[Azure] Migrate (e.g. re-create) AKS clusters publick8s and privatek8s with modern settings (private API, Azure Linux, NAT outbound) #4617

@dduportal

Service(s)

Other

Summary

On the 30th of September 2025, Azure will deprecate many items related to the outbound connectivity methods:

Our AKS clusters publick8s and privatek8s are not directly targeted, but since they both used a combination of LB outbound and NAT gateway due to legacy reasons, it will have an effect and we risk going back to SNAT exhaustion issues.

Additionally, these clusters have a "legacy" setup which can be improved:

  • Control Plane API access: their APIs are public with IP restrictions, which makes it tedious to maintain for admin access. We have/had other clusters (infraci-agents-1 and cijio-agents-1) with the "private" access for API, which provides automatic DNS: way easier to maintain and restrict through VPN, with less risk of mistaken exposure (not public).
  • Node pools are using Ubuntu while Microsoft provides Azure Linux, which is a lightweight system aimed at running containers in AKS (faster to start, automatic patch upgrades, etc.)

We should re-create these clusters with the new set of settings in order to improve the maintenance and safety of these 2 clusters.

Reproduction steps

No response
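
An added example, not part of the original issue or of the project's infrastructure code: a small audit that flags the three legacy settings described above (public API endpoint, non-NAT outbound, non-Azure Linux node pools) in JSON shaped like `az aks show -o json` output. The sample cluster and the `audit_cluster` helper are constructed for illustration, and treating a missing `outboundType` as `loadBalancer` is an assumption.

```python
import json

# Constructed sample shaped like `az aks show -o json` output (illustrative values).
SAMPLE_LEGACY = json.loads("""
{
  "name": "legacy-example",
  "apiServerAccessProfile": {"enablePrivateCluster": false,
                             "authorizedIpRanges": ["203.0.113.10/32"]},
  "networkProfile": {"outboundType": "loadBalancer"},
  "agentPoolProfiles": [{"name": "systempool", "osSku": "Ubuntu"},
                        {"name": "apps", "osSku": "AzureLinux"}]
}
""")

# AKS outbound types that send egress through a NAT gateway.
NAT_OUTBOUND = {"managedNATGateway", "userAssignedNATGateway"}


def audit_cluster(cluster: dict) -> list[str]:
    """Return one finding per setting the issue describes as legacy."""
    findings = []

    # Control plane: public endpoint, with or without an IP allow-list.
    api = cluster.get("apiServerAccessProfile") or {}
    if not api.get("enablePrivateCluster"):
        ranges = api.get("authorizedIpRanges") or []
        detail = f"restricted to {len(ranges)} IP range(s)" if ranges else "no IP restriction"
        findings.append(f"api: public control plane endpoint ({detail})")

    # Egress: assumption: a missing outboundType is treated as loadBalancer.
    outbound = (cluster.get("networkProfile") or {}).get("outboundType", "loadBalancer")
    if outbound not in NAT_OUTBOUND:
        findings.append(f"outbound: type is {outbound!r}, not a NAT gateway")

    # Node pools: report every pool that is not running Azure Linux.
    for pool in cluster.get("agentPoolProfiles") or []:
        if pool.get("osSku") != "AzureLinux":
            findings.append(f"pool {pool.get('name')}: osSku is {pool.get('osSku')!r}")
    return findings


if __name__ == "__main__":
    for line in audit_cluster(SAMPLE_LEGACY):
        print(line)
```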
