Azure · yanzhudd · Oct 28, 2025 · Oct 21, 2025 · Oct 22, 2025 · Oct 22, 2025
@@ -12,6 +12,8 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 * `az aks get-credentials`: Convert device code mode kubeconfig to Azure CLI token format to bypass conditional access login blocks.
+* `az aks create`: Add new parameter `--enable-container-network-logs` to enable container network logs addon for the cluster and deprecate `--enable-retina-flow-logs`.
+* `az aks update`: Add new parameter `--enable-container-network-logs` and `--disable-container-network-logs` to enable/disable container network logs addon for the cluster and deprecate `--enable-retina-flow-logs` and `--disable-retina-flow-logs`.
 
 19.0.0b4
 +++++++

@@ -239,7 +239,10 @@
           short-summary: Used to set the acceleration mode (None or BpfVeth) on a cluster when enabling advanced networking features with "--enable-acns".
         - name: --enable-retina-flow-logs
           type: bool
-          short-summary: Enable advanced network flow log collection functionalities on a cluster.
+          short-summary: Enable advanced network flow log collection functionalities on a cluster. This flag is deprecated in favor of --enable-container-network-logs.
+        - name: --enable-container-network-logs
+          type: bool
+          short-summary: Enable container network log collection functionalities on a cluster.
         - name: --no-ssh-key -x
           type: string
           short-summary: Do not use or create a local SSH key.
@@ -1337,10 +1340,16 @@
           short-summary: Used to set the acceleration mode (None or BpfVeth) on a cluster when enabling advanced networking features with "--enable-acns".
         - name: --enable-retina-flow-logs
           type: bool
-          short-summary: Enable advanced network flow log collection functionalities on a cluster.
+          short-summary: Enable advanced network flow log collection functionalities on a cluster. This flag is deprecated in favor of --enable-container-network-logs.
+        - name: --enable-container-network-logs
+          type: bool
+          short-summary: Enable container network log collection functionalities on a cluster.
         - name: --disable-retina-flow-logs
           type: bool
-          short-summary: Disable advanced network flow log collection functionalities on a cluster.
+          short-summary: Disable advanced network flow log collection functionalities on a cluster. This flag is deprecated in favor of --disable-container-network-logs.
+        - name: --disable-container-network-logs
+          type: bool
+          short-summary: Disable container network log collection functionalities on a cluster.
         - name: --enable-cost-analysis
           type: bool
           short-summary: Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.

@@ -969,6 +969,15 @@ def load_arguments(self, _):
         c.argument(
             "enable_retina_flow_logs",
             action="store_true",
+            deprecate_info=c.deprecate(
+                target="--enable-retina-flow-logs",
+                redirect="--enable-container-network-logs",
+                hide=True,
+            ),
+        )
+        c.argument(
+            "enable_container_network_logs",
+            action="store_true",
         )
         c.argument(
             "custom_ca_trust_certificates",
@@ -1625,10 +1634,28 @@ def load_arguments(self, _):
         c.argument(
             "enable_retina_flow_logs",
             action="store_true",
+            deprecate_info=c.deprecate(
+                target="--enable-retina-flow-logs",
+                redirect="--enable-container-network-logs",
+                hide=True,
+            ),
+        )
+        c.argument(
+            "enable_container_network_logs",
+            action="store_true",
         )
         c.argument(
             "disable_retina_flow_logs",
             action="store_true",
+            deprecate_info=c.deprecate(
+                target="--disable-retina-flow-logs",
+                redirect="--disable-container-network-logs",
+                hide=True,
+            ),
+        )
+        c.argument(
+            "disable_container_network_logs",
+            action="store_true",
         )
         c.argument("enable_cost_analysis", action="store_true")
         c.argument("disable_cost_analysis", action="store_true")

@@ -1091,6 +1091,7 @@ def aks_create(
     acns_advanced_networkpolicies=None,
     acns_transit_encryption_type=None,
     enable_retina_flow_logs=None,
+    enable_container_network_logs=None,
     acns_datapath_acceleration_mode=None,
     # nodepool
     crg_id=None,
@@ -1360,6 +1361,8 @@ def aks_update(
     acns_transit_encryption_type=None,
     enable_retina_flow_logs=None,
     disable_retina_flow_logs=None,
+    enable_container_network_logs=None,
+    disable_container_network_logs=None,
     acns_datapath_acceleration_mode=None,
     # metrics profile
     enable_cost_analysis=False,

@@ -919,34 +919,40 @@ def get_acns_transit_encryption_type(self) -> Union[str, None]:
                 )
         return self.raw_param.get("acns_transit_encryption_type")
 
-    def get_retina_flow_logs(self, mc: ManagedCluster) -> Union[bool, None]:
-        """Get the enablement of retina flow logs
+    # Container network logs is the new name for retina flow logs.
+    def get_container_network_logs(self, mc: ManagedCluster) -> Union[bool, None]:
+        """Get the enablement of container network logs
 
         :return: bool or None"""
-        enable_retina_flow_logs = self.raw_param.get("enable_retina_flow_logs")
-        disable_retina_flow_logs = self.raw_param.get("disable_retina_flow_logs")
-        if enable_retina_flow_logs is None and disable_retina_flow_logs is None:
+        enable_cnl = (
+            self.raw_param.get("enable_container_network_logs") or
+            self.raw_param.get("enable_retina_flow_logs")
+        )
+        disable_cnl = (
+            self.raw_param.get("disable_container_network_logs") or
+            self.raw_param.get("disable_retina_flow_logs")
+        )
+        if enable_cnl is None and disable_cnl is None:
             return None
-        if enable_retina_flow_logs and disable_retina_flow_logs:
+        if enable_cnl and disable_cnl:
             raise MutuallyExclusiveArgumentError(
-                "Cannot specify --enable-retina-flow-logs and "
-                "--disable-retina-flow-logs at the same time."
+                "Cannot specify --enable-container-network-logs and "
+                "--disable-container-network-logs at the same time."
             )
         if (
-            enable_retina_flow_logs and
+            enable_cnl and
             (not self.raw_param.get("enable_acns", False) and
                 not (mc.network_profile and mc.network_profile.advanced_networking and
                      mc.network_profile.advanced_networking.enabled)) or
             not (mc.addon_profiles and mc.addon_profiles.get("omsagent") and mc.addon_profiles["omsagent"].enabled)
         ):
             raise InvalidArgumentValueError(
-                "Flow logs requires '--enable-acns', advanced networking "
+                "Container network logs requires '--enable-acns', advanced networking "
                 "to be enabled, and the monitoring addon to be enabled."
             )
-        enable_retina_flow_logs = bool(enable_retina_flow_logs) if enable_retina_flow_logs is not None else False
-        disable_retina_flow_logs = bool(disable_retina_flow_logs) if disable_retina_flow_logs is not None else False
-        retina_flow_logs = enable_retina_flow_logs or not disable_retina_flow_logs
-        return retina_flow_logs
+        enable_cnl = bool(enable_cnl) if enable_cnl is not None else False
+        disable_cnl = bool(disable_cnl) if disable_cnl is not None else False
+        return enable_cnl or not disable_cnl
 
     def get_load_balancer_managed_outbound_ip_count(self) -> Union[int, None]:
         """Obtain the value of load_balancer_managed_outbound_ip_count.
@@ -3835,12 +3841,12 @@ def set_up_addon_profiles(self, mc: ManagedCluster) -> ManagedCluster:
                 CONST_GITOPS_ADDON_NAME
             ] = self.build_gitops_addon_profile()
 
-        retina_flow_logs_enabled = self.context.get_retina_flow_logs(mc)
-        if retina_flow_logs_enabled is not None:
+        container_network_logs_enabled = self.context.get_container_network_logs(mc)
+        if container_network_logs_enabled is not None:
             monitoring_addon_profile = addon_profiles.get(addon_consts.get("CONST_MONITORING_ADDON_NAME"))
             if monitoring_addon_profile:
                 config = monitoring_addon_profile.config or {}
-                config["enableRetinaNetworkFlags"] = str(retina_flow_logs_enabled)
+                config["enableRetinaNetworkFlags"] = str(container_network_logs_enabled)
                 monitoring_addon_profile.config = config
 
         mc.addon_profiles = addon_profiles
@@ -5238,15 +5244,15 @@ def update_monitoring_profile_flow_logs(self, mc: ManagedCluster) -> ManagedClus
         """
         self._ensure_mc(mc)
 
-        retina_flow_logs_enabled = self.context.get_retina_flow_logs(mc)
-        if retina_flow_logs_enabled is not None:
+        container_network_logs_enabled = self.context.get_container_network_logs(mc)
+        if container_network_logs_enabled is not None:
             if mc.addon_profiles:
                 addon_consts = self.context.get_addon_consts()
                 CONST_MONITORING_ADDON_NAME = addon_consts.get("CONST_MONITORING_ADDON_NAME")
                 monitoring_addon_profile = mc.addon_profiles.get(CONST_MONITORING_ADDON_NAME)
                 if monitoring_addon_profile:
                     config = monitoring_addon_profile.config or {}
-                    config["enableRetinaNetworkFlags"] = str(retina_flow_logs_enabled)
+                    config["enableRetinaNetworkFlags"] = str(container_network_logs_enabled)
                     mc.addon_profiles[CONST_MONITORING_ADDON_NAME].config = config
         return mc
 

@@ -17484,7 +17484,7 @@ def test_aks_create_acns_with_flow_logs(
             "aks create --resource-group={resource_group} --name={name} --location={location} "
             "--ssh-key-value={ssh_key_value} --node-count=1 --tier standard "
             "--network-plugin azure --network-dataplane=cilium --network-plugin-mode overlay "
-            "--enable-acns --enable-retina-flow-logs --enable-addons monitoring --enable-high-log-scale-mode "
+            "--enable-acns --enable-container-network-logs --enable-addons monitoring --enable-high-log-scale-mode "
             "--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AdvancedNetworkingFlowLogsPreview "
         )
 
@@ -17516,26 +17516,24 @@ def test_aks_create_acns_with_flow_logs(
             self.check('properties.dataFlows[0].streams[-1]', 'Microsoft-RetinaNetworkFlowLogs'),
         ])
 
-        # Below steps are disabled for now. Confirmed working with local build of cli-extensions, however live recordings are not working properly
-        # # update to disable pfl
-        # disable_cmd = "aks update --resource-group={resource_group} --name={name} --disable-retina-flow-logs -o json"
-        # self.cmd(
-        #     disable_cmd,
-        #     checks=[
-        #         self.check("provisioningState", "Succeeded"),
-        #         self.check("addonProfiles.omsagent.config.enableRetinaNetworkFlags", "False"),
-        #     ],
-        # )
-
-        # # enable update command for pfl
-        # enable_cmd_update = "aks update --resource-group={resource_group} --name={name} --enable-retina-flow-logs -o json"
-        # self.cmd(
-        #     enable_cmd_update,
-        #     checks=[
-        #         self.check("provisioningState", "Succeeded"),
-        #         self.check("addonProfiles.omsagent.config.enableRetinaNetworkFlags", "True"),
-        #     ],
-        # )
+        disable_cmd = "aks update --resource-group={resource_group} --name={name} --disable-container-network-logs -o json"
+        self.cmd(
+            disable_cmd,
+            checks=[
+                self.check("provisioningState", "Succeeded"),
+                self.check("addonProfiles.omsagent.config.enableRetinaNetworkFlags", "False"),
+            ],
+        )
+
+        # enable update command for pfl
+        enable_cmd_update = "aks update --resource-group={resource_group} --name={name} --enable-container-network-logs -o json"
+        self.cmd(
+            enable_cmd_update,
+            checks=[
+                self.check("provisioningState", "Succeeded"),
+                self.check("addonProfiles.omsagent.config.enableRetinaNetworkFlags", "True"),
+            ],
+        )
 
         # delete
         self.cmd(

@@ -11145,13 +11145,13 @@ def test_update_vmas_to_vms(self):
 
 
 
-    def test_enable_retina_network_flow_logs(self):
-        # Case 1: enable_acns, enable monitoring addons_profile, enable retina_network_flow_logs
+    def test_enable_container_network_logs(self):
+        # Case 1: enable_acns, enable monitoring addons_profile, enable container_network_logs
         dec_1 = AKSPreviewManagedClusterUpdateDecorator(
             self.cmd,
             self.client,
             {
-                "enable_retina_flow_logs": True,
+                "enable_container_network_logs": True,
             },
             CUSTOM_MGMT_AKS_PREVIEW,
         )
@@ -11201,7 +11201,7 @@ def test_enable_retina_network_flow_logs(self):
             self.cmd,
             self.client,
             {
-                "disable_retina_flow_logs": True,
+                "disable_container_network_logs": True,
             },
             CUSTOM_MGMT_AKS_PREVIEW,
         )
@@ -11253,7 +11253,7 @@ def test_enable_retina_network_flow_logs(self):
             self.client,
             {
                 "enable_acns": True,
-                "enable_retina_flow_logs": True,
+                "enable_container_network_logs": True,
             },
             CUSTOM_MGMT_AKS_PREVIEW,
         )
@@ -11287,7 +11287,7 @@ def test_enable_retina_network_flow_logs(self):
                 "workspace_resource_id": "test_workspace_resource_id",
                 "enable_msi_auth_for_monitoring": True,
                 "enable_acns": True,
-                "enable_retina_flow_logs": True,
+                "enable_container_network_logs": True,
             },
             CUSTOM_MGMT_AKS_PREVIEW,
         )
@@ -11330,7 +11330,7 @@ def test_enable_retina_network_flow_logs(self):
                 "enable_addons": "",
                 "workspace_resource_id": "test_workspace_resource_id",
                 "enable_acns": True,
-                "enable_retina_flow_logs": True,
+                "enable_container_network_logs": True,
             },
             CUSTOM_MGMT_AKS_PREVIEW,
         )
@@ -11363,7 +11363,7 @@ def test_enable_retina_network_flow_logs(self):
                 "enable_addons": "monitoring",
                 "workspace_resource_id": "test_workspace_resource_id",
                 "enable_msi_auth_for_monitoring": True,
-                "enable_retina_flow_logs": True,
+                "enable_container_network_logs": True,
             },
             CUSTOM_MGMT_AKS_PREVIEW,
         )
@@ -11384,6 +11384,58 @@ def test_enable_retina_network_flow_logs(self):
             with patch.object(external_functions, 'ensure_container_insights_for_monitoring', return_value=None):
                 dec_6.set_up_addon_profiles(mc_6)
 
+        # Case 7: acns is enabled, monitoring is enabled, enable retina network flow logs
+        # Confirms deprecated flag still works
+        dec_7 = AKSPreviewManagedClusterUpdateDecorator(
+            self.cmd,
+            self.client,
+            {
+                "enable_retina_flow_logs": True,
+            },
+            CUSTOM_MGMT_AKS_PREVIEW,
+        )
+        mc_7 = self.models.ManagedCluster(
+            location="test_location",
+            network_profile=self.models.ContainerServiceNetworkProfile(
+                network_plugin="azure",
+                network_plugin_mode="overlay",
+                network_dataplane="cilium",
+                pod_cidr="100.64.0.0/16",
+                service_cidr="192.168.0.0/16",
+                advanced_networking=self.models.AdvancedNetworking(
+                    enabled=True,
+                ),
+            ),
+            addon_profiles={
+                "omsagent": self.models.ManagedClusterAddonProfile(
+                    enabled=True,
+                    config={"enableRetinaNetworkFlags": "True"}
+                )
+            },
+        )
+        dec_7.context.attach_mc(mc_7)
+        dec_mc_7 = dec_7.update_monitoring_profile_flow_logs(mc_7)
+        ground_truth_mc_7 = self.models.ManagedCluster(
+            location="test_location",
+            network_profile=self.models.ContainerServiceNetworkProfile(
+                network_plugin="azure",
+                network_plugin_mode="overlay",
+                network_dataplane="cilium",
+                pod_cidr="100.64.0.0/16",
+                service_cidr="192.168.0.0/16",
+                advanced_networking=self.models.AdvancedNetworking(
+                    enabled=True,
+                ),
+            ),
+            addon_profiles={
+                "omsagent": self.models.ManagedClusterAddonProfile(
+                    enabled=True,
+                    config={"enableRetinaNetworkFlags": "True"}
+                )
+            },
+        )
+        self.assertEqual(dec_mc_7, ground_truth_mc_7)
+
     def test_update_node_provisioning_profile(self):
         dec_0 = AKSPreviewManagedClusterUpdateDecorator(
             self.cmd,
-Original file line number
+Diff line change
@@ Expand Up @@
     Pending
     +++++++
     * `az aks get-credentials`: Convert device code mode kubeconfig to Azure CLI token format to bypass conditional access login blocks.
+    * `az aks create`: Add new parameter `--enable-container-network-logs` to enable container network logs addon for the cluster and deprecate `--enable-retina-flow-logs`.
+    * `az aks update`: Add new parameter `--enable-container-network-logs` and `--disable-container-network-logs` to enable/disable container network logs addon for the cluster and deprecate `--enable-retina-flow-logs` and `--disable-retina-flow-logs`.
 .0.0b4
     +++++++
@@ Expand Down @@