aks-preview: Add managedNATGatewayV2 outbound type support

Add support for the managedNATGatewayV2 outbound type which uses Azure NAT
Gateway Standard V2 SKU. New CLI parameters:
- --nat-gateway-managed-outbound-ipv6-count: IPv6 managed IPs (1-16, dual-stack)
- --nat-gateway-outbound-ip-ids: User-provided public IP resource IDs
- --nat-gateway-outbound-ip-prefix-ids: User-provided IP prefix resource IDs

These are valid only with --outbound-type managedNATGatewayV2.

Author: christine33-creator

src/aks-preview/HISTORY.rst

@@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+19.0.0b25
++++++++
+* `az aks create/update`: Add `--outbound-type managedNATGatewayV2` support using Azure NAT Gateway Standard V2 SKU with IPv6, user-provided IPs, and IP prefixes.
+
 19.0.0b24
 +++++++
 * Vendor new SDK and bump API version to 2026-01-02-preview.

src/aks-preview/azext_aks_preview/_consts.py

@@ -377,6 +377,7 @@
 
 CONST_OUTBOUND_TYPE_NONE = "none"
 CONST_OUTBOUND_TYPE_BLOCK = "block"
+CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY_V2 = "managedNATGatewayV2"
 
 # IMDS restriction consts
 CONST_IMDS_RESTRICTION_ENABLED = "None"

src/aks-preview/azext_aks_preview/_help.py

@@ -158,15 +158,15 @@
         - name: --nat-gateway-managed-outbound-ip-count
           type: int
           short-summary: NAT gateway managed outbound IP count.
-          long-summary: Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
+          long-summary: Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway or managedNATGatewayV2 outbound type only.
         - name: --nat-gateway-idle-timeout
           type: int
           short-summary: NAT gateway idle timeout in minutes.
-          long-summary: Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
+          long-summary: Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway or managedNATGatewayV2 outbound type only.
         - name: --outbound-type
           type: string
           short-summary: How outbound traffic will be configured for a cluster.
-          long-summary: Select between loadBalancer, userDefinedRouting, managedNATGateway, userAssignedNATGateway, none and block. If not set, defaults to type loadBalancer. Requires --vnet-subnet-id to be provided with a preconfigured route table and --load-balancer-sku to be Standard.
+          long-summary: Select between loadBalancer, userDefinedRouting, managedNATGateway, managedNATGatewayV2, userAssignedNATGateway, none and block. If not set, defaults to type loadBalancer. managedNATGatewayV2 uses Azure NAT Gateway Standard V2 SKU and supports IPv6, user-provided public IPs, and user-provided IP prefixes.
         - name: --enable-addons -a
           type: string
           short-summary: Enable the Kubernetes addons in a comma-separated list.
@@ -928,15 +928,15 @@
         - name: --nat-gateway-managed-outbound-ip-count
           type: int
           short-summary: NAT gateway managed outbound IP count.
-          long-summary: Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
+          long-summary: Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway or managedNATGatewayV2 outbound type only.
         - name: --nat-gateway-idle-timeout
           type: int
           short-summary: NAT gateway idle timeout in minutes.
-          long-summary: Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
+          long-summary: Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway or managedNATGatewayV2 outbound type only.
         - name: --outbound-type
           type: string
           short-summary: How outbound traffic will be configured for a cluster.
-          long-summary: This option will change the way how the outbound connections are managed in the AKS cluster. Available options are loadbalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting, none and block. For custom vnet, loadbalancer, userAssignedNATGateway and userDefinedRouting are supported. For aks managed vnet, loadbalancer, managedNATGateway and userDefinedRouting are supported.
+          long-summary: This option will change the way how the outbound connections are managed in the AKS cluster. Available options are loadbalancer, managedNATGateway, managedNATGatewayV2, userAssignedNATGateway, userDefinedRouting, none and block.
         - name: --nrg-lockdown-restriction-level
           type: string
           short-summary: Restriction level on the managed node resource.

src/aks-preview/azext_aks_preview/_natgateway.py

@@ -6,37 +6,99 @@
 from types import SimpleNamespace
 
 
-def create_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, models: SimpleNamespace):
+def create_nat_gateway_profile(
+    managed_outbound_ip_count,
+    idle_timeout,
+    models: SimpleNamespace,
+    managed_outbound_ipv6_count=None,
+    outbound_ip_ids=None,
+    outbound_ip_prefix_ids=None,
+):
     """parse and build NAT gateway profile"""
-    if not is_nat_gateway_profile_provided(managed_outbound_ip_count, idle_timeout):
+    if not is_nat_gateway_profile_provided(
+        managed_outbound_ip_count, idle_timeout,
+        managed_outbound_ipv6_count, outbound_ip_ids, outbound_ip_prefix_ids,
+    ):
         return None
 
     profile = models.ManagedClusterNATGatewayProfile()
-    return configure_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile, models)
+    return configure_nat_gateway_profile(
+        managed_outbound_ip_count, idle_timeout, profile, models,
+        managed_outbound_ipv6_count, outbound_ip_ids, outbound_ip_prefix_ids,
+    )
 
 
-def update_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile, models: SimpleNamespace):
+def update_nat_gateway_profile(
+    managed_outbound_ip_count,
+    idle_timeout,
+    profile,
+    models: SimpleNamespace,
+    managed_outbound_ipv6_count=None,
+    outbound_ip_ids=None,
+    outbound_ip_prefix_ids=None,
+):
     """parse and update an existing NAT gateway profile"""
-    if not is_nat_gateway_profile_provided(managed_outbound_ip_count, idle_timeout):
+    if not is_nat_gateway_profile_provided(
+        managed_outbound_ip_count, idle_timeout,
+        managed_outbound_ipv6_count, outbound_ip_ids, outbound_ip_prefix_ids,
+    ):
         return profile
     if not profile:
         profile = models.ManagedClusterNATGatewayProfile()
-    return configure_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile, models)
+    return configure_nat_gateway_profile(
+        managed_outbound_ip_count, idle_timeout, profile, models,
+        managed_outbound_ipv6_count, outbound_ip_ids, outbound_ip_prefix_ids,
+    )
 
 
-def is_nat_gateway_profile_provided(managed_outbound_ip_count, idle_timeout):
-    return any([managed_outbound_ip_count is not None, idle_timeout])
+def is_nat_gateway_profile_provided(
+    managed_outbound_ip_count,
+    idle_timeout,
+    managed_outbound_ipv6_count=None,
+    outbound_ip_ids=None,
+    outbound_ip_prefix_ids=None,
+):
+    return any([
+        managed_outbound_ip_count is not None,
+        idle_timeout,
+        managed_outbound_ipv6_count is not None,
+        outbound_ip_ids,
+        outbound_ip_prefix_ids,
+    ])
 
 
-def configure_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile, models: SimpleNamespace):
+def configure_nat_gateway_profile(
+    managed_outbound_ip_count,
+    idle_timeout,
+    profile,
+    models: SimpleNamespace,
+    managed_outbound_ipv6_count=None,
+    outbound_ip_ids=None,
+    outbound_ip_prefix_ids=None,
+):
     """configure a NAT Gateway with customer supplied values"""
-    if managed_outbound_ip_count is not None:
+    if managed_outbound_ip_count is not None or managed_outbound_ipv6_count is not None:
         ManagedClusterManagedOutboundIPProfile = models.ManagedClusterManagedOutboundIPProfile
-        profile.managed_outbound_ip_profile = ManagedClusterManagedOutboundIPProfile(
-            count=managed_outbound_ip_count
-        )
+        if not profile.managed_outbound_ip_profile:
+            profile.managed_outbound_ip_profile = ManagedClusterManagedOutboundIPProfile()
+        if managed_outbound_ip_count is not None:
+            profile.managed_outbound_ip_profile.count = managed_outbound_ip_count
+        if managed_outbound_ipv6_count is not None:
+            profile.managed_outbound_ip_profile.count_i_pv6 = managed_outbound_ipv6_count
 
     if idle_timeout:
         profile.idle_timeout_in_minutes = idle_timeout
 
+    if outbound_ip_ids is not None:
+        ManagedClusterNATGatewayProfileOutboundIPs = models.ManagedClusterNATGatewayProfileOutboundIPs
+        profile.outbound_i_ps = ManagedClusterNATGatewayProfileOutboundIPs(
+            public_i_ps=outbound_ip_ids
+        )
+
+    if outbound_ip_prefix_ids is not None:
+        ManagedClusterNATGatewayProfileOutboundIPPrefixes = models.ManagedClusterNATGatewayProfileOutboundIPPrefixes
+        profile.outbound_ip_prefixes = ManagedClusterNATGatewayProfileOutboundIPPrefixes(
+            public_ip_prefixes=outbound_ip_prefix_ids
+        )
+
     return profile

src/aks-preview/azext_aks_preview/_params.py

@@ -33,6 +33,9 @@
     tags_type,
     zones_type,
 )
+from azext_aks_preview._validators import (
+    validate_nat_gateway_managed_outbound_ipv6_count,
+)
 from azext_aks_preview._client_factory import CUSTOM_MGMT_AKS_PREVIEW
 from azext_aks_preview._completers import (
     get_k8s_upgrades_completion_list,
@@ -147,6 +150,7 @@
     CONST_ARTIFACT_SOURCE_CACHE,
     CONST_OUTBOUND_TYPE_NONE,
     CONST_OUTBOUND_TYPE_BLOCK,
+    CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY_V2,
     CONST_APP_ROUTING_ANNOTATION_CONTROLLED_NGINX,
     CONST_APP_ROUTING_EXTERNAL_NGINX,
     CONST_APP_ROUTING_INTERNAL_NGINX,
@@ -371,6 +375,7 @@
     CONST_OUTBOUND_TYPE_LOAD_BALANCER,
     CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING,
     CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY,
+    CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY_V2,
     CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY,
     CONST_OUTBOUND_TYPE_NONE,
     CONST_OUTBOUND_TYPE_BLOCK,
@@ -659,6 +664,37 @@ def load_arguments(self, _):
             type=int,
             validator=validate_nat_gateway_idle_timeout,
         )
+        c.argument(
+            "nat_gateway_managed_outbound_ipv6_count",
+            options_list=[
+                "--nat-gateway-managed-outbound-ipv6-count",
+                "--nat-gw-ipv6-count",
+            ],
+            type=int,
+            validator=validate_nat_gateway_managed_outbound_ipv6_count,
+            help="NAT gateway managed outbound IPv6 IP count. "
+                 "Valid only with --outbound-type managedNATGatewayV2.",
+        )
+        c.argument(
+            "nat_gateway_outbound_ip_ids",
+            options_list=[
+                "--nat-gateway-outbound-ip-ids",
+                "--nat-gw-ip-ids",
+            ],
+            nargs="+",
+            help="Space-separated public IP resource IDs for the "
+                 "cluster NAT gateway. V2 only.",
+        )
+        c.argument(
+            "nat_gateway_outbound_ip_prefix_ids",
+            options_list=[
+                "--nat-gateway-outbound-ip-prefix-ids",
+                "--nat-gw-prefix-ids",
+            ],
+            nargs="+",
+            help="Space-separated public IP prefix resource IDs "
+                 "for the cluster NAT gateway. V2 only.",
+        )
         c.argument("outbound_type", arg_type=get_enum_type(outbound_types))
         c.argument("network_plugin", arg_type=get_enum_type(network_plugins))
         c.argument("network_plugin_mode", arg_type=get_enum_type(network_plugin_modes))
@@ -1247,6 +1283,37 @@ def load_arguments(self, _):
             type=int,
             validator=validate_nat_gateway_idle_timeout,
         )
+        c.argument(
+            "nat_gateway_managed_outbound_ipv6_count",
+            options_list=[
+                "--nat-gateway-managed-outbound-ipv6-count",
+                "--nat-gw-ipv6-count",
+            ],
+            type=int,
+            validator=validate_nat_gateway_managed_outbound_ipv6_count,
+            help="NAT gateway managed outbound IPv6 IP count. "
+                 "Valid only with --outbound-type managedNATGatewayV2.",
+        )
+        c.argument(
+            "nat_gateway_outbound_ip_ids",
+            options_list=[
+                "--nat-gateway-outbound-ip-ids",
+                "--nat-gw-ip-ids",
+            ],
+            nargs="+",
+            help="Space-separated public IP resource IDs for the "
+                 "cluster NAT gateway. V2 only.",
+        )
+        c.argument(
+            "nat_gateway_outbound_ip_prefix_ids",
+            options_list=[
+                "--nat-gateway-outbound-ip-prefix-ids",
+                "--nat-gw-prefix-ids",
+            ],
+            nargs="+",
+            help="Space-separated public IP prefix resource IDs "
+                 "for the cluster NAT gateway. V2 only.",
+        )
         c.argument("network_dataplane", arg_type=get_enum_type(network_dataplanes))
         c.argument("network_policy")
         c.argument("network_plugin", arg_type=get_enum_type(network_plugins))

src/aks-preview/azext_aks_preview/_validators.py

@@ -1144,3 +1144,13 @@ def validate_azure_monitor_logs_enable_disable(namespace):
             "Cannot specify both '--enable-azure-monitor-logs' and '--disable-azure-monitor-logs'. "
             "Use either '--enable-azure-monitor-logs' or '--disable-azure-monitor-logs'."
         )
+
+
+def validate_nat_gateway_managed_outbound_ipv6_count(namespace):
+    """validate NAT gateway profile managed outbound IPv6 count"""
+    if namespace.nat_gateway_managed_outbound_ipv6_count is not None:
+        if (namespace.nat_gateway_managed_outbound_ipv6_count < 1 or
+                namespace.nat_gateway_managed_outbound_ipv6_count > 16):
+            raise InvalidArgumentValueError(
+                "--nat-gateway-managed-outbound-ipv6-count must be in the range [1,16]"
+            )

src/aks-preview/azext_aks_preview/custom.py

@@ -955,6 +955,9 @@ def aks_create(
     load_balancer_backend_pool_type=None,
     nat_gateway_managed_outbound_ip_count=None,
     nat_gateway_idle_timeout=None,
+    nat_gateway_managed_outbound_ipv6_count=None,
+    nat_gateway_outbound_ip_ids=None,
+    nat_gateway_outbound_ip_prefix_ids=None,
     outbound_type=None,
     network_plugin=None,
     network_plugin_mode=None,
@@ -1217,6 +1220,9 @@ def aks_update(
     load_balancer_backend_pool_type=None,
     nat_gateway_managed_outbound_ip_count=None,
     nat_gateway_idle_timeout=None,
+    nat_gateway_managed_outbound_ipv6_count=None,
+    nat_gateway_outbound_ip_ids=None,
+    nat_gateway_outbound_ip_prefix_ids=None,
     kube_proxy_config=None,
     auto_upgrade_channel=None,
     node_os_upgrade_channel=None,