aks-preview: Support BYO VNet for --enable-hosted-system automatic clusters + --disable-hosted-system#9812
Open
wenhug wants to merge 11 commits intoAzure:mainfrom
Open
aks-preview: Support BYO VNet for --enable-hosted-system automatic clusters + --disable-hosted-system#9812wenhug wants to merge 11 commits intoAzure:mainfrom
wenhug wants to merge 11 commits intoAzure:mainfrom
Conversation
|
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| aks create | cmd aks create added parameter disable_hosted_system |
||
| aks create | cmd aks create added parameter node_subnet_id |
||
| aks create | cmd aks create added parameter system_node_subnet_id |
|
Hi @wenhug, |
Collaborator
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
Contributor
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
microsoft-github-policy-service
Bot
requested review from
yanzhudd,
yonzhan and
zhoxing-ms
Contributor
CodeGen Tools Feedback CollectionThank you for using our CodeGen tool. We value your feedback, and we would like to know how we can improve our product. Please take a few minutes to fill our codegen survey |
Contributor
|
Hi @wenhug Release SuggestionsModule: aks-preview
Notes
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds aks-preview CLI support for hosted-system (HOBO) automatic clusters to cover both BYO VNet scenarios (with new subnet flags) and a deterministic opt-out via --disable-hosted-system, along with plumbing fixes needed for outbound type defaults, API server access profile wiring, and subnet role assignments.
Changes:
- Add new
az aks createflags:--system-node-vnet-subnet-id,--node-vnet-subnet-id, and--disable-hosted-system, plus client-side validation for HOBO BYO subnet combinations. - Update managed cluster decorator logic for outbound type defaulting, hosted system profile wiring, API server access profile setup (typed fields), and role assignment across HOBO subnets.
- Add live-only scenario tests for BYO VNet HOBO (NATGW + SLB) and
--disable-hosted-system, and update docs/changelog.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py |
Adds/updates live-only tests for HOBO automatic scenarios (BYO VNet + SLB/NATGW, disable hosted system). |
src/aks-preview/azext_aks_preview/managed_cluster_decorator.py |
Implements new flag validation/plumbing, outbound-type defaulting adjustment, typed API server access profile setup, and extended subnet role assignment. |
src/aks-preview/azext_aks_preview/custom.py |
Extends aks_create function signature to accept new CLI parameters. |
src/aks-preview/azext_aks_preview/_validators.py |
Adds resource ID validators for the new HOBO subnet flags. |
src/aks-preview/azext_aks_preview/_params.py |
Wires new CLI arguments into aks create. |
src/aks-preview/azext_aks_preview/_help.py |
Documents new flags and adds examples for HOBO BYO VNet and opt-out flows. |
src/aks-preview/HISTORY.rst |
Notes the new CLI surface and behavior in the pending changelog. |
…usters + --disable-hosted-system Adds CLI surface for BYO VNet HOBO (hosted system pool) automatic clusters: * `--system-node-vnet-subnet-id` and `--node-vnet-subnet-id` on `az aks create` to bring your own VNet for the hosted system pool and user node pool. Must be used together with `--apiserver-subnet-id` and `--enable-hosted-system`. * `--disable-hosted-system` on `az aks create` to deterministically opt out of HOBO on automatic clusters (mutually exclusive with `--enable-hosted-system`, both gated to `--sku automatic`). Supported scenarios: 1. az aks create --sku automatic --enable-hosted-system 2. ... + --system-node-vnet-subnet-id --node-vnet-subnet-id --apiserver-subnet-id (NATGW) 3. ... + --outbound-type loadBalancer for BYO VNet with SLB outbound 4. az aks create --sku automatic --disable-hosted-system 5. az aks update --sku base to downgrade an automatic+HOBO cluster Validation (client-side, before PATCH): * --enable-hosted-system and --disable-hosted-system are mutually exclusive. * Both require --sku automatic. * If --enable-hosted-system is set with any of the 3 BYO subnet flags, all three must be provided; otherwise a clear error lists the missing ones. * BYO subnet flags cannot be used without --enable-hosted-system. Live-only E2E tests cover BYO+NATGW, BYO+SLB with downgrade to base SKU, and the disable opt-out path. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
wenhug
force-pushed
the
wenhug/aks-preview-byo-hobo
branch
from
3bcaac9 to
0e2767b
Compare
* Add short alias --sys-node-subnet-id for --system-node-vnet-subnet-id to satisfy option_length_too_long linter rule. * Rename skuName/isVnetSubnetIdEmpty to snake_case per PEP 8. * Disable too-many-branches pylint warning on _get_outbound_type (overridden from base azure-cli and the preview-specific branches are necessary). * Replace fixed 180s sleep before aks update --sku base with a retry loop that handles the RP's post-create 409 OperationNotAllowed window more robustly. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Contributor
Author
|
Thanks for the review. Addressed in 1e4fd37: CI fixes
Copilot comments
|
Include both --system-node-vnet-subnet-id and --sys-node-subnet-id in the help entry name so azdev linter recognizes all option aliases and does not report unrecognized_help_parameter_rule / missing_parameter_help. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
The azdev linter compares help parameter names against knack's HelpParameter.name which is built by sorting options alphabetically (knack/help.py line 349). Swap the order so --sys-node-subnet-id comes before --system-node-vnet-subnet-id. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
The _get_outbound_type validation previously required --vnet-subnet-id when outbound_type is userAssignedNATGateway / userDefinedRouting. For BYO HOBO automatic clusters the VNet is provided via --system-node-vnet-subnet-id / --node-vnet-subnet-id instead, so treat those as satisfying the requirement. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Adds test_aks_automatic_sku_hosted_system_byovnet_user_natgw covering BYO VNet hosted-system automatic clusters with userAssignedNATGateway outbound type, exercising the _get_outbound_type fix that treats BYO HOBO subnets as satisfying the VNet requirement. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Previously _validate_byo_hobo_subnet_trio only ran when set_up_api_server_access_profile invoked get_apiserver_subnet_id, which in the base construct_mc_profile_default flow runs AFTER process_add_role_assignment_for_vnet_subnet. A malformed BYO HOBO create (partial subnet trio, or HOBO subnet flags without --enable-hosted-system) could therefore leave residual Network Contributor grants on customer subnets before the CLI surface-level validation fired. Move trio validation to the start of the role-assignment override so misuse fails before any RBAC mutation happens. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Refactor-only (no behavior change): introduce public AKSPreviewManagedClusterContext.has_byo_hobo_subnets() and replace three inline duplicate 'system_node_vnet_subnet_id or node_vnet_subnet_id' checks (in _get_outbound_type default-completion, _get_outbound_type validation, and get_api_server_access_profile validation) with calls to it. Also rename _validate_byo_hobo_subnet_trio to validate_byo_hobo_subnet_trio (drop the leading underscore) so the CreateDecorator override can call it directly without a pylint protected-access exception. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
zqingqing1
reviewed
Apr 22, 2026
Rename --system-node-vnet-subnet-id -> --system-node-subnet-id and --node-vnet-subnet-id -> --node-subnet-id (with Python identifiers system_node_subnet_id / node_subnet_id) per @zqingqing1 review feedback on PR Azure#9812. The --sys-node-subnet-id alias is retained. Also drop the BYO VNet combination paragraph from the --enable-hosted-system long-summary per PM guidance. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
RP rejects the combination of BYO VNet + managedNATGateway with "Outbound type is managedNATGateway but agent pool 'hostedpool' is using custom VNet, which is not allowed" (by design, enforced in natgatewayv2.go). For BYO VNet the RP auto-defaults outboundType to loadBalancer and only accepts loadBalancer or userAssignedNATGateway. The byovnet_slb and byovnet_user_natgw tests already cover the two supported BYO HOBO outbound modes, so this test was attempting an unsupported scenario and is removed. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Contributor
Author
|
@zhoxing-ms , @yanzhudd , could you help review this PR? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds CLI surface in the
aks-previewextension so customers can drive all five HOBO (hosted system pool) scenarios for--sku automaticclusters backed by the 2026-02-02-preview API:az aks create --sku automatic --enable-hosted-system(non-BYO, baseline)az aks create --sku automatic --enable-hosted-system --system-node-vnet-subnet-id <A> --node-vnet-subnet-id <B> --apiserver-subnet-id <C>(BYO VNet, default managedNATGateway outbound)--outbound-type loadBalancer(BYO VNet + SLB outbound)az aks create --sku automatic --disable-hosted-system(deterministic opt-out once HOBO becomes the regional default for automatic)az aks update --sku base(downgrade an automatic+HOBO cluster to base)New flags
--system-node-vnet-subnet-id/--node-vnet-subnet-idonaz aks create: bring your own subnets for the hosted system pool and the user node pool. Must be set together with--apiserver-subnet-idand--enable-hosted-system. Values go toManagedClusterHostedSystemProfile.{systemNodeSubnetId, nodeSubnetId}.--disable-hosted-systemonaz aks create: mutually exclusive with--enable-hosted-system; both are gated to--sku automatic. WritesHostedSystemProfile.enabled=falsewithout clearingagentPoolProfilesso customers keep real agent pools.Validation (client-side, before PATCH)
--enable-hosted-systemand--disable-hosted-systemare mutually exclusive.--sku automatic.--enable-hosted-system; omitting one of the three raises a clear error listing the missing ones.--system-node-vnet-subnet-id/--node-vnet-subnet-idare validated through the existingvalidate_vnet_subnet_idresource-ID validator.Plumbing fixes needed to make the BYO path actually work
_get_outbound_typeused to unconditionally flip automatic-SKU outbound tomanagedNATGatewaywhen--vnet-subnet-idwas empty. That silently overwrote--outbound-type loadBalanceron BYO HOBO (which uses the two new subnet flags instead of--vnet-subnet-id). The override now only forces managedNATGateway when the user did NOT explicitly pass--outbound-type.process_add_role_assignment_for_vnet_subnetto also grant Network Contributor on each of the three HOBO BYO subnets to the cluster identity (SP or UAMI). Without this RP returnedResourceMissingPermissionErroron every BYO create.set_up_api_server_access_profileis replaced by a full override (not asuper()-and-patch) because base acs writessubnetId/enableVnetIntegrationvia msrest-styleadditional_properties, which the 2026-02-02-preview SDK (azure.core Model) does not expose; the override assigns typed fields instead.Test plan
test_aks_automatic_sku_hosted_system_byovnet_slb(live_only): creates BYO VNet + 3 subnets + UAMI, creates automatic HOBO with--outbound-type loadBalancer, assertsprovisioningState, SKU,hostedSystemProfile.enabled,hostedSystemProfile.systemNodeSubnetId,hostedSystemProfile.nodeSubnetId,apiServerAccessProfile.subnetId,networkProfile.outboundType, then downgrades to Base.test_aks_automatic_sku_with_hosted_system_disabled(live_only):--disable-hosted-systemassertshostedSystemProfile.enabled=Falseand agent pools remain.test_aks_automatic_sku_hosted_system_byovnet_natgw(live_only): BYO + default managedNATGateway outbound. Requires the RP-side HOBO support (ADO PR 15102840) before it can go green end-to-end; CLI request body validated manually.eastus2euapagainst AKS Standalone Sub 1 exercised scenarios 3, 4, and 5 end-to-end.Signed-off-by: wenhug 50309350+wenhug@users.noreply.github.com