[AKS] Add --disable-windows-outbound-nat for az aks nodepool add to add a Windows agent pool which the Windows OutboundNAT is disabled (#28806)

Author: ShiqianTao

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -1568,6 +1568,9 @@
   - name: --crg-id
     type: string
     short-summary: The crg id used to associate the new nodepool with the existed Capacity Reservation Group resource.
+  - name: --disable-windows-outbound-nat
+    type: bool
+    short-summary: Disable Windows OutboundNAT on Windows agent node pool.
 
 examples:
   - name: Create a nodepool in an existing AKS cluster with ephemeral os enabled.

src/azure-cli/azure/cli/command_modules/acs/_params.py

@@ -88,6 +88,7 @@
     validate_force_upgrade_disable_and_enable_parameters,
     validate_allowed_host_ports, validate_application_security_groups,
     validate_node_public_ip_tags,
+    validate_disable_windows_outbound_nat,
     validate_crg_id,
     validate_azure_service_mesh_revision)
 from azure.cli.core.commands.parameters import (
@@ -706,6 +707,7 @@ def load_arguments(self, _):
         c.argument('enable_encryption_at_host', action='store_true')
         c.argument('enable_ultra_ssd', action='store_true')
         c.argument('enable_fips_image', action='store_true')
+        c.argument("disable_windows_outbound_nat", action="store_true", validator=validate_disable_windows_outbound_nat)
         c.argument('kubelet_config')
         c.argument('linux_os_config')
         c.argument('host_group_id', validator=validate_host_group_id)

src/azure-cli/azure/cli/command_modules/acs/_validators.py

@@ -797,3 +797,11 @@ def validate_azure_service_mesh_revision(namespace):
     found = asm_revision_regex.findall(revision)
     if not found:
         raise InvalidArgumentValueError(f"Revision {revision} is not supported by the service mesh add-on.")
+
+
+def validate_disable_windows_outbound_nat(namespace):
+    """Validates disable_windows_outbound_nat can only be used on Windows."""
+    if namespace.disable_windows_outbound_nat:
+        if hasattr(namespace, 'os_type') and str(namespace.os_type).lower() != "windows":
+            raise ArgumentUsageError(
+                '--disable-windows-outbound-nat can only be set for Windows nodepools')

src/azure-cli/azure/cli/command_modules/acs/agentpool_decorator.py

@@ -1345,6 +1345,34 @@ def get_ip_tags(self) -> Union[List[IPTag], None]:
                 ))
         return res
 
+    def _get_disable_windows_outbound_nat(self) -> bool:
+        """Internal function to obtain the value of disable_windows_outbound_nat.
+
+        :return: bool
+        """
+        # read the original value passed by the command
+        disable_windows_outbound_nat = self.raw_param.get("disable_windows_outbound_nat")
+        # In create mode, try to read the property value corresponding to the parameter from the `agentpool` object
+        if self.decorator_mode == DecoratorMode.CREATE:
+            if (
+                self.agentpool and
+                hasattr(self.agentpool, "windows_profile") and
+                self.agentpool.windows_profile and
+                self.agentpool.windows_profile.disable_windows_outbound_nat is not None
+            ):
+                disable_windows_outbound_nat = self.agentpool.windows_profile.disable_windows_outbound_nat
+
+        # this parameter does not need dynamic completion
+        # this parameter does not need validation
+        return disable_windows_outbound_nat
+
+    def get_disable_windows_outbound_nat(self) -> bool:
+        """Obtain the value of disable_windows_outbound_nat.
+
+        :return: bool
+        """
+        return self._get_disable_windows_outbound_nat()
+
 
 class AKSAgentPoolAddDecorator:
     def __init__(
@@ -1660,6 +1688,23 @@ def set_up_agentpool_network_profile(self, agentpool: AgentPool) -> AgentPool:
 
         return agentpool
 
+    def set_up_agentpool_windows_profile(self, agentpool: AgentPool) -> AgentPool:
+        """Set up windows profile for the AgentPool object.
+
+        :return: the AgentPool object
+        """
+        self._ensure_agentpool(agentpool)
+
+        disable_windows_outbound_nat = self.context.get_disable_windows_outbound_nat()
+
+        # Construct AgentPoolWindowsProfile if one of the fields has been set
+        if disable_windows_outbound_nat:
+            agentpool.windows_profile = self.models.AgentPoolWindowsProfile(  # pylint: disable=no-member
+                disable_outbound_nat=disable_windows_outbound_nat
+            )
+
+        return agentpool
+
     def construct_agentpool_profile_default(self, bypass_restore_defaults: bool = False) -> AgentPool:
         """The overall controller used to construct the AgentPool profile by default.
 
@@ -1696,6 +1741,8 @@ def construct_agentpool_profile_default(self, bypass_restore_defaults: bool = Fa
         agentpool = self.set_up_gpu_properties(agentpool)
         # set up agentpool network profile
         agentpool = self.set_up_agentpool_network_profile(agentpool)
+        # set up agentpool windows profile
+        agentpool = self.set_up_agentpool_windows_profile(agentpool)
         # set up crg id
         agentpool = self.set_up_crg_id(agentpool)
         # restore defaults

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -2300,6 +2300,7 @@ def aks_agentpool_add(
     allowed_host_ports=None,
     asg_ids=None,
     node_public_ip_tags=None,
+    disable_windows_outbound_nat=False,
 ):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()

src/azure-cli/azure/cli/command_modules/acs/linter_exclusions.yml

@@ -132,4 +132,9 @@ aks update:
       azure_container_storage_nodepools:
         rule_exclusions:
         - option_length_too_long
+aks nodepool add:
+  parameters:
+      disable_windows_outbound_nat:
+        rule_exclusions:
+        - option_length_too_long
 ...