[AKS] Add support for managedNATGateway and userAssignedNATGateway outbound (#3832)

* Add support for outbound types managedNATGateway and userAssignedNATGateway

* Fix azdev style errors

* Fix linter option_length_too_long error

* Add validator for nat-gateway-managed-outbound-ip-count

* Replace CLIError to ArgumentUsageError and InvalidArgumentValueError. Fix an old bug of _set_outbound_type

* Exclude preview test test_aks_create_with_http_proxy_config

* Add unit test for _natgateway.py

* Update aks-preview version

Co-authored-by: Kaiqi Zhang <kaiqzhan@microsoft.com>

linter_exclusions.yml

@@ -61,6 +61,12 @@ aks create:
     load_balancer_outbound_ports:
       rule_exclusions:
       - option_length_too_long
+    nat_gateway_idle_timeout:
+      rule_exclusions:
+      - option_length_too_long
+    nat_gateway_managed_outbound_ip_count:
+      rule_exclusions:
+      - option_length_too_long
     node_osdisk_diskencryptionset_id:
       rule_exclusions:
       - option_length_too_long
@@ -142,6 +148,12 @@ aks update:
     load_balancer_outbound_ports:
       rule_exclusions:
       - option_length_too_long
+    nat_gateway_idle_timeout:
+      rule_exclusions:
+      - option_length_too_long
+    nat_gateway_managed_outbound_ip_count:
+      rule_exclusions:
+      - option_length_too_long
     enable_managed_identity:
       rule_exclusions:
       - option_length_too_long

src/aks-preview/HISTORY.md

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+0.5.31
++++++
+* Add support for new outbound types: 'managedNATGateway' and 'userAssignedNATGateway'
+
 0.5.30
 +++++
 * Add preview support for setting scaleDownMode field on nodepools. Requires registering the feature flag "Microsoft.ContainerService/AKS-ScaleDownModePreview" for setting the value to "Deallocate".

src/aks-preview/azcli_aks_live_test/configs/ext_matrix_default.json

@@ -25,7 +25,9 @@
             "test_aks_create_with_monitoring_aad_auth_msi",
             "test_aks_create_with_monitoring_aad_auth_uai",
             "test_aks_enable_monitoring_with_aad_auth_msi",
-            "test_aks_enable_monitoring_with_aad_auth_uai"
+            "test_aks_enable_monitoring_with_aad_auth_uai",
+            "test_aks_create_and_update_with_managed_nat_gateway_outbound",
+            "test_aks_create_with_http_proxy_config"
         ]
     }
 }

src/aks-preview/azext_aks_preview/_consts.py

@@ -5,6 +5,8 @@
 
 CONST_OUTBOUND_TYPE_LOAD_BALANCER = "loadBalancer"
 CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING = "userDefinedRouting"
+CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY = "managedNATGateway"
+CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY = "userAssignedNATGateway"
 
 CONST_SCALE_SET_PRIORITY_REGULAR = "Regular"
 CONST_SCALE_SET_PRIORITY_SPOT = "Spot"

src/aks-preview/azext_aks_preview/_help.py

@@ -150,10 +150,18 @@ helps['aks create'] = """
           type: int
           short-summary: Load balancer idle timeout in minutes.
           long-summary: Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].
+        - name: --nat-gateway-managed-outbound-ip-count
+          type: int
+          short-summary: NAT gateway managed outbound IP count.
+          long-summary: Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
+        - name: --nat-gateway-idle-timeout
+          type: int
+          short-summary: NAT gateway idle timeout in minutes.
+          long-summary: Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
         - name: --outbound-type
           type: string
           short-summary: How outbound traffic will be configured for a cluster.
-          long-summary: Select between loadBalancer and userDefinedRouting. If not set, defaults to type loadBalancer. Requires --vnet-subnet-id to be provided with a preconfigured route table and --load-balancer-sku to be Standard.
+          long-summary: Select between loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. If not set, defaults to type loadBalancer. Requires --vnet-subnet-id to be provided with a preconfigured route table and --load-balancer-sku to be Standard.
         - name: --enable-addons -a
           type: string
           short-summary: Enable the Kubernetes addons in a comma-separated list.
@@ -365,6 +373,8 @@ helps['aks create'] = """
           text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>
         - name: Create a kubernetes cluster with a standard SKU load balancer, with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine
           text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000
+        - name: Create a kubernetes cluster with a AKS managed NAT gateway, with two outbound AKS managed IPs an idle flow timeout of 4 minutes
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4
         - name: Create a kubernetes cluster with basic SKU load balancer and AvailabilitySet vm set type.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku basic --vm-set-type AvailabilitySet
         - name: Create a kubernetes cluster with authorized apiserver IP ranges.
@@ -471,6 +481,14 @@ helps['aks update'] = """
           type: int
           short-summary: Load balancer idle timeout in minutes.
           long-summary: Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].
+        - name: --nat-gateway-managed-outbound-ip-count
+          type: int
+          short-summary: NAT gateway managed outbound IP count.
+          long-summary: Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
+        - name: --nat-gateway-idle-timeout
+          type: int
+          short-summary: NAT gateway idle timeout in minutes.
+          long-summary: Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
         - name: --enable-pod-security-policy
           type: bool
           short-summary: (PREVIEW) Enable pod security policy.
@@ -582,6 +600,8 @@ helps['aks update'] = """
         text: az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>
       - name: Update a kubernetes cluster with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine
         text: az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000
+      - name: Update a kubernetes cluster of managedNATGateway outbound type with two outbound AKS managed IPs an idle flow timeout of 4 minutes
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4
       - name: Update a kubernetes cluster with authorized apiserver ip ranges.
         text: az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24
       - name: Disable authorized apiserver ip ranges feature for a kubernetes cluster.

src/aks-preview/azext_aks_preview/_helpers.py

@@ -6,11 +6,13 @@
 from distutils.version import StrictVersion  # pylint: disable=no-name-in-module,import-error
 # pylint: disable=no-name-in-module,import-error
 from knack.util import CLIError
+from azure.cli.core.azclierror import ArgumentUsageError
 
 # pylint: disable=no-name-in-module,import-error
 from .vendored_sdks.azure_mgmt_preview_aks.v2021_07_01.models import ManagedClusterAPIServerAccessProfile
 from ._consts import CONST_CONTAINER_NAME_MAX_LENGTH
-from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING
+from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING, \
+    CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY, CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY
 
 
 def _populate_api_server_access_profile(api_server_authorized_ip_ranges, instance=None):
@@ -49,21 +51,42 @@ def _set_vm_set_type(vm_set_type, kubernetes_version):
 
 
 def _set_outbound_type(outbound_type, vnet_subnet_id, load_balancer_sku, load_balancer_profile):
-    if outbound_type != CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING:
+    if (
+        outbound_type != CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING and
+        outbound_type != CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY and
+        outbound_type != CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY
+    ):
         return CONST_OUTBOUND_TYPE_LOAD_BALANCER
 
+    if outbound_type == CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY:
+        if load_balancer_sku == "basic":
+            raise ArgumentUsageError("managedNATGateway doesn't support basic load balancer sku")
+
+        return CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY
+
+    if outbound_type == CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY:
+        if load_balancer_sku == "basic":
+            raise ArgumentUsageError("userAssignedNATGateway doesn't support basic load balancer sku")
+
+        if vnet_subnet_id in ["", None]:
+            raise ArgumentUsageError("--vnet-subnet-id must be specified for userAssignedNATGateway and it must "
+                                     "be pre-associated with a NAT gateway with outbound public IPs or IP prefixes")
+
+        return CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY
+
     if vnet_subnet_id in ["", None]:
-        raise CLIError("--vnet-subnet-id must be specified for userDefinedRouting and it must \
-        be pre-configured with a route table with egress rules")
+        raise ArgumentUsageError("--vnet-subnet-id must be specified for userDefinedRouting and it must "
+                                 "be pre-configured with a route table with egress rules")
 
     if load_balancer_sku == "basic":
-        raise CLIError("userDefinedRouting doesn't support basic load balancer sku")
+        raise ArgumentUsageError("userDefinedRouting doesn't support basic load balancer sku")
 
     if load_balancer_profile:
-        if (load_balancer_profile.managed_outbound_ips or
-                load_balancer_profile.outbound_ips or
+        if (load_balancer_profile.managed_outbound_i_ps or
+                load_balancer_profile.outbound_i_ps or
                 load_balancer_profile.outbound_ip_prefixes):
-            raise CLIError("userDefinedRouting doesn't support customizing a standard load balancer with IP addresses")
+            raise ArgumentUsageError("userDefinedRouting doesn't support customizing a standard load balancer "
+                                     "with IP addresses")
 
     return CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING
 

src/aks-preview/azext_aks_preview/_natgateway.py

@@ -0,0 +1,44 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from .vendored_sdks.azure_mgmt_preview_aks.v2021_07_01.models import ManagedClusterNATGatewayProfile
+from .vendored_sdks.azure_mgmt_preview_aks.v2021_07_01.models import ManagedClusterManagedOutboundIPProfile
+
+
+def create_nat_gateway_profile(managed_outbound_ip_count, idle_timeout):
+    """parse and build NAT gateway profile"""
+    if not is_nat_gateway_profile_provided(managed_outbound_ip_count, idle_timeout):
+        return None
+
+    profile = ManagedClusterNATGatewayProfile()
+    return configure_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile)
+
+
+def update_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile):
+    """parse and update an existing NAT gateway profile"""
+    if not is_nat_gateway_profile_provided(managed_outbound_ip_count, idle_timeout):
+        return profile
+
+    return configure_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile)
+
+
+def is_nat_gateway_profile_provided(managed_outbound_ip_count, idle_timeout):
+    return any([managed_outbound_ip_count, idle_timeout])
+
+
+def configure_nat_gateway_profile(managed_outbound_ip_count, idle_timeout, profile):
+    """configure a NAT Gateway with customer supplied values"""
+    if not profile:
+        return profile
+
+    if managed_outbound_ip_count:
+        profile.managed_outbound_ip_profile = ManagedClusterManagedOutboundIPProfile(
+            count=managed_outbound_ip_count
+        )
+
+    if idle_timeout:
+        profile.idle_timeout_in_minutes = idle_timeout
+
+    return profile

src/aks-preview/azext_aks_preview/_params.py

@@ -19,13 +19,13 @@ from ._validators import (
     validate_cluster_autoscaler_profile, validate_create_parameters, validate_k8s_version, validate_linux_host_name,
     validate_ssh_key, validate_nodes_count, validate_ip_ranges,
     validate_nodepool_name, validate_vm_set_type, validate_load_balancer_sku,
-    validate_load_balancer_outbound_ips, validate_load_balancer_outbound_ip_prefixes,
+    validate_load_balancer_outbound_ips, validate_load_balancer_outbound_ip_prefixes, validate_nat_gateway_managed_outbound_ip_count,
     validate_taints, validate_priority, validate_eviction_policy, validate_spot_max_price, validate_acr, validate_user,
-    validate_load_balancer_outbound_ports, validate_load_balancer_idle_timeout, validate_nodepool_tags,
+    validate_load_balancer_outbound_ports, validate_load_balancer_idle_timeout, validate_nat_gateway_idle_timeout, validate_nodepool_tags,
     validate_nodepool_labels, validate_vnet_subnet_id, validate_pod_subnet_id, validate_max_surge, validate_assign_identity, validate_addons,
     validate_pod_identity_pod_labels, validate_pod_identity_resource_name, validate_pod_identity_resource_namespace, validate_assign_kubelet_identity)
-from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, \
-    CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING, CONST_SCALE_SET_PRIORITY_REGULAR, CONST_SCALE_SET_PRIORITY_SPOT, \
+from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING, CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY, \
+    CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY, CONST_SCALE_SET_PRIORITY_REGULAR, CONST_SCALE_SET_PRIORITY_SPOT, \
     CONST_SPOT_EVICTION_POLICY_DELETE, CONST_SPOT_EVICTION_POLICY_DEALLOCATE, \
     CONST_SCALE_DOWN_MODE_DELETE, CONST_SCALE_DOWN_MODE_DEALLOCATE, \
     CONST_NODEPOOL_MODE_SYSTEM, CONST_NODEPOOL_MODE_USER, \
@@ -76,8 +76,12 @@ def load_arguments(self, _):
         c.argument('load_balancer_outbound_ip_prefixes', type=str, validator=validate_load_balancer_outbound_ip_prefixes)
         c.argument('load_balancer_outbound_ports', type=int, validator=validate_load_balancer_outbound_ports)
         c.argument('load_balancer_idle_timeout', type=int, validator=validate_load_balancer_idle_timeout)
+        c.argument('nat_gateway_managed_outbound_ip_count', type=int, validator=validate_nat_gateway_managed_outbound_ip_count)
+        c.argument('nat_gateway_idle_timeout', type=int, validator=validate_nat_gateway_idle_timeout)
         c.argument('outbound_type', arg_type=get_enum_type([CONST_OUTBOUND_TYPE_LOAD_BALANCER,
-                                                            CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING]))
+                                                            CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING,
+                                                            CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY,
+                                                            CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY]))
         c.argument('enable_addons', options_list=['--enable-addons', '-a'], validator=validate_addons)
         c.argument('disable_rbac', action='store_true')
         c.argument('enable_rbac', action='store_true', options_list=['--enable-rbac', '-r'],
@@ -152,6 +156,8 @@ def load_arguments(self, _):
         c.argument('load_balancer_outbound_ip_prefixes', type=str, validator=validate_load_balancer_outbound_ip_prefixes)
         c.argument('load_balancer_outbound_ports', type=int, validator=validate_load_balancer_outbound_ports)
         c.argument('load_balancer_idle_timeout', type=int, validator=validate_load_balancer_idle_timeout)
+        c.argument('nat_gateway_managed_outbound_ip_count', type=int, validator=validate_nat_gateway_managed_outbound_ip_count)
+        c.argument('nat_gateway_idle_timeout', type=int, validator=validate_nat_gateway_idle_timeout)
         c.argument('api_server_authorized_ip_ranges', type=str, validator=validate_ip_ranges)
         c.argument('enable_pod_security_policy', action='store_true')
         c.argument('disable_pod_security_policy', action='store_true')

src/aks-preview/azext_aks_preview/_validators.py

@@ -12,6 +12,7 @@ from ipaddress import ip_network
 
 from knack.log import get_logger
 
+from azure.cli.core.azclierror import InvalidArgumentValueError
 from azure.cli.core.commands.validators import validate_tag
 from azure.cli.core.util import CLIError
 import azure.cli.core.keys as keys
@@ -265,6 +266,20 @@ def validate_load_balancer_idle_timeout(namespace):
             raise CLIError("--load-balancer-idle-timeout must be in the range [4,100]")
 
 
+def validate_nat_gateway_managed_outbound_ip_count(namespace):
+    """validate NAT gateway profile managed outbound IP count"""
+    if namespace.nat_gateway_managed_outbound_ip_count is not None:
+        if namespace.nat_gateway_managed_outbound_ip_count < 1 or namespace.nat_gateway_managed_outbound_ip_count > 16:
+            raise InvalidArgumentValueError("--nat-gateway-managed-outbound-ip-count must be in the range [1,16]")
+
+
+def validate_nat_gateway_idle_timeout(namespace):
+    """validate NAT gateway profile idle timeout"""
+    if namespace.nat_gateway_idle_timeout is not None:
+        if namespace.nat_gateway_idle_timeout < 4 or namespace.nat_gateway_idle_timeout > 120:
+            raise InvalidArgumentValueError("--nat-gateway-idle-timeout must be in the range [4,120]")
+
+
 def validate_nodepool_tags(ns):
     """ Extracts multiple space-separated tags in key[=value] format """
     if isinstance(ns.nodepool_tags, list):

src/aks-preview/azext_aks_preview/custom.py

@@ -95,6 +95,7 @@ from ._helpers import (_populate_api_server_access_profile, _set_vm_set_type,
                        _trim_fqdn_name_containing_hcp)
 from ._loadbalancer import (set_load_balancer_sku, is_load_balancer_profile_provided,
                             update_load_balancer_profile, create_load_balancer_profile)
+from ._natgateway import (create_nat_gateway_profile, update_nat_gateway_profile, is_nat_gateway_profile_provided)
 from ._consts import CONST_HTTP_APPLICATION_ROUTING_ADDON_NAME
 from ._consts import CONST_MONITORING_ADDON_NAME
 from ._consts import CONST_MONITORING_LOG_ANALYTICS_WORKSPACE_RESOURCE_ID
@@ -982,6 +983,8 @@ def aks_create(cmd,     # pylint: disable=too-many-locals,too-many-statements,to
                load_balancer_outbound_ip_prefixes=None,
                load_balancer_outbound_ports=None,
                load_balancer_idle_timeout=None,
+               nat_gateway_managed_outbound_ip_count=None,
+               nat_gateway_idle_timeout=None,
                outbound_type=None,
                enable_addons=None,
                workspace_resource_id=None,
@@ -1210,8 +1213,12 @@ def aks_create(cmd,     # pylint: disable=too-many-locals,too-many-statements,to
         load_balancer_outbound_ports,
         load_balancer_idle_timeout)
 
+    nat_gateway_profile = create_nat_gateway_profile(
+        nat_gateway_managed_outbound_ip_count,
+        nat_gateway_idle_timeout)
+
     outbound_type = _set_outbound_type(
-        outbound_type, network_plugin, load_balancer_sku, load_balancer_profile)
+        outbound_type, vnet_subnet_id, load_balancer_sku, load_balancer_profile)
 
     network_profile = None
     if any([network_plugin,
@@ -1234,14 +1241,16 @@ def aks_create(cmd,     # pylint: disable=too-many-locals,too-many-statements,to
             network_policy=network_policy,
             load_balancer_sku=load_balancer_sku.lower(),
             load_balancer_profile=load_balancer_profile,
+            nat_gateway_profile=nat_gateway_profile,
             outbound_type=outbound_type
         )
     else:
-        if load_balancer_sku.lower() == "standard" or load_balancer_profile:
+        if load_balancer_sku.lower() == "standard" or load_balancer_profile or nat_gateway_profile:
             network_profile = ContainerServiceNetworkProfile(
                 network_plugin="kubenet",
                 load_balancer_sku=load_balancer_sku.lower(),
                 load_balancer_profile=load_balancer_profile,
+                nat_gateway_profile=nat_gateway_profile,
                 outbound_type=outbound_type,
             )
         if load_balancer_sku.lower() == "basic":
@@ -1507,6 +1516,8 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                load_balancer_outbound_ip_prefixes=None,
                load_balancer_outbound_ports=None,
                load_balancer_idle_timeout=None,
+               nat_gateway_managed_outbound_ip_count=None,
+               nat_gateway_idle_timeout=None,
                api_server_authorized_ip_ranges=None,
                enable_pod_security_policy=False,
                disable_pod_security_policy=False,
@@ -1545,6 +1556,7 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                                                           load_balancer_outbound_ip_prefixes,
                                                           load_balancer_outbound_ports,
                                                           load_balancer_idle_timeout)
+    update_natgw_profile = is_nat_gateway_profile_provided(nat_gateway_managed_outbound_ip_count, nat_gateway_idle_timeout)
     update_aad_profile = not (
         aad_tenant_id is None and aad_admin_group_object_ids is None and not enable_azure_rbac and not disable_azure_rbac)
     # pylint: disable=too-many-boolean-expressions
@@ -1555,6 +1567,7 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
        and api_server_authorized_ip_ranges is None and \
        not update_pod_security and \
        not update_lb_profile and \
+       not update_natgw_profile and \
        not uptime_sla and \
        not no_uptime_sla and \
        not enable_aad and \
@@ -1588,6 +1601,8 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                        '"--load-balancer-managed-outbound-ip-count" or '
                        '"--load-balancer-outbound-ips" or '
                        '"--load-balancer-outbound-ip-prefixes" or '
+                       '"--nat-gateway-managed-outbound-ip-count" or '
+                       '"--nat-gateway-idle-timeout" or '
                        '"--enable-aad" or '
                        '"--aad-tenant-id" or '
                        '"--aad-admin-group-object-ids" or '
@@ -1689,6 +1704,12 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
             load_balancer_idle_timeout,
             instance.network_profile.load_balancer_profile)
 
+    if update_natgw_profile:
+        instance.network_profile.nat_gateway_profile = update_nat_gateway_profile(
+            nat_gateway_managed_outbound_ip_count,
+            nat_gateway_idle_timeout,
+            instance.network_profile.nat_gateway_profile)
+
     if attach_acr and detach_acr:
         raise CLIError(
             'Cannot specify "--attach-acr" and "--detach-acr" at the same time.')

src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py

@@ -84,6 +84,35 @@ class AzureKubernetesServiceScenarioTest(ScenarioTest):
                 'type', 'Microsoft.ContainerService/locations/osOptions')
         ])
 
+    @AllowLargeResponse()
+    @AKSCustomResourceGroupPreparer(random_name_length=17, name_prefix='clitest', location='eastus')
+    def test_aks_create_and_update_with_managed_nat_gateway_outbound(self, resource_group, resource_group_location):
+        aks_name = self.create_random_name('cliakstest', 16)
+        self.kwargs.update({
+            'resource_group': resource_group,
+            'name': aks_name,
+            'ssh_key_value': self.generate_ssh_keys()
+        })
+
+        create_cmd = 'aks create --resource-group={resource_group} --name={name} ' \
+                     '--vm-set-type VirtualMachineScaleSets -c 1 ' \
+                     '--outbound-type=managedNATGateway ' \
+                     '--ssh-key-value={ssh_key_value}'
+        self.cmd(create_cmd, checks=[
+            self.check('provisioningState', 'Succeeded'),
+            self.check('networkProfile.outboundType', 'managedNATGateway'),
+        ])
+
+        update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
+                     '--nat-gateway-managed-outbound-ip-count 2 ' \
+                     '--nat-gateway-idle-timeout 30 '
+        self.cmd(update_cmd, checks=[
+            self.check('provisioningState', 'Succeeded'),
+            self.check('networkProfile.outboundType', 'managedNATGateway'),
+            self.check('networkProfile.natGatewayProfile.idleTimeoutInMinutes', 30),
+            self.check('networkProfile.natGatewayProfile.managedOutboundIpProfile.count', 2),
+        ])
+
     @AllowLargeResponse()
     @AKSCustomResourceGroupPreparer(random_name_length=17, name_prefix='clitest', location='westus2')
     def test_aks_create_and_update_with_managed_aad(self, resource_group, resource_group_location):

src/aks-preview/azext_aks_preview/tests/latest/test_natgateway.py

@@ -0,0 +1,70 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+import unittest
+import azext_aks_preview._natgateway as natgateway
+from azext_aks_preview.vendored_sdks.azure_mgmt_preview_aks.v2021_07_01.models import ManagedClusterNATGatewayProfile
+from azext_aks_preview.vendored_sdks.azure_mgmt_preview_aks.v2021_07_01.models import ManagedClusterManagedOutboundIPProfile
+
+class TestCreateNatGatewayProfile(unittest.TestCase):
+    def test_empty_arguments(self):
+        profile = natgateway.create_nat_gateway_profile(None, None)
+        self.assertIsNone(profile)
+
+    def test_nonempty_arguments(self):
+        managed_outbound_ip_count = 2
+        idle_timeout = 30
+
+        profile = natgateway.create_nat_gateway_profile(managed_outbound_ip_count, idle_timeout)
+
+        self.assertEqual(profile.managed_outbound_ip_profile.count, managed_outbound_ip_count)
+        self.assertEqual(profile.idle_timeout_in_minutes, idle_timeout)
+
+
+class TestUpdateNatGatewayProfile(unittest.TestCase):
+    def test_empty_arguments(self):
+        origin_profile = ManagedClusterNATGatewayProfile(
+            managed_outbound_ip_profile=ManagedClusterManagedOutboundIPProfile(
+                count=1
+            ),
+            idle_timeout_in_minutes=4
+        )
+
+        profile = natgateway.update_nat_gateway_profile(None, None, origin_profile)
+
+        self.assertEqual(profile.managed_outbound_ip_profile.count, origin_profile.managed_outbound_ip_profile.count)
+        self.assertEqual(profile.idle_timeout_in_minutes, origin_profile.idle_timeout_in_minutes)
+
+    def test_nonempty_arguments(self):
+        origin_profile = ManagedClusterNATGatewayProfile(
+            managed_outbound_ip_profile=ManagedClusterManagedOutboundIPProfile(
+                count=1
+            ),
+            idle_timeout_in_minutes=4
+        )
+        new_managed_outbound_ip_count = 2
+        new_idle_timeout = 30
+
+        profile = natgateway.update_nat_gateway_profile(new_managed_outbound_ip_count, new_idle_timeout, origin_profile)
+
+        self.assertEqual(profile.managed_outbound_ip_profile.count, new_managed_outbound_ip_count)
+        self.assertEqual(profile.idle_timeout_in_minutes, new_idle_timeout)
+
+
+class TestIsNatGatewayProfileProvided(unittest.TestCase):
+    def test_empty_arguments(self):
+        result = natgateway.is_nat_gateway_profile_provided(None, None)
+        self.assertFalse(result)
+
+    def test_nonempty_managed_outbound_ip_count(self):
+        result = natgateway.is_nat_gateway_profile_provided(1, None)
+        self.assertTrue(result)
+
+    def test_nonempty_idle_timeout(self):
+        result = natgateway.is_nat_gateway_profile_provided(None, 4)
+        self.assertTrue(result)
+
+    def test_nonempty_arguments(self):
+        result = natgateway.is_nat_gateway_profile_provided(1, 4)
+        self.assertTrue(result)

src/aks-preview/setup.py

@@ -8,7 +8,7 @@
 from codecs import open as open1
 from setuptools import setup, find_packages
 
-VERSION = "0.5.30"
+VERSION = "0.5.31"
 CLASSIFIERS = [
     'Development Status :: 4 - Beta',
     'Intended Audience :: Developers',