Applies to: ✔️ Fleet Manager ✔️ Fleet Manager with hub cluster
Learn how to create an Azure Kubernetes Fleet Manager using Bicep.
Before you begin
If you don't have an Azure account, create a free account before you begin.
Create a Fleet Manager
You can create a Fleet Manager and later add your AKS and Arc-enabled clusters as member clusters. If the Fleet Manager has a hub cluster, more features are enabled, such as Kubernetes object propagation and Managed Fleet Namespaces. For more information, see the conceptual overview of Fleet Manager types, which provides a comparison of different Fleet Manager configurations.
Important
After a Fleet Manager is created, you can upgrade a Fleet Manager resource without a hub cluster to one with a hub cluster. For Fleet Manager resources with a hub cluster, the choice of private or public access can't be changed once it's selected.
If you only want to use Fleet Manager for update orchestration, you can create a hubless Fleet Manager with the following Bicep:
Review Bicep
@description('The name of the Fleet resource.')
param fleetName string = 'my-hubless-fleet'

@description('The location of the Fleet resource.')
param location string = resourceGroup().location

resource hubless_fleet 'Microsoft.ContainerService/fleets@2025-03-01' = {
  name: fleetName
  location: location
}
Save the Bicep file as main.bicep to your local computer.
Deploy the Bicep file using either Azure CLI or Azure PowerShell.

Azure CLI:
az group create --name myResourceGroup --location eastus
az deployment group create --resource-group myResourceGroup --template-file main.bicep

Azure PowerShell:
New-AzResourceGroup -Name myResourceGroup -Location eastus
New-AzResourceGroupDeployment -ResourceGroupName myResourceGroup -TemplateFile ./main.bicep
If you want to use Fleet Manager for Kubernetes object propagation in addition to update orchestration, then you need to create the Fleet Manager resource with the hub cluster.
Fleet Manager with a hub cluster supports both public and private modes for network access. For more information, see Choose an Azure Kubernetes Fleet Manager option.
Public hub cluster
To create a public Fleet Manager resource with a hub cluster, use the following Bicep:
Review Bicep
@description('The name of the Fleet resource.')
param fleetName string = 'my-hubful-fleet'

@description('The location of the Fleet resource.')
param location string = resourceGroup().location

resource hubful_fleet 'Microsoft.ContainerService/fleets@2025-03-01' = {
  name: fleetName
  location: location
  properties: {
    hubProfile: {
      dnsPrefix: fleetName
    }
  }
}
Save the Bicep file as main.bicep to your local computer.
Deploy the Bicep file using either Azure CLI or Azure PowerShell.

Azure CLI:
az group create --name myResourceGroup --location eastus
az deployment group create --resource-group myResourceGroup --template-file main.bicep

Azure PowerShell:
New-AzResourceGroup -Name myResourceGroup -Location eastus
New-AzResourceGroupDeployment -ResourceGroupName myResourceGroup -TemplateFile ./main.bicep
Private hub cluster
When you create a Fleet Manager with a private hub cluster, take these additional considerations into account:
- Fleet Manager requires you to provide the subnet on which the Fleet Manager hub cluster's node Virtual Machine (VM) is placed. This can be done by setting subnetId in the agentProfile within the Fleet Manager's hubProfile.
- The address prefix of the vnet vnetName must not overlap with the Azure Kubernetes Service's (AKS) default service range of 10.0.0.0/16.
- Private access mode doesn't allow configuring domain names.
- Private access mode requires a Network Contributor role assignment on the agent subnet for Fleet Manager's first party service principal (Fleet Manager's first party service principal ID varies across different Entra tenants). This role assignment is NOT needed when creating private Fleet Manager using the az fleet create command because the CLI automatically creates the role assignment.
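A pre-deployment check for two of the considerations above, the address-range rule and the subnet-scoped role assignment, as an added example that is not part of the original article or of Microsoft's tooling. The function names, the resource IDs and the placeholder subscription ID are constructed for illustration; the CIDR values mirror the ones this page uses.

```python
import ipaddress

# AKS default service range, as stated on this page.
AKS_SERVICE_CIDR = ipaddress.ip_network("10.0.0.0/16")

def check_network(vnet_prefixes, subnet_prefix):
    """Return problems with the vnet/subnet layout (empty list = pass)."""
    try:
        vnets = [ipaddress.ip_network(p) for p in vnet_prefixes]
        subnet = ipaddress.ip_network(subnet_prefix)
    except ValueError as exc:  # malformed CIDR or host bits set
        return [f"invalid CIDR: {exc}"]
    problems = [
        f"vnet prefix {n} overlaps AKS service range {AKS_SERVICE_CIDR}"
        for n in vnets
        if n.version == 4 and n.overlaps(AKS_SERVICE_CIDR)
    ]
    # The agent subnet must sit inside one of the vnet's address prefixes.
    if not any(n.version == subnet.version and subnet.subnet_of(n) for n in vnets):
        problems.append(f"subnet {subnet} is outside every vnet prefix")
    return problems

def check_role_scope(scope_id, subnet_id):
    """Classify a role-assignment scope relative to the agent subnet."""
    # Azure resource IDs are compared case-insensitively.
    scope, subnet = scope_id.lower().rstrip("/"), subnet_id.lower().rstrip("/")
    if scope == subnet:
        return "ok"
    if subnet.startswith(scope + "/"):
        return "too-broad"    # vnet, resource group or subscription scope
    return "wrong-scope"      # assignment does not cover the agent subnet

# Constructed sample values; the subscription ID is a placeholder.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/resourceGroups/myResourceGroup/providers/Microsoft.Network"
             "/virtualNetworks/myVnet/subnets/subnet")
VNET_ID = SUBNET_ID.rsplit("/subnets/", 1)[0]

if __name__ == "__main__":
    print(check_network(["192.168.0.0/16"], "192.168.0.0/24"))  # this page's values
    print(check_network(["10.0.0.0/8"], "10.0.1.0/24"))         # overlapping vnet
    print(check_role_scope(SUBNET_ID, SUBNET_ID))
    print(check_role_scope(VNET_ID, SUBNET_ID))
```

A "too-broad" result means the assignment still works through inheritance but grants Network Contributor over more than the agent subnet this page asks for.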
- Fetch Fleet Manager's service principal object ID:
  az ad sp list \
    --display-name "Azure Kubernetes Service - Fleet RP" \
    --query "[].{id:id}" \
    --output tsv
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- Review Bicep
  @description('The name of the vnet.')
  param vnetName string = 'myVnet'

  @description('The name of the Fleet resource.')
  param fleetName string = 'my-private-fleet'

  @description('The object id of Fleets Service Principal in your tenant.')
  param fleetSpObjectId string = '00000000-0000-0000-0000-000000000000' // Replace with the actual object ID of the Fleets Service Principal

  @description('The location of the Fleet resource.')
  param location string = resourceGroup().location

  resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' = {
    name: vnetName
    location: location
    properties: {
      addressSpace: {
        addressPrefixes: [
          '192.168.0.0/16'
        ]
      }
    }
  }

  resource hubful_private_fleet 'Microsoft.ContainerService/fleets@2025-03-01' = {
    name: fleetName
    location: location
    properties: {
      hubProfile: {
        agentProfile: {
          subnetId: vnet_subnet.id
        }
        apiServerAccessProfile: {
          enablePrivateCluster: true
          enableVnetIntegration: false
        }
      }
    }
    dependsOn: [
      roleassignment
    ]
  }

  resource vnet_subnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' = {
    name: 'subnet'
    properties: {
      addressPrefix: '192.168.0.0/24'
      delegations: []
      privateEndpointNetworkPolicies: 'Disabled'
      privateLinkServiceNetworkPolicies: 'Enabled'
    }
    parent: vnet
  }

  resource roleassignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
    scope: vnet_subnet
    name: guid(vnet_subnet.id, fleetSpObjectId)
    properties: {
      roleDefinitionId: subscriptionResourceId(
        'Microsoft.Authorization/roleDefinitions',
        '4d97b98b-1d4f-4787-a291-c67834d212e7'
      )
      principalId: fleetSpObjectId
      principalType: 'ServicePrincipal'
    }
  }
- Deploy the Bicep file using either Azure CLI or Azure PowerShell.
Deploy the Bicep file with service principal object ID from first step:
Next steps