Azure · zhoxing-ms · Sep 2, 2021 · Aug 29, 2021 · Aug 30, 2021 · Aug 30, 2021
@@ -61,6 +61,12 @@ aks create:
     load_balancer_outbound_ports:
       rule_exclusions:
       - option_length_too_long
+    nat_gateway_idle_timeout:
+      rule_exclusions:
+      - option_length_too_long
+    nat_gateway_managed_outbound_ip_count:
+      rule_exclusions:
+      - option_length_too_long
     node_osdisk_diskencryptionset_id:
       rule_exclusions:
       - option_length_too_long
@@ -142,6 +148,12 @@ aks update:
     load_balancer_outbound_ports:
       rule_exclusions:
       - option_length_too_long
+    nat_gateway_idle_timeout:
+      rule_exclusions:
+      - option_length_too_long
+    nat_gateway_managed_outbound_ip_count:
+      rule_exclusions:
+      - option_length_too_long
     enable_managed_identity:
       rule_exclusions:
       - option_length_too_long

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+0.5.31
++++++
+* Add support for new outbound types: 'managedNATGateway' and 'userAssignedNATGateway'
+
 0.5.30
 +++++
 * Add preview support for setting scaleDownMode field on nodepools. Requires registering the feature flag "Microsoft.ContainerService/AKS-ScaleDownModePreview" for setting the value to "Deallocate".

@@ -25,7 +25,9 @@
             "test_aks_create_with_monitoring_aad_auth_msi",
             "test_aks_create_with_monitoring_aad_auth_uai",
             "test_aks_enable_monitoring_with_aad_auth_msi",
-            "test_aks_enable_monitoring_with_aad_auth_uai"
+            "test_aks_enable_monitoring_with_aad_auth_uai",
+            "test_aks_create_and_update_with_managed_nat_gateway_outbound",
+            "test_aks_create_with_http_proxy_config"
         ]
     }
 }
@@ -5,6 +5,8 @@
 
 CONST_OUTBOUND_TYPE_LOAD_BALANCER = "loadBalancer"
 CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING = "userDefinedRouting"
+CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY = "managedNATGateway"
+CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY = "userAssignedNATGateway"
 
 CONST_SCALE_SET_PRIORITY_REGULAR = "Regular"
 CONST_SCALE_SET_PRIORITY_SPOT = "Spot"

@@ -150,10 +150,18 @@
           type: int
           short-summary: Load balancer idle timeout in minutes.
           long-summary: Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].
+        - name: --nat-gateway-managed-outbound-ip-count
+          type: int
+          short-summary: NAT gateway managed outbound IP count.
+          long-summary: Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
+        - name: --nat-gateway-idle-timeout
+          type: int
+          short-summary: NAT gateway idle timeout in minutes.
+          long-summary: Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
         - name: --outbound-type
           type: string
           short-summary: How outbound traffic will be configured for a cluster.
-          long-summary: Select between loadBalancer and userDefinedRouting. If not set, defaults to type loadBalancer. Requires --vnet-subnet-id to be provided with a preconfigured route table and --load-balancer-sku to be Standard.
+          long-summary: Select between loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. If not set, defaults to type loadBalancer. Requires --vnet-subnet-id to be provided with a preconfigured route table and --load-balancer-sku to be Standard.
         - name: --enable-addons -a
           type: string
           short-summary: Enable the Kubernetes addons in a comma-separated list.
@@ -365,6 +373,8 @@
           text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>
         - name: Create a kubernetes cluster with a standard SKU load balancer, with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine
           text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000
+        - name: Create a kubernetes cluster with a AKS managed NAT gateway, with two outbound AKS managed IPs an idle flow timeout of 4 minutes
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4
         - name: Create a kubernetes cluster with basic SKU load balancer and AvailabilitySet vm set type.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku basic --vm-set-type AvailabilitySet
         - name: Create a kubernetes cluster with authorized apiserver IP ranges.
@@ -471,6 +481,14 @@
           type: int
           short-summary: Load balancer idle timeout in minutes.
           long-summary: Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].
+        - name: --nat-gateway-managed-outbound-ip-count
+          type: int
+          short-summary: NAT gateway managed outbound IP count.
+          long-summary: Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
+        - name: --nat-gateway-idle-timeout
+          type: int
+          short-summary: NAT gateway idle timeout in minutes.
+          long-summary: Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
         - name: --enable-pod-security-policy
           type: bool
           short-summary: (PREVIEW) Enable pod security policy.
@@ -582,6 +600,8 @@
         text: az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>
       - name: Update a kubernetes cluster with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine
         text: az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000
+      - name: Update a kubernetes cluster of managedNATGateway outbound type with two outbound AKS managed IPs an idle flow timeout of 4 minutes
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4
       - name: Update a kubernetes cluster with authorized apiserver ip ranges.
         text: az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24
       - name: Disable authorized apiserver ip ranges feature for a kubernetes cluster.

@@ -6,11 +6,13 @@
 from distutils.version import StrictVersion  # pylint: disable=no-name-in-module,import-error
 # pylint: disable=no-name-in-module,import-error
 from knack.util import CLIError
+from azure.cli.core.azclierror import ArgumentUsageError
 
 # pylint: disable=no-name-in-module,import-error
 from .vendored_sdks.azure_mgmt_preview_aks.v2021_07_01.models import ManagedClusterAPIServerAccessProfile
 from ._consts import CONST_CONTAINER_NAME_MAX_LENGTH
-from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING
+from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING, \
+    CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY, CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY
 
 
 def _populate_api_server_access_profile(api_server_authorized_ip_ranges, instance=None):
@@ -49,21 +51,42 @@ def _set_vm_set_type(vm_set_type, kubernetes_version):
 
 
 def _set_outbound_type(outbound_type, vnet_subnet_id, load_balancer_sku, load_balancer_profile):
-    if outbound_type != CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING:
+    if (
+        outbound_type != CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING and
+        outbound_type != CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY and
+        outbound_type != CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY
+    ):
         return CONST_OUTBOUND_TYPE_LOAD_BALANCER
 
+    if outbound_type == CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY:
+        if load_balancer_sku == "basic":
+            raise ArgumentUsageError("managedNATGateway doesn't support basic load balancer sku")
+
+        return CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY
+
+    if outbound_type == CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY:
+        if load_balancer_sku == "basic":
+            raise ArgumentUsageError("userAssignedNATGateway doesn't support basic load balancer sku")
+
+        if vnet_subnet_id in ["", None]:
+            raise ArgumentUsageError("--vnet-subnet-id must be specified for userAssignedNATGateway and it must "
+                                     "be pre-associated with a NAT gateway with outbound public IPs or IP prefixes")
+
+        return CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY
+
     if vnet_subnet_id in ["", None]:
-        raise CLIError("--vnet-subnet-id must be specified for userDefinedRouting and it must \
-        be pre-configured with a route table with egress rules")
+        raise ArgumentUsageError("--vnet-subnet-id must be specified for userDefinedRouting and it must "
+                                 "be pre-configured with a route table with egress rules")
 
     if load_balancer_sku == "basic":
-        raise CLIError("userDefinedRouting doesn't support basic load balancer sku")
+        raise ArgumentUsageError("userDefinedRouting doesn't support basic load balancer sku")
 
     if load_balancer_profile:
-        if (load_balancer_profile.managed_outbound_ips or
-                load_balancer_profile.outbound_ips or
+        if (load_balancer_profile.managed_outbound_i_ps or
+                load_balancer_profile.outbound_i_ps or
                 load_balancer_profile.outbound_ip_prefixes):
-            raise CLIError("userDefinedRouting doesn't support customizing a standard load balancer with IP addresses")
+            raise ArgumentUsageError("userDefinedRouting doesn't support customizing a standard load balancer "
+                                     "with IP addresses")
 
     return CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING
 

@@ -0,0 +1,44 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from .vendored_sdks.azure_mgmt_preview_aks.v2021_07_01.models import ManagedClusterNATGatewayProfile
+from .vendored_sdks.azure_mgmt_preview_aks.v2021_07_01.models import ManagedClusterManagedOutboundIPProfile
+
+
+def create_nat_gateway_profile(managed_outbound_ip_count, idle_timeout):
+    """parse and build NAT gateway profile"""
+    if not is_nat_gateway_profile_provided(managed_outbound_ip_count, idle_timeout):
+        return None
+
+    profile = ManagedClusterNATGatewayProfile()
+    return configure_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile)
+
+
+def update_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile):
+    """parse and update an existing NAT gateway profile"""
+    if not is_nat_gateway_profile_provided(managed_outbound_ip_count, idle_timeout):
+        return profile
+
+    return configure_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile)
+
+
+def is_nat_gateway_profile_provided(managed_outbound_ip_count, idle_timeout):
+    return any([managed_outbound_ip_count, idle_timeout])
+
+
+def configure_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile):
+    """configure a NAT Gateway with customer supplied values"""
+    if not profile:
+        return profile
+
+    if managed_outbound_ip_count:
+        profile.managed_outbound_ip_profile = ManagedClusterManagedOutboundIPProfile(
+            count=managed_outbound_ip_count
+        )
+
+    if idle_timeout:
+        profile.idle_timeout_in_minutes = idle_timeout
+
+    return profile
@@ -19,13 +19,13 @@
     validate_cluster_autoscaler_profile, validate_create_parameters, validate_k8s_version, validate_linux_host_name,
     validate_ssh_key, validate_nodes_count, validate_ip_ranges,
     validate_nodepool_name, validate_vm_set_type, validate_load_balancer_sku,
-    validate_load_balancer_outbound_ips, validate_load_balancer_outbound_ip_prefixes,
+    validate_load_balancer_outbound_ips, validate_load_balancer_outbound_ip_prefixes, validate_nat_gateway_managed_outbound_ip_count,
     validate_taints, validate_priority, validate_eviction_policy, validate_spot_max_price, validate_acr, validate_user,
-    validate_load_balancer_outbound_ports, validate_load_balancer_idle_timeout, validate_nodepool_tags,
+    validate_load_balancer_outbound_ports, validate_load_balancer_idle_timeout, validate_nat_gateway_idle_timeout, validate_nodepool_tags,
     validate_nodepool_labels, validate_vnet_subnet_id, validate_pod_subnet_id, validate_max_surge, validate_assign_identity, validate_addons,
     validate_pod_identity_pod_labels, validate_pod_identity_resource_name, validate_pod_identity_resource_namespace, validate_assign_kubelet_identity)
-from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, \
-    CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING, CONST_SCALE_SET_PRIORITY_REGULAR, CONST_SCALE_SET_PRIORITY_SPOT, \
+from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING, CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY, \
+    CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY, CONST_SCALE_SET_PRIORITY_REGULAR, CONST_SCALE_SET_PRIORITY_SPOT, \
     CONST_SPOT_EVICTION_POLICY_DELETE, CONST_SPOT_EVICTION_POLICY_DEALLOCATE, \
     CONST_SCALE_DOWN_MODE_DELETE, CONST_SCALE_DOWN_MODE_DEALLOCATE, \
     CONST_NODEPOOL_MODE_SYSTEM, CONST_NODEPOOL_MODE_USER, \
@@ -76,8 +76,12 @@ def load_arguments(self, _):
         c.argument('load_balancer_outbound_ip_prefixes', type=str, validator=validate_load_balancer_outbound_ip_prefixes)
         c.argument('load_balancer_outbound_ports', type=int, validator=validate_load_balancer_outbound_ports)
         c.argument('load_balancer_idle_timeout', type=int, validator=validate_load_balancer_idle_timeout)
+        c.argument('nat_gateway_managed_outbound_ip_count', type=int, validator=validate_nat_gateway_managed_outbound_ip_count)
+        c.argument('nat_gateway_idle_timeout', type=int, validator=validate_nat_gateway_idle_timeout)
         c.argument('outbound_type', arg_type=get_enum_type([CONST_OUTBOUND_TYPE_LOAD_BALANCER,
-                                                            CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING]))
+                                                            CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING,
+                                                            CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY,
+                                                            CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY]))
         c.argument('enable_addons', options_list=['--enable-addons', '-a'], validator=validate_addons)
         c.argument('disable_rbac', action='store_true')
         c.argument('enable_rbac', action='store_true', options_list=['--enable-rbac', '-r'],
@@ -152,6 +156,8 @@ def load_arguments(self, _):
         c.argument('load_balancer_outbound_ip_prefixes', type=str, validator=validate_load_balancer_outbound_ip_prefixes)
         c.argument('load_balancer_outbound_ports', type=int, validator=validate_load_balancer_outbound_ports)
         c.argument('load_balancer_idle_timeout', type=int, validator=validate_load_balancer_idle_timeout)
+        c.argument('nat_gateway_managed_outbound_ip_count', type=int, validator=validate_nat_gateway_managed_outbound_ip_count)
+        c.argument('nat_gateway_idle_timeout', type=int, validator=validate_nat_gateway_idle_timeout)
         c.argument('api_server_authorized_ip_ranges', type=str, validator=validate_ip_ranges)
         c.argument('enable_pod_security_policy', action='store_true')
         c.argument('disable_pod_security_policy', action='store_true')

@@ -12,6 +12,7 @@
 
 from knack.log import get_logger
 
+from azure.cli.core.azclierror import InvalidArgumentValueError
 from azure.cli.core.commands.validators import validate_tag
 from azure.cli.core.util import CLIError
 import azure.cli.core.keys as keys
@@ -265,6 +266,20 @@ def validate_load_balancer_idle_timeout(namespace):
             raise CLIError("--load-balancer-idle-timeout must be in the range [4,100]")
 
 
+def validate_nat_gateway_managed_outbound_ip_count(namespace):
+    """validate NAT gateway profile managed outbound IP count"""
+    if namespace.nat_gateway_managed_outbound_ip_count is not None:
+        if namespace.nat_gateway_managed_outbound_ip_count < 1 or namespace.nat_gateway_managed_outbound_ip_count > 16:
+            raise InvalidArgumentValueError("--nat-gateway-managed-outbound-ip-count must be in the range [1,16]")
+
+
+def validate_nat_gateway_idle_timeout(namespace):
+    """validate NAT gateway profile idle timeout"""
+    if namespace.nat_gateway_idle_timeout is not None:
+        if namespace.nat_gateway_idle_timeout < 4 or namespace.nat_gateway_idle_timeout > 120:
+            raise InvalidArgumentValueError("--nat-gateway-idle-timeout must be in the range [4,120]")
+
+
 def validate_nodepool_tags(ns):
     """ Extracts multiple space-separated tags in key[=value] format """
     if isinstance(ns.nodepool_tags, list):