aks-preview: Support BYO VNet for hosted-system automatic clusters #9812

wenhug wants to merge 13 commits into
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| | aks create | cmd aks create added parameter node_subnet_id | |
| | aks create | cmd aks create added parameter system_node_subnet_id | |
Hi @wenhug,

Thank you for your contribution! We will review the pull request and get back to you soon.

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).

```
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
```
Hi @wenhug

Release Suggestions
Module: aks-preview

Notes
Pull request overview
Adds aks-preview CLI support for hosted-system (HOBO) automatic clusters to cover both BYO VNet scenarios (with new subnet flags) and a deterministic opt-out via --disable-hosted-system, along with plumbing fixes needed for outbound type defaults, API server access profile wiring, and subnet role assignments.
Changes:
- Add new `az aks create` flags: `--system-node-vnet-subnet-id`, `--node-vnet-subnet-id`, and `--disable-hosted-system`, plus client-side validation for HOBO BYO subnet combinations.
- Update managed cluster decorator logic for outbound type defaulting, hosted system profile wiring, API server access profile setup (typed fields), and role assignment across HOBO subnets.
- Add live-only scenario tests for BYO VNet HOBO (NATGW + SLB) and `--disable-hosted-system`, and update docs/changelog.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py | Adds/updates live-only tests for HOBO automatic scenarios (BYO VNet + SLB/NATGW, disable hosted system). |
| src/aks-preview/azext_aks_preview/managed_cluster_decorator.py | Implements new flag validation/plumbing, outbound-type defaulting adjustment, typed API server access profile setup, and extended subnet role assignment. |
| src/aks-preview/azext_aks_preview/custom.py | Extends aks_create function signature to accept new CLI parameters. |
| src/aks-preview/azext_aks_preview/_validators.py | Adds resource ID validators for the new HOBO subnet flags. |
| src/aks-preview/azext_aks_preview/_params.py | Wires new CLI arguments into aks create. |
| src/aks-preview/azext_aks_preview/_help.py | Documents new flags and adds examples for HOBO BYO VNet and opt-out flows. |
| src/aks-preview/HISTORY.rst | Notes the new CLI surface and behavior in the pending changelog. |
Force-pushed from 3bcaac9 to 0e2767b
Thanks for the review. Addressed in 1e4fd37:
- CI fixes
- Copilot comments
Rename --system-node-vnet-subnet-id -> --system-node-subnet-id and --node-vnet-subnet-id -> --node-subnet-id (with Python identifiers system_node_subnet_id / node_subnet_id) per @zqingqing1 review feedback on PR Azure#9812. The --sys-node-subnet-id alias is retained. Also drop the BYO VNet combination paragraph from the --enable-hosted-system long-summary per PM guidance. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
@zhoxing-ms, @yanzhudd, could you help review this PR?
…usters + --disable-hosted-system

Adds CLI surface for BYO VNet HOBO (hosted system pool) automatic clusters:

* `--system-node-vnet-subnet-id` and `--node-vnet-subnet-id` on `az aks create` to bring your own VNet for the hosted system pool and user node pool. Must be used together with `--apiserver-subnet-id` and `--enable-hosted-system`.
* `--disable-hosted-system` on `az aks create` to deterministically opt out of HOBO on automatic clusters (mutually exclusive with `--enable-hosted-system`, both gated to `--sku automatic`).

Supported scenarios:
1. az aks create --sku automatic --enable-hosted-system
2. ... + --system-node-vnet-subnet-id --node-vnet-subnet-id --apiserver-subnet-id (NATGW)
3. ... + --outbound-type loadBalancer for BYO VNet with SLB outbound
4. az aks create --sku automatic --disable-hosted-system
5. az aks update --sku base to downgrade an automatic+HOBO cluster

Validation (client-side, before PATCH):
* --enable-hosted-system and --disable-hosted-system are mutually exclusive.
* Both require --sku automatic.
* If --enable-hosted-system is set with any of the 3 BYO subnet flags, all three must be provided; otherwise a clear error lists the missing ones.
* BYO subnet flags cannot be used without --enable-hosted-system.

Live-only E2E tests cover BYO+NATGW, BYO+SLB with downgrade to base SKU, and the disable opt-out path.

Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
* Add short alias --sys-node-subnet-id for --system-node-vnet-subnet-id to satisfy option_length_too_long linter rule.
* Rename skuName/isVnetSubnetIdEmpty to snake_case per PEP 8.
* Disable too-many-branches pylint warning on _get_outbound_type (overridden from base azure-cli and the preview-specific branches are necessary).
* Replace fixed 180s sleep before aks update --sku base with a retry loop that handles the RP's post-create 409 OperationNotAllowed window more robustly.

Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Include both --system-node-vnet-subnet-id and --sys-node-subnet-id in the help entry name so azdev linter recognizes all option aliases and does not report unrecognized_help_parameter_rule / missing_parameter_help. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
The azdev linter compares help parameter names against knack's HelpParameter.name which is built by sorting options alphabetically (knack/help.py line 349). Swap the order so --sys-node-subnet-id comes before --system-node-vnet-subnet-id. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
The _get_outbound_type validation previously required --vnet-subnet-id when outbound_type is userAssignedNATGateway / userDefinedRouting. For BYO HOBO automatic clusters the VNet is provided via --system-node-vnet-subnet-id / --node-vnet-subnet-id instead, so treat those as satisfying the requirement. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Adds test_aks_automatic_sku_hosted_system_byovnet_user_natgw covering BYO VNet hosted-system automatic clusters with userAssignedNATGateway outbound type, exercising the _get_outbound_type fix that treats BYO HOBO subnets as satisfying the VNet requirement. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Previously _validate_byo_hobo_subnet_trio only ran when set_up_api_server_access_profile invoked get_apiserver_subnet_id, which in the base construct_mc_profile_default flow runs AFTER process_add_role_assignment_for_vnet_subnet. A malformed BYO HOBO create (partial subnet trio, or HOBO subnet flags without --enable-hosted-system) could therefore leave residual Network Contributor grants on customer subnets before the CLI surface-level validation fired. Move trio validation to the start of the role-assignment override so misuse fails before any RBAC mutation happens. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Refactor-only (no behavior change): introduce public AKSPreviewManagedClusterContext.has_byo_hobo_subnets() and replace three inline duplicate 'system_node_vnet_subnet_id or node_vnet_subnet_id' checks (in _get_outbound_type default-completion, _get_outbound_type validation, and get_api_server_access_profile validation) with calls to it. Also rename _validate_byo_hobo_subnet_trio to validate_byo_hobo_subnet_trio (drop the leading underscore) so the CreateDecorator override can call it directly without a pylint protected-access exception. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
RP rejects the combination of BYO VNet + managedNATGateway with "Outbound type is managedNATGateway but agent pool 'hostedpool' is using custom VNet, which is not allowed" (by design, enforced in natgatewayv2.go). For BYO VNet the RP auto-defaults outboundType to loadBalancer and only accepts loadBalancer or userAssignedNATGateway. The byovnet_slb and byovnet_user_natgw tests already cover the two supported BYO HOBO outbound modes, so this test was attempting an unsupported scenario and is removed. Signed-off-by: wenhug <50309350+wenhug@users.noreply.github.com>
Force-pushed from 0099e3e to 5bea5f5
Please resolve merge conflict @wenhug
@FumingZhang addressed the fixed Log Analytics workspace issue in 8f2ee38. The hosted-system live tests now create a workspace in the prepared test resource group and pass it as
Summary

Adds CLI surface in the `aks-preview` extension for hosted-system automatic clusters backed by the 2026-03-02-preview API:
- `az aks create --sku automatic --enable-hosted-system` for explicit hosted-system opt-in.
- `az aks create --sku automatic --system-node-subnet-id <A> --node-subnet-id <B> --apiserver-subnet-id <C>` for BYO VNet hosted-system clusters. The complete subnet trio implies hosted-system enablement.
  - `--outbound-type loadBalancer`.
  - `--outbound-type userAssignedNATGateway`.
- `az aks update --sku base` for downgrading an automatic hosted-system cluster to Base.

New flags

- `--system-node-subnet-id`/`--sys-node-subnet-id` and `--node-subnet-id` on `az aks create`: bring your own subnets for the hosted system pool and user node pools. These must be provided together with `--apiserver-subnet-id` and `--sku automatic`. Values map to `ManagedClusterHostedSystemProfile.{systemNodeSubnetId,nodeSubnetId}`.
- `--enable-hosted-system` on `az aks create`: explicit hosted-system opt-in for automatic clusters. This is still supported, but the BYO subnet trio also implies hosted-system enablement.

Validation and plumbing

- `--enable-hosted-system` requires `--sku automatic`.
- `--system-node-subnet-id` or `--node-subnet-id` requires the full trio: `--system-node-subnet-id`, `--node-subnet-id`, and `--apiserver-subnet-id`.
- `--sku automatic` and automatically enables API server VNet integration.
- `loadBalancer` outbound because `managedNATGateway` is not supported with custom VNet subnets.
- `userDefinedRouting` and `userAssignedNATGateway` outbound validation now accepts BYO hosted-system subnets supplied in the request or already present on an existing hosted-system cluster during update.

Test plan

- `python -m pytest src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py -q`
- `git diff --check`
- `loadBalancer` and `userAssignedNATGateway` outbound paths.
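As an added illustration (not code from the aks-preview extension or this PR), the client-side checks listed under "Validation and plumbing" and the validate-before-grant ordering from the role-assignment commit message, modelled in plain Python: the `CreateArgs` subset of `az aks create` parameters, the error class, and the assumption that all three trio subnets receive Network Contributor are mine, and a malformed trio must fail before any grant is recorded.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional
class InvalidArgumentValueError(Exception):
    pass  # stand-in for azure-cli's error class of the same name (assumption)
@dataclass
class CreateArgs:  # constructed subset of the `az aks create` parameters this PR touches
    sku: Optional[str] = None
    enable_hosted_system: bool = False
    disable_hosted_system: bool = False
    system_node_subnet_id: Optional[str] = None
    node_subnet_id: Optional[str] = None
    apiserver_subnet_id: Optional[str] = None

TRIO = (("--system-node-subnet-id", "system_node_subnet_id"),  # (flag, attribute) pairs
        ("--node-subnet-id", "node_subnet_id"),                # of the BYO hosted-system
        ("--apiserver-subnet-id", "apiserver_subnet_id"))      # subnet trio

def has_byo_hobo_subnets(args: CreateArgs) -> bool:
    return bool(args.system_node_subnet_id or args.node_subnet_id)

def validate_hosted_system_flags(args: CreateArgs) -> None:
    if args.enable_hosted_system and args.disable_hosted_system:
        raise InvalidArgumentValueError("--enable-hosted-system and --disable-hosted-system are mutually exclusive")
    if (args.enable_hosted_system or args.disable_hosted_system or has_byo_hobo_subnets(args)) and args.sku != "automatic":
        raise InvalidArgumentValueError("hosted-system options and BYO hosted-system subnets require --sku automatic")

def validate_byo_hobo_subnet_trio(args: CreateArgs) -> List[str]:
    """Return the trio's subnet IDs, or raise naming every flag missing from it."""
    if not has_byo_hobo_subnets(args):
        return []
    missing = [flag for flag, attr in TRIO if not getattr(args, attr)]
    if missing:
        raise InvalidArgumentValueError("BYO hosted-system subnets require the full trio; missing: " + ", ".join(missing))
    return [getattr(args, attr) for _, attr in TRIO]

def assign_subnet_roles(args: CreateArgs, grant: Callable[[str, str], None]) -> List[str]:
    """Validate before any RBAC mutation, so malformed input never reaches `grant`."""
    validate_hosted_system_flags(args)
    subnets = validate_byo_hobo_subnet_trio(args)
    for subnet_id in subnets:  # assumption: every subnet in the trio gets the grant
        grant(subnet_id, "Network Contributor")
    return subnets

def run_create(args: CreateArgs):
    grants = []  # records (subnet_id, role) calls instead of touching Azure RBAC
    try:
        assign_subnet_roles(args, lambda subnet, role: grants.append((subnet, role)))
    except InvalidArgumentValueError as exc:
        return str(exc), grants
    return None, grants
```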