Merge pull request #179345 from phealy/pahealy/aks-nat-gateway

ShannonLeavitt · web-flow · commit 6c53331403a4 · 2021-11-10T11:24:32.000-06:00
AKS NAT Gateway - Add user assigned NAT gateway example
diff --git a/articles/aks/nat-gateway.md b/articles/aks/nat-gateway.md
@@ -55,8 +55,9 @@ az group create --name myresourcegroup --location southcentralus
 ```
 
 ```azurecli-interactive
-az aks create --resource-group myresourcegroup 
-    --name natcluster  \
+az aks create \
+    --resource-group myresourcegroup \
+    --name natcluster \
     --node-count 3 \
     --outbound-type managedNATGateway \ 
     --nat-gateway-managed-outbound-ip-count 2 \
@@ -76,6 +77,76 @@ az aks update \
     --nat-gateway-managed-outbound-ip-count 5
 ```
 
+## Create an AKS cluster with a user-assigned NAT Gateway
+To create an AKS cluster with a user-assigned NAT Gateway, use `--outbound-type userAssignedNATGateway` when running `az aks create`. This configuration requires bring-your-own networking (via [Kubenet][byo-vnet-kubenet] or [Azure CNI][byo-vnet-azure-cni]) and that the NAT Gateway is preconfigured on the subnet. The following commands create the required resources for this scenario. Make sure to run them all in the same session so that the values stored to variables are still available for the `az aks create` command.
+
+1. Create the resource group:
+    ```azurecli-interactive
+    az group create --name myresourcegroup \
+        --location southcentralus
+    ```
+
+2. Create a managed identity for network permissions and store the ID to `$IDENTITY_ID` for later use:
+    ```azurecli-interactive
+    IDENTITY_ID=$(az identity create \
+        --resource-group myresourcegroup \
+        --name natclusterid \
+        --location southcentralus \
+        --query id \
+        --output tsv)
+    ```
+
+3. Create a public IP for the NAT gateway:
+    ```azurecli-interactive
+    az network public-ip create \
+        --resource-group myresourcegroup \
+        --name mynatgatewaypip \
+        --location southcentralus \
+        --sku standard
+    ```
+
+4. Create the NAT gateway:
+    ```azurecli-interactive
+    az network nat gateway create \
+        --resource-group myresourcegroup \
+        --name mynatgateway \
+        --location southcentralus \
+        --public-ip-addresses mynatgatewaypip
+    ```
+
+5. Create a virtual network:
+    ```azurecli-interactive
+    az network vnet create \
+        --resource-group myresourcegroup \
+        --name myvnet \
+        --location southcentralus \
+        --address-prefixes 172.16.0.0/20 
+    ```
+
+6. Create a subnet in the virtual network using the NAT gateway and store the ID to `$SUBNET_ID` for later use:
+    ```azurecli-interactive
+    SUBNET_ID=$(az network vnet subnet create \
+        --resource-group myresourcegroup \
+        --vnet-name myvnet \
+        --name natcluster \
+        --address-prefixes 172.16.0.0/22 \
+        --nat-gateway mynatgateway \
+        --query id \
+        --output tsv)
+    ```
+
+7. Create an AKS cluster using the subnet with the NAT gateway and the managed identity:
+    ```azurecli-interactive
+    az aks create \
+        --resource-group myresourcegroup \
+        --name natcluster \
+        --location southcentralus \
+        --network-plugin azure \
+        --vnet-subnet-id $SUBNET_ID \
+        --outbound-type userAssignedNATGateway \
+        --enable-managed-identity \
+        --assign-identity $IDENTITY_ID
+    ```
 
 ## Next Steps
 - For more information on Azure NAT Gateway, see [Azure NAT Gateway][nat-docs].
@@ -87,3 +158,5 @@ az aks update \
 [nat-docs]: ../virtual-network/nat-gateway/nat-overview.md
 [az-feature-list]: /cli/azure/feature#az_feature_list
 [az-provider-register]: /cli/azure/provider#az_provider_register
+[byo-vnet-azure-cni]: configure-azure-cni.md
+[byo-vnet-kubenet]: configure-kubenet.md
