Azure · bcho · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/cli/README.md b/cli/README.md
@@ -15,7 +15,7 @@ $ aks-flex-cli network deploy
 ## Initializing AKS Cluster
 
 ```
-$ aks-flex-cli aks deploy --cilium --wireguard
+$ aks-flex-cli aks deploy --cilium
 ```
 
 ## Initializing Remote Cloud Network

diff --git a/cli/go.mod b/cli/go.mod
@@ -8,7 +8,6 @@ require (
 	github.com/Azure/aks-flex/plugin v0.0.0-00010101000000-000000000000
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v8 v8.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v2 v2.1.0
 	github.com/joho/godotenv v1.5.1
 	github.com/nebius/gosdk v0.0.0-20260218100913-7fb27c45819a
@@ -27,6 +26,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v7 v7.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v8 v8.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v8 v8.0.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.1 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.32.9 // indirect

diff --git a/cli/internal/aks/deploy/assets/aks.json b/cli/internal/aks/deploy/assets/aks.json
@@ -22,10 +22,6 @@
 			"type": "string",
 			"defaultValue": "Standard_D16ds_v5"
 		},
-		"deployWireguard": {
-			"type": "bool",
-			"defaultValue": false
-		},
 		"deployUnboundedCNI": {
 			"type": "bool",
 			"defaultValue": false
@@ -171,81 +167,6 @@
 				"[variables('karpenterMIId')]"
 			]
 		},
-		{
-			"condition": "[parameters('deployWireguard')]",
-			"apiVersion": "2023-09-01",
-			"type": "Microsoft.Network/networkSecurityGroups/securityRules",
-			"name": "nsg/AllowWireGuard",
-			"properties": {
-				"priority": 100,
-				"direction": "Inbound",
-				"access": "Allow",
-				"protocol": "Udp",
-				"sourcePortRange": "*",
-				"destinationPortRange": "51820",
-				"sourceAddressPrefix": "*",
-				"destinationAddressPrefix": "*"
-			}
-		},
-		{
-			"condition": "[parameters('deployWireguard')]",
-			"apiVersion": "2023-09-01",
-			"type": "Microsoft.Network/publicIPPrefixes",
-			"name": "wg-pips",
-			"location": "[resourceGroup().location]",
-			"sku": {
-				"name": "Standard"
-			},
-			"properties": {
-				"prefixLength": 31,
-				"publicIPAddressVersion": "IPv4"
-			}
-		},
-		{
-			"condition": "[parameters('deployWireguard')]",
-			"apiVersion": "2025-10-01",
-			"type": "Microsoft.ContainerService/managedClusters/agentPools",
-			"name": "[concat(parameters('clusterName'), '/wireguard')]",
-			"properties": {
-				"count": 1,
-				"vmSize": "[parameters('gatewayVMSize')]",
-				"mode": "User",
-				"osType": "Linux",
-				"vnetSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet', 'nodes')]",
-				"enableNodePublicIP": true,
-				"nodePublicIPPrefixID": "[resourceId('Microsoft.Network/publicIPPrefixes', 'wg-pips')]",
-				"networkProfile": {
-					"allowedHostPorts": [
-						{
-							"portStart": 51820,
-							"portEnd": 51820,
-							"protocol": "UDP"
-						}
-					]
-				},
-				"nodeLabels": {
-					"stretch.azure.com/wireguard-gateway": "true",
-					"stretch.azure.com/wireguard-hub": "true"
-				},
-				"nodeTaints": [
-					"stretch.azure.com/wireguard-gateway=true:NoSchedule"
-				]
-			},
-			"dependsOn": [
-				"[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]",
-				"[resourceId('Microsoft.Network/publicIPPrefixes', 'wg-pips')]"
-			]
-		},
-		{
-			"condition": "[parameters('deployWireguard')]",
-			"apiVersion": "2023-09-01",
-			"type": "Microsoft.Network/routeTables",
-			"name": "wg-routes",
-			"location": "[resourceGroup().location]",
-			"properties": {
-				"routes": []
-			}
-		},
 		{
 			"condition": "[parameters('deployUnboundedCNI')]",
 			"apiVersion": "2023-09-01",
@@ -321,21 +242,6 @@
 		"oidcIssuerUrl": {
 			"type": "string",
 			"value": "[reference(variables('aksClusterId'), '2024-01-01').oidcIssuerProfile.issuerUrl]"
-		},
-		"nodePoolName": {
-			"condition": "[parameters('deployWireguard')]",
-			"type": "string",
-			"value": "wireguard"
-		},
-		"publicIpPrefixId": {
-			"condition": "[parameters('deployWireguard')]",
-			"type": "string",
-			"value": "[resourceId('Microsoft.Network/publicIPPrefixes', 'wg-pips')]"
-		},
-		"routeTableId": {
-			"condition": "[parameters('deployWireguard')]",
-			"type": "string",
-			"value": "[resourceId('Microsoft.Network/routeTables', 'wg-routes')]"
 		}
 	}
 }
diff --git a/cli/internal/aks/deploy/assets/wireguard-deployment.yaml b/cli/internal/aks/deploy/assets/wireguard-deployment.yaml
diff --git a/cli/internal/aks/deploy/deploy.go b/cli/internal/aks/deploy/deploy.go
@@ -27,9 +27,6 @@ var (
 				if deploycilium {
 					return fmt.Errorf("--cilium cannot be used with --unbounded-cni")
 				}
-				if deployWireguard {
-					return fmt.Errorf("--wireguard cannot be used with --unbounded-cni")
-				}
 			}
 			return nil
 		},
@@ -39,7 +36,6 @@ var (
 	}
 
 	deploycilium          bool
-	deployWireguard       bool
 	unboundedCNI          bool
 	deployGPUOperator     bool
 	deployGPUDevicePlugin bool
@@ -52,8 +48,7 @@ var (
 
 func init() {
 	Command.Flags().BoolVar(&deploycilium, "cilium", false, "deploy Cilium CNI") // default to true to allow minimal networking to work
-	Command.Flags().BoolVar(&deployWireguard, "wireguard", false, "deploy WireGuard gateway node pool and DaemonSet")
-	Command.Flags().BoolVar(&unboundedCNI, "unbounded-cni", false, "deploy unbounded cni (mutually exclusive with --cilium and --wireguard)")
+	Command.Flags().BoolVar(&unboundedCNI, "unbounded-cni", false, "deploy unbounded cni (mutually exclusive with --cilium)")
 	Command.Flags().BoolVar(&deployGPUOperator, "gpu-operator", false, "install NVIDIA GPU Operator via Helm")
 	Command.Flags().BoolVar(&deployGPUDevicePlugin, "gpu-device-plugin", false, "install NVIDIA GPU Device Plugin via Helm")
 	Command.Flags().BoolVar(&skipARM, "skip-arm", false, "skip the ARM template deployment step")
@@ -116,12 +111,6 @@ func run(ctx context.Context) error {
 			"vmSize": {
 				Value: cfg.SystemVMSize,
 			},
-			"gatewayVMSize": {
-				Value: cfg.GatewayVMSize,
-			},
-			"deployWireguard": {
-				Value: deployWireguard,
-			},
 			"deployUnboundedCNI": {
 				Value: unboundedCNI,
 			},
@@ -150,13 +139,6 @@ func run(ctx context.Context) error {
 		log.Printf("Cilium deployment complete")
 	}
 
-	if deployWireguard {
-		if err := deployWireGuard(ctx, credentials, cfg); err != nil {
-			return err
-		}
-		log.Printf("WireGuard deployment complete")
-	}
-
 	if unboundedCNI {
 		if err := unboundedcni.Deploy(ctx, kubeconfigPath, cfg); err != nil {
 			return err