VM settings, OS configurations, and security policies across multiple clusters.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const managedCluster = new azure_native.containerservice.ManagedCluster("managedCluster", {
addonProfiles: {},
agentPoolProfiles: [{
count: 3,
creationData: {
sourceResourceId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/snapshots/snapshot1",
},
enableFIPS: true,
enableNodePublicIP: true,
mode: azure_native.containerservice.AgentPoolMode.System,
name: "nodepool1",
osType: azure_native.containerservice.OSType.Linux,
type: azure_native.containerservice.AgentPoolType.VirtualMachineScaleSets,
vmSize: "Standard_DS2_v2",
}],
autoScalerProfile: {
scaleDownDelayAfterAdd: "15m",
scanInterval: "20s",
},
diskEncryptionSetID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
dnsPrefix: "dnsprefix1",
enableRBAC: true,
kubernetesVersion: "",
linuxProfile: {
adminUsername: "azureuser",
ssh: {
publicKeys: [{
keyData: "keydata",
}],
},
},
location: "location1",
networkProfile: {
loadBalancerProfile: {
managedOutboundIPs: {
count: 2,
},
},
loadBalancerSku: azure_native.containerservice.LoadBalancerSku.Standard,
outboundType: azure_native.containerservice.OutboundType.LoadBalancer,
},
resourceGroupName: "rg1",
resourceName: "clustername1",
servicePrincipalProfile: {
clientId: "clientid",
secret: "secret",
},
sku: {
name: "Basic",
tier: azure_native.containerservice.ManagedClusterSKUTier.Free,
},
tags: {
archv2: "",
tier: "production",
},
windowsProfile: {
adminPassword: "replacePassword1234$",
adminUsername: "azureuser",
},
});
import pulumi
import pulumi_azure_native as azure_native
managed_cluster = azure_native.containerservice.ManagedCluster("managedCluster",
addon_profiles={},
agent_pool_profiles=[{
"count": 3,
"creation_data": {
"source_resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/snapshots/snapshot1",
},
"enable_fips": True,
"enable_node_public_ip": True,
"mode": azure_native.containerservice.AgentPoolMode.SYSTEM,
"name": "nodepool1",
"os_type": azure_native.containerservice.OSType.LINUX,
"type": azure_native.containerservice.AgentPoolType.VIRTUAL_MACHINE_SCALE_SETS,
"vm_size": "Standard_DS2_v2",
}],
auto_scaler_profile={
"scale_down_delay_after_add": "15m",
"scan_interval": "20s",
},
disk_encryption_set_id="/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
dns_prefix="dnsprefix1",
enable_rbac=True,
kubernetes_version="",
linux_profile={
"admin_username": "azureuser",
"ssh": {
"public_keys": [{
"key_data": "keydata",
}],
},
},
location="location1",
network_profile={
"load_balancer_profile": {
"managed_outbound_ips": {
"count": 2,
},
},
"load_balancer_sku": azure_native.containerservice.LoadBalancerSku.STANDARD,
"outbound_type": azure_native.containerservice.OutboundType.LOAD_BALANCER,
},
resource_group_name="rg1",
resource_name_="clustername1",
service_principal_profile={
"client_id": "clientid",
"secret": "secret",
},
sku={
"name": "Basic",
"tier": azure_native.containerservice.ManagedClusterSKUTier.FREE,
},
tags={
"archv2": "",
"tier": "production",
},
windows_profile={
"admin_password": "replacePassword1234$",
"admin_username": "azureuser",
})
package main
import (
containerservice "github.com/pulumi/pulumi-azure-native-sdk/containerservice/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerservice.NewManagedCluster(ctx, "managedCluster", &containerservice.ManagedClusterArgs{
AddonProfiles: containerservice.ManagedClusterAddonProfileMap{},
AgentPoolProfiles: containerservice.ManagedClusterAgentPoolProfileArray{
&containerservice.ManagedClusterAgentPoolProfileArgs{
Count: pulumi.Int(3),
CreationData: &containerservice.CreationDataArgs{
SourceResourceId: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/snapshots/snapshot1"),
},
EnableFIPS: pulumi.Bool(true),
EnableNodePublicIP: pulumi.Bool(true),
Mode: pulumi.String(containerservice.AgentPoolModeSystem),
Name: pulumi.String("nodepool1"),
OsType: pulumi.String(containerservice.OSTypeLinux),
Type: pulumi.String(containerservice.AgentPoolTypeVirtualMachineScaleSets),
VmSize: pulumi.String("Standard_DS2_v2"),
},
},
AutoScalerProfile: &containerservice.ManagedClusterPropertiesAutoScalerProfileArgs{
ScaleDownDelayAfterAdd: pulumi.String("15m"),
ScanInterval: pulumi.String("20s"),
},
DiskEncryptionSetID: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des"),
DnsPrefix: pulumi.String("dnsprefix1"),
EnableRBAC: pulumi.Bool(true),
KubernetesVersion: pulumi.String(""),
LinuxProfile: &containerservice.ContainerServiceLinuxProfileArgs{
AdminUsername: pulumi.String("azureuser"),
Ssh: &containerservice.ContainerServiceSshConfigurationArgs{
PublicKeys: containerservice.ContainerServiceSshPublicKeyArray{
&containerservice.ContainerServiceSshPublicKeyArgs{
KeyData: pulumi.String("keydata"),
},
},
},
},
Location: pulumi.String("location1"),
NetworkProfile: &containerservice.ContainerServiceNetworkProfileArgs{
LoadBalancerProfile: &containerservice.ManagedClusterLoadBalancerProfileArgs{
ManagedOutboundIPs: &containerservice.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs{
Count: pulumi.Int(2),
},
},
LoadBalancerSku: pulumi.String(containerservice.LoadBalancerSkuStandard),
OutboundType: pulumi.String(containerservice.OutboundTypeLoadBalancer),
},
ResourceGroupName: pulumi.String("rg1"),
ResourceName: pulumi.String("clustername1"),
ServicePrincipalProfile: &containerservice.ManagedClusterServicePrincipalProfileArgs{
ClientId: pulumi.String("clientid"),
Secret: pulumi.String("secret"),
},
Sku: &containerservice.ManagedClusterSKUArgs{
Name: pulumi.String("Basic"),
Tier: pulumi.String(containerservice.ManagedClusterSKUTierFree),
},
Tags: pulumi.StringMap{
"archv2": pulumi.String(""),
"tier": pulumi.String("production"),
},
WindowsProfile: &containerservice.ManagedClusterWindowsProfileArgs{
AdminPassword: pulumi.String("replacePassword1234$"),
AdminUsername: pulumi.String("azureuser"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var managedCluster = new AzureNative.ContainerService.ManagedCluster("managedCluster", new()
{
AddonProfiles = null,
AgentPoolProfiles = new[]
{
new AzureNative.ContainerService.Inputs.ManagedClusterAgentPoolProfileArgs
{
Count = 3,
CreationData = new AzureNative.ContainerService.Inputs.CreationDataArgs
{
SourceResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/snapshots/snapshot1",
},
EnableFIPS = true,
EnableNodePublicIP = true,
Mode = AzureNative.ContainerService.AgentPoolMode.System,
Name = "nodepool1",
OsType = AzureNative.ContainerService.OSType.Linux,
Type = AzureNative.ContainerService.AgentPoolType.VirtualMachineScaleSets,
VmSize = "Standard_DS2_v2",
},
},
AutoScalerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterPropertiesAutoScalerProfileArgs
{
ScaleDownDelayAfterAdd = "15m",
ScanInterval = "20s",
},
DiskEncryptionSetID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
DnsPrefix = "dnsprefix1",
EnableRBAC = true,
KubernetesVersion = "",
LinuxProfile = new AzureNative.ContainerService.Inputs.ContainerServiceLinuxProfileArgs
{
AdminUsername = "azureuser",
Ssh = new AzureNative.ContainerService.Inputs.ContainerServiceSshConfigurationArgs
{
PublicKeys = new[]
{
new AzureNative.ContainerService.Inputs.ContainerServiceSshPublicKeyArgs
{
KeyData = "keydata",
},
},
},
},
Location = "location1",
NetworkProfile = new AzureNative.ContainerService.Inputs.ContainerServiceNetworkProfileArgs
{
LoadBalancerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileArgs
{
ManagedOutboundIPs = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs
{
Count = 2,
},
},
LoadBalancerSku = AzureNative.ContainerService.LoadBalancerSku.Standard,
OutboundType = AzureNative.ContainerService.OutboundType.LoadBalancer,
},
ResourceGroupName = "rg1",
ResourceName = "clustername1",
ServicePrincipalProfile = new AzureNative.ContainerService.Inputs.ManagedClusterServicePrincipalProfileArgs
{
ClientId = "clientid",
Secret = "secret",
},
Sku = new AzureNative.ContainerService.Inputs.ManagedClusterSKUArgs
{
Name = "Basic",
Tier = AzureNative.ContainerService.ManagedClusterSKUTier.Free,
},
Tags =
{
{ "archv2", "" },
{ "tier", "production" },
},
WindowsProfile = new AzureNative.ContainerService.Inputs.ManagedClusterWindowsProfileArgs
{
AdminPassword = "replacePassword1234$",
AdminUsername = "azureuser",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerservice.ManagedCluster;
import com.pulumi.azurenative.containerservice.ManagedClusterArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterAgentPoolProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.CreationDataArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterPropertiesAutoScalerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceLinuxProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceSshConfigurationArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceNetworkProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterServicePrincipalProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSKUArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterWindowsProfileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var managedCluster = new ManagedCluster("managedCluster", ManagedClusterArgs.builder()
.addonProfiles(Map.ofEntries(
))
.agentPoolProfiles(ManagedClusterAgentPoolProfileArgs.builder()
.count(3)
.creationData(CreationDataArgs.builder()
.sourceResourceId("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/snapshots/snapshot1")
.build())
.enableFIPS(true)
.enableNodePublicIP(true)
.mode("System")
.name("nodepool1")
.osType("Linux")
.type("VirtualMachineScaleSets")
.vmSize("Standard_DS2_v2")
.build())
.autoScalerProfile(ManagedClusterPropertiesAutoScalerProfileArgs.builder()
.scaleDownDelayAfterAdd("15m")
.scanInterval("20s")
.build())
.diskEncryptionSetID("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des")
.dnsPrefix("dnsprefix1")
.enableRBAC(true)
.kubernetesVersion("")
.linuxProfile(ContainerServiceLinuxProfileArgs.builder()
.adminUsername("azureuser")
.ssh(ContainerServiceSshConfigurationArgs.builder()
.publicKeys(ContainerServiceSshPublicKeyArgs.builder()
.keyData("keydata")
.build())
.build())
.build())
.location("location1")
.networkProfile(ContainerServiceNetworkProfileArgs.builder()
.loadBalancerProfile(ManagedClusterLoadBalancerProfileArgs.builder()
.managedOutboundIPs(ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs.builder()
.count(2)
.build())
.build())
.loadBalancerSku("standard")
.outboundType("loadBalancer")
.build())
.resourceGroupName("rg1")
.resourceName("clustername1")
.servicePrincipalProfile(ManagedClusterServicePrincipalProfileArgs.builder()
.clientId("clientid")
.secret("secret")
.build())
.sku(ManagedClusterSKUArgs.builder()
.name("Basic")
.tier("Free")
.build())
.tags(Map.ofEntries(
Map.entry("archv2", ""),
Map.entry("tier", "production")
))
.windowsProfile(ManagedClusterWindowsProfileArgs.builder()
.adminPassword("replacePassword1234$")
.adminUsername("azureuser")
.build())
.build());
}
}
resources:
managedCluster:
type: azure-native:containerservice:ManagedCluster
properties:
addonProfiles: {}
agentPoolProfiles:
- count: 3
creationData:
sourceResourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/snapshots/snapshot1
enableFIPS: true
enableNodePublicIP: true
mode: System
name: nodepool1
osType: Linux
type: VirtualMachineScaleSets
vmSize: Standard_DS2_v2
autoScalerProfile:
scaleDownDelayAfterAdd: 15m
scanInterval: 20s
diskEncryptionSetID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des
dnsPrefix: dnsprefix1
enableRBAC: true
kubernetesVersion: ""
linuxProfile:
adminUsername: azureuser
ssh:
publicKeys:
- keyData: keydata
location: location1
networkProfile:
loadBalancerProfile:
managedOutboundIPs:
count: 2
loadBalancerSku: standard
outboundType: loadBalancer
resourceGroupName: rg1
resourceName: clustername1
servicePrincipalProfile:
clientId: clientid
secret: secret
sku:
name: Basic
tier: Free
tags:
archv2: ""
tier: production
windowsProfile:
adminPassword: replacePassword1234$
adminUsername: azureuser
The creationData property references a snapshot resource ID, allowing the agent pool to inherit VM size, OS configuration, and security settings like FIPS mode. The sourceResourceId must point to an existing snapshot; replace the placeholder ID with your own snapshot resource.
Route egress through AKS-managed NAT gateway
Clusters requiring predictable outbound IPs for firewall rules or third-party integrations can use AKS-managed NAT gateways instead of load balancers.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const managedCluster = new azure_native.containerservice.ManagedCluster("managedCluster", {
addonProfiles: {},
agentPoolProfiles: [{
count: 3,
enableNodePublicIP: false,
mode: azure_native.containerservice.AgentPoolMode.System,
name: "nodepool1",
osType: azure_native.containerservice.OSType.Linux,
type: azure_native.containerservice.AgentPoolType.VirtualMachineScaleSets,
vmSize: "Standard_DS2_v2",
}],
autoScalerProfile: {
scaleDownDelayAfterAdd: "15m",
scanInterval: "20s",
},
diskEncryptionSetID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
dnsPrefix: "dnsprefix1",
enableRBAC: true,
kubernetesVersion: "",
linuxProfile: {
adminUsername: "azureuser",
ssh: {
publicKeys: [{
keyData: "keydata",
}],
},
},
location: "location1",
networkProfile: {
loadBalancerSku: azure_native.containerservice.LoadBalancerSku.Standard,
natGatewayProfile: {
managedOutboundIPProfile: {
count: 2,
},
},
outboundType: azure_native.containerservice.OutboundType.ManagedNATGateway,
},
resourceGroupName: "rg1",
resourceName: "clustername1",
servicePrincipalProfile: {
clientId: "clientid",
secret: "secret",
},
sku: {
name: "Basic",
tier: azure_native.containerservice.ManagedClusterSKUTier.Free,
},
tags: {
archv2: "",
tier: "production",
},
windowsProfile: {
adminPassword: "replacePassword1234$",
adminUsername: "azureuser",
},
});
import pulumi
import pulumi_azure_native as azure_native
managed_cluster = azure_native.containerservice.ManagedCluster("managedCluster",
addon_profiles={},
agent_pool_profiles=[{
"count": 3,
"enable_node_public_ip": False,
"mode": azure_native.containerservice.AgentPoolMode.SYSTEM,
"name": "nodepool1",
"os_type": azure_native.containerservice.OSType.LINUX,
"type": azure_native.containerservice.AgentPoolType.VIRTUAL_MACHINE_SCALE_SETS,
"vm_size": "Standard_DS2_v2",
}],
auto_scaler_profile={
"scale_down_delay_after_add": "15m",
"scan_interval": "20s",
},
disk_encryption_set_id="/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
dns_prefix="dnsprefix1",
enable_rbac=True,
kubernetes_version="",
linux_profile={
"admin_username": "azureuser",
"ssh": {
"public_keys": [{
"key_data": "keydata",
}],
},
},
location="location1",
network_profile={
"load_balancer_sku": azure_native.containerservice.LoadBalancerSku.STANDARD,
"nat_gateway_profile": {
"managed_outbound_ip_profile": {
"count": 2,
},
},
"outbound_type": azure_native.containerservice.OutboundType.MANAGED_NAT_GATEWAY,
},
resource_group_name="rg1",
resource_name_="clustername1",
service_principal_profile={
"client_id": "clientid",
"secret": "secret",
},
sku={
"name": "Basic",
"tier": azure_native.containerservice.ManagedClusterSKUTier.FREE,
},
tags={
"archv2": "",
"tier": "production",
},
windows_profile={
"admin_password": "replacePassword1234$",
"admin_username": "azureuser",
})
package main
import (
containerservice "github.com/pulumi/pulumi-azure-native-sdk/containerservice/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerservice.NewManagedCluster(ctx, "managedCluster", &containerservice.ManagedClusterArgs{
AddonProfiles: containerservice.ManagedClusterAddonProfileMap{},
AgentPoolProfiles: containerservice.ManagedClusterAgentPoolProfileArray{
&containerservice.ManagedClusterAgentPoolProfileArgs{
Count: pulumi.Int(3),
EnableNodePublicIP: pulumi.Bool(false),
Mode: pulumi.String(containerservice.AgentPoolModeSystem),
Name: pulumi.String("nodepool1"),
OsType: pulumi.String(containerservice.OSTypeLinux),
Type: pulumi.String(containerservice.AgentPoolTypeVirtualMachineScaleSets),
VmSize: pulumi.String("Standard_DS2_v2"),
},
},
AutoScalerProfile: &containerservice.ManagedClusterPropertiesAutoScalerProfileArgs{
ScaleDownDelayAfterAdd: pulumi.String("15m"),
ScanInterval: pulumi.String("20s"),
},
DiskEncryptionSetID: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des"),
DnsPrefix: pulumi.String("dnsprefix1"),
EnableRBAC: pulumi.Bool(true),
KubernetesVersion: pulumi.String(""),
LinuxProfile: &containerservice.ContainerServiceLinuxProfileArgs{
AdminUsername: pulumi.String("azureuser"),
Ssh: &containerservice.ContainerServiceSshConfigurationArgs{
PublicKeys: containerservice.ContainerServiceSshPublicKeyArray{
&containerservice.ContainerServiceSshPublicKeyArgs{
KeyData: pulumi.String("keydata"),
},
},
},
},
Location: pulumi.String("location1"),
NetworkProfile: &containerservice.ContainerServiceNetworkProfileArgs{
LoadBalancerSku: pulumi.String(containerservice.LoadBalancerSkuStandard),
NatGatewayProfile: &containerservice.ManagedClusterNATGatewayProfileArgs{
ManagedOutboundIPProfile: &containerservice.ManagedClusterManagedOutboundIPProfileArgs{
Count: pulumi.Int(2),
},
},
OutboundType: pulumi.String(containerservice.OutboundTypeManagedNATGateway),
},
ResourceGroupName: pulumi.String("rg1"),
ResourceName: pulumi.String("clustername1"),
ServicePrincipalProfile: &containerservice.ManagedClusterServicePrincipalProfileArgs{
ClientId: pulumi.String("clientid"),
Secret: pulumi.String("secret"),
},
Sku: &containerservice.ManagedClusterSKUArgs{
Name: pulumi.String("Basic"),
Tier: pulumi.String(containerservice.ManagedClusterSKUTierFree),
},
Tags: pulumi.StringMap{
"archv2": pulumi.String(""),
"tier": pulumi.String("production"),
},
WindowsProfile: &containerservice.ManagedClusterWindowsProfileArgs{
AdminPassword: pulumi.String("replacePassword1234$"),
AdminUsername: pulumi.String("azureuser"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var managedCluster = new AzureNative.ContainerService.ManagedCluster("managedCluster", new()
{
AddonProfiles = null,
AgentPoolProfiles = new[]
{
new AzureNative.ContainerService.Inputs.ManagedClusterAgentPoolProfileArgs
{
Count = 3,
EnableNodePublicIP = false,
Mode = AzureNative.ContainerService.AgentPoolMode.System,
Name = "nodepool1",
OsType = AzureNative.ContainerService.OSType.Linux,
Type = AzureNative.ContainerService.AgentPoolType.VirtualMachineScaleSets,
VmSize = "Standard_DS2_v2",
},
},
AutoScalerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterPropertiesAutoScalerProfileArgs
{
ScaleDownDelayAfterAdd = "15m",
ScanInterval = "20s",
},
DiskEncryptionSetID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
DnsPrefix = "dnsprefix1",
EnableRBAC = true,
KubernetesVersion = "",
LinuxProfile = new AzureNative.ContainerService.Inputs.ContainerServiceLinuxProfileArgs
{
AdminUsername = "azureuser",
Ssh = new AzureNative.ContainerService.Inputs.ContainerServiceSshConfigurationArgs
{
PublicKeys = new[]
{
new AzureNative.ContainerService.Inputs.ContainerServiceSshPublicKeyArgs
{
KeyData = "keydata",
},
},
},
},
Location = "location1",
NetworkProfile = new AzureNative.ContainerService.Inputs.ContainerServiceNetworkProfileArgs
{
LoadBalancerSku = AzureNative.ContainerService.LoadBalancerSku.Standard,
NatGatewayProfile = new AzureNative.ContainerService.Inputs.ManagedClusterNATGatewayProfileArgs
{
ManagedOutboundIPProfile = new AzureNative.ContainerService.Inputs.ManagedClusterManagedOutboundIPProfileArgs
{
Count = 2,
},
},
OutboundType = AzureNative.ContainerService.OutboundType.ManagedNATGateway,
},
ResourceGroupName = "rg1",
ResourceName = "clustername1",
ServicePrincipalProfile = new AzureNative.ContainerService.Inputs.ManagedClusterServicePrincipalProfileArgs
{
ClientId = "clientid",
Secret = "secret",
},
Sku = new AzureNative.ContainerService.Inputs.ManagedClusterSKUArgs
{
Name = "Basic",
Tier = AzureNative.ContainerService.ManagedClusterSKUTier.Free,
},
Tags =
{
{ "archv2", "" },
{ "tier", "production" },
},
WindowsProfile = new AzureNative.ContainerService.Inputs.ManagedClusterWindowsProfileArgs
{
AdminPassword = "replacePassword1234$",
AdminUsername = "azureuser",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerservice.ManagedCluster;
import com.pulumi.azurenative.containerservice.ManagedClusterArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterAgentPoolProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterPropertiesAutoScalerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceLinuxProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceSshConfigurationArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceNetworkProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterNATGatewayProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterManagedOutboundIPProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterServicePrincipalProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSKUArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterWindowsProfileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var managedCluster = new ManagedCluster("managedCluster", ManagedClusterArgs.builder()
.addonProfiles(Map.ofEntries(
))
.agentPoolProfiles(ManagedClusterAgentPoolProfileArgs.builder()
.count(3)
.enableNodePublicIP(false)
.mode("System")
.name("nodepool1")
.osType("Linux")
.type("VirtualMachineScaleSets")
.vmSize("Standard_DS2_v2")
.build())
.autoScalerProfile(ManagedClusterPropertiesAutoScalerProfileArgs.builder()
.scaleDownDelayAfterAdd("15m")
.scanInterval("20s")
.build())
.diskEncryptionSetID("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des")
.dnsPrefix("dnsprefix1")
.enableRBAC(true)
.kubernetesVersion("")
.linuxProfile(ContainerServiceLinuxProfileArgs.builder()
.adminUsername("azureuser")
.ssh(ContainerServiceSshConfigurationArgs.builder()
.publicKeys(ContainerServiceSshPublicKeyArgs.builder()
.keyData("keydata")
.build())
.build())
.build())
.location("location1")
.networkProfile(ContainerServiceNetworkProfileArgs.builder()
.loadBalancerSku("standard")
.natGatewayProfile(ManagedClusterNATGatewayProfileArgs.builder()
.managedOutboundIPProfile(ManagedClusterManagedOutboundIPProfileArgs.builder()
.count(2)
.build())
.build())
.outboundType("managedNATGateway")
.build())
.resourceGroupName("rg1")
.resourceName("clustername1")
.servicePrincipalProfile(ManagedClusterServicePrincipalProfileArgs.builder()
.clientId("clientid")
.secret("secret")
.build())
.sku(ManagedClusterSKUArgs.builder()
.name("Basic")
.tier("Free")
.build())
.tags(Map.ofEntries(
Map.entry("archv2", ""),
Map.entry("tier", "production")
))
.windowsProfile(ManagedClusterWindowsProfileArgs.builder()
.adminPassword("replacePassword1234$")
.adminUsername("azureuser")
.build())
.build());
}
}
resources:
managedCluster:
type: azure-native:containerservice:ManagedCluster
properties:
addonProfiles: {}
agentPoolProfiles:
- count: 3
enableNodePublicIP: false
mode: System
name: nodepool1
osType: Linux
type: VirtualMachineScaleSets
vmSize: Standard_DS2_v2
autoScalerProfile:
scaleDownDelayAfterAdd: 15m
scanInterval: 20s
diskEncryptionSetID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des
dnsPrefix: dnsprefix1
enableRBAC: true
kubernetesVersion: ""
linuxProfile:
adminUsername: azureuser
ssh:
publicKeys:
- keyData: keydata
location: location1
networkProfile:
loadBalancerSku: standard
natGatewayProfile:
managedOutboundIPProfile:
count: 2
outboundType: managedNATGateway
resourceGroupName: rg1
resourceName: clustername1
servicePrincipalProfile:
clientId: clientid
secret: secret
sku:
name: Basic
tier: Free
tags:
archv2: ""
tier: production
windowsProfile:
adminPassword: replacePassword1234$
adminUsername: azureuser
The networkProfile sets outboundType to managedNATGateway, and natGatewayProfile defines the number of managed outbound IPs. This configuration provides stable egress IPs without managing a separate NAT gateway resource.
Configure HTTP proxy for restricted networks
Clusters in corporate networks often require HTTP proxies to reach Azure services and container registries.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const managedCluster = new azure_native.containerservice.ManagedCluster("managedCluster", {
addonProfiles: {},
agentPoolProfiles: [{
count: 3,
enableNodePublicIP: true,
mode: azure_native.containerservice.AgentPoolMode.System,
name: "nodepool1",
osType: azure_native.containerservice.OSType.Linux,
type: azure_native.containerservice.AgentPoolType.VirtualMachineScaleSets,
vmSize: "Standard_DS2_v2",
}],
autoScalerProfile: {
scaleDownDelayAfterAdd: "15m",
scanInterval: "20s",
},
diskEncryptionSetID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
dnsPrefix: "dnsprefix1",
enableRBAC: true,
httpProxyConfig: {
httpProxy: "http://myproxy.server.com:8080",
httpsProxy: "https://myproxy.server.com:8080",
noProxy: [
"localhost",
"127.0.0.1",
],
trustedCa: "Q29uZ3JhdHMhIFlvdSBoYXZlIGZvdW5kIGEgaGlkZGVuIG1lc3NhZ2U=",
},
kubernetesVersion: "",
linuxProfile: {
adminUsername: "azureuser",
ssh: {
publicKeys: [{
keyData: "keydata",
}],
},
},
location: "location1",
networkProfile: {
loadBalancerProfile: {
managedOutboundIPs: {
count: 2,
},
},
loadBalancerSku: azure_native.containerservice.LoadBalancerSku.Standard,
outboundType: azure_native.containerservice.OutboundType.LoadBalancer,
},
resourceGroupName: "rg1",
resourceName: "clustername1",
servicePrincipalProfile: {
clientId: "clientid",
secret: "secret",
},
sku: {
name: "Basic",
tier: azure_native.containerservice.ManagedClusterSKUTier.Free,
},
tags: {
archv2: "",
tier: "production",
},
windowsProfile: {
adminPassword: "replacePassword1234$",
adminUsername: "azureuser",
},
});
import pulumi
import pulumi_azure_native as azure_native
managed_cluster = azure_native.containerservice.ManagedCluster("managedCluster",
addon_profiles={},
agent_pool_profiles=[{
"count": 3,
"enable_node_public_ip": True,
"mode": azure_native.containerservice.AgentPoolMode.SYSTEM,
"name": "nodepool1",
"os_type": azure_native.containerservice.OSType.LINUX,
"type": azure_native.containerservice.AgentPoolType.VIRTUAL_MACHINE_SCALE_SETS,
"vm_size": "Standard_DS2_v2",
}],
auto_scaler_profile={
"scale_down_delay_after_add": "15m",
"scan_interval": "20s",
},
disk_encryption_set_id="/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
dns_prefix="dnsprefix1",
enable_rbac=True,
http_proxy_config={
"http_proxy": "http://myproxy.server.com:8080",
"https_proxy": "https://myproxy.server.com:8080",
"no_proxy": [
"localhost",
"127.0.0.1",
],
"trusted_ca": "Q29uZ3JhdHMhIFlvdSBoYXZlIGZvdW5kIGEgaGlkZGVuIG1lc3NhZ2U=",
},
kubernetes_version="",
linux_profile={
"admin_username": "azureuser",
"ssh": {
"public_keys": [{
"key_data": "keydata",
}],
},
},
location="location1",
network_profile={
"load_balancer_profile": {
"managed_outbound_ips": {
"count": 2,
},
},
"load_balancer_sku": azure_native.containerservice.LoadBalancerSku.STANDARD,
"outbound_type": azure_native.containerservice.OutboundType.LOAD_BALANCER,
},
resource_group_name="rg1",
resource_name_="clustername1",
service_principal_profile={
"client_id": "clientid",
"secret": "secret",
},
sku={
"name": "Basic",
"tier": azure_native.containerservice.ManagedClusterSKUTier.FREE,
},
tags={
"archv2": "",
"tier": "production",
},
windows_profile={
"admin_password": "replacePassword1234$",
"admin_username": "azureuser",
})
package main
import (
containerservice "github.com/pulumi/pulumi-azure-native-sdk/containerservice/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerservice.NewManagedCluster(ctx, "managedCluster", &containerservice.ManagedClusterArgs{
AddonProfiles: containerservice.ManagedClusterAddonProfileMap{},
AgentPoolProfiles: containerservice.ManagedClusterAgentPoolProfileArray{
&containerservice.ManagedClusterAgentPoolProfileArgs{
Count: pulumi.Int(3),
EnableNodePublicIP: pulumi.Bool(true),
Mode: pulumi.String(containerservice.AgentPoolModeSystem),
Name: pulumi.String("nodepool1"),
OsType: pulumi.String(containerservice.OSTypeLinux),
Type: pulumi.String(containerservice.AgentPoolTypeVirtualMachineScaleSets),
VmSize: pulumi.String("Standard_DS2_v2"),
},
},
AutoScalerProfile: &containerservice.ManagedClusterPropertiesAutoScalerProfileArgs{
ScaleDownDelayAfterAdd: pulumi.String("15m"),
ScanInterval: pulumi.String("20s"),
},
DiskEncryptionSetID: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des"),
DnsPrefix: pulumi.String("dnsprefix1"),
EnableRBAC: pulumi.Bool(true),
HttpProxyConfig: &containerservice.ManagedClusterHTTPProxyConfigArgs{
HttpProxy: pulumi.String("http://myproxy.server.com:8080"),
HttpsProxy: pulumi.String("https://myproxy.server.com:8080"),
NoProxy: pulumi.StringArray{
pulumi.String("localhost"),
pulumi.String("127.0.0.1"),
},
TrustedCa: pulumi.String("Q29uZ3JhdHMhIFlvdSBoYXZlIGZvdW5kIGEgaGlkZGVuIG1lc3NhZ2U="),
},
KubernetesVersion: pulumi.String(""),
LinuxProfile: &containerservice.ContainerServiceLinuxProfileArgs{
AdminUsername: pulumi.String("azureuser"),
Ssh: &containerservice.ContainerServiceSshConfigurationArgs{
PublicKeys: containerservice.ContainerServiceSshPublicKeyArray{
&containerservice.ContainerServiceSshPublicKeyArgs{
KeyData: pulumi.String("keydata"),
},
},
},
},
Location: pulumi.String("location1"),
NetworkProfile: &containerservice.ContainerServiceNetworkProfileArgs{
LoadBalancerProfile: &containerservice.ManagedClusterLoadBalancerProfileArgs{
ManagedOutboundIPs: &containerservice.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs{
Count: pulumi.Int(2),
},
},
LoadBalancerSku: pulumi.String(containerservice.LoadBalancerSkuStandard),
OutboundType: pulumi.String(containerservice.OutboundTypeLoadBalancer),
},
ResourceGroupName: pulumi.String("rg1"),
ResourceName: pulumi.String("clustername1"),
ServicePrincipalProfile: &containerservice.ManagedClusterServicePrincipalProfileArgs{
ClientId: pulumi.String("clientid"),
Secret: pulumi.String("secret"),
},
Sku: &containerservice.ManagedClusterSKUArgs{
Name: pulumi.String("Basic"),
Tier: pulumi.String(containerservice.ManagedClusterSKUTierFree),
},
Tags: pulumi.StringMap{
"archv2": pulumi.String(""),
"tier": pulumi.String("production"),
},
WindowsProfile: &containerservice.ManagedClusterWindowsProfileArgs{
AdminPassword: pulumi.String("replacePassword1234$"),
AdminUsername: pulumi.String("azureuser"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var managedCluster = new AzureNative.ContainerService.ManagedCluster("managedCluster", new()
{
AddonProfiles = null,
AgentPoolProfiles = new[]
{
new AzureNative.ContainerService.Inputs.ManagedClusterAgentPoolProfileArgs
{
Count = 3,
EnableNodePublicIP = true,
Mode = AzureNative.ContainerService.AgentPoolMode.System,
Name = "nodepool1",
OsType = AzureNative.ContainerService.OSType.Linux,
Type = AzureNative.ContainerService.AgentPoolType.VirtualMachineScaleSets,
VmSize = "Standard_DS2_v2",
},
},
AutoScalerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterPropertiesAutoScalerProfileArgs
{
ScaleDownDelayAfterAdd = "15m",
ScanInterval = "20s",
},
DiskEncryptionSetID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
DnsPrefix = "dnsprefix1",
EnableRBAC = true,
HttpProxyConfig = new AzureNative.ContainerService.Inputs.ManagedClusterHTTPProxyConfigArgs
{
HttpProxy = "http://myproxy.server.com:8080",
HttpsProxy = "https://myproxy.server.com:8080",
NoProxy = new[]
{
"localhost",
"127.0.0.1",
},
TrustedCa = "Q29uZ3JhdHMhIFlvdSBoYXZlIGZvdW5kIGEgaGlkZGVuIG1lc3NhZ2U=",
},
KubernetesVersion = "",
LinuxProfile = new AzureNative.ContainerService.Inputs.ContainerServiceLinuxProfileArgs
{
AdminUsername = "azureuser",
Ssh = new AzureNative.ContainerService.Inputs.ContainerServiceSshConfigurationArgs
{
PublicKeys = new[]
{
new AzureNative.ContainerService.Inputs.ContainerServiceSshPublicKeyArgs
{
KeyData = "keydata",
},
},
},
},
Location = "location1",
NetworkProfile = new AzureNative.ContainerService.Inputs.ContainerServiceNetworkProfileArgs
{
LoadBalancerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileArgs
{
ManagedOutboundIPs = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs
{
Count = 2,
},
},
LoadBalancerSku = AzureNative.ContainerService.LoadBalancerSku.Standard,
OutboundType = AzureNative.ContainerService.OutboundType.LoadBalancer,
},
ResourceGroupName = "rg1",
ResourceName = "clustername1",
ServicePrincipalProfile = new AzureNative.ContainerService.Inputs.ManagedClusterServicePrincipalProfileArgs
{
ClientId = "clientid",
Secret = "secret",
},
Sku = new AzureNative.ContainerService.Inputs.ManagedClusterSKUArgs
{
Name = "Basic",
Tier = AzureNative.ContainerService.ManagedClusterSKUTier.Free,
},
Tags =
{
{ "archv2", "" },
{ "tier", "production" },
},
WindowsProfile = new AzureNative.ContainerService.Inputs.ManagedClusterWindowsProfileArgs
{
AdminPassword = "replacePassword1234$",
AdminUsername = "azureuser",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerservice.ManagedCluster;
import com.pulumi.azurenative.containerservice.ManagedClusterArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterAgentPoolProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterPropertiesAutoScalerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterHTTPProxyConfigArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceLinuxProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceSshConfigurationArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceNetworkProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterServicePrincipalProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSKUArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterWindowsProfileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var managedCluster = new ManagedCluster("managedCluster", ManagedClusterArgs.builder()
.addonProfiles(Map.ofEntries(
))
.agentPoolProfiles(ManagedClusterAgentPoolProfileArgs.builder()
.count(3)
.enableNodePublicIP(true)
.mode("System")
.name("nodepool1")
.osType("Linux")
.type("VirtualMachineScaleSets")
.vmSize("Standard_DS2_v2")
.build())
.autoScalerProfile(ManagedClusterPropertiesAutoScalerProfileArgs.builder()
.scaleDownDelayAfterAdd("15m")
.scanInterval("20s")
.build())
.diskEncryptionSetID("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des")
.dnsPrefix("dnsprefix1")
.enableRBAC(true)
.httpProxyConfig(ManagedClusterHTTPProxyConfigArgs.builder()
.httpProxy("http://myproxy.server.com:8080")
.httpsProxy("https://myproxy.server.com:8080")
.noProxy(
"localhost",
"127.0.0.1")
.trustedCa("Q29uZ3JhdHMhIFlvdSBoYXZlIGZvdW5kIGEgaGlkZGVuIG1lc3NhZ2U=")
.build())
.kubernetesVersion("")
.linuxProfile(ContainerServiceLinuxProfileArgs.builder()
.adminUsername("azureuser")
.ssh(ContainerServiceSshConfigurationArgs.builder()
.publicKeys(ContainerServiceSshPublicKeyArgs.builder()
.keyData("keydata")
.build())
.build())
.build())
.location("location1")
.networkProfile(ContainerServiceNetworkProfileArgs.builder()
.loadBalancerProfile(ManagedClusterLoadBalancerProfileArgs.builder()
.managedOutboundIPs(ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs.builder()
.count(2)
.build())
.build())
.loadBalancerSku("standard")
.outboundType("loadBalancer")
.build())
.resourceGroupName("rg1")
.resourceName("clustername1")
.servicePrincipalProfile(ManagedClusterServicePrincipalProfileArgs.builder()
.clientId("clientid")
.secret("secret")
.build())
.sku(ManagedClusterSKUArgs.builder()
.name("Basic")
.tier("Free")
.build())
.tags(Map.ofEntries(
Map.entry("archv2", ""),
Map.entry("tier", "production")
))
.windowsProfile(ManagedClusterWindowsProfileArgs.builder()
.adminPassword("replacePassword1234$")
.adminUsername("azureuser")
.build())
.build());
}
}
resources:
managedCluster:
type: azure-native:containerservice:ManagedCluster
properties:
addonProfiles: {}
agentPoolProfiles:
- count: 3
enableNodePublicIP: true
mode: System
name: nodepool1
osType: Linux
type: VirtualMachineScaleSets
vmSize: Standard_DS2_v2
autoScalerProfile:
scaleDownDelayAfterAdd: 15m
scanInterval: 20s
diskEncryptionSetID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des
dnsPrefix: dnsprefix1
enableRBAC: true
httpProxyConfig:
httpProxy: http://myproxy.server.com:8080
httpsProxy: https://myproxy.server.com:8080
noProxy:
- localhost
- 127.0.0.1
trustedCa: Q29uZ3JhdHMhIFlvdSBoYXZlIGZvdW5kIGEgaGlkZGVuIG1lc3NhZ2U=
kubernetesVersion: ""
linuxProfile:
adminUsername: azureuser
ssh:
publicKeys:
- keyData: keydata
location: location1
networkProfile:
loadBalancerProfile:
managedOutboundIPs:
count: 2
loadBalancerSku: standard
outboundType: loadBalancer
resourceGroupName: rg1
resourceName: clustername1
servicePrincipalProfile:
clientId: clientid
secret: secret
sku:
name: Basic
tier: Free
tags:
archv2: ""
tier: production
windowsProfile:
adminPassword: replacePassword1234$
adminUsername: azureuser
The httpProxyConfig property defines proxy endpoints for HTTP and HTTPS traffic. The noProxy list excludes localhost and internal addresses, and trustedCa provides a base64-encoded certificate for proxy trust validation.
Disable RunCommand for compliance requirements
Security policies may require disabling direct command execution on cluster nodes to enforce audit trails and access controls.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const managedCluster = new azure_native.containerservice.ManagedCluster("managedCluster", {
addonProfiles: {},
agentPoolProfiles: [{
count: 3,
enableEncryptionAtHost: true,
enableNodePublicIP: true,
mode: azure_native.containerservice.AgentPoolMode.System,
name: "nodepool1",
osType: azure_native.containerservice.OSType.Linux,
type: azure_native.containerservice.AgentPoolType.VirtualMachineScaleSets,
vmSize: "Standard_DS2_v2",
}],
apiServerAccessProfile: {
disableRunCommand: true,
},
autoScalerProfile: {
scaleDownDelayAfterAdd: "15m",
scanInterval: "20s",
},
dnsPrefix: "dnsprefix1",
enableRBAC: true,
kubernetesVersion: "",
linuxProfile: {
adminUsername: "azureuser",
ssh: {
publicKeys: [{
keyData: "keydata",
}],
},
},
location: "location1",
networkProfile: {
loadBalancerProfile: {
managedOutboundIPs: {
count: 2,
},
},
loadBalancerSku: azure_native.containerservice.LoadBalancerSku.Standard,
outboundType: azure_native.containerservice.OutboundType.LoadBalancer,
},
resourceGroupName: "rg1",
resourceName: "clustername1",
servicePrincipalProfile: {
clientId: "clientid",
secret: "secret",
},
sku: {
name: "Basic",
tier: azure_native.containerservice.ManagedClusterSKUTier.Free,
},
tags: {
archv2: "",
tier: "production",
},
windowsProfile: {
adminPassword: "replacePassword1234$",
adminUsername: "azureuser",
},
});
import pulumi
import pulumi_azure_native as azure_native
managed_cluster = azure_native.containerservice.ManagedCluster("managedCluster",
addon_profiles={},
agent_pool_profiles=[{
"count": 3,
"enable_encryption_at_host": True,
"enable_node_public_ip": True,
"mode": azure_native.containerservice.AgentPoolMode.SYSTEM,
"name": "nodepool1",
"os_type": azure_native.containerservice.OSType.LINUX,
"type": azure_native.containerservice.AgentPoolType.VIRTUAL_MACHINE_SCALE_SETS,
"vm_size": "Standard_DS2_v2",
}],
api_server_access_profile={
"disable_run_command": True,
},
auto_scaler_profile={
"scale_down_delay_after_add": "15m",
"scan_interval": "20s",
},
dns_prefix="dnsprefix1",
enable_rbac=True,
kubernetes_version="",
linux_profile={
"admin_username": "azureuser",
"ssh": {
"public_keys": [{
"key_data": "keydata",
}],
},
},
location="location1",
network_profile={
"load_balancer_profile": {
"managed_outbound_ips": {
"count": 2,
},
},
"load_balancer_sku": azure_native.containerservice.LoadBalancerSku.STANDARD,
"outbound_type": azure_native.containerservice.OutboundType.LOAD_BALANCER,
},
resource_group_name="rg1",
resource_name_="clustername1",
service_principal_profile={
"client_id": "clientid",
"secret": "secret",
},
sku={
"name": "Basic",
"tier": azure_native.containerservice.ManagedClusterSKUTier.FREE,
},
tags={
"archv2": "",
"tier": "production",
},
windows_profile={
"admin_password": "replacePassword1234$",
"admin_username": "azureuser",
})
package main
import (
containerservice "github.com/pulumi/pulumi-azure-native-sdk/containerservice/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerservice.NewManagedCluster(ctx, "managedCluster", &containerservice.ManagedClusterArgs{
AddonProfiles: containerservice.ManagedClusterAddonProfileMap{},
AgentPoolProfiles: containerservice.ManagedClusterAgentPoolProfileArray{
&containerservice.ManagedClusterAgentPoolProfileArgs{
Count: pulumi.Int(3),
EnableEncryptionAtHost: pulumi.Bool(true),
EnableNodePublicIP: pulumi.Bool(true),
Mode: pulumi.String(containerservice.AgentPoolModeSystem),
Name: pulumi.String("nodepool1"),
OsType: pulumi.String(containerservice.OSTypeLinux),
Type: pulumi.String(containerservice.AgentPoolTypeVirtualMachineScaleSets),
VmSize: pulumi.String("Standard_DS2_v2"),
},
},
ApiServerAccessProfile: &containerservice.ManagedClusterAPIServerAccessProfileArgs{
DisableRunCommand: pulumi.Bool(true),
},
AutoScalerProfile: &containerservice.ManagedClusterPropertiesAutoScalerProfileArgs{
ScaleDownDelayAfterAdd: pulumi.String("15m"),
ScanInterval: pulumi.String("20s"),
},
DnsPrefix: pulumi.String("dnsprefix1"),
EnableRBAC: pulumi.Bool(true),
KubernetesVersion: pulumi.String(""),
LinuxProfile: &containerservice.ContainerServiceLinuxProfileArgs{
AdminUsername: pulumi.String("azureuser"),
Ssh: &containerservice.ContainerServiceSshConfigurationArgs{
PublicKeys: containerservice.ContainerServiceSshPublicKeyArray{
&containerservice.ContainerServiceSshPublicKeyArgs{
KeyData: pulumi.String("keydata"),
},
},
},
},
Location: pulumi.String("location1"),
NetworkProfile: &containerservice.ContainerServiceNetworkProfileArgs{
LoadBalancerProfile: &containerservice.ManagedClusterLoadBalancerProfileArgs{
ManagedOutboundIPs: &containerservice.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs{
Count: pulumi.Int(2),
},
},
LoadBalancerSku: pulumi.String(containerservice.LoadBalancerSkuStandard),
OutboundType: pulumi.String(containerservice.OutboundTypeLoadBalancer),
},
ResourceGroupName: pulumi.String("rg1"),
ResourceName: pulumi.String("clustername1"),
ServicePrincipalProfile: &containerservice.ManagedClusterServicePrincipalProfileArgs{
ClientId: pulumi.String("clientid"),
Secret: pulumi.String("secret"),
},
Sku: &containerservice.ManagedClusterSKUArgs{
Name: pulumi.String("Basic"),
Tier: pulumi.String(containerservice.ManagedClusterSKUTierFree),
},
Tags: pulumi.StringMap{
"archv2": pulumi.String(""),
"tier": pulumi.String("production"),
},
WindowsProfile: &containerservice.ManagedClusterWindowsProfileArgs{
AdminPassword: pulumi.String("replacePassword1234$"),
AdminUsername: pulumi.String("azureuser"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var managedCluster = new AzureNative.ContainerService.ManagedCluster("managedCluster", new()
{
AddonProfiles = null,
AgentPoolProfiles = new[]
{
new AzureNative.ContainerService.Inputs.ManagedClusterAgentPoolProfileArgs
{
Count = 3,
EnableEncryptionAtHost = true,
EnableNodePublicIP = true,
Mode = AzureNative.ContainerService.AgentPoolMode.System,
Name = "nodepool1",
OsType = AzureNative.ContainerService.OSType.Linux,
Type = AzureNative.ContainerService.AgentPoolType.VirtualMachineScaleSets,
VmSize = "Standard_DS2_v2",
},
},
ApiServerAccessProfile = new AzureNative.ContainerService.Inputs.ManagedClusterAPIServerAccessProfileArgs
{
DisableRunCommand = true,
},
AutoScalerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterPropertiesAutoScalerProfileArgs
{
ScaleDownDelayAfterAdd = "15m",
ScanInterval = "20s",
},
DnsPrefix = "dnsprefix1",
EnableRBAC = true,
KubernetesVersion = "",
LinuxProfile = new AzureNative.ContainerService.Inputs.ContainerServiceLinuxProfileArgs
{
AdminUsername = "azureuser",
Ssh = new AzureNative.ContainerService.Inputs.ContainerServiceSshConfigurationArgs
{
PublicKeys = new[]
{
new AzureNative.ContainerService.Inputs.ContainerServiceSshPublicKeyArgs
{
KeyData = "keydata",
},
},
},
},
Location = "location1",
NetworkProfile = new AzureNative.ContainerService.Inputs.ContainerServiceNetworkProfileArgs
{
LoadBalancerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileArgs
{
ManagedOutboundIPs = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs
{
Count = 2,
},
},
LoadBalancerSku = AzureNative.ContainerService.LoadBalancerSku.Standard,
OutboundType = AzureNative.ContainerService.OutboundType.LoadBalancer,
},
ResourceGroupName = "rg1",
ResourceName = "clustername1",
ServicePrincipalProfile = new AzureNative.ContainerService.Inputs.ManagedClusterServicePrincipalProfileArgs
{
ClientId = "clientid",
Secret = "secret",
},
Sku = new AzureNative.ContainerService.Inputs.ManagedClusterSKUArgs
{
Name = "Basic",
Tier = AzureNative.ContainerService.ManagedClusterSKUTier.Free,
},
Tags =
{
{ "archv2", "" },
{ "tier", "production" },
},
WindowsProfile = new AzureNative.ContainerService.Inputs.ManagedClusterWindowsProfileArgs
{
AdminPassword = "replacePassword1234$",
AdminUsername = "azureuser",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerservice.ManagedCluster;
import com.pulumi.azurenative.containerservice.ManagedClusterArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterAgentPoolProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterAPIServerAccessProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterPropertiesAutoScalerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceLinuxProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceSshConfigurationArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceNetworkProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterServicePrincipalProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSKUArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterWindowsProfileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var managedCluster = new ManagedCluster("managedCluster", ManagedClusterArgs.builder()
.addonProfiles(Map.ofEntries(
))
.agentPoolProfiles(ManagedClusterAgentPoolProfileArgs.builder()
.count(3)
.enableEncryptionAtHost(true)
.enableNodePublicIP(true)
.mode("System")
.name("nodepool1")
.osType("Linux")
.type("VirtualMachineScaleSets")
.vmSize("Standard_DS2_v2")
.build())
.apiServerAccessProfile(ManagedClusterAPIServerAccessProfileArgs.builder()
.disableRunCommand(true)
.build())
.autoScalerProfile(ManagedClusterPropertiesAutoScalerProfileArgs.builder()
.scaleDownDelayAfterAdd("15m")
.scanInterval("20s")
.build())
.dnsPrefix("dnsprefix1")
.enableRBAC(true)
.kubernetesVersion("")
.linuxProfile(ContainerServiceLinuxProfileArgs.builder()
.adminUsername("azureuser")
.ssh(ContainerServiceSshConfigurationArgs.builder()
.publicKeys(ContainerServiceSshPublicKeyArgs.builder()
.keyData("keydata")
.build())
.build())
.build())
.location("location1")
.networkProfile(ContainerServiceNetworkProfileArgs.builder()
.loadBalancerProfile(ManagedClusterLoadBalancerProfileArgs.builder()
.managedOutboundIPs(ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs.builder()
.count(2)
.build())
.build())
.loadBalancerSku("standard")
.outboundType("loadBalancer")
.build())
.resourceGroupName("rg1")
.resourceName("clustername1")
.servicePrincipalProfile(ManagedClusterServicePrincipalProfileArgs.builder()
.clientId("clientid")
.secret("secret")
.build())
.sku(ManagedClusterSKUArgs.builder()
.name("Basic")
.tier("Free")
.build())
.tags(Map.ofEntries(
Map.entry("archv2", ""),
Map.entry("tier", "production")
))
.windowsProfile(ManagedClusterWindowsProfileArgs.builder()
.adminPassword("replacePassword1234$")
.adminUsername("azureuser")
.build())
.build());
}
}
resources:
managedCluster:
type: azure-native:containerservice:ManagedCluster
properties:
addonProfiles: {}
agentPoolProfiles:
- count: 3
enableEncryptionAtHost: true
enableNodePublicIP: true
mode: System
name: nodepool1
osType: Linux
type: VirtualMachineScaleSets
vmSize: Standard_DS2_v2
apiServerAccessProfile:
disableRunCommand: true
autoScalerProfile:
scaleDownDelayAfterAdd: 15m
scanInterval: 20s
dnsPrefix: dnsprefix1
enableRBAC: true
kubernetesVersion: ""
linuxProfile:
adminUsername: azureuser
ssh:
publicKeys:
- keyData: keydata
location: location1
networkProfile:
loadBalancerProfile:
managedOutboundIPs:
count: 2
loadBalancerSku: standard
outboundType: loadBalancer
resourceGroupName: rg1
resourceName: clustername1
servicePrincipalProfile:
clientId: clientid
secret: secret
sku:
name: Basic
tier: Free
tags:
archv2: ""
tier: production
windowsProfile:
adminPassword: replacePassword1234$
adminUsername: azureuser
The apiServerAccessProfile sets disableRunCommand to true, blocking kubectl exec and Azure RunCommand. This enforces that all node access goes through audited channels rather than direct command execution.
Enable Defender and workload identity
Production clusters often enable Microsoft Defender for threat detection and workload identity for pod-level Azure authentication.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const managedCluster = new azure_native.containerservice.ManagedCluster("managedCluster", {
agentPoolProfiles: [{
count: 3,
enableNodePublicIP: true,
mode: azure_native.containerservice.AgentPoolMode.System,
name: "nodepool1",
osType: azure_native.containerservice.OSType.Linux,
type: azure_native.containerservice.AgentPoolType.VirtualMachineScaleSets,
vmSize: "Standard_DS2_v2",
}],
dnsPrefix: "dnsprefix1",
kubernetesVersion: "",
linuxProfile: {
adminUsername: "azureuser",
ssh: {
publicKeys: [{
keyData: "keydata",
}],
},
},
location: "location1",
networkProfile: {
loadBalancerProfile: {
managedOutboundIPs: {
count: 2,
},
},
loadBalancerSku: azure_native.containerservice.LoadBalancerSku.Standard,
outboundType: azure_native.containerservice.OutboundType.LoadBalancer,
},
resourceGroupName: "rg1",
resourceName: "clustername1",
securityProfile: {
defender: {
logAnalyticsWorkspaceResourceId: "/subscriptions/SUB_ID/resourcegroups/RG_NAME/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME",
securityMonitoring: {
enabled: true,
},
},
workloadIdentity: {
enabled: true,
},
},
sku: {
name: "Basic",
tier: azure_native.containerservice.ManagedClusterSKUTier.Free,
},
tags: {
archv2: "",
tier: "production",
},
});
import pulumi
import pulumi_azure_native as azure_native
managed_cluster = azure_native.containerservice.ManagedCluster("managedCluster",
agent_pool_profiles=[{
"count": 3,
"enable_node_public_ip": True,
"mode": azure_native.containerservice.AgentPoolMode.SYSTEM,
"name": "nodepool1",
"os_type": azure_native.containerservice.OSType.LINUX,
"type": azure_native.containerservice.AgentPoolType.VIRTUAL_MACHINE_SCALE_SETS,
"vm_size": "Standard_DS2_v2",
}],
dns_prefix="dnsprefix1",
kubernetes_version="",
linux_profile={
"admin_username": "azureuser",
"ssh": {
"public_keys": [{
"key_data": "keydata",
}],
},
},
location="location1",
network_profile={
"load_balancer_profile": {
"managed_outbound_ips": {
"count": 2,
},
},
"load_balancer_sku": azure_native.containerservice.LoadBalancerSku.STANDARD,
"outbound_type": azure_native.containerservice.OutboundType.LOAD_BALANCER,
},
resource_group_name="rg1",
resource_name_="clustername1",
security_profile={
"defender": {
"log_analytics_workspace_resource_id": "/subscriptions/SUB_ID/resourcegroups/RG_NAME/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME",
"security_monitoring": {
"enabled": True,
},
},
"workload_identity": {
"enabled": True,
},
},
sku={
"name": "Basic",
"tier": azure_native.containerservice.ManagedClusterSKUTier.FREE,
},
tags={
"archv2": "",
"tier": "production",
})
package main
import (
containerservice "github.com/pulumi/pulumi-azure-native-sdk/containerservice/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerservice.NewManagedCluster(ctx, "managedCluster", &containerservice.ManagedClusterArgs{
AgentPoolProfiles: containerservice.ManagedClusterAgentPoolProfileArray{
&containerservice.ManagedClusterAgentPoolProfileArgs{
Count: pulumi.Int(3),
EnableNodePublicIP: pulumi.Bool(true),
Mode: pulumi.String(containerservice.AgentPoolModeSystem),
Name: pulumi.String("nodepool1"),
OsType: pulumi.String(containerservice.OSTypeLinux),
Type: pulumi.String(containerservice.AgentPoolTypeVirtualMachineScaleSets),
VmSize: pulumi.String("Standard_DS2_v2"),
},
},
DnsPrefix: pulumi.String("dnsprefix1"),
KubernetesVersion: pulumi.String(""),
LinuxProfile: &containerservice.ContainerServiceLinuxProfileArgs{
AdminUsername: pulumi.String("azureuser"),
Ssh: &containerservice.ContainerServiceSshConfigurationArgs{
PublicKeys: containerservice.ContainerServiceSshPublicKeyArray{
&containerservice.ContainerServiceSshPublicKeyArgs{
KeyData: pulumi.String("keydata"),
},
},
},
},
Location: pulumi.String("location1"),
NetworkProfile: &containerservice.ContainerServiceNetworkProfileArgs{
LoadBalancerProfile: &containerservice.ManagedClusterLoadBalancerProfileArgs{
ManagedOutboundIPs: &containerservice.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs{
Count: pulumi.Int(2),
},
},
LoadBalancerSku: pulumi.String(containerservice.LoadBalancerSkuStandard),
OutboundType: pulumi.String(containerservice.OutboundTypeLoadBalancer),
},
ResourceGroupName: pulumi.String("rg1"),
ResourceName: pulumi.String("clustername1"),
SecurityProfile: &containerservice.ManagedClusterSecurityProfileArgs{
Defender: &containerservice.ManagedClusterSecurityProfileDefenderArgs{
LogAnalyticsWorkspaceResourceId: pulumi.String("/subscriptions/SUB_ID/resourcegroups/RG_NAME/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME"),
SecurityMonitoring: &containerservice.ManagedClusterSecurityProfileDefenderSecurityMonitoringArgs{
Enabled: pulumi.Bool(true),
},
},
WorkloadIdentity: &containerservice.ManagedClusterSecurityProfileWorkloadIdentityArgs{
Enabled: pulumi.Bool(true),
},
},
Sku: &containerservice.ManagedClusterSKUArgs{
Name: pulumi.String("Basic"),
Tier: pulumi.String(containerservice.ManagedClusterSKUTierFree),
},
Tags: pulumi.StringMap{
"archv2": pulumi.String(""),
"tier": pulumi.String("production"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var managedCluster = new AzureNative.ContainerService.ManagedCluster("managedCluster", new()
{
AgentPoolProfiles = new[]
{
new AzureNative.ContainerService.Inputs.ManagedClusterAgentPoolProfileArgs
{
Count = 3,
EnableNodePublicIP = true,
Mode = AzureNative.ContainerService.AgentPoolMode.System,
Name = "nodepool1",
OsType = AzureNative.ContainerService.OSType.Linux,
Type = AzureNative.ContainerService.AgentPoolType.VirtualMachineScaleSets,
VmSize = "Standard_DS2_v2",
},
},
DnsPrefix = "dnsprefix1",
KubernetesVersion = "",
LinuxProfile = new AzureNative.ContainerService.Inputs.ContainerServiceLinuxProfileArgs
{
AdminUsername = "azureuser",
Ssh = new AzureNative.ContainerService.Inputs.ContainerServiceSshConfigurationArgs
{
PublicKeys = new[]
{
new AzureNative.ContainerService.Inputs.ContainerServiceSshPublicKeyArgs
{
KeyData = "keydata",
},
},
},
},
Location = "location1",
NetworkProfile = new AzureNative.ContainerService.Inputs.ContainerServiceNetworkProfileArgs
{
LoadBalancerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileArgs
{
ManagedOutboundIPs = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs
{
Count = 2,
},
},
LoadBalancerSku = AzureNative.ContainerService.LoadBalancerSku.Standard,
OutboundType = AzureNative.ContainerService.OutboundType.LoadBalancer,
},
ResourceGroupName = "rg1",
ResourceName = "clustername1",
SecurityProfile = new AzureNative.ContainerService.Inputs.ManagedClusterSecurityProfileArgs
{
Defender = new AzureNative.ContainerService.Inputs.ManagedClusterSecurityProfileDefenderArgs
{
LogAnalyticsWorkspaceResourceId = "/subscriptions/SUB_ID/resourcegroups/RG_NAME/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME",
SecurityMonitoring = new AzureNative.ContainerService.Inputs.ManagedClusterSecurityProfileDefenderSecurityMonitoringArgs
{
Enabled = true,
},
},
WorkloadIdentity = new AzureNative.ContainerService.Inputs.ManagedClusterSecurityProfileWorkloadIdentityArgs
{
Enabled = true,
},
},
Sku = new AzureNative.ContainerService.Inputs.ManagedClusterSKUArgs
{
Name = "Basic",
Tier = AzureNative.ContainerService.ManagedClusterSKUTier.Free,
},
Tags =
{
{ "archv2", "" },
{ "tier", "production" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerservice.ManagedCluster;
import com.pulumi.azurenative.containerservice.ManagedClusterArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterAgentPoolProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceLinuxProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceSshConfigurationArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceNetworkProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSecurityProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSecurityProfileDefenderArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSecurityProfileDefenderSecurityMonitoringArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSecurityProfileWorkloadIdentityArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSKUArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var managedCluster = new ManagedCluster("managedCluster", ManagedClusterArgs.builder()
.agentPoolProfiles(ManagedClusterAgentPoolProfileArgs.builder()
.count(3)
.enableNodePublicIP(true)
.mode("System")
.name("nodepool1")
.osType("Linux")
.type("VirtualMachineScaleSets")
.vmSize("Standard_DS2_v2")
.build())
.dnsPrefix("dnsprefix1")
.kubernetesVersion("")
.linuxProfile(ContainerServiceLinuxProfileArgs.builder()
.adminUsername("azureuser")
.ssh(ContainerServiceSshConfigurationArgs.builder()
.publicKeys(ContainerServiceSshPublicKeyArgs.builder()
.keyData("keydata")
.build())
.build())
.build())
.location("location1")
.networkProfile(ContainerServiceNetworkProfileArgs.builder()
.loadBalancerProfile(ManagedClusterLoadBalancerProfileArgs.builder()
.managedOutboundIPs(ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs.builder()
.count(2)
.build())
.build())
.loadBalancerSku("standard")
.outboundType("loadBalancer")
.build())
.resourceGroupName("rg1")
.resourceName("clustername1")
.securityProfile(ManagedClusterSecurityProfileArgs.builder()
.defender(ManagedClusterSecurityProfileDefenderArgs.builder()
.logAnalyticsWorkspaceResourceId("/subscriptions/SUB_ID/resourcegroups/RG_NAME/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME")
.securityMonitoring(ManagedClusterSecurityProfileDefenderSecurityMonitoringArgs.builder()
.enabled(true)
.build())
.build())
.workloadIdentity(ManagedClusterSecurityProfileWorkloadIdentityArgs.builder()
.enabled(true)
.build())
.build())
.sku(ManagedClusterSKUArgs.builder()
.name("Basic")
.tier("Free")
.build())
.tags(Map.ofEntries(
Map.entry("archv2", ""),
Map.entry("tier", "production")
))
.build());
}
}
resources:
managedCluster:
type: azure-native:containerservice:ManagedCluster
properties:
agentPoolProfiles:
- count: 3
enableNodePublicIP: true
mode: System
name: nodepool1
osType: Linux
type: VirtualMachineScaleSets
vmSize: Standard_DS2_v2
dnsPrefix: dnsprefix1
kubernetesVersion: ""
linuxProfile:
adminUsername: azureuser
ssh:
publicKeys:
- keyData: keydata
location: location1
networkProfile:
loadBalancerProfile:
managedOutboundIPs:
count: 2
loadBalancerSku: standard
outboundType: loadBalancer
resourceGroupName: rg1
resourceName: clustername1
securityProfile:
defender:
logAnalyticsWorkspaceResourceId: /subscriptions/SUB_ID/resourcegroups/RG_NAME/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME
securityMonitoring:
enabled: true
workloadIdentity:
enabled: true
sku:
name: Basic
tier: Free
tags:
archv2: ""
tier: production
The securityProfile configures two features: defender enables security monitoring with a Log Analytics workspace, and workloadIdentity allows pods to authenticate to Azure services using managed identities. The logAnalyticsWorkspaceResourceId must reference an existing workspace.
Configure Azure RBAC for Kubernetes authorization
Teams using Azure Active Directory for cluster access can enable Azure RBAC to manage Kubernetes permissions through Azure role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const managedCluster = new azure_native.containerservice.ManagedCluster("managedCluster", {
aadProfile: {
enableAzureRBAC: true,
managed: true,
},
addonProfiles: {},
agentPoolProfiles: [{
availabilityZones: [
"1",
"2",
"3",
],
count: 3,
enableNodePublicIP: true,
mode: azure_native.containerservice.AgentPoolMode.System,
name: "nodepool1",
osType: azure_native.containerservice.OSType.Linux,
type: azure_native.containerservice.AgentPoolType.VirtualMachineScaleSets,
vmSize: "Standard_DS1_v2",
}],
autoScalerProfile: {
scaleDownDelayAfterAdd: "15m",
scanInterval: "20s",
},
diskEncryptionSetID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
dnsPrefix: "dnsprefix1",
enableRBAC: true,
kubernetesVersion: "",
linuxProfile: {
adminUsername: "azureuser",
ssh: {
publicKeys: [{
keyData: "keydata",
}],
},
},
location: "location1",
networkProfile: {
loadBalancerProfile: {
managedOutboundIPs: {
count: 2,
},
},
loadBalancerSku: azure_native.containerservice.LoadBalancerSku.Standard,
outboundType: azure_native.containerservice.OutboundType.LoadBalancer,
},
resourceGroupName: "rg1",
resourceName: "clustername1",
servicePrincipalProfile: {
clientId: "clientid",
secret: "secret",
},
sku: {
name: "Basic",
tier: azure_native.containerservice.ManagedClusterSKUTier.Free,
},
tags: {
archv2: "",
tier: "production",
},
windowsProfile: {
adminPassword: "replacePassword1234$",
adminUsername: "azureuser",
},
});
import pulumi
import pulumi_azure_native as azure_native
managed_cluster = azure_native.containerservice.ManagedCluster("managedCluster",
aad_profile={
"enable_azure_rbac": True,
"managed": True,
},
addon_profiles={},
agent_pool_profiles=[{
"availability_zones": [
"1",
"2",
"3",
],
"count": 3,
"enable_node_public_ip": True,
"mode": azure_native.containerservice.AgentPoolMode.SYSTEM,
"name": "nodepool1",
"os_type": azure_native.containerservice.OSType.LINUX,
"type": azure_native.containerservice.AgentPoolType.VIRTUAL_MACHINE_SCALE_SETS,
"vm_size": "Standard_DS1_v2",
}],
auto_scaler_profile={
"scale_down_delay_after_add": "15m",
"scan_interval": "20s",
},
disk_encryption_set_id="/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
dns_prefix="dnsprefix1",
enable_rbac=True,
kubernetes_version="",
linux_profile={
"admin_username": "azureuser",
"ssh": {
"public_keys": [{
"key_data": "keydata",
}],
},
},
location="location1",
network_profile={
"load_balancer_profile": {
"managed_outbound_ips": {
"count": 2,
},
},
"load_balancer_sku": azure_native.containerservice.LoadBalancerSku.STANDARD,
"outbound_type": azure_native.containerservice.OutboundType.LOAD_BALANCER,
},
resource_group_name="rg1",
resource_name_="clustername1",
service_principal_profile={
"client_id": "clientid",
"secret": "secret",
},
sku={
"name": "Basic",
"tier": azure_native.containerservice.ManagedClusterSKUTier.FREE,
},
tags={
"archv2": "",
"tier": "production",
},
windows_profile={
"admin_password": "replacePassword1234$",
"admin_username": "azureuser",
})
package main
import (
containerservice "github.com/pulumi/pulumi-azure-native-sdk/containerservice/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containerservice.NewManagedCluster(ctx, "managedCluster", &containerservice.ManagedClusterArgs{
AadProfile: &containerservice.ManagedClusterAADProfileArgs{
EnableAzureRBAC: pulumi.Bool(true),
Managed: pulumi.Bool(true),
},
AddonProfiles: containerservice.ManagedClusterAddonProfileMap{},
AgentPoolProfiles: containerservice.ManagedClusterAgentPoolProfileArray{
&containerservice.ManagedClusterAgentPoolProfileArgs{
AvailabilityZones: pulumi.StringArray{
pulumi.String("1"),
pulumi.String("2"),
pulumi.String("3"),
},
Count: pulumi.Int(3),
EnableNodePublicIP: pulumi.Bool(true),
Mode: pulumi.String(containerservice.AgentPoolModeSystem),
Name: pulumi.String("nodepool1"),
OsType: pulumi.String(containerservice.OSTypeLinux),
Type: pulumi.String(containerservice.AgentPoolTypeVirtualMachineScaleSets),
VmSize: pulumi.String("Standard_DS1_v2"),
},
},
AutoScalerProfile: &containerservice.ManagedClusterPropertiesAutoScalerProfileArgs{
ScaleDownDelayAfterAdd: pulumi.String("15m"),
ScanInterval: pulumi.String("20s"),
},
DiskEncryptionSetID: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des"),
DnsPrefix: pulumi.String("dnsprefix1"),
EnableRBAC: pulumi.Bool(true),
KubernetesVersion: pulumi.String(""),
LinuxProfile: &containerservice.ContainerServiceLinuxProfileArgs{
AdminUsername: pulumi.String("azureuser"),
Ssh: &containerservice.ContainerServiceSshConfigurationArgs{
PublicKeys: containerservice.ContainerServiceSshPublicKeyArray{
&containerservice.ContainerServiceSshPublicKeyArgs{
KeyData: pulumi.String("keydata"),
},
},
},
},
Location: pulumi.String("location1"),
NetworkProfile: &containerservice.ContainerServiceNetworkProfileArgs{
LoadBalancerProfile: &containerservice.ManagedClusterLoadBalancerProfileArgs{
ManagedOutboundIPs: &containerservice.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs{
Count: pulumi.Int(2),
},
},
LoadBalancerSku: pulumi.String(containerservice.LoadBalancerSkuStandard),
OutboundType: pulumi.String(containerservice.OutboundTypeLoadBalancer),
},
ResourceGroupName: pulumi.String("rg1"),
ResourceName: pulumi.String("clustername1"),
ServicePrincipalProfile: &containerservice.ManagedClusterServicePrincipalProfileArgs{
ClientId: pulumi.String("clientid"),
Secret: pulumi.String("secret"),
},
Sku: &containerservice.ManagedClusterSKUArgs{
Name: pulumi.String("Basic"),
Tier: pulumi.String(containerservice.ManagedClusterSKUTierFree),
},
Tags: pulumi.StringMap{
"archv2": pulumi.String(""),
"tier": pulumi.String("production"),
},
WindowsProfile: &containerservice.ManagedClusterWindowsProfileArgs{
AdminPassword: pulumi.String("replacePassword1234$"),
AdminUsername: pulumi.String("azureuser"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var managedCluster = new AzureNative.ContainerService.ManagedCluster("managedCluster", new()
{
AadProfile = new AzureNative.ContainerService.Inputs.ManagedClusterAADProfileArgs
{
EnableAzureRBAC = true,
Managed = true,
},
AddonProfiles = null,
AgentPoolProfiles = new[]
{
new AzureNative.ContainerService.Inputs.ManagedClusterAgentPoolProfileArgs
{
AvailabilityZones = new[]
{
"1",
"2",
"3",
},
Count = 3,
EnableNodePublicIP = true,
Mode = AzureNative.ContainerService.AgentPoolMode.System,
Name = "nodepool1",
OsType = AzureNative.ContainerService.OSType.Linux,
Type = AzureNative.ContainerService.AgentPoolType.VirtualMachineScaleSets,
VmSize = "Standard_DS1_v2",
},
},
AutoScalerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterPropertiesAutoScalerProfileArgs
{
ScaleDownDelayAfterAdd = "15m",
ScanInterval = "20s",
},
DiskEncryptionSetID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
DnsPrefix = "dnsprefix1",
EnableRBAC = true,
KubernetesVersion = "",
LinuxProfile = new AzureNative.ContainerService.Inputs.ContainerServiceLinuxProfileArgs
{
AdminUsername = "azureuser",
Ssh = new AzureNative.ContainerService.Inputs.ContainerServiceSshConfigurationArgs
{
PublicKeys = new[]
{
new AzureNative.ContainerService.Inputs.ContainerServiceSshPublicKeyArgs
{
KeyData = "keydata",
},
},
},
},
Location = "location1",
NetworkProfile = new AzureNative.ContainerService.Inputs.ContainerServiceNetworkProfileArgs
{
LoadBalancerProfile = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileArgs
{
ManagedOutboundIPs = new AzureNative.ContainerService.Inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs
{
Count = 2,
},
},
LoadBalancerSku = AzureNative.ContainerService.LoadBalancerSku.Standard,
OutboundType = AzureNative.ContainerService.OutboundType.LoadBalancer,
},
ResourceGroupName = "rg1",
ResourceName = "clustername1",
ServicePrincipalProfile = new AzureNative.ContainerService.Inputs.ManagedClusterServicePrincipalProfileArgs
{
ClientId = "clientid",
Secret = "secret",
},
Sku = new AzureNative.ContainerService.Inputs.ManagedClusterSKUArgs
{
Name = "Basic",
Tier = AzureNative.ContainerService.ManagedClusterSKUTier.Free,
},
Tags =
{
{ "archv2", "" },
{ "tier", "production" },
},
WindowsProfile = new AzureNative.ContainerService.Inputs.ManagedClusterWindowsProfileArgs
{
AdminPassword = "replacePassword1234$",
AdminUsername = "azureuser",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.containerservice.ManagedCluster;
import com.pulumi.azurenative.containerservice.ManagedClusterArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterAADProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterAgentPoolProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterPropertiesAutoScalerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceLinuxProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceSshConfigurationArgs;
import com.pulumi.azurenative.containerservice.inputs.ContainerServiceNetworkProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterServicePrincipalProfileArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterSKUArgs;
import com.pulumi.azurenative.containerservice.inputs.ManagedClusterWindowsProfileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var managedCluster = new ManagedCluster("managedCluster", ManagedClusterArgs.builder()
.aadProfile(ManagedClusterAADProfileArgs.builder()
.enableAzureRBAC(true)
.managed(true)
.build())
.addonProfiles(Map.ofEntries(
))
.agentPoolProfiles(ManagedClusterAgentPoolProfileArgs.builder()
.availabilityZones(
"1",
"2",
"3")
.count(3)
.enableNodePublicIP(true)
.mode("System")
.name("nodepool1")
.osType("Linux")
.type("VirtualMachineScaleSets")
.vmSize("Standard_DS1_v2")
.build())
.autoScalerProfile(ManagedClusterPropertiesAutoScalerProfileArgs.builder()
.scaleDownDelayAfterAdd("15m")
.scanInterval("20s")
.build())
.diskEncryptionSetID("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des")
.dnsPrefix("dnsprefix1")
.enableRBAC(true)
.kubernetesVersion("")
.linuxProfile(ContainerServiceLinuxProfileArgs.builder()
.adminUsername("azureuser")
.ssh(ContainerServiceSshConfigurationArgs.builder()
.publicKeys(ContainerServiceSshPublicKeyArgs.builder()
.keyData("keydata")
.build())
.build())
.build())
.location("location1")
.networkProfile(ContainerServiceNetworkProfileArgs.builder()
.loadBalancerProfile(ManagedClusterLoadBalancerProfileArgs.builder()
.managedOutboundIPs(ManagedClusterLoadBalancerProfileManagedOutboundIPsArgs.builder()
.count(2)
.build())
.build())
.loadBalancerSku("standard")
.outboundType("loadBalancer")
.build())
.resourceGroupName("rg1")
.resourceName("clustername1")
.servicePrincipalProfile(ManagedClusterServicePrincipalProfileArgs.builder()
.clientId("clientid")
.secret("secret")
.build())
.sku(ManagedClusterSKUArgs.builder()
.name("Basic")
.tier("Free")
.build())
.tags(Map.ofEntries(
Map.entry("archv2", ""),
Map.entry("tier", "production")
))
.windowsProfile(ManagedClusterWindowsProfileArgs.builder()
.adminPassword("replacePassword1234$")
.adminUsername("azureuser")
.build())
.build());
}
}
resources:
managedCluster:
type: azure-native:containerservice:ManagedCluster
properties:
aadProfile:
enableAzureRBAC: true
managed: true
addonProfiles: {}
agentPoolProfiles:
- availabilityZones:
- '1'
- '2'
- '3'
count: 3
enableNodePublicIP: true
mode: System
name: nodepool1
osType: Linux
type: VirtualMachineScaleSets
vmSize: Standard_DS1_v2
autoScalerProfile:
scaleDownDelayAfterAdd: 15m
scanInterval: 20s
diskEncryptionSetID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des
dnsPrefix: dnsprefix1
enableRBAC: true
kubernetesVersion: ""
linuxProfile:
adminUsername: azureuser
ssh:
publicKeys:
- keyData: keydata
location: location1
networkProfile:
loadBalancerProfile:
managedOutboundIPs:
count: 2
loadBalancerSku: standard
outboundType: loadBalancer
resourceGroupName: rg1
resourceName: clustername1
servicePrincipalProfile:
clientId: clientid
secret: secret
sku:
name: Basic
tier: Free
tags:
archv2: ""
tier: production
windowsProfile:
adminPassword: replacePassword1234$
adminUsername: azureuser
The aadProfile sets managed to true for AKS-managed Azure AD integration, and enableAzureRBAC allows Azure role assignments to control Kubernetes API access. This unifies Azure and Kubernetes authorization under a single RBAC model.
Beyond these examples
These snippets focus on specific cluster-level features: agent pool snapshots and node configuration, network egress (NAT gateway and HTTP proxy), security features (Defender, workload identity, and RunCommand), and Azure AD integration with RBAC. They’re intentionally minimal rather than full cluster deployments.
The examples may reference pre-existing infrastructure such as agent pool snapshots, NAT gateways or HTTP proxy servers, Log Analytics workspaces for Defender, Azure AD tenant and service principals, and disk encryption sets, Key Vaults, or capacity reservation groups. They focus on configuring the cluster rather than provisioning everything around it.
To keep things focused, common cluster patterns are omitted, including:
- Service mesh configuration (Istio components and certificates)
- Ingress profiles (Web App Routing with DNS zones)
- Node-level features (FIPS, EncryptionAtHost, UltraSSD, GPU partitioning)
- Specialized compute (dedicated host groups, proximity placement groups, capacity reservations)
- Private cluster configurations (private DNS zones, FQDN subdomains)
- Support plans and long-term support options
These omissions are intentional: the goal is to illustrate how each cluster feature is wired, not provide drop-in production modules. See the ManagedCluster resource reference for all available configuration options.
Let's deploy Azure Kubernetes Service Clusters
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Agent Pool Configuration
How do I modify the initial agent pool after cluster creation?
The agentPoolProfiles property cannot be updated directly after cluster creation. You have three options:
- Use the
AgentPoolresource to create additional agent pools - Use the
replaceOnChangesresource option to recreate the entire cluster - Modify the pool directly in Azure Portal, then run
pulumi refreshto sync state
Do I need to define agent pools at cluster creation?
Yes. You must define at least one agent pool inline via the
agentPoolProfiles property when creating a managed cluster. Additional pools can be added later using the AgentPool resource.Cluster Lifecycle & Updates
What properties can't be changed after cluster creation?
These properties are immutable:
location, dnsPrefix, fqdnSubdomain, nodeResourceGroup, diskEncryptionSetID, linuxProfile, windowsProfile, and networkProfile. Changing them requires recreating the cluster.Can I specify just the major.minor Kubernetes version?
Yes. When you specify
<major.minor> (e.g., 1.20), AKS automatically selects the latest supported GA patch version. Updating the cluster with the same <major.minor> won’t trigger an upgrade, even if a newer patch is available.Can I skip Kubernetes minor versions when upgrading?
No. All upgrades must be performed sequentially by major version number. For example, 1.14.x → 1.15.x → 1.16.x is required; you cannot skip from 1.14.x directly to 1.16.x.
Networking & Connectivity
What outbound connectivity options are available?
You can configure
LoadBalancer, ManagedNATGateway, or UserAssignedNATGateway as the outboundType in networkProfile. This setting is immutable after cluster creation.Can I have a private cluster that's still accessible from Azure Portal?
Yes. Set
enablePrivateCluster to true and enablePrivateClusterPublicFQDN to true in apiServerAccessProfile. This creates a special FQDN that supports CORS for Azure Portal access while keeping the cluster private.Support & Maintenance
What's the difference between standard support and Long-Term Support?
Set
supportPlan to AKSLongTermSupport for extended support duration. This requires the Premium SKU tier (sku.tier set to Premium). The default is KubernetesOfficial with standard support.