aks-preview: Support BYO VNet for --enable-hosted-system automatic clusters + --disable-hosted-system

Adds CLI surface for BYO VNet HOBO (hosted system pool) automatic clusters:

* `--system-node-vnet-subnet-id` and `--node-vnet-subnet-id` on `az aks create`
  to bring your own VNet for the hosted system pool and user node pool. Must
  be used together with `--apiserver-subnet-id` and `--enable-hosted-system`.
* `--disable-hosted-system` on `az aks create` to deterministically opt out of
  HOBO on automatic clusters (mutually exclusive with `--enable-hosted-system`,
  both gated to `--sku automatic`).

Supported scenarios:

1. az aks create --sku automatic --enable-hosted-system
2. ... + --system-node-vnet-subnet-id --node-vnet-subnet-id --apiserver-subnet-id (NATGW)
3. ... + --outbound-type loadBalancer for BYO VNet with SLB outbound
4. az aks create --sku automatic --disable-hosted-system
5. az aks update --sku base to downgrade an automatic+HOBO cluster

Validation (client-side, before PATCH):

* --enable-hosted-system and --disable-hosted-system are mutually exclusive.
* Both require --sku automatic.
* If --enable-hosted-system is set with any of the 3 BYO subnet flags, all
  three must be provided; otherwise a clear error lists the missing ones.
* BYO subnet flags cannot be used without --enable-hosted-system.

Live-only E2E tests cover BYO+NATGW, BYO+SLB with downgrade to base SKU, and
the disable opt-out path.

Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>

Author: wenhug

src/aks-preview/HISTORY.rst

@@ -12,6 +12,7 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 * `az aks nodepool update`: Support `--node-vm-size` to resize VM size of an existing VMSS-based agent pool (preview). Requires AFEC registration `Microsoft.ContainerService/AgentPoolVMSSResize`.
+* `az aks create`: Support BYO VNet for hosted-system automatic clusters via `--system-node-vnet-subnet-id` and `--node-vnet-subnet-id`; add `--disable-hosted-system` opt-out.
 
 20.0.0b3
 ++++++

src/aks-preview/azext_aks_preview/_help.py

@@ -715,6 +715,28 @@
         - name: --enable-hosted-system
           type: bool
           short-summary: Create a cluster with fully hosted system components. This applies only when creating a new automatic cluster.
+          long-summary: |
+              Deterministically opts the cluster into HOBO (Hosted Overlay System Pool). AKS hosts and manages the system node pool.
+              Can be combined with BYO VNet via `--system-node-vnet-subnet-id`, `--node-vnet-subnet-id`, and `--apiserver-subnet-id`
+              (all three must be provided together and must belong to the same VNet). Cannot be used with `--disable-hosted-system`.
+        - name: --disable-hosted-system
+          type: bool
+          short-summary: Opt the automatic cluster out of hosted system components.
+          long-summary: |
+              Deterministically creates an automatic cluster WITHOUT HOBO, even in regions where HOBO is the default.
+              Only valid with `--sku automatic`. Mutually exclusive with `--enable-hosted-system`.
+        - name: --system-node-vnet-subnet-id
+          type: string
+          short-summary: Resource ID of the subnet to be used by AKS-managed hosted system nodes (BYO VNet HOBO).
+          long-summary: |
+              Only valid with `--enable-hosted-system`. Must be provided together with `--node-vnet-subnet-id`
+              and `--apiserver-subnet-id`, and all three subnets must belong to the same VNet.
+        - name: --node-vnet-subnet-id
+          type: string
+          short-summary: Resource ID of the subnet joined by tenant worker nodes in BYO VNet HOBO clusters.
+          long-summary: |
+              Only valid with `--enable-hosted-system`. Must be provided together with `--system-node-vnet-subnet-id`
+              and `--apiserver-subnet-id`, and all three subnets must belong to the same VNet.
     examples:
         - name: Create a Kubernetes cluster with an existing SSH public key.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -808,6 +830,12 @@
           text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-gateway-api
         - name: Create an automatic cluster with hosted system components enabled.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --sku automatic --enable-hosted-system
+        - name: Create a hosted-system automatic cluster in a BYO VNet (NAT gateway outbound, the default).
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --sku automatic --enable-hosted-system --system-node-vnet-subnet-id <systemNodeSubnetID> --node-vnet-subnet-id <nodeSubnetID> --apiserver-subnet-id <apiserverSubnetID>
+        - name: Create a hosted-system automatic cluster in a BYO VNet with Load Balancer outbound.
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --sku automatic --enable-hosted-system --system-node-vnet-subnet-id <systemNodeSubnetID> --node-vnet-subnet-id <nodeSubnetID> --apiserver-subnet-id <apiserverSubnetID> --outbound-type loadBalancer
+        - name: Create an automatic cluster and opt out of hosted system components.
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --sku automatic --disable-hosted-system
 
 """
 

src/aks-preview/azext_aks_preview/_params.py

@@ -237,6 +237,8 @@
     validate_utc_offset,
     validate_vm_set_type,
     validate_vnet_subnet_id,
+    validate_system_node_vnet_subnet_id,
+    validate_node_vnet_subnet_id,
     validate_force_upgrade_disable_and_enable_parameters,
     validate_azure_service_mesh_revision,
     validate_artifact_streaming,
@@ -1261,6 +1263,19 @@ def load_arguments(self, _):
             help="Enable Gateway API based ingress on App Routing via Istio"
         )
         c.argument("enable_hosted_system", action="store_true", is_preview=True)
+        c.argument("disable_hosted_system", action="store_true", is_preview=True)
+        c.argument(
+            "system_node_vnet_subnet_id",
+            options_list=["--system-node-vnet-subnet-id"],
+            validator=validate_system_node_vnet_subnet_id,
+            is_preview=True,
+        )
+        c.argument(
+            "node_vnet_subnet_id",
+            options_list=["--node-vnet-subnet-id"],
+            validator=validate_node_vnet_subnet_id,
+            is_preview=True,
+        )
         c.argument(
             "enable_continuous_control_plane_and_addon_monitor",
             action="store_true",

src/aks-preview/azext_aks_preview/_validators.py

@@ -355,6 +355,14 @@ def validate_apiserver_subnet_id(namespace):
     _validate_subnet_id(namespace.apiserver_subnet_id, "--apiserver-subnet-id")
 
 
+def validate_system_node_vnet_subnet_id(namespace):
+    _validate_subnet_id(namespace.system_node_vnet_subnet_id, "--system-node-vnet-subnet-id")
+
+
+def validate_node_vnet_subnet_id(namespace):
+    _validate_subnet_id(namespace.node_vnet_subnet_id, "--node-vnet-subnet-id")
+
+
 def _validate_subnet_id(subnet_id, name):
     if subnet_id is None or subnet_id == '':
         return

src/aks-preview/azext_aks_preview/custom.py

@@ -1179,6 +1179,9 @@ def aks_create(
     # app routing istio
     enable_app_routing_istio=False,
     enable_hosted_system=False,
+    disable_hosted_system=False,
+    system_node_vnet_subnet_id=None,
+    node_vnet_subnet_id=None,
     # health monitor
     enable_continuous_control_plane_and_addon_monitor=False,
 ):