Azure · zhoxing-ms · Dec 22, 2025 · Nov 4, 2025 · Nov 4, 2025 · Nov 4, 2025
@@ -40,6 +40,9 @@ aks create:
     enable_private_cluster:
       rule_exclusions:
       - option_length_too_long
+    enable_application_load_balancer:
+      rule_exclusions:
+      - option_length_too_long
     load_balancer_idle_timeout:
       rule_exclusions:
       - option_length_too_long
@@ -198,6 +201,12 @@ aks update:
     cluster_service_load_balancer_health_probe_mode:
       rule_exclusions:
       - option_length_too_long
+    enable_application_load_balancer:
+      rule_exclusions:
+      - option_length_too_long
+    disable_application_load_balancer:
+      rule_exclusions:
+      - option_length_too_long
 aks agent:
   parameters:
     prompt:

@@ -11,6 +11,11 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+* Add add-on support for `ApplicationLoadBalancer` (Application Gateway for Containers)
+- AKS Create and Update parameters for `--enable-application-load-balancer` and `--disable-application-load-balancer`
+ - `az aks applicationloadbalancer enable`: Enable Application Load Balancer add-on for an existing cluster.
+ - `az aks applicationloadbalancer disable`: Disable Application Load Balancer add-on for an existing cluster.
+ - `az aks applicationloadbalancer update`: Update Application Load Balancer add-on for an existing cluster.
 
 19.0.0b18
 +++++++

@@ -168,6 +168,9 @@
 CONST_DISK_DRIVER_V2 = "v2"
 
 # consts for addons
+# application load balancer (Application Gateway for Containers)
+CONST_APPLICATION_LOAD_BALANCER_ADDON_NAME = "applicationLoadBalancer"
+
 # http application routing
 CONST_HTTP_APPLICATION_ROUTING_ADDON_NAME = "httpApplicationRouting"
 
@@ -225,6 +228,7 @@
 
 # all supported addons
 ADDONS = {
+    "application-load-balancer": CONST_APPLICATION_LOAD_BALANCER_ADDON_NAME,
     "http_application_routing": CONST_HTTP_APPLICATION_ROUTING_ADDON_NAME,
     "monitoring": CONST_MONITORING_ADDON_NAME,
     "virtual-node": CONST_VIRTUAL_NODE_ADDON_NAME,
@@ -255,7 +259,10 @@
         "- enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on "
         "your clusters in a centralized, consistent manner.\nLearn more at aka.ms/aks/policy."
     ),
-    CONST_INGRESS_APPGW_ADDON_NAME: "- enable Application Gateway Ingress Controller addon (PREVIEW).",
+    CONST_APPLICATION_LOAD_BALANCER_ADDON_NAME: (
+        "- enable Application Load Balancer (Application Gateway for Containers) addon (PREVIEW)."
+    ),
+    CONST_INGRESS_APPGW_ADDON_NAME: "- enable Application Gateway Ingress Controller addon.",
     CONST_CONFCOM_ADDON_NAME: "- enable confcom addon, this will enable SGX device plugin by default (PREVIEW).",
     CONST_OPEN_SERVICE_MESH_ADDON_NAME: "- enable Open Service Mesh addon (PREVIEW).",
     CONST_AZURE_KEYVAULT_SECRETS_PROVIDER_ADDON_NAME: "- enable Azure Keyvault Secrets Provider addon.",

@@ -175,7 +175,8 @@
             - monitoring                      :  turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If monitoring addon is enabled --no-wait argument will have no effect
             - virtual-node                    : enable AKS Virtual Node. Requires --aci-subnet-name to provide the name of an existing subnet for the Virtual Node to use. aci-subnet-name must be in the same vnet which is specified by --vnet-subnet-id (required as well).
             - azure-policy                    : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Required if enabling deployment safeguards. Learn more at aka.ms/aks/policy.
-            - ingress-appgw                   : enable Application Gateway Ingress Controller addon (PREVIEW).
+            - application-load-balancer       : enable the Application Load Balancer (Application Gateway for Containers) addon (PREVIEW).
+            - ingress-appgw                   : enable Application Gateway Ingress Controller addon.
             - confcom                         : enable confcom addon, this will enable SGX device plugin by default(PREVIEW).
             - open-service-mesh               : enable Open Service Mesh addon (PREVIEW).
             - gitops                          : enable GitOps (PREVIEW).
@@ -635,6 +636,9 @@
               Auto: A standard set of Karpenter NodePools are provisioned.
               None: No Karpenter NodePools are provisioned.
               WARNING: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will in turn drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action.
+        - name: --enable-application-load-balancer
+          type: bool
+          short-summary: Enable Application Load Balancer (Application Gateway for Containers) addon.
         - name: --enable-app-routing
           type: bool
           short-summary: Enable Application Routing addon.
@@ -1417,6 +1421,12 @@
         - name: --disable-gateway-api
           type: bool
           short-summary: Disable managed installation of Gateway API CRDs.
+        - name: --enable-application-load-balancer
+          type: bool
+          short-summary: Enable Application Load Balancer (Application Gateway for Containers) addon.
+        - name: --disable-application-load-balancer
+          type: bool
+          short-summary: Disable Application Load Balancer (Application Gateway for Containers) addon.
     examples:
       - name: Reconcile the cluster back to its current state.
         text: az aks update -g MyResourceGroup -n MyManagedCluster
@@ -2779,7 +2789,8 @@
         virtual-node                    - enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use.
         azure-policy                    - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
                                           Learn more at aka.ms/aks/policy.
-        ingress-appgw                   - enable Application Gateway Ingress Controller addon (PREVIEW).
+        application-load-balancer       - enable the Application Load Balancer (Application Gateway for Containers) addon (PREVIEW).
+        ingress-appgw                   - enable Application Gateway Ingress Controller addon.
         open-service-mesh               - enable Open Service Mesh addon (PREVIEW).
         gitops                          - enable GitOps (PREVIEW).
         azure-keyvault-secrets-provider - enable Azure Keyvault Secrets Provider addon.
@@ -2939,7 +2950,8 @@
         virtual-node                    - enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use.
         azure-policy                    - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
                                           Learn more at aka.ms/aks/policy.
-        ingress-appgw                   - enable Application Gateway Ingress Controller addon (PREVIEW).
+        application-load-balancer       - enable the Application Load Balancer (Application Gateway for Containers) addon (PREVIEW).
+        ingress-appgw                   - enable Application Gateway Ingress Controller addon.
         open-service-mesh               - enable Open Service Mesh addon (PREVIEW).
         gitops                          - enable GitOps (PREVIEW).
         azure-keyvault-secrets-provider - enable Azure Keyvault Secrets Provider addon.
@@ -3612,9 +3624,33 @@
         text: az aks mesh disable-istio-cni --resource-group MyResourceGroup --name MyManagedCluster
 """
 
+helps['aks applicationloadbalancer'] = """
+    type: group
+    short-summary: Commands to manage Application Load Balancer (Application Gateway for Containers) addon.
+    long-summary: A group of commands to manage Application Load Balancer (Application Gateway for Containers) in given cluster.
+"""
+
+helps['aks applicationloadbalancer enable'] = """
+    type: command
+    short-summary: Enable Application Load Balancer (Application Gateway for Containers) addon.
+    long-summary: This command enables Application Load Balancer in given cluster.
+"""
+
+helps['aks applicationloadbalancer update'] = """
+    type: command
+    short-summary: Update Application Load Balancer (Application Gateway for Containers) addon.
+    long-summary: This command is used to make a put operation on the Application Load Balancer in a given cluster.
+"""
+
+helps['aks applicationloadbalancer disable'] = """
+    type: command
+    short-summary: Disable Application Load Balancer (Application Gateway for Containers) addon.
+    long-summary: This command disables Application Load Balancer (Application Gateway for Containers) in given cluster.
+"""
+
 helps['aks approuting'] = """
     type: group
-    short-summary: Commands to manage App Routing aadon.
+    short-summary: Commands to manage App Routing addon.
     long-summary: A group of commands to manage App Routing in given cluster.
 """
 

@@ -782,6 +782,7 @@ def load_arguments(self, _):
         c.argument("enable_secret_rotation", action="store_true")
         c.argument("rotation_poll_interval")
         c.argument("enable_sgxquotehelper", action="store_true")
+        c.argument("enable_application_load_balancer", action="store_true", is_preview=True)
         c.argument("enable_app_routing", action="store_true", is_preview=True)
         c.argument(
             "app_routing_default_nginx_controller",
@@ -1765,6 +1766,18 @@ def load_arguments(self, _):
             action="store_true",
             help="Disable managed installation of Gateway API CRDs."
         )
+        c.argument(
+            "enable_application_load_balancer",
+            action="store_true",
+            is_preview=True,
+            help="Enable Application Load Balancer (Application Gateway for Containers)."
+        )
+        c.argument(
+            "disable_application_load_balancer",
+            action="store_true",
+            is_preview=True,
+            help="Disable Application Load Balancer (Application Gateway for Containers)."
+        )
 
     with self.argument_context("aks upgrade") as c:
         c.argument("kubernetes_version", completer=get_k8s_upgrades_completion_list)

@@ -253,6 +253,11 @@ def update_addons(
         resource_type=CUSTOM_MGMT_AKS_PREVIEW,
         operation_group="managed_clusters",
     )
+    ManagedClusterIngressProfileApplicationLoadBalancer = cmd.get_models(
+        "ManagedClusterIngressProfileApplicationLoadBalancer",
+        resource_type=CUSTOM_MGMT_AKS_PREVIEW,
+        operation_group="managed_clusters",
+    )
     ManagedClusterIngressProfileWebAppRouting = cmd.get_models(
         "ManagedClusterIngressProfileWebAppRouting",
         resource_type=CUSTOM_MGMT_AKS_PREVIEW,
@@ -261,6 +266,19 @@ def update_addons(
 
     # for each addons argument
     for addon_arg in addon_args:
+        if addon_arg == "applicationloadbalancer":
+            # application load balancer settings are in ingress profile, not addon profile
+            if instance.ingress_profile is None:
+                instance.ingress_profile = ManagedClusterIngressProfile()
+            if instance.ingress_profile.application_load_balancer is None:
+                instance.ingress_profile.application_load_balancer = (
+                    ManagedClusterIngressProfileApplicationLoadBalancer()
+                )
+
+            instance.ingress_profile.application_load_balancer.enabled = enable
+
+            continue
+
         if addon_arg == "web_application_routing":
             # web app routing settings are in ingress profile, not addon profile, so deal
             # with it separately

@@ -460,6 +460,14 @@ def load_command_table(self, _):
         g.custom_command("complete", "aks_mesh_upgrade_complete", supports_no_wait=True)
         g.custom_command("rollback", "aks_mesh_upgrade_rollback", supports_no_wait=True)
 
+    # AKS applicationloadbalancer (Application Gateway for Containers) commands
+    with self.command_group(
+        "aks applicationloadbalancer", managed_clusters_sdk, client_factory=cf_managed_clusters
+    ) as g:
+        g.custom_command("enable", "aks_applicationloadbalancer_enable")
+        g.custom_command("disable", "aks_applicationloadbalancer_disable", confirmation=True)
+        g.custom_command("update", "aks_applicationloadbalancer_update")
+
     # AKS approuting commands
     with self.command_group(
         "aks approuting", managed_clusters_sdk, client_factory=cf_managed_clusters

@@ -1025,6 +1025,7 @@ def aks_create(
     enable_sgxquotehelper=False,
     enable_secret_rotation=False,
     rotation_poll_interval=None,
+    enable_application_load_balancer=False,
     enable_app_routing=False,
     app_routing_default_nginx_controller=None,
     # nodepool paramerters
@@ -1399,6 +1400,9 @@ def aks_update(
     # managed gateway installation
     enable_gateway_api=False,
     disable_gateway_api=False,
+    # application load balancer
+    enable_application_load_balancer=False,
+    disable_application_load_balancer=False,
 ):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()
@@ -2665,6 +2669,12 @@ def aks_addon_list(cmd, client, resource_group_name, name):
                 mc.ingress_profile.web_app_routing and
                 mc.ingress_profile.web_app_routing.enabled
             )
+        elif addon_name == "application-load-balancer":
+            enabled = bool(
+                mc.ingress_profile and
+                mc.ingress_profile.application_load_balancer and
+                mc.ingress_profile.application_load_balancer.enabled
+            )
         else:
             if addon_name == "virtual-node":
                 addon_key += os_type
@@ -2701,6 +2711,20 @@ def aks_addon_show(cmd, client, resource_group_name, name, addon):
             "config": mc.ingress_profile.web_app_routing,
         }
 
+    # application-load-balancer is a special case, the configuration is stored in a separate profile
+    if addon == "application-load-balancer":
+        if (
+            not mc.ingress_profile and
+            not mc.ingress_profile.application_load_balancer and
-            not mc.ingress_profile and
-            not mc.ingress_profile.application_load_balancer and
+            not mc.ingress_profile or
+            not mc.ingress_profile.application_load_balancer or
-            not mc.ingress_profile and
-            not mc.ingress_profile.application_load_balancer and
+            not mc.ingress_profile or
+            not mc.ingress_profile.application_load_balancer or
+            not mc.ingress_profile.application_load_balancer.enabled
+        ):
+            raise InvalidArgumentValueError(f'Addon "{addon}" is not enabled in this cluster.')
+        return {
+            "name": addon,
+            "api_key": addon_key,
+            "config": mc.ingress_profile.application_load_balancer,
+        }
+
     # normal addons
     if not mc.addon_profiles or addon_key not in mc.addon_profiles or not mc.addon_profiles[addon_key].enabled:
         raise InvalidArgumentValueError(f'Addon "{addon}" is not enabled in this cluster.')
@@ -3098,6 +3122,11 @@ def _update_addons(cmd,  # pylint: disable=too-many-branches,too-many-statements
         resource_type=CUSTOM_MGMT_AKS_PREVIEW,
         operation_group="managed_clusters",
     )
+    ManagedClusterIngressProfileApplicationLoadBalancer = cmd.get_models(
+        "ManagedClusterIngressProfileApplicationLoadBalancer",
+        resource_type=CUSTOM_MGMT_AKS_PREVIEW,
+        operation_group="managed_clusters",
+    )
     ManagedClusterIngressProfileWebAppRouting = cmd.get_models(
         "ManagedClusterIngressProfileWebAppRouting",
         resource_type=CUSTOM_MGMT_AKS_PREVIEW,
@@ -3113,6 +3142,16 @@ def _update_addons(cmd,  # pylint: disable=too-many-branches,too-many-statements
 
     # for each addons argument
     for addon_arg in addon_args:
+        if addon_arg == "applicationloadbalancer":
+            # application load balancer routing settings are in ingress profile, not addon profile
+            if instance.ingress_profile is None:
+                instance.ingress_profile = ManagedClusterIngressProfile()
+            if instance.ingress_profile.application_load_balancer is None:
+                instance.ingress_profile.application_load_balancer = ManagedClusterIngressProfileApplicationLoadBalancer()
+            instance.ingress_profile.application_load_balancer.enabled = enable
+
+            continue
+
         if addon_arg == "web_application_routing":
             # web app routing settings are in ingress profile, not addon profile, so deal
             # with it separately
@@ -4117,6 +4156,47 @@ def _aks_mesh_update(
     return aks_update_decorator.update_mc(mc)
 
 
+def aks_applicationloadbalancer_enable(
+        cmd,
+        client,
+        resource_group_name,
+        name
+):
+    return _aks_applicationloadbalancer_update(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+        enable_application_load_balancer=True)
+
+
+def aks_applicationloadbalancer_disable(
+        cmd,
+        client,
+        resource_group_name,
+        name
+):
+    return _aks_applicationloadbalancer_update(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+        disable_application_load_balancer=True)
+
+
+def aks_applicationloadbalancer_update(
+        cmd,
+        client,
+        resource_group_name,
+        name
+):
+    return _aks_applicationloadbalancer_update(
+        cmd,
+        client,
+        resource_group_name,
+        name)
+
+
 def aks_approuting_enable(
         cmd,
         client,
@@ -4249,6 +4329,36 @@ def aks_approuting_zone_list(
     raise CLIError('App routing addon is not enabled')
 
 
+# pylint: disable=unused-argument
+def _aks_applicationloadbalancer_update(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+        enable_application_load_balancer=None,
+        disable_application_load_balancer=None
+):
+    from azure.cli.command_modules.acs._consts import DecoratorEarlyExitException
+    from azext_aks_preview.managed_cluster_decorator import AKSPreviewManagedClusterUpdateDecorator
+
+    raw_parameters = locals()
+
+    aks_update_decorator = AKSPreviewManagedClusterUpdateDecorator(
+        cmd=cmd,
+        client=client,
+        raw_parameters=raw_parameters,
+        resource_type=CUSTOM_MGMT_AKS_PREVIEW,
+    )
+
+    try:
+        mc = aks_update_decorator.fetch_mc()
+        mc = aks_update_decorator.update_application_load_balancer_profile(mc)
+    except DecoratorEarlyExitException:
+        return None
+
+    return aks_update_decorator.update_mc(mc)
+
+
 # pylint: disable=unused-argument
 def _aks_approuting_update(
         cmd,