
Quickstart: Deploy an Azure Linux with OS Guard (preview) Azure Kubernetes Service (AKS) cluster using an Azure Resource Manager (ARM) template

Note

Azure Linux with OS Guard (preview) is being replaced by Azure Container Linux (ACL).

Azure Container Linux is the long‑term, immutable, container‑optimized Linux operating system (OS) for Azure Kubernetes Service (AKS). It provides a secure, minimal, and operationally consistent host OS designed to run containerized workloads at scale.

For more information, see the Azure Container Linux (ACL) overview.

Get started with the Azure Linux Container Host by using an Azure Resource Manager (ARM) template to deploy an Azure Linux with OS Guard (preview) cluster on AKS.

In this quickstart, you learn how to:

  • Install the aks-preview Azure CLI extension.
  • Register the AzureLinuxOSGuardPreview feature flag.
  • Install the Kubernetes CLI, kubectl.
  • Create an SSH key pair.
  • Review the ARM template.
  • Deploy the ARM template and validate it.
  • Deploy a sample application to the cluster.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

Prerequisites

  • If you don't have an Azure account, create a free account before you begin.

  • Use the Bash environment in Azure Cloud Shell. For more information, see Azure Cloud Shell Quickstart - Bash.

  • If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

    • If you're using a local installation, sign in to the Azure CLI using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

    • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

    • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

  • If you don't already have kubectl installed, install it through Azure CLI using the az aks install-cli command or follow the upstream instructions.

  • To create an AKS cluster using an ARM template, you provide an SSH public key. If you need this resource, see the following section; otherwise skip to the Review the template section.

  • The identity you're using to create your cluster has the appropriate minimum permissions. For more information on access and identity for AKS, see Access and identity options for Azure Kubernetes Service (AKS).

  • To deploy a Bicep file or ARM template, you need write access on the resources you're deploying and access to all operations on the Microsoft.Resources/deployments resource type. For example, to deploy a virtual machine (VM), you need Microsoft.Compute/virtualMachines/write and Microsoft.Resources/deployments/* permissions. For a list of roles and permissions, see Azure built-in roles.

Azure Linux with OS Guard considerations and limitations

Before you begin, review the following considerations and limitations for Azure Linux with OS Guard (preview):

Install the aks-preview Azure CLI extension

Important

AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:

Install the aks-preview extension using the az extension add command.

az extension add --name aks-preview

Update the aks-preview extension to the latest version using the az extension update command.

az extension update --name aks-preview

Register the AzureLinuxOSGuardPreview feature flag

  1. Register the AzureLinuxOSGuardPreview feature flag using the az feature register command.

    az feature register --namespace "Microsoft.ContainerService" --name "AzureLinuxOSGuardPreview"
    

    It takes a few minutes for the status to show Registered.

  2. Verify the registration status using the az feature show command.

    az feature show --namespace "Microsoft.ContainerService" --name "AzureLinuxOSGuardPreview"
    
  3. When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.

    az provider register --namespace "Microsoft.ContainerService"
    

Create an SSH key pair

To access AKS nodes, you connect using an SSH key pair (public and private), which you generate using the ssh-keygen command. By default, these files are created in the ~/.ssh directory. If a key pair with the same name already exists in that location, ssh-keygen asks before overwriting it; answer n to keep the existing key, or pass -f to write the new pair to a different file. Protect the private key with a passphrase when prompted. Only the public key (id_rsa.pub) goes into the template; the private key never leaves your machine.

  1. Navigate to https://shell.azure.com to open Cloud Shell in your browser.

  2. Run the ssh-keygen command. The following example creates an RSA key pair with a 4096-bit key:

    ssh-keygen -t rsa -b 4096
    

For more information about creating SSH keys, see Create and manage SSH keys for authentication in Azure.

Review the template

The following deployment uses an ARM template from Azure Quickstart Templates:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": {
        "clusterName": {
            "defaultValue": "osguardakscluster",
            "type": "String",
            "metadata": {
                "description": "The name of the Managed Cluster resource."
            }
        },
        "location": {
            "defaultValue": "[resourceGroup().location]",
            "type": "String",
            "metadata": {
                "description": "The location of the Managed Cluster resource."
            }
        },
        "dnsPrefix": {
            "type": "String",
            "metadata": {
                "description": "DNS prefix to use with the hosted Kubernetes API server FQDN."
            }
        },
        "agentCount": {
            "defaultValue": 3,
            "minValue": 1,
            "maxValue": 50,
            "type": "Int",
            "metadata": {
                "description": "The number of nodes for the cluster."
            }
        },
        "agentVMSize": {
            "defaultValue": "Standard_DS2_v2",
            "type": "String",
            "metadata": {
                "description": "The size of the Virtual Machine."
            }
        },
        "osSKU": {
            "defaultValue": "AzureLinuxOSGuard",
            "allowedValues": [
                "AzureLinuxOSGuard",
                "AzureLinux3OSGuard"
            ],
            "type": "String",
            "metadata": {
                "description": "The Linux SKU to use."
            }
        },
        "linuxAdminUsername": {
            "type": "String",
            "metadata": {
                "description": "User name for SSH access to the Linux nodes."
            }
        },
        "sshRSAPublicKey": {
            "type": "String",
            "metadata": {
                "description": "SSH RSA public key for the Linux nodes (the contents of ~/.ssh/id_rsa.pub). Never put the private key here."
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.ContainerService/managedClusters",
            "apiVersion": "2025-05-01",
            "name": "[parameters('clusterName')]",
            "location": "[parameters('location')]",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "dnsPrefix": "[parameters('dnsPrefix')]",
                "agentPoolProfiles": [
                    {
                        "name": "agentpool",
                        "mode": "System",
                        "count": "[parameters('agentCount')]",
                        "vmSize": "[parameters('agentVMSize')]",
                        "osType": "Linux",
                        "osSKU": "[parameters('osSKU')]",
                        "osDiskType": "Managed",
                        "enableFIPS": true,
                        "securityProfile": {
                            "enableSecureBoot": true,
                            "enableVTPM": true
                        }
                    }
                ],
                "linuxProfile": {
                    "adminUsername": "[parameters('linuxAdminUsername')]",
                    "ssh": {
                        "publicKeys": [
                            {
                                "keyData": "[parameters('sshRSAPublicKey')]"
                            }
                        ]
                    }
                }
            }
        }
    ],
    "outputs": {
        "controlPlaneFQDN": {
            "type": "String",
            "value": "[reference(parameters('clusterName')).fqdn]"
        }
    }
}

To add Azure Linux with OS Guard to an existing ARM template, set the apiVersion of the Microsoft.ContainerService/managedClusters resource to 2025-05-01 or newer ("apiVersion": "2025-05-01") and add the following properties to each agent pool in its agentPoolProfiles section:

  • "osSKU": "AzureLinuxOSGuard"
  • "mode": "System"
  • "osDiskType": "Managed"
  • "enableFIPS": true
  • "securityProfile": { "enableSecureBoot": true, "enableVTPM": true }
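The following script is a pre-deployment lint for exactly these settings. It is an added example, not code from the Microsoft page or from the Azure Quickstart Templates project. It loads a template file, resolves [parameters('x')] expressions to the parameter's default (or to an override you pass, since whoever fills in the portal form can change osSKU at deploy time), and reports every agent pool that lacks one of the properties above, plus any managedClusters resource whose apiVersion predates 2025-05-01. The trimmed sample template it falls back to when run without a file is constructed for the demonstration.

```python
"""Pre-deployment lint for the OS Guard settings in an AKS ARM template.

Added example; not from the Microsoft page or the Azure Quickstart Templates
project. Usage: python osguard_lint.py template.json. With no argument it
lints a constructed, deliberately broken sample template.
"""
import json
import re
import sys
from datetime import date

OSGUARD_SKUS = {"AzureLinuxOSGuard", "AzureLinux3OSGuard"}
MIN_API_VERSION = date(2025, 5, 1)
CLUSTER_TYPE = "Microsoft.ContainerService/managedClusters"
_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params, overrides):
    """Resolve "[parameters('name')]" to an override or the declared default.
    Literals and any other ARM expression are returned unchanged."""
    if isinstance(value, str):
        m = _PARAM_REF.match(value)
        if m:
            name = m.group(1)
            if name in overrides:
                return overrides[name]
            return params.get(name, {}).get("defaultValue")
    return value


def parse_api_version(text):
    """'2025-05-01' or '2025-05-01-preview' -> date; anything else -> None."""
    m = re.match(r"^(\d{4})-(\d{2})-(\d{2})", text or "")
    return date(*map(int, m.groups())) if m else None


def lint_template(template, overrides=None):
    """Return a list of findings; an empty list means the template passes."""
    overrides = overrides or {}
    params = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != CLUSTER_TYPE:
            continue
        cluster = resolve(res.get("name"), params, overrides)
        api = parse_api_version(res.get("apiVersion"))
        if api is None or api < MIN_API_VERSION:
            findings.append(
                f"{cluster}: apiVersion {res.get('apiVersion')!r} is older than 2025-05-01")
        for pool in res.get("properties", {}).get("agentPoolProfiles", []):
            tag = f"{cluster}/{pool.get('name', '<unnamed>')}"

            def val(key, obj=pool):
                return resolve(obj.get(key), params, overrides)

            if val("osSKU") not in OSGUARD_SKUS:
                findings.append(f"{tag}: osSKU {val('osSKU')!r} is not an OS Guard SKU")
                continue  # the remaining requirements apply only to OS Guard pools
            if val("mode") != "System":
                findings.append(f"{tag}: mode must be System")
            if val("osDiskType") != "Managed":
                findings.append(f"{tag}: osDiskType must be Managed")
            if val("enableFIPS") is not True:
                findings.append(f"{tag}: enableFIPS must be true")
            sec = pool.get("securityProfile") or {}
            for flag in ("enableSecureBoot", "enableVTPM"):
                if val(flag, sec) is not True:
                    findings.append(f"{tag}: securityProfile.{flag} must be true")
    return findings


def sample_template(api_version="2025-05-01", **pool_overrides):
    """Constructed, trimmed-down copy of the quickstart template (not a real file)."""
    pool = {
        "name": "agentpool", "mode": "System", "count": 3,
        "vmSize": "Standard_DS2_v2", "osType": "Linux",
        "osSKU": "[parameters('osSKU')]", "osDiskType": "Managed",
        "enableFIPS": True,
        "securityProfile": {"enableSecureBoot": True, "enableVTPM": True},
    }
    pool.update(pool_overrides)
    return {
        "parameters": {"osSKU": {"defaultValue": "AzureLinuxOSGuard", "type": "String"}},
        "resources": [{"type": CLUSTER_TYPE, "apiVersion": api_version,
                       "name": "osguardakscluster",
                       "properties": {"agentPoolProfiles": [pool]}}],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:  # weak sample: old apiVersion, ephemeral OS disk, vTPM not enabled
        template = sample_template("2024-09-01", osDiskType="Ephemeral",
                                   securityProfile={"enableSecureBoot": True})
    for line in lint_template(template) or ["OK: all OS Guard settings present"]:
        print(line)
```

Run it against the saved template before starting the portal deployment; a non-empty report means the nodes would not come up with FIPS, Secure Boot and vTPM as the quickstart intends. The lint resolves only direct parameter references. A value built from another ARM expression (if(), variables(), concat()) is left unresolved and therefore reported, which is the safe failure mode for a pre-deployment check.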

Deploy the template

  1. In the Azure portal, select Deploy a custom template > Build your own template, and then paste the ARM template into the template editor.

  2. Configure the template parameters on the Custom deployment page. For this quickstart, leave the default values for Agent Count, Agent VM Size, and OS SKU. Provide your own values for the following template parameters:

    • Subscription: Select an Azure subscription.
    • Resource group: Select Create new. Enter a unique name for the resource group, such as testAzureLinuxOSGuardResourceGroup, then choose OK.
    • Location: Select a location, such as East US.
    • Cluster name: Enter a unique name for the AKS cluster, such as testAzureLinuxOSGuardCluster.
    • DNS prefix: Enter a unique DNS prefix for your cluster, such as myAzureLinuxOSGuardCluster.
    • Linux Admin Username: Enter a username to connect using SSH, such as azureUser.
    • SSH RSA Public Key: Copy and paste the public part of your SSH key pair (by default, the contents of ~/.ssh/id_rsa.pub). Paste only the public key; the private key stays on your machine.
  3. Select Review + create. When validation passes, select Create.

It takes a few minutes to create the Azure Linux Container Host cluster. Wait for the cluster to be successfully deployed before you move on to the next step.

Connect to the cluster

To manage a Kubernetes cluster, use the Kubernetes command-line client, kubectl.

  1. Install kubectl locally using the az aks install-cli command. If you're using Azure Cloud Shell, kubectl is already installed.

    az aks install-cli
    
  2. Configure kubectl to connect to your Kubernetes cluster using the az aks get-credentials command. This command downloads credentials and configures the Kubernetes CLI to use them.

    az aks get-credentials --resource-group testAzureLinuxOSGuardResourceGroup --name testAzureLinuxOSGuardCluster
    
  3. Verify the connection to your cluster using the kubectl get command. This command returns a list of the cluster nodes.

    kubectl get nodes
    

    The following output example shows the three nodes created in the previous steps. Make sure the node status is Ready:

    NAME                       STATUS   ROLES   AGE     VERSION
    aks-agentpool-12345678-0   Ready    agent   6m44s   v1.12.6
    aks-agentpool-12345678-1   Ready    agent   6m46s   v1.12.6
    aks-agentpool-12345678-2   Ready    agent   6m45s   v1.12.6
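Ready status alone does not tell you whether the security settings in the template actually landed on the nodes. The following script is an added example, not code from the Microsoft page: it reads the JSON from kubectl get nodes -o json (saved to a file) and reports nodes that are not Ready, kubelet versions that differ across the pool, and nodes missing the kubernetes.azure.com/fips_enabled=true label that AKS applies to FIPS-enabled node pools. The node names and kubelet versions in its built-in sample are constructed, not captured from a real cluster.

```python
"""Post-deployment check of the new nodes from `kubectl get nodes -o json`.

Added example; not code from the Microsoft page. Usage:
    kubectl get nodes -o json > nodes.json && python check_nodes.py nodes.json
Without an argument it checks a constructed sample in which one node is not
Ready and one node lacks the FIPS label.
"""
import json
import sys

# Label AKS applies to nodes in FIPS-enabled node pools.
FIPS_LABEL = "kubernetes.azure.com/fips_enabled"


def node_summary(node):
    """Reduce one Node object to the fields the checks need."""
    meta = node["metadata"]
    status = node.get("status", {})
    conditions = {c["type"]: c["status"] for c in status.get("conditions", [])}
    labels = meta.get("labels", {})
    return {
        "name": meta["name"],
        "ready": conditions.get("Ready") == "True",
        "version": status.get("nodeInfo", {}).get("kubeletVersion"),
        "fips": labels.get(FIPS_LABEL) == "true",
    }


def check_nodes(node_list, expected_count=None):
    """Return a list of findings; an empty list means every node passed."""
    nodes = [node_summary(n) for n in node_list.get("items", [])]
    findings = []
    if expected_count is not None and len(nodes) != expected_count:
        findings.append(f"expected {expected_count} nodes, found {len(nodes)}")
    versions = sorted({n["version"] for n in nodes if n["version"]})
    if len(versions) > 1:
        findings.append(f"mixed kubelet versions: {versions}")
    for n in nodes:
        if not n["ready"]:
            findings.append(f"{n['name']}: not Ready")
        if not n["fips"]:
            findings.append(f"{n['name']}: {FIPS_LABEL} label is not 'true'")
    return findings


def _node(name, ready="True", version="v1.32.0", fips="true"):
    """Build a constructed Node object with the shape kubectl emits."""
    return {
        "metadata": {"name": name, "labels": {FIPS_LABEL: fips}},
        "status": {"conditions": [{"type": "Ready", "status": ready}],
                   "nodeInfo": {"kubeletVersion": version}},
    }


# Constructed sample: node 1 is NotReady, node 2 was built without FIPS.
SAMPLE = {"items": [
    _node("aks-agentpool-12345678-0"),
    _node("aks-agentpool-12345678-1", ready="False"),
    _node("aks-agentpool-12345678-2", fips="false"),
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            node_list = json.load(fh)
    else:
        node_list = SAMPLE
    report = check_nodes(node_list, expected_count=3)
    for line in report or ["OK: all nodes Ready and FIPS-enabled"]:
        print(line)
```

The expected count of 3 matches the template's default agentCount; pass the value you deployed with if you changed it. A node that reports Ready but lacks the FIPS label means the pool was created without enableFIPS, which you cannot fix in place: the node pool has to be recreated with the property set.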
    

Delete the cluster

If you no longer need them, you can clean up unnecessary resources to avoid Azure charges.

Delete the Azure resource group and all related resources using the az group delete command.

az group delete --name testAzureLinuxOSGuardResourceGroup --yes --no-wait

In this quickstart, you deployed an Azure Linux with OS Guard cluster. To learn more about Azure Linux with OS Guard, see the following resources: