Remarks
For information about available add-ons, see Add-ons, extensions, and other integrations with Azure Kubernetes Service.
Bicep resource definition
The managedClusters resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.ContainerService/managedClusters resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.ContainerService/managedClusters@2020-01-01' = {
  scope: resourceSymbolicName or scope
  identity: {
    type: 'string'
  }
  location: 'string'
  name: 'string'
  properties: {
    aadProfile: {
      clientAppID: 'string'
      serverAppID: 'string'
      serverAppSecret: 'string'
      tenantID: 'string'
    }
    addonProfiles: {
      {customized property}: {
        config: {
          {customized property}: 'string'
        }
        enabled: bool
      }
    }
    agentPoolProfiles: [
      {
        availabilityZones: [
          'string'
        ]
        count: int
        enableAutoScaling: bool
        enableNodePublicIP: bool
        maxCount: int
        maxPods: int
        minCount: int
        name: 'string'
        nodeLabels: {
          {customized property}: 'string'
        }
        nodeTaints: [
          'string'
        ]
        orchestratorVersion: 'string'
        osDiskSizeGB: int
        osType: 'string'
        scaleSetEvictionPolicy: 'string'
        scaleSetPriority: 'string'
        tags: {
          {customized property}: 'string'
        }
        type: 'string'
        vmSize: 'string'
        vnetSubnetID: 'string'
      }
    ]
    apiServerAccessProfile: {
      authorizedIPRanges: [
        'string'
      ]
      enablePrivateCluster: bool
    }
    diskEncryptionSetID: 'string'
    dnsPrefix: 'string'
    enablePodSecurityPolicy: bool
    enableRBAC: bool
    identityProfile: {
      {customized property}: {
        clientId: 'string'
        objectId: 'string'
        resourceId: 'string'
      }
    }
    kubernetesVersion: 'string'
    linuxProfile: {
      adminUsername: 'string'
      ssh: {
        publicKeys: [
          {
            keyData: 'string'
          }
        ]
      }
    }
    networkProfile: {
      dnsServiceIP: 'string'
      dockerBridgeCidr: 'string'
      loadBalancerProfile: {
        allocatedOutboundPorts: int
        effectiveOutboundIPs: [
          {
            id: 'string'
          }
        ]
        idleTimeoutInMinutes: int
        managedOutboundIPs: {
          count: int
        }
        outboundIPPrefixes: {
          publicIPPrefixes: [
            {
              id: 'string'
            }
          ]
        }
        outboundIPs: {
          publicIPs: [
            {
              id: 'string'
            }
          ]
        }
      }
      loadBalancerSku: 'string'
      networkPlugin: 'string'
      networkPolicy: 'string'
      outboundType: 'string'
      podCidr: 'string'
      serviceCidr: 'string'
    }
    nodeResourceGroup: 'string'
    servicePrincipalProfile: {
      clientId: 'string'
      secret: 'string'
    }
    windowsProfile: {
      adminPassword: 'string'
      adminUsername: 'string'
    }
  }
  tags: {
    {customized property}: 'string'
  }
}
Property Values
Microsoft.ContainerService/managedClusters
| Name | Description | Value | 
|---|---|---|
| identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity | 
| location | Resource location | string (required) | 
| name | The resource name | string Constraints: Min length = 1 Max length = 63 Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$(required) | 
| properties | Properties of a managed cluster. | ManagedClusterProperties | 
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
ContainerServiceLinuxProfile
| Name | Description | Value | 
|---|---|---|
| adminUsername | The administrator username to use for Linux VMs. | string Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$(required) | 
| ssh | SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) | 
ContainerServiceNetworkProfile
| Name | Description | Value | 
|---|---|---|
| dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string Constraints: Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ | 
| dockerBridgeCidr | A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
| loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile | 
| loadBalancerSku | The load balancer sku for the managed cluster. | 'basic' 'standard' | 
| networkPlugin | Network plugin used for building Kubernetes network. | 'azure' 'kubenet' | 
| networkPolicy | Network policy used for building Kubernetes network. | 'azure' 'calico' | 
| outboundType | The outbound (egress) routing method. | 'loadBalancer' 'userDefinedRouting' | 
| podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
| serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
ContainerServiceSshConfiguration
| Name | Description | Value | 
|---|---|---|
| publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. Only expect one key specified. | ContainerServiceSshPublicKey[] (required) | 
ContainerServiceSshPublicKey
| Name | Description | Value | 
|---|---|---|
| keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) | 
ManagedClusterAADProfile
| Name | Description | Value | 
|---|---|---|
| clientAppID | The client AAD application ID. | string (required) | 
| serverAppID | The server AAD application ID. | string (required) | 
| serverAppSecret | The server AAD application secret. | string | 
| tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string | 
ManagedClusterAddonProfile
| Name | Description | Value | 
|---|---|---|
| config | Key-value pairs for configuring an add-on. | ManagedClusterAddonProfileConfig | 
| enabled | Whether the add-on is enabled or not. | bool (required) | 
ManagedClusterAddonProfileConfig
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfile
| Name | Description | Value | 
|---|---|---|
| availabilityZones | Availability zones for nodes. Must use VirtualMachineScaleSets AgentPoolType. | string[] | 
| count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int | 
| enableAutoScaling | Whether to enable auto-scaler | bool | 
| enableNodePublicIP | Enable public IP for nodes | bool | 
| maxCount | Maximum number of nodes for auto-scaling | int | 
| maxPods | Maximum number of pods that can run on a node. | int | 
| minCount | Minimum number of nodes for auto-scaling | int | 
| name | Unique name of the agent pool profile in the context of the subscription and resource group. | string Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$(required) | 
| nodeLabels | Agent pool node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels | 
| nodeTaints | Taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] | 
| orchestratorVersion | Version of orchestrator specified when creating the managed cluster. | string | 
| osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in this master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int Constraints: Min value = 0 Max value = 1023 | 
| osType | OsType to be used to specify os type. Choose from Linux and Windows. Default to Linux. | 'Linux' 'Windows' | 
| scaleSetEvictionPolicy | ScaleSetEvictionPolicy to be used to specify eviction policy for low priority virtual machine scale set. Default to Delete. | 'Deallocate' 'Delete' | 
| scaleSetPriority | ScaleSetPriority to be used to specify virtual machine scale set priority. Default to regular. | 'Low' 'Regular' | 
| tags | Agent pool tags to be persisted on the agent pool virtual machine scale set. | ManagedClusterAgentPoolProfilePropertiesTags | 
| type | AgentPoolType represents types of an agent pool | 'AvailabilitySet' 'VirtualMachineScaleSets' | 
| vmSize | Size of agent VMs. | 'Standard_A1' 'Standard_A10' 'Standard_A11' 'Standard_A1_v2' 'Standard_A2' 'Standard_A2m_v2' 'Standard_A2_v2' 'Standard_A3' 'Standard_A4' 'Standard_A4m_v2' 'Standard_A4_v2' 'Standard_A5' 'Standard_A6' 'Standard_A7' 'Standard_A8' 'Standard_A8m_v2' 'Standard_A8_v2' 'Standard_A9' 'Standard_B2ms' 'Standard_B2s' 'Standard_B4ms' 'Standard_B8ms' 'Standard_D1' 'Standard_D11' 'Standard_D11_v2' 'Standard_D11_v2_Promo' 'Standard_D12' 'Standard_D12_v2' 'Standard_D12_v2_Promo' 'Standard_D13' 'Standard_D13_v2' 'Standard_D13_v2_Promo' 'Standard_D14' 'Standard_D14_v2' 'Standard_D14_v2_Promo' 'Standard_D15_v2' 'Standard_D16s_v3' 'Standard_D16_v3' 'Standard_D1_v2' 'Standard_D2' 'Standard_D2s_v3' 'Standard_D2_v2' 'Standard_D2_v2_Promo' 'Standard_D2_v3' 'Standard_D3' 'Standard_D32s_v3' 'Standard_D32_v3' 'Standard_D3_v2' 'Standard_D3_v2_Promo' 'Standard_D4' 'Standard_D4s_v3' 'Standard_D4_v2' 'Standard_D4_v2_Promo' 'Standard_D4_v3' 'Standard_D5_v2' 'Standard_D5_v2_Promo' 'Standard_D64s_v3' 'Standard_D64_v3' 'Standard_D8s_v3' 'Standard_D8_v3' 'Standard_DS1' 'Standard_DS11' 'Standard_DS11_v2' 'Standard_DS11_v2_Promo' 'Standard_DS12' 'Standard_DS12_v2' 'Standard_DS12_v2_Promo' 'Standard_DS13' 'Standard_DS13-2_v2' 'Standard_DS13-4_v2' 'Standard_DS13_v2' 'Standard_DS13_v2_Promo' 'Standard_DS14' 'Standard_DS14-4_v2' 'Standard_DS14-8_v2' 'Standard_DS14_v2' 'Standard_DS14_v2_Promo' 'Standard_DS15_v2' 'Standard_DS1_v2' 'Standard_DS2' 'Standard_DS2_v2' 'Standard_DS2_v2_Promo' 'Standard_DS3' 'Standard_DS3_v2' 'Standard_DS3_v2_Promo' 'Standard_DS4' 'Standard_DS4_v2' 'Standard_DS4_v2_Promo' 'Standard_DS5_v2' 'Standard_DS5_v2_Promo' 'Standard_E16s_v3' 'Standard_E16_v3' 'Standard_E2s_v3' 'Standard_E2_v3' 'Standard_E32-16s_v3' 'Standard_E32-8s_v3' 'Standard_E32s_v3' 'Standard_E32_v3' 'Standard_E4s_v3' 'Standard_E4_v3' 'Standard_E64-16s_v3' 'Standard_E64-32s_v3' 'Standard_E64s_v3' 'Standard_E64_v3' 'Standard_E8s_v3' 'Standard_E8_v3' 'Standard_F1' 'Standard_F16' 'Standard_F16s' 'Standard_F16s_v2' 'Standard_F1s' 'Standard_F2' 'Standard_F2s' 'Standard_F2s_v2' 'Standard_F32s_v2' 'Standard_F4' 'Standard_F4s' 'Standard_F4s_v2' 'Standard_F64s_v2' 'Standard_F72s_v2' 'Standard_F8' 'Standard_F8s' 'Standard_F8s_v2' 'Standard_G1' 'Standard_G2' 'Standard_G3' 'Standard_G4' 'Standard_G5' 'Standard_GS1' 'Standard_GS2' 'Standard_GS3' 'Standard_GS4' 'Standard_GS4-4' 'Standard_GS4-8' 'Standard_GS5' 'Standard_GS5-16' 'Standard_GS5-8' 'Standard_H16' 'Standard_H16m' 'Standard_H16mr' 'Standard_H16r' 'Standard_H8' 'Standard_H8m' 'Standard_L16s' 'Standard_L32s' 'Standard_L4s' 'Standard_L8s' 'Standard_M128-32ms' 'Standard_M128-64ms' 'Standard_M128ms' 'Standard_M128s' 'Standard_M64-16ms' 'Standard_M64-32ms' 'Standard_M64ms' 'Standard_M64s' 'Standard_NC12' 'Standard_NC12s_v2' 'Standard_NC12s_v3' 'Standard_NC24' 'Standard_NC24r' 'Standard_NC24rs_v2' 'Standard_NC24rs_v3' 'Standard_NC24s_v2' 'Standard_NC24s_v3' 'Standard_NC6' 'Standard_NC6s_v2' 'Standard_NC6s_v3' 'Standard_ND12s' 'Standard_ND24rs' 'Standard_ND24s' 'Standard_ND6s' 'Standard_NV12' 'Standard_NV24' 'Standard_NV6' | 
| vnetSubnetID | VNet SubnetID specifies the VNet's subnet identifier. | string | 
ManagedClusterAgentPoolProfilePropertiesNodeLabels
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfilePropertiesTags
| Name | Description | Value | 
|---|---|---|
ManagedClusterAPIServerAccessProfile
| Name | Description | Value | 
|---|---|---|
| authorizedIPRanges | Authorized IP Ranges to kubernetes API server. | string[] | 
| enablePrivateCluster | Whether to create the cluster as a private cluster or not. | bool | 
ManagedClusterIdentity
| Name | Description | Value | 
|---|---|---|
| type | The type of identity used for the managed cluster. Type 'SystemAssigned' will use an implicitly created identity in master components and an auto-created user assigned identity in MC_ resource group in agent nodes. Type 'None' will not use MSI for the managed cluster, service principal will be used instead. | 'None' 'SystemAssigned' | 
ManagedClusterLoadBalancerProfile
| Name | Description | Value | 
|---|---|---|
| allocatedOutboundPorts | Desired number of allocated SNAT ports per VM. Allowed values must be in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. | int Constraints: Min value = 0 Max value = 64000 | 
| effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] | 
| idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values must be in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int Constraints: Min value = 4 Max value = 120 | 
| managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs | 
| outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes | 
| outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs | 
ManagedClusterLoadBalancerProfileManagedOutboundIPs
| Name | Description | Value | 
|---|---|---|
| count | Desired number of outbound IP created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 100 | 
ManagedClusterLoadBalancerProfileOutboundIPPrefixes
| Name | Description | Value | 
|---|---|---|
| publicIPPrefixes | A list of public IP prefix resources. | ResourceReference[] | 
ManagedClusterLoadBalancerProfileOutboundIPs
| Name | Description | Value | 
|---|---|---|
| publicIPs | A list of public IP resources. | ResourceReference[] | 
ManagedClusterProperties
| Name | Description | Value | 
|---|---|---|
| aadProfile | Profile of Azure Active Directory configuration. | ManagedClusterAADProfile | 
| addonProfiles | Profile of managed cluster add-on. | ManagedClusterPropertiesAddonProfiles | 
| agentPoolProfiles | Properties of the agent pool. | ManagedClusterAgentPoolProfile[] | 
| apiServerAccessProfile | Access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile | 
| diskEncryptionSetID | ResourceId of the disk encryption set to use for enabling encryption at rest. | string | 
| dnsPrefix | DNS prefix specified when creating the managed cluster. | string | 
| enablePodSecurityPolicy | (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. | bool | 
| enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool | 
| identityProfile | Identities associated with the cluster. | ManagedClusterPropertiesIdentityProfile | 
| kubernetesVersion | Version of Kubernetes specified when creating the managed cluster. | string | 
| linuxProfile | Profile for Linux VMs in the container service cluster. | ContainerServiceLinuxProfile | 
| networkProfile | Profile of network configuration. | ContainerServiceNetworkProfile | 
| nodeResourceGroup | Name of the resource group containing agent pool nodes. | string | 
| servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile | 
| windowsProfile | Profile for Windows VMs in the container service cluster. | ManagedClusterWindowsProfile | 
ManagedClusterPropertiesAddonProfiles
| Name | Description | Value | 
|---|---|---|
ManagedClusterPropertiesIdentityProfile
| Name | Description | Value | 
|---|---|---|
ManagedClusterPropertiesIdentityProfileValue
| Name | Description | Value | 
|---|---|---|
| clientId | The client id of the user assigned identity. | string | 
| objectId | The object id of the user assigned identity. | string | 
| resourceId | The resource id of the user assigned identity. | string | 
ManagedClusterServicePrincipalProfile
| Name | Description | Value | 
|---|---|---|
| clientId | The ID for the service principal. | string (required) | 
| secret | The secret password associated with the service principal in plain text. | string | 
ManagedClusterWindowsProfile
| Name | Description | Value | 
|---|---|---|
| adminPassword | Specifies the password of the administrator account. Minimum-length: 8 characters Max-length: 123 characters Complexity requirements: 3 out of 4 conditions below need to be fulfilled Has lower characters Has upper characters Has a digit Has a special character (Regex match [\W_]) Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string | 
| adminUsername | Specifies the name of the administrator account. restriction: Cannot end in "." Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum-length: 1 character Max-length: 20 characters | string (required) | 
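The cross-field rules in the tables above (dnsServiceIP inside serviceCidr, dockerBridgeCidr not overlapping it, the adminPassword rules) cannot be expressed by the per-field patterns alone. The following pre-deployment check is an added example, not code from this reference; it reads one resource in the ARM JSON shape, which uses the same property names, and its function names, the constructed sample resource, and the rule that flags literal secrets are assumptions of the example.

```python
import ipaddress
import re

# Disallowed adminPassword values, copied from the ManagedClusterWindowsProfile table.
DISALLOWED_PASSWORDS = {
    "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word",
    "pass@word1", "Password!", "Password1", "Password22", "iloveyou!",
}
# Secret-bearing properties listed on this page, as (profile, property).
SECRET_FIELDS = [
    ("aadProfile", "serverAppSecret"),
    ("servicePrincipalProfile", "secret"),
    ("windowsProfile", "adminPassword"),
]
POOL_NAME = re.compile(r"[a-z][a-z0-9]{0,11}")  # agent pool name pattern from the table


def is_template_expression(value):
    # ARM template expressions are wrapped in [ ]; a leading "[[" escapes a literal bracket.
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))


def check_password(password):
    """Apply the documented adminPassword rules to a literal value."""
    problems = []
    if not 8 <= len(password) <= 123:
        problems.append("adminPassword: length must be 8 to 123 characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        re.search(r"[\W_]", password) is not None,
    ]
    if sum(classes) < 3:
        problems.append("adminPassword: fewer than 3 of 4 complexity conditions met")
    if password in DISALLOWED_PASSWORDS:
        problems.append("adminPassword: value is on the disallowed list")
    return problems


def check_network(net):
    """Check the cross-field rules of ContainerServiceNetworkProfile on literal values."""
    literal = {k: v for k, v in net.items() if not is_template_expression(v)}
    problems, cidrs = [], {}
    for key in ("serviceCidr", "podCidr", "dockerBridgeCidr"):
        if key in literal:
            try:
                # strict=False accepts host bits, e.g. a bridge address such as 172.17.0.1/16.
                cidrs[key] = ipaddress.ip_network(literal[key], strict=False)
            except ValueError:
                # The schema pattern allows octets up to 999, so this can still fail.
                problems.append(f"{key}: not a valid CIDR range ({literal[key]!r})")
    service = cidrs.get("serviceCidr")
    if service is not None and "dnsServiceIP" in literal:
        try:
            if ipaddress.ip_address(literal["dnsServiceIP"]) not in service:
                problems.append("dnsServiceIP: outside serviceCidr")
        except ValueError:
            problems.append("dnsServiceIP: not a valid IP address")
    bridge = cidrs.get("dockerBridgeCidr")
    if service is not None and bridge is not None and bridge.overlaps(service):
        problems.append("dockerBridgeCidr: overlaps serviceCidr")
    return problems


def check_managed_cluster(resource):
    """Return a list of findings for one managedClusters resource (ARM JSON shape)."""
    props = resource.get("properties", {})
    findings = []
    for profile, field in SECRET_FIELDS:
        value = props.get(profile, {}).get(field)
        if value is not None and not is_template_expression(value):
            # Example policy (an assumption): secrets should arrive as parameters.
            findings.append(f"{profile}.{field}: literal value in the template")
            if field == "adminPassword":
                findings.extend(check_password(value))
    findings.extend(check_network(props.get("networkProfile", {})))
    for pool in props.get("agentPoolProfiles", []):
        name = pool.get("name", "")
        if not POOL_NAME.fullmatch(name):
            findings.append(f"agentPoolProfiles name {name!r}: does not match the documented pattern")
        count = pool.get("count", 1)
        if isinstance(count, int) and not 1 <= count <= 100:
            findings.append(f"agentPoolProfiles {name!r}: count must be 1 to 100")
    return findings


# Constructed sample resource; every value is invented for this example.
SAMPLE = {
    "type": "Microsoft.ContainerService/managedClusters",
    "apiVersion": "2020-01-01",
    "name": "example-aks",
    "location": "westeurope",
    "properties": {
        "agentPoolProfiles": [{"name": "Pool-1", "count": 3, "vmSize": "Standard_DS2_v2"}],
        "networkProfile": {"serviceCidr": "10.0.0.0/16", "dnsServiceIP": "10.1.0.10",
                           "dockerBridgeCidr": "10.0.128.1/17"},
        "servicePrincipalProfile": {"clientId": "[parameters('spClientId')]",
                                    "secret": "[parameters('spSecret')]"},
        "windowsProfile": {"adminUsername": "azureuser", "adminPassword": "Password1"},
    },
}

if __name__ == "__main__":
    for finding in check_managed_cluster(SAMPLE):
        print(finding)
```

The check does not cover the rule that these ranges must not overlap subnet IP ranges, because vnetSubnetID is only a resource identifier and the subnet's address range is not part of this resource.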
ResourceReference
| Name | Description | Value | 
|---|---|---|
| id | The fully qualified Azure resource id. | string | 
ResourceTags
| Name | Description | Value | 
|---|---|---|
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| Azure Kubernetes Service (AKS) Managed Cluster | AVM Resource Module for Azure Kubernetes Service (AKS) Managed Cluster | 
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description | 
|---|---|
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. | 
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault | 
| Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts | 
| Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) | 
| Azure Container Service (AKS) with Helm | Deploy a managed cluster with Azure Container Service (AKS) with Helm | 
| Azure Kubernetes Service (AKS) | Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS) | 
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. | 
| Create AKS with Prometheus and Grafana with private link | This will create an Azure Managed Grafana instance and an AKS cluster, and install Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. You then use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard. | 
ARM template resource definition
The managedClusters resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.ContainerService/managedClusters resource, add the following JSON to your template.
{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2020-01-01",
  "name": "string",
  "identity": {
    "type": "string"
  },
  "location": "string",
  "properties": {
    "aadProfile": {
      "clientAppID": "string",
      "serverAppID": "string",
      "serverAppSecret": "string",
      "tenantID": "string"
    },
    "addonProfiles": {
      "{customized property}": {
        "config": {
          "{customized property}": "string"
        },
        "enabled": "bool"
      }
    },
    "agentPoolProfiles": [
      {
        "availabilityZones": [ "string" ],
        "count": "int",
        "enableAutoScaling": "bool",
        "enableNodePublicIP": "bool",
        "maxCount": "int",
        "maxPods": "int",
        "minCount": "int",
        "name": "string",
        "nodeLabels": {
          "{customized property}": "string"
        },
        "nodeTaints": [ "string" ],
        "orchestratorVersion": "string",
        "osDiskSizeGB": "int",
        "osType": "string",
        "scaleSetEvictionPolicy": "string",
        "scaleSetPriority": "string",
        "tags": {
          "{customized property}": "string"
        },
        "type": "string",
        "vmSize": "string",
        "vnetSubnetID": "string"
      }
    ],
    "apiServerAccessProfile": {
      "authorizedIPRanges": [ "string" ],
      "enablePrivateCluster": "bool"
    },
    "diskEncryptionSetID": "string",
    "dnsPrefix": "string",
    "enablePodSecurityPolicy": "bool",
    "enableRBAC": "bool",
    "identityProfile": {
      "{customized property}": {
        "clientId": "string",
        "objectId": "string",
        "resourceId": "string"
      }
    },
    "kubernetesVersion": "string",
    "linuxProfile": {
      "adminUsername": "string",
      "ssh": {
        "publicKeys": [
          {
            "keyData": "string"
          }
        ]
      }
    },
    "networkProfile": {
      "dnsServiceIP": "string",
      "dockerBridgeCidr": "string",
      "loadBalancerProfile": {
        "allocatedOutboundPorts": "int",
        "effectiveOutboundIPs": [
          {
            "id": "string"
          }
        ],
        "idleTimeoutInMinutes": "int",
        "managedOutboundIPs": {
          "count": "int"
        },
        "outboundIPPrefixes": {
          "publicIPPrefixes": [
            {
              "id": "string"
            }
          ]
        },
        "outboundIPs": {
          "publicIPs": [
            {
              "id": "string"
            }
          ]
        }
      },
      "loadBalancerSku": "string",
      "networkPlugin": "string",
      "networkPolicy": "string",
      "outboundType": "string",
      "podCidr": "string",
      "serviceCidr": "string"
    },
    "nodeResourceGroup": "string",
    "servicePrincipalProfile": {
      "clientId": "string",
      "secret": "string"
    },
    "windowsProfile": {
      "adminPassword": "string",
      "adminUsername": "string"
    }
  },
  "tags": {
    "{customized property}": "string"
  }
}
Property Values
Microsoft.ContainerService/managedClusters
| Name | Description | Value | 
|---|---|---|
| apiVersion | The api version | '2020-01-01' | 
| identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity | 
| location | Resource location | string (required) | 
| name | The resource name | string Constraints: Min length = 1 Max length = 63 Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$(required) | 
| properties | Properties of a managed cluster. | ManagedClusterProperties | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
| type | The resource type | 'Microsoft.ContainerService/managedClusters' | 
ContainerServiceLinuxProfile
| Name | Description | Value | 
|---|---|---|
| adminUsername | The administrator username to use for Linux VMs. | string Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$(required) | 
| ssh | SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) | 
ContainerServiceNetworkProfile
| Name | Description | Value | 
|---|---|---|
| dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string Constraints: Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ | 
| dockerBridgeCidr | A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
| loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile | 
| loadBalancerSku | The load balancer sku for the managed cluster. | 'basic' 'standard' | 
| networkPlugin | Network plugin used for building Kubernetes network. | 'azure' 'kubenet' | 
| networkPolicy | Network policy used for building Kubernetes network. | 'azure' 'calico' | 
| outboundType | The outbound (egress) routing method. | 'loadBalancer' 'userDefinedRouting' | 
| podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
| serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
ContainerServiceSshConfiguration
| Name | Description | Value | 
|---|---|---|
| publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. Only expect one key specified. | ContainerServiceSshPublicKey[] (required) | 
ContainerServiceSshPublicKey
| Name | Description | Value | 
|---|---|---|
| keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) | 
ManagedClusterAADProfile
| Name | Description | Value | 
|---|---|---|
| clientAppID | The client AAD application ID. | string (required) | 
| serverAppID | The server AAD application ID. | string (required) | 
| serverAppSecret | The server AAD application secret. | string | 
| tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string | 
ManagedClusterAddonProfile
| Name | Description | Value | 
|---|---|---|
| config | Key-value pairs for configuring an add-on. | ManagedClusterAddonProfileConfig | 
| enabled | Whether the add-on is enabled or not. | bool (required) | 
ManagedClusterAddonProfileConfig
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfile
| Name | Description | Value | 
|---|---|---|
| availabilityZones | Availability zones for nodes. Must use VirtualMachineScaleSets AgentPoolType. | string[] | 
| count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int | 
| enableAutoScaling | Whether to enable auto-scaler | bool | 
| enableNodePublicIP | Enable public IP for nodes | bool | 
| maxCount | Maximum number of nodes for auto-scaling | int | 
| maxPods | Maximum number of pods that can run on a node. | int | 
| minCount | Minimum number of nodes for auto-scaling | int | 
| name | Unique name of the agent pool profile in the context of the subscription and resource group. | string Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$(required) | 
| nodeLabels | Agent pool node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels | 
| nodeTaints | Taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] | 
| orchestratorVersion | Version of orchestrator specified when creating the managed cluster. | string | 
| osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in this master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int Constraints: Min value = 0 Max value = 1023 | 
| osType | OsType to be used to specify os type. Choose from Linux and Windows. Default to Linux. | 'Linux' 'Windows' | 
| scaleSetEvictionPolicy | ScaleSetEvictionPolicy to be used to specify eviction policy for low priority virtual machine scale set. Default to Delete. | 'Deallocate' 'Delete' | 
| scaleSetPriority | ScaleSetPriority to be used to specify virtual machine scale set priority. Default to regular. | 'Low' 'Regular' | 
| tags | Agent pool tags to be persisted on the agent pool virtual machine scale set. | ManagedClusterAgentPoolProfilePropertiesTags | 
| type | AgentPoolType represents types of an agent pool | 'AvailabilitySet' 'VirtualMachineScaleSets' | 
| vmSize | Size of agent VMs. | 'Standard_A1' 'Standard_A10' 'Standard_A11' 'Standard_A1_v2' 'Standard_A2' 'Standard_A2m_v2' 'Standard_A2_v2' 'Standard_A3' 'Standard_A4' 'Standard_A4m_v2' 'Standard_A4_v2' 'Standard_A5' 'Standard_A6' 'Standard_A7' 'Standard_A8' 'Standard_A8m_v2' 'Standard_A8_v2' 'Standard_A9' 'Standard_B2ms' 'Standard_B2s' 'Standard_B4ms' 'Standard_B8ms' 'Standard_D1' 'Standard_D11' 'Standard_D11_v2' 'Standard_D11_v2_Promo' 'Standard_D12' 'Standard_D12_v2' 'Standard_D12_v2_Promo' 'Standard_D13' 'Standard_D13_v2' 'Standard_D13_v2_Promo' 'Standard_D14' 'Standard_D14_v2' 'Standard_D14_v2_Promo' 'Standard_D15_v2' 'Standard_D16s_v3' 'Standard_D16_v3' 'Standard_D1_v2' 'Standard_D2' 'Standard_D2s_v3' 'Standard_D2_v2' 'Standard_D2_v2_Promo' 'Standard_D2_v3' 'Standard_D3' 'Standard_D32s_v3' 'Standard_D32_v3' 'Standard_D3_v2' 'Standard_D3_v2_Promo' 'Standard_D4' 'Standard_D4s_v3' 'Standard_D4_v2' 'Standard_D4_v2_Promo' 'Standard_D4_v3' 'Standard_D5_v2' 'Standard_D5_v2_Promo' 'Standard_D64s_v3' 'Standard_D64_v3' 'Standard_D8s_v3' 'Standard_D8_v3' 'Standard_DS1' 'Standard_DS11' 'Standard_DS11_v2' 'Standard_DS11_v2_Promo' 'Standard_DS12' 'Standard_DS12_v2' 'Standard_DS12_v2_Promo' 'Standard_DS13' 'Standard_DS13-2_v2' 'Standard_DS13-4_v2' 'Standard_DS13_v2' 'Standard_DS13_v2_Promo' 'Standard_DS14' 'Standard_DS14-4_v2' 'Standard_DS14-8_v2' 'Standard_DS14_v2' 'Standard_DS14_v2_Promo' 'Standard_DS15_v2' 'Standard_DS1_v2' 'Standard_DS2' 'Standard_DS2_v2' 'Standard_DS2_v2_Promo' 'Standard_DS3' 'Standard_DS3_v2' 'Standard_DS3_v2_Promo' 'Standard_DS4' 'Standard_DS4_v2' 'Standard_DS4_v2_Promo' 'Standard_DS5_v2' 'Standard_DS5_v2_Promo' 'Standard_E16s_v3' 'Standard_E16_v3' 'Standard_E2s_v3' 'Standard_E2_v3' 'Standard_E32-16s_v3' 'Standard_E32-8s_v3' 'Standard_E32s_v3' 'Standard_E32_v3' 'Standard_E4s_v3' 'Standard_E4_v3' 'Standard_E64-16s_v3' 'Standard_E64-32s_v3' 'Standard_E64s_v3' 'Standard_E64_v3' 'Standard_E8s_v3' 'Standard_E8_v3' 'Standard_F1' 'Standard_F16' 'Standard_F16s' 'Standard_F16s_v2' 'Standard_F1s' 'Standard_F2' 'Standard_F2s' 'Standard_F2s_v2' 'Standard_F32s_v2' 'Standard_F4' 'Standard_F4s' 'Standard_F4s_v2' 'Standard_F64s_v2' 'Standard_F72s_v2' 'Standard_F8' 'Standard_F8s' 'Standard_F8s_v2' 'Standard_G1' 'Standard_G2' 'Standard_G3' 'Standard_G4' 'Standard_G5' 'Standard_GS1' 'Standard_GS2' 'Standard_GS3' 'Standard_GS4' 'Standard_GS4-4' 'Standard_GS4-8' 'Standard_GS5' 'Standard_GS5-16' 'Standard_GS5-8' 'Standard_H16' 'Standard_H16m' 'Standard_H16mr' 'Standard_H16r' 'Standard_H8' 'Standard_H8m' 'Standard_L16s' 'Standard_L32s' 'Standard_L4s' 'Standard_L8s' 'Standard_M128-32ms' 'Standard_M128-64ms' 'Standard_M128ms' 'Standard_M128s' 'Standard_M64-16ms' 'Standard_M64-32ms' 'Standard_M64ms' 'Standard_M64s' 'Standard_NC12' 'Standard_NC12s_v2' 'Standard_NC12s_v3' 'Standard_NC24' 'Standard_NC24r' 'Standard_NC24rs_v2' 'Standard_NC24rs_v3' 'Standard_NC24s_v2' 'Standard_NC24s_v3' 'Standard_NC6' 'Standard_NC6s_v2' 'Standard_NC6s_v3' 'Standard_ND12s' 'Standard_ND24rs' 'Standard_ND24s' 'Standard_ND6s' 'Standard_NV12' 'Standard_NV24' 'Standard_NV6' | 
| vnetSubnetID | VNet SubnetID specifies the VNet's subnet identifier. | string | 
ManagedClusterAgentPoolProfilePropertiesNodeLabels
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfilePropertiesTags
| Name | Description | Value | 
|---|---|---|
ManagedClusterAPIServerAccessProfile
| Name | Description | Value | 
|---|---|---|
| authorizedIPRanges | Authorized IP Ranges to kubernetes API server. | string[] | 
| enablePrivateCluster | Whether to create the cluster as a private cluster or not. | bool | 
ManagedClusterIdentity
| Name | Description | Value | 
|---|---|---|
| type | The type of identity used for the managed cluster. Type 'SystemAssigned' will use an implicitly created identity in master components and an auto-created user assigned identity in MC_ resource group in agent nodes. Type 'None' will not use MSI for the managed cluster; a service principal will be used instead. | 'None' 'SystemAssigned' | 
ManagedClusterLoadBalancerProfile
| Name | Description | Value | 
|---|---|---|
| allocatedOutboundPorts | Desired number of allocated SNAT ports per VM. Allowed values must be in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. | int Constraints: Min value = 0 Max value = 64000 | 
| effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] | 
| idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values must be in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int Constraints: Min value = 4 Max value = 120 | 
| managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs | 
| outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes | 
| outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs | 
ManagedClusterLoadBalancerProfileManagedOutboundIPs
| Name | Description | Value | 
|---|---|---|
| count | Desired number of outbound IP created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 100 | 
ManagedClusterLoadBalancerProfileOutboundIPPrefixes
| Name | Description | Value | 
|---|---|---|
| publicIPPrefixes | A list of public IP prefix resources. | ResourceReference[] | 
ManagedClusterLoadBalancerProfileOutboundIPs
| Name | Description | Value | 
|---|---|---|
| publicIPs | A list of public IP resources. | ResourceReference[] | 
ManagedClusterProperties
| Name | Description | Value | 
|---|---|---|
| aadProfile | Profile of Azure Active Directory configuration. | ManagedClusterAADProfile | 
| addonProfiles | Profile of managed cluster add-on. | ManagedClusterPropertiesAddonProfiles | 
| agentPoolProfiles | Properties of the agent pool. | ManagedClusterAgentPoolProfile[] | 
| apiServerAccessProfile | Access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile | 
| diskEncryptionSetID | ResourceId of the disk encryption set to use for enabling encryption at rest. | string | 
| dnsPrefix | DNS prefix specified when creating the managed cluster. | string | 
| enablePodSecurityPolicy | (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. | bool | 
| enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool | 
| identityProfile | Identities associated with the cluster. | ManagedClusterPropertiesIdentityProfile | 
| kubernetesVersion | Version of Kubernetes specified when creating the managed cluster. | string | 
| linuxProfile | Profile for Linux VMs in the container service cluster. | ContainerServiceLinuxProfile | 
| networkProfile | Profile of network configuration. | ContainerServiceNetworkProfile | 
| nodeResourceGroup | Name of the resource group containing agent pool nodes. | string | 
| servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile | 
| windowsProfile | Profile for Windows VMs in the container service cluster. | ManagedClusterWindowsProfile | 
ManagedClusterPropertiesAddonProfiles
| Name | Description | Value | 
|---|---|---|
ManagedClusterPropertiesIdentityProfile
| Name | Description | Value | 
|---|---|---|
ManagedClusterPropertiesIdentityProfileValue
| Name | Description | Value | 
|---|---|---|
| clientId | The client id of the user assigned identity. | string | 
| objectId | The object id of the user assigned identity. | string | 
| resourceId | The resource id of the user assigned identity. | string | 
ManagedClusterServicePrincipalProfile
| Name | Description | Value | 
|---|---|---|
| clientId | The ID for the service principal. | string (required) | 
| secret | The secret password associated with the service principal in plain text. | string | 
ManagedClusterWindowsProfile
| Name | Description | Value | 
|---|---|---|
| adminPassword | Specifies the password of the administrator account. Minimum length: 8 characters. Maximum length: 123 characters. Complexity requirements: 3 out of the 4 conditions below need to be fulfilled: has lower characters; has upper characters; has a digit; has a special character (regex match [\W_]). Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!". | string | 
| adminUsername | Specifies the name of the administrator account. Restriction: cannot end in ".". Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum length: 1 character. Maximum length: 20 characters. | string (required) | 
ResourceReference
| Name | Description | Value | 
|---|---|---|
| id | The fully qualified Azure resource id. | string | 
ResourceTags
| Name | Description | Value | 
|---|---|---|
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description | 
|---|---|
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. | 
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault | 
| Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts | 
| Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) | 
| Azure Container Service (AKS) with Helm | Deploy a managed cluster with Azure Container Service (AKS) with Helm | 
| Azure Kubernetes Service (AKS) | Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS) | 
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| CI/CD using Jenkins on Azure Container Service (AKS) | Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment. | 
| Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. | 
| Create a Private AKS Cluster with a Public DNS Zone | This sample shows how to deploy a private AKS cluster with a Public DNS Zone. | 
| Create AKS with Prometheus and Grafana with private link | This template creates an Azure Grafana instance and an AKS cluster, and installs Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. You then use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard. | 
| Deploy a managed Kubernetes Cluster (AKS) | This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster. | 
| Deploy a managed Kubernetes Cluster with AAD (AKS) | This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network and Azure AD Integration. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster. | 
| Deploy an AKS cluster for Azure ML | This template allows you to deploy an enterprise-compliant AKS cluster which can be attached to Azure ML. | 
| min.io Azure Gateway | Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage | 
Terraform (AzAPI provider) resource definition
The managedClusters resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.ContainerService/managedClusters resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.ContainerService/managedClusters@2020-01-01"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      aadProfile = {
        clientAppID = "string"
        serverAppID = "string"
        serverAppSecret = "string"
        tenantID = "string"
      }
      addonProfiles = {
        {customized property} = {
          config = {
            {customized property} = "string"
          }
          enabled = bool
        }
      }
      agentPoolProfiles = [
        {
          availabilityZones = [
            "string"
          ]
          count = int
          enableAutoScaling = bool
          enableNodePublicIP = bool
          maxCount = int
          maxPods = int
          minCount = int
          name = "string"
          nodeLabels = {
            {customized property} = "string"
          }
          nodeTaints = [
            "string"
          ]
          orchestratorVersion = "string"
          osDiskSizeGB = int
          osType = "string"
          scaleSetEvictionPolicy = "string"
          scaleSetPriority = "string"
          tags = {
            {customized property} = "string"
          }
          type = "string"
          vmSize = "string"
          vnetSubnetID = "string"
        }
      ]
      apiServerAccessProfile = {
        authorizedIPRanges = [
          "string"
        ]
        enablePrivateCluster = bool
      }
      diskEncryptionSetID = "string"
      dnsPrefix = "string"
      enablePodSecurityPolicy = bool
      enableRBAC = bool
      identityProfile = {
        {customized property} = {
          clientId = "string"
          objectId = "string"
          resourceId = "string"
        }
      }
      kubernetesVersion = "string"
      linuxProfile = {
        adminUsername = "string"
        ssh = {
          publicKeys = [
            {
              keyData = "string"
            }
          ]
        }
      }
      networkProfile = {
        dnsServiceIP = "string"
        dockerBridgeCidr = "string"
        loadBalancerProfile = {
          allocatedOutboundPorts = int
          effectiveOutboundIPs = [
            {
              id = "string"
            }
          ]
          idleTimeoutInMinutes = int
          managedOutboundIPs = {
            count = int
          }
          outboundIPPrefixes = {
            publicIPPrefixes = [
              {
                id = "string"
              }
            ]
          }
          outboundIPs = {
            publicIPs = [
              {
                id = "string"
              }
            ]
          }
        }
        loadBalancerSku = "string"
        networkPlugin = "string"
        networkPolicy = "string"
        outboundType = "string"
        podCidr = "string"
        serviceCidr = "string"
      }
      nodeResourceGroup = "string"
      servicePrincipalProfile = {
        clientId = "string"
        secret = "string"
      }
      windowsProfile = {
        adminPassword = "string"
        adminUsername = "string"
      }
    }
  }
}
Property Values
Microsoft.ContainerService/managedClusters
| Name | Description | Value | 
|---|---|---|
| identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity | 
| location | Resource location | string (required) | 
| name | The resource name | string Constraints: Min length = 1 Max length = 63 Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required) | 
| parent_id | The ID of the resource to apply this extension resource to. | string (required) | 
| properties | Properties of a managed cluster. | ManagedClusterProperties | 
| tags | Resource tags | Dictionary of tag names and values. | 
| type | The resource type | "Microsoft.ContainerService/managedClusters@2020-01-01" | 
ContainerServiceLinuxProfile
| Name | Description | Value | 
|---|---|---|
| adminUsername | The administrator username to use for Linux VMs. | string Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required) | 
| ssh | SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) | 
ContainerServiceNetworkProfile
| Name | Description | Value | 
|---|---|---|
| dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string Constraints: Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ | 
| dockerBridgeCidr | A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
| loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile | 
| loadBalancerSku | The load balancer sku for the managed cluster. | 'basic' 'standard' | 
| networkPlugin | Network plugin used for building Kubernetes network. | 'azure' 'kubenet' | 
| networkPolicy | Network policy used for building Kubernetes network. | 'azure' 'calico' | 
| outboundType | The outbound (egress) routing method. | 'loadBalancer' 'userDefinedRouting' | 
| podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
| serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
ContainerServiceSshConfiguration
| Name | Description | Value | 
|---|---|---|
| publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. Only expect one key specified. | ContainerServiceSshPublicKey[] (required) | 
ContainerServiceSshPublicKey
| Name | Description | Value | 
|---|---|---|
| keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) | 
ManagedClusterAADProfile
| Name | Description | Value | 
|---|---|---|
| clientAppID | The client AAD application ID. | string (required) | 
| serverAppID | The server AAD application ID. | string (required) | 
| serverAppSecret | The server AAD application secret. | string | 
| tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string | 
ManagedClusterAddonProfile
| Name | Description | Value | 
|---|---|---|
| config | Key-value pairs for configuring an add-on. | ManagedClusterAddonProfileConfig | 
| enabled | Whether the add-on is enabled or not. | bool (required) | 
ManagedClusterAddonProfileConfig
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfile
| Name | Description | Value | 
|---|---|---|
| availabilityZones | Availability zones for nodes. Must use VirtualMachineScaleSets AgentPoolType. | string[] | 
| count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int | 
| enableAutoScaling | Whether to enable auto-scaler | bool | 
| enableNodePublicIP | Enable public IP for nodes | bool | 
| maxCount | Maximum number of nodes for auto-scaling | int | 
| maxPods | Maximum number of pods that can run on a node. | int | 
| minCount | Minimum number of nodes for auto-scaling | int | 
| name | Unique name of the agent pool profile in the context of the subscription and resource group. | string Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$ (required) | 
| nodeLabels | Agent pool node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels | 
| nodeTaints | Taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] | 
| orchestratorVersion | Version of orchestrator specified when creating the managed cluster. | string | 
| osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in this master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int Constraints: Min value = 0 Max value = 1023 | 
| osType | OsType to be used to specify os type. Choose from Linux and Windows. Default to Linux. | 'Linux' 'Windows' | 
| scaleSetEvictionPolicy | ScaleSetEvictionPolicy to be used to specify eviction policy for low priority virtual machine scale set. Default to Delete. | 'Deallocate' 'Delete' | 
| scaleSetPriority | ScaleSetPriority to be used to specify virtual machine scale set priority. Default to regular. | 'Low' 'Regular' | 
| tags | Agent pool tags to be persisted on the agent pool virtual machine scale set. | ManagedClusterAgentPoolProfilePropertiesTags | 
| type | AgentPoolType represents types of an agent pool | 'AvailabilitySet' 'VirtualMachineScaleSets' | 
| vmSize | Size of agent VMs. | 'Standard_A1' 'Standard_A10' 'Standard_A11' 'Standard_A1_v2' 'Standard_A2' 'Standard_A2m_v2' 'Standard_A2_v2' 'Standard_A3' 'Standard_A4' 'Standard_A4m_v2' 'Standard_A4_v2' 'Standard_A5' 'Standard_A6' 'Standard_A7' 'Standard_A8' 'Standard_A8m_v2' 'Standard_A8_v2' 'Standard_A9' 'Standard_B2ms' 'Standard_B2s' 'Standard_B4ms' 'Standard_B8ms' 'Standard_D1' 'Standard_D11' 'Standard_D11_v2' 'Standard_D11_v2_Promo' 'Standard_D12' 'Standard_D12_v2' 'Standard_D12_v2_Promo' 'Standard_D13' 'Standard_D13_v2' 'Standard_D13_v2_Promo' 'Standard_D14' 'Standard_D14_v2' 'Standard_D14_v2_Promo' 'Standard_D15_v2' 'Standard_D16s_v3' 'Standard_D16_v3' 'Standard_D1_v2' 'Standard_D2' 'Standard_D2s_v3' 'Standard_D2_v2' 'Standard_D2_v2_Promo' 'Standard_D2_v3' 'Standard_D3' 'Standard_D32s_v3' 'Standard_D32_v3' 'Standard_D3_v2' 'Standard_D3_v2_Promo' 'Standard_D4' 'Standard_D4s_v3' 'Standard_D4_v2' 'Standard_D4_v2_Promo' 'Standard_D4_v3' 'Standard_D5_v2' 'Standard_D5_v2_Promo' 'Standard_D64s_v3' 'Standard_D64_v3' 'Standard_D8s_v3' 'Standard_D8_v3' 'Standard_DS1' 'Standard_DS11' 'Standard_DS11_v2' 'Standard_DS11_v2_Promo' 'Standard_DS12' 'Standard_DS12_v2' 'Standard_DS12_v2_Promo' 'Standard_DS13' 'Standard_DS13-2_v2' 'Standard_DS13-4_v2' 'Standard_DS13_v2' 'Standard_DS13_v2_Promo' 'Standard_DS14' 'Standard_DS14-4_v2' 'Standard_DS14-8_v2' 'Standard_DS14_v2' 'Standard_DS14_v2_Promo' 'Standard_DS15_v2' 'Standard_DS1_v2' 'Standard_DS2' 'Standard_DS2_v2' 'Standard_DS2_v2_Promo' 'Standard_DS3' 'Standard_DS3_v2' 'Standard_DS3_v2_Promo' 'Standard_DS4' 'Standard_DS4_v2' 'Standard_DS4_v2_Promo' 'Standard_DS5_v2' 'Standard_DS5_v2_Promo' 'Standard_E16s_v3' 'Standard_E16_v3' 'Standard_E2s_v3' 'Standard_E2_v3' 'Standard_E32-16s_v3' 'Standard_E32-8s_v3' 'Standard_E32s_v3' 'Standard_E32_v3' 'Standard_E4s_v3' 'Standard_E4_v3' 'Standard_E64-16s_v3' 'Standard_E64-32s_v3' 'Standard_E64s_v3' 'Standard_E64_v3' 'Standard_E8s_v3' 'Standard_E8_v3' 'Standard_F1' 'Standard_F16' 'Standard_F16s' 'Standard_F16s_v2' 'Standard_F1s' 'Standard_F2' 'Standard_F2s' 'Standard_F2s_v2' 'Standard_F32s_v2' 'Standard_F4' 'Standard_F4s' 'Standard_F4s_v2' 'Standard_F64s_v2' 'Standard_F72s_v2' 'Standard_F8' 'Standard_F8s' 'Standard_F8s_v2' 'Standard_G1' 'Standard_G2' 'Standard_G3' 'Standard_G4' 'Standard_G5' 'Standard_GS1' 'Standard_GS2' 'Standard_GS3' 'Standard_GS4' 'Standard_GS4-4' 'Standard_GS4-8' 'Standard_GS5' 'Standard_GS5-16' 'Standard_GS5-8' 'Standard_H16' 'Standard_H16m' 'Standard_H16mr' 'Standard_H16r' 'Standard_H8' 'Standard_H8m' 'Standard_L16s' 'Standard_L32s' 'Standard_L4s' 'Standard_L8s' 'Standard_M128-32ms' 'Standard_M128-64ms' 'Standard_M128ms' 'Standard_M128s' 'Standard_M64-16ms' 'Standard_M64-32ms' 'Standard_M64ms' 'Standard_M64s' 'Standard_NC12' 'Standard_NC12s_v2' 'Standard_NC12s_v3' 'Standard_NC24' 'Standard_NC24r' 'Standard_NC24rs_v2' 'Standard_NC24rs_v3' 'Standard_NC24s_v2' 'Standard_NC24s_v3' 'Standard_NC6' 'Standard_NC6s_v2' 'Standard_NC6s_v3' 'Standard_ND12s' 'Standard_ND24rs' 'Standard_ND24s' 'Standard_ND6s' 'Standard_NV12' 'Standard_NV24' 'Standard_NV6' | 
| vnetSubnetID | VNet SubnetID specifies the VNet's subnet identifier. | string | 
ManagedClusterAgentPoolProfilePropertiesNodeLabels
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfilePropertiesTags
| Name | Description | Value | 
|---|---|---|
ManagedClusterAPIServerAccessProfile
| Name | Description | Value | 
|---|---|---|
| authorizedIPRanges | Authorized IP Ranges to kubernetes API server. | string[] | 
| enablePrivateCluster | Whether to create the cluster as a private cluster or not. | bool | 
ManagedClusterIdentity
| Name | Description | Value | 
|---|---|---|
| type | The type of identity used for the managed cluster. Type 'SystemAssigned' will use an implicitly created identity in master components and an auto-created user assigned identity in MC_ resource group in agent nodes. Type 'None' will not use MSI for the managed cluster; a service principal will be used instead. | 'None' 'SystemAssigned' | 
ManagedClusterLoadBalancerProfile
| Name | Description | Value | 
|---|---|---|
| allocatedOutboundPorts | Desired number of allocated SNAT ports per VM. Allowed values must be in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. | int Constraints: Min value = 0 Max value = 64000 | 
| effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] | 
| idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values must be in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int Constraints: Min value = 4 Max value = 120 | 
| managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs | 
| outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes | 
| outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs | 
ManagedClusterLoadBalancerProfileManagedOutboundIPs
| Name | Description | Value | 
|---|---|---|
| count | Desired number of outbound IP created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 100 | 
ManagedClusterLoadBalancerProfileOutboundIPPrefixes
| Name | Description | Value | 
|---|---|---|
| publicIPPrefixes | A list of public IP prefix resources. | ResourceReference[] | 
ManagedClusterLoadBalancerProfileOutboundIPs
| Name | Description | Value | 
|---|---|---|
| publicIPs | A list of public IP resources. | ResourceReference[] | 
ManagedClusterProperties
| Name | Description | Value | 
|---|---|---|
| aadProfile | Profile of Azure Active Directory configuration. | ManagedClusterAADProfile | 
| addonProfiles | Profile of managed cluster add-on. | ManagedClusterPropertiesAddonProfiles | 
| agentPoolProfiles | Properties of the agent pool. | ManagedClusterAgentPoolProfile[] | 
| apiServerAccessProfile | Access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile | 
| diskEncryptionSetID | ResourceId of the disk encryption set to use for enabling encryption at rest. | string | 
| dnsPrefix | DNS prefix specified when creating the managed cluster. | string | 
| enablePodSecurityPolicy | (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. | bool | 
| enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool | 
| identityProfile | Identities associated with the cluster. | ManagedClusterPropertiesIdentityProfile | 
| kubernetesVersion | Version of Kubernetes specified when creating the managed cluster. | string | 
| linuxProfile | Profile for Linux VMs in the container service cluster. | ContainerServiceLinuxProfile | 
| networkProfile | Profile of network configuration. | ContainerServiceNetworkProfile | 
| nodeResourceGroup | Name of the resource group containing agent pool nodes. | string | 
| servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile | 
| windowsProfile | Profile for Windows VMs in the container service cluster. | ManagedClusterWindowsProfile | 
ManagedClusterPropertiesAddonProfiles
| Name | Description | Value | 
|---|---|---|
ManagedClusterPropertiesIdentityProfile
| Name | Description | Value | 
|---|---|---|
ManagedClusterPropertiesIdentityProfileValue
| Name | Description | Value | 
|---|---|---|
| clientId | The client id of the user assigned identity. | string | 
| objectId | The object id of the user assigned identity. | string | 
| resourceId | The resource id of the user assigned identity. | string | 
ManagedClusterServicePrincipalProfile
| Name | Description | Value | 
|---|---|---|
| clientId | The ID for the service principal. | string (required) | 
| secret | The secret password associated with the service principal in plain text. | string | 
ManagedClusterWindowsProfile
| Name | Description | Value | 
|---|---|---|
| adminPassword | Specifies the password of the administrator account. Minimum length: 8 characters. Maximum length: 123 characters. Complexity requirements: 3 out of the 4 conditions below need to be fulfilled: has lower characters; has upper characters; has a digit; has a special character (regex match [\W_]). Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!". | string | 
| adminUsername | Specifies the name of the administrator account. Restriction: cannot end in ".". Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum length: 1 character. Maximum length: 20 characters. | string (required) | 
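The adminPassword and adminUsername rules in the table above can be checked before a deployment is submitted. The following Python is an added example, not part of the Azure documentation; the function names and reason codes are hypothetical, and comparing usernames case-insensitively is an assumption that is stricter than the table's wording.

```python
import re

# Disallowed values copied from the adminPassword and adminUsername rows above.
DISALLOWED_PASSWORDS = {
    "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word",
    "pass@word1", "Password!", "Password1", "Password22", "iloveyou!",
}
DISALLOWED_USERNAMES = {
    "administrator", "admin", "user", "user1", "test", "user2", "test1",
    "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet",
    "backup", "console", "david", "guest", "john", "owner", "root", "server",
    "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4",
    "user5",
}
# The four character classes; three of them must be present in a password.
CHAR_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[\W_]"),  # regex given in the table
}


def check_admin_password(password):
    """Return a list of reason codes; an empty list means the rules are met."""
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    if len(password) > 123:
        problems.append("too_long")
    present = [name for name, rx in CHAR_CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append("complexity")
    if password in DISALLOWED_PASSWORDS:
        problems.append("disallowed")
    return problems


def check_admin_username(username):
    """Return a list of reason codes; an empty list means the rules are met."""
    problems = []
    if not 1 <= len(username) <= 20:
        problems.append("length")
    if username.endswith("."):
        problems.append("trailing_dot")
    # Assumption: compare case-insensitively, so "Admin" is rejected like "admin".
    if username.lower() in DISALLOWED_USERNAMES:
        problems.append("disallowed")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw in ["P@ssw0rd", "alllowercase", "Sh0rt!", "Tr4il-mix-Lantern"]:
        print(repr(pw), check_admin_password(pw) or "ok")
    for user in ["Admin", "aksadmin.", "azureuser"]:
        print(repr(user), check_admin_username(user) or "ok")
```

A disallowed password such as "P@ssw0rd" satisfies every length and complexity rule and is rejected only by the list lookup, which is why the list check has to run in addition to the complexity check.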
ResourceReference
| Name | Description | Value | 
|---|---|---|
| id | The fully qualified Azure resource id. | string | 
ResourceTags
| Name | Description | Value | 
|---|---|---|
Usage Examples
Terraform Samples
A basic example of deploying managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service).
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
provider "azapi" {
  skip_provider_registration = false
}
variable "resource_name" {
  type    = string
  default = "acctest0001"
}
variable "location" {
  type    = string
  default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
  type                      = "Microsoft.Resources/resourceGroups@2020-06-01"
  name                      = var.resource_name
  location                  = var.location
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
resource "azapi_resource" "managedCluster" {
  type      = "Microsoft.ContainerService/managedClusters@2023-04-02-preview"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
  body = {
    properties = {
      agentPoolProfiles = [
        {
          count  = 1
          mode   = "System"
          name   = "default"
          vmSize = "Standard_DS2_v2"
        },
      ]
      dnsPrefix = var.resource_name
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
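A pre-deployment review of the `properties` body can catch both schema violations and exposure-related settings. The following Python is an added example, not part of the Azure documentation: `lint_managed_cluster` and `summary` are hypothetical names, `BASIC_SAMPLE` mirrors the body of the Terraform sample above, the other two bodies are constructed, and the "warn" rules are this example's own review policy rather than schema requirements.

```python
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "level path message")
POOL_NAME = re.compile(r"[a-z][a-z0-9]{0,11}")  # agent pool name pattern from the table
# Properties the tables describe as secrets or passwords carried in the body.
SECRET_FIELDS = [("servicePrincipalProfile", "secret"),
                 ("windowsProfile", "adminPassword"),
                 ("aadProfile", "serverAppSecret")]


def lint_managed_cluster(props):
    """Check a managedClusters `properties` dict and return a list of Finding.

    "error" = violates a constraint stated in the property tables.
    "warn"  = accepted by the schema but worth a review (this example's policy).
    """
    out = []
    for i, pool in enumerate(props.get("agentPoolProfiles", [])):
        base = f"agentPoolProfiles[{i}]"
        if not POOL_NAME.fullmatch(pool.get("name", "")):
            out.append(Finding("error", base + ".name", "must match ^[a-z][a-z0-9]{0,11}$"))
        if not 1 <= pool.get("count", 1) <= 100:  # documented default is 1
            out.append(Finding("error", base + ".count", "must be in the range 1 to 100"))
        if pool.get("availabilityZones") and pool.get("type") == "AvailabilitySet":
            out.append(Finding("error", base + ".availabilityZones",
                               "zones require type VirtualMachineScaleSets"))
        if pool.get("enableNodePublicIP"):
            out.append(Finding("warn", base + ".enableNodePublicIP", "nodes get public IPs"))

    net = props.get("networkProfile", {})
    try:
        # strict=False accepts CIDRs with host bits set, such as 172.17.0.1/16.
        service = ipaddress.ip_network(net["serviceCidr"], strict=False) if "serviceCidr" in net else None
        bridge = ipaddress.ip_network(net["dockerBridgeCidr"], strict=False) if "dockerBridgeCidr" in net else None
        dns = ipaddress.ip_address(net["dnsServiceIP"]) if "dnsServiceIP" in net else None
    except ValueError as exc:
        out.append(Finding("error", "networkProfile", f"unparseable address: {exc}"))
    else:
        if service is not None and dns is not None and dns not in service:
            out.append(Finding("error", "networkProfile.dnsServiceIP", "must be within serviceCidr"))
        if service is not None and bridge is not None and bridge.overlaps(service):
            out.append(Finding("error", "networkProfile.dockerBridgeCidr", "overlaps serviceCidr"))

    api = props.get("apiServerAccessProfile", {})
    if not api.get("enablePrivateCluster") and not api.get("authorizedIPRanges"):
        out.append(Finding("warn", "apiServerAccessProfile",
                           "neither enablePrivateCluster nor authorizedIPRanges is set"))
    if props.get("enableRBAC") is not True:
        out.append(Finding("warn", "enableRBAC", "not explicitly set to true"))
    for section, key in SECRET_FIELDS:
        if props.get(section, {}).get(key):
            out.append(Finding("warn", f"{section}.{key}", "plain-text secret present in the body"))
    return out


def summary(props):
    """Sorted (level, path) pairs, convenient for CI output and comparisons."""
    return sorted((f.level, f.path) for f in lint_managed_cluster(props))


# Body of the Terraform sample above.
BASIC_SAMPLE = {
    "agentPoolProfiles": [{"count": 1, "mode": "System", "name": "default",
                           "vmSize": "Standard_DS2_v2"}],
    "dnsPrefix": "acctest0001",
}
# Constructed body that breaks several documented constraints.
MISCONFIGURED = {
    "agentPoolProfiles": [{"name": "Pool-1", "count": 0, "type": "AvailabilitySet",
                           "availabilityZones": ["1"], "enableNodePublicIP": True}],
    "enableRBAC": False,
    "networkProfile": {"serviceCidr": "10.0.0.0/16", "dnsServiceIP": "10.1.0.10",
                       "dockerBridgeCidr": "10.0.5.1/24"},
    "servicePrincipalProfile": {"clientId": "00000000-0000-0000-0000-000000000000",
                                "secret": "constructed-placeholder"},
}
# Constructed body that passes every check in this example.
HARDENED = {
    "agentPoolProfiles": [{"name": "system", "count": 3, "type": "VirtualMachineScaleSets",
                           "availabilityZones": ["1", "2", "3"], "enableNodePublicIP": False}],
    "enableRBAC": True,
    "apiServerAccessProfile": {"authorizedIPRanges": ["203.0.113.0/24"]},
    "networkProfile": {"serviceCidr": "10.0.0.0/16", "dnsServiceIP": "10.0.0.10",
                       "dockerBridgeCidr": "172.17.0.1/16"},
}

if __name__ == "__main__":
    for label, body in [("basic", BASIC_SAMPLE), ("misconfigured", MISCONFIGURED),
                        ("hardened", HARDENED)]:
        print(label)
        for f in lint_managed_cluster(body):
            print(f"  {f.level:5} {f.path}: {f.message}")
```

The basic sample produces no errors but two warnings, because it sets neither `apiServerAccessProfile` nor `enableRBAC`.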
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| AKS Managed Cluster | AVM Resource Module for AKS Managed Cluster |