Microsoft.ContainerService managedClusters/agentPools

Bicep resource definition

The managedClusters/agentPools resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerService/managedClusters/agentPools resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.ContainerService/managedClusters/agentPools@2024-03-02-preview' = {
  name: 'string'
  parent: resourceSymbolicName
  properties: {
    artifactStreamingProfile: {
      enabled: bool
    }
    availabilityZones: [
      'string'
    ]
    capacityReservationGroupID: 'string'
    count: int
    creationData: {
      sourceResourceId: 'string'
    }
    enableAutoScaling: bool
    enableCustomCATrust: bool
    enableEncryptionAtHost: bool
    enableFIPS: bool
    enableNodePublicIP: bool
    enableUltraSSD: bool
    gatewayProfile: {
      publicIPPrefixSize: int
    }
    gpuInstanceProfile: 'string'
    gpuProfile: {
      installGPUDriver: bool
    }
    hostGroupID: 'string'
    kubeletConfig: {
      allowedUnsafeSysctls: [
        'string'
      ]
      containerLogMaxFiles: int
      containerLogMaxSizeMB: int
      cpuCfsQuota: bool
      cpuCfsQuotaPeriod: 'string'
      cpuManagerPolicy: 'string'
      failSwapOn: bool
      imageGcHighThreshold: int
      imageGcLowThreshold: int
      podMaxPids: int
      topologyManagerPolicy: 'string'
    }
    kubeletDiskType: 'string'
    linuxOSConfig: {
      swapFileSizeMB: int
      sysctls: {
        fsAioMaxNr: int
        fsFileMax: int
        fsInotifyMaxUserWatches: int
        fsNrOpen: int
        kernelThreadsMax: int
        netCoreNetdevMaxBacklog: int
        netCoreOptmemMax: int
        netCoreRmemDefault: int
        netCoreRmemMax: int
        netCoreSomaxconn: int
        netCoreWmemDefault: int
        netCoreWmemMax: int
        netIpv4IpLocalPortRange: 'string'
        netIpv4NeighDefaultGcThresh1: int
        netIpv4NeighDefaultGcThresh2: int
        netIpv4NeighDefaultGcThresh3: int
        netIpv4TcpFinTimeout: int
        netIpv4TcpkeepaliveIntvl: int
        netIpv4TcpKeepaliveProbes: int
        netIpv4TcpKeepaliveTime: int
        netIpv4TcpMaxSynBacklog: int
        netIpv4TcpMaxTwBuckets: int
        netIpv4TcpTwReuse: bool
        netNetfilterNfConntrackBuckets: int
        netNetfilterNfConntrackMax: int
        vmMaxMapCount: int
        vmSwappiness: int
        vmVfsCachePressure: int
      }
      transparentHugePageDefrag: 'string'
      transparentHugePageEnabled: 'string'
    }
    maxCount: int
    maxPods: int
    messageOfTheDay: 'string'
    minCount: int
    mode: 'string'
    networkProfile: {
      allowedHostPorts: [
        {
          portEnd: int
          portStart: int
          protocol: 'string'
        }
      ]
      applicationSecurityGroups: [
        'string'
      ]
      nodePublicIPTags: [
        {
          ipTagType: 'string'
          tag: 'string'
        }
      ]
    }
    nodeInitializationTaints: [
      'string'
    ]
    nodeLabels: {
      {customized property}: 'string'
    }
    nodePublicIPPrefixID: 'string'
    nodeTaints: [
      'string'
    ]
    orchestratorVersion: 'string'
    osDiskSizeGB: int
    osDiskType: 'string'
    osSKU: 'string'
    osType: 'string'
    podIPAllocationMode: 'string'
    podSubnetID: 'string'
    powerState: {
      code: 'string'
    }
    proximityPlacementGroupID: 'string'
    scaleDownMode: 'string'
    scaleSetEvictionPolicy: 'string'
    scaleSetPriority: 'string'
    securityProfile: {
      enableSecureBoot: bool
      enableVTPM: bool
      sshAccess: 'string'
    }
    spotMaxPrice: int
    tags: {}
    type: 'string'
    upgradeSettings: {
      drainTimeoutInMinutes: int
      maxSurge: 'string'
      nodeSoakDurationInMinutes: int
    }
    virtualMachineNodesStatus: [
      {
        count: int
        size: 'string'
      }
    ]
    virtualMachinesProfile: {
      scale: {
        manual: [
          {
            count: int
            sizes: [
              'string'
            ]
          }
        ]
      }
    }
    vmSize: 'string'
    vnetSubnetID: 'string'
    windowsProfile: {
      disableOutboundNat: bool
    }
    workloadRuntime: 'string'
  }
}

Property values


managedClusters/agentPools

| Name | Description | Value |
| --- | --- | --- |
| name | The resource name. See how to set names and types for child resources in Bicep. | string (required). Character limit: 1-12 for Linux, 1-6 for Windows. Valid characters: lowercase letters and numbers. Can't start with a number. |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: managedClusters |
| properties | Properties of an agent pool. | ManagedClusterAgentPoolProfileProperties |


ManagedClusterAgentPoolProfileProperties

| Name | Description | Value |
| --- | --- | --- |
| artifactStreamingProfile | Configuration for using artifact streaming on AKS. | AgentPoolArtifactStreamingProfile |
| availabilityZones | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. | string[] |
| capacityReservationGroupID | AKS will associate the specified agent pool with the Capacity Reservation Group. | string |
| count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | int |
| creationData | CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. | CreationData |
| enableAutoScaling | Whether to enable auto-scaler | bool |
| enableCustomCATrust | When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a daemonset along with host services to sync custom certificate authorities from user-provided list of base64 encoded certificates into node trust stores. Defaults to false. | bool |
| enableEncryptionAtHost | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption | bool |
| enableFIPS | See Add a FIPS-enabled node pool for more details. | bool |
| enableNodePublicIP | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. | bool |
| enableUltraSSD | Whether to enable UltraSSD | bool |
| gatewayProfile | Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. | AgentPoolGatewayProfile |
| gpuInstanceProfile | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | 'MIG1g' |
| gpuProfile | The GPU settings of an agent pool. | AgentPoolGPUProfile |
| hostGroupID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. | string |
| kubeletConfig | The Kubelet configuration on the agent pool nodes. | KubeletConfig |
| kubeletDiskType | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | 'OS' |
| linuxOSConfig | The OS configuration of Linux agent nodes. | LinuxOSConfig |
| maxCount | The maximum number of nodes for auto-scaling | int |
| maxPods | The maximum number of pods that can run on a node. | int |
| messageOfTheDay | A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). | string |
| minCount | The minimum number of nodes for auto-scaling | int |
| mode | A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools | 'Gateway' |
| networkProfile | Network-related settings of an agent pool. | AgentPoolNetworkProfile |
| nodeInitializationTaints | These taints will not be reconciled by AKS and can be removed with a kubectl call. This field can be modified after node pool is created, but nodes will not be recreated with new taints until another operation that requires recreation (e.g. node image upgrade) happens. These taints allow for required configuration to run before the node is ready to accept workloads, for example 'key1=value1:NoSchedule' that then can be removed with kubectl taint nodes node1 key1=value1:NoSchedule- | string[] |
| nodeLabels | The node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels |
| nodePublicIPPrefixID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} | string |
| nodeTaints | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] |
| orchestratorVersion | Both patch version {major.minor.patch} and {major.minor} are supported. When {major.minor} is specified, the latest supported patch version is chosen automatically. Updating the agent pool with the same {major.minor} once it has been created will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. | string |
| osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int. Min value = 0. Max value = 2048 |
| osDiskType | The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. | 'Ephemeral' |
| osSKU | Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. | 'AzureLinux' |
| osType | The operating system type. The default is Linux. | 'Linux' |
| podIPAllocationMode | The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. | 'DynamicIndividual' |
| podSubnetID | If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string |
| powerState | When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded. | PowerState |
| proximityPlacementGroupID | The ID for Proximity Placement Group. | string |
| scaleDownMode | This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete. | 'Deallocate' |
| scaleSetEvictionPolicy | This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. | 'Deallocate' |
| scaleSetPriority | The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. | 'Regular' |
| securityProfile | The security settings of an agent pool. | AgentPoolSecurityProfile |
| spotMaxPrice | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing | int |
| tags | The tags to be persisted on the agent pool virtual machine scale set. | object |
| type | The type of Agent Pool. | 'AvailabilitySet' |
| upgradeSettings | Settings for upgrading the agentpool | AgentPoolUpgradeSettings |
| virtualMachineNodesStatus | The status of nodes in a VirtualMachines agent pool. | VirtualMachineNodes[] |
| virtualMachinesProfile | Specifications on VirtualMachines agent pool. | VirtualMachinesProfile |
| vmSize | VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions | string |
| vnetSubnetID | If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string |
| windowsProfile | The Windows agent pool's specific profile. | AgentPoolWindowsProfile |
| workloadRuntime | Determines the type of workload a node can run. | 'KataMshvVmIsolation' |


AgentPoolArtifactStreamingProfile

| Name | Description | Value |
| --- | --- | --- |
| enabled | Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR. If not specified, the default is false. | bool |


CreationData

| Name | Description | Value |
| --- | --- | --- |
| sourceResourceId | This is the ARM ID of the source object to be used to create the target object. | string |


AgentPoolGatewayProfile

| Name | Description | Value |
| --- | --- | --- |
| publicIPPrefixSize | The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. | int. Min value = 28. Max value = 31 |


AgentPoolGPUProfile

| Name | Description | Value |
| --- | --- | --- |
| installGPUDriver | The default value is true when the vmSize of the agent pool contains a GPU, false otherwise. GPU Driver Installation can only be set true when VM has an associated GPU resource. Setting this field to false prevents automatic GPU driver installation. In that case, in order for the GPU to be usable, the user must perform GPU driver installation themselves. | bool |


KubeletConfig

| Name | Description | Value |
| --- | --- | --- |
| allowedUnsafeSysctls | Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). | string[] |
| containerLogMaxFiles | The maximum number of container log files that can be present for a container. The number must be ≥ 2. | int. Min value = 2 |
| containerLogMaxSizeMB | The maximum size (e.g. 10Mi) of container log file before it is rotated. | int |
| cpuCfsQuota | The default is true. | bool |
| cpuCfsQuotaPeriod | The default is '100ms.' Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. | string |
| cpuManagerPolicy | The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. | string |
| failSwapOn | If set to true it will make the Kubelet fail to start if swap is enabled on the node. | bool |
| imageGcHighThreshold | To disable image garbage collection, set to 100. The default is 85% | int |
| imageGcLowThreshold | This cannot be set higher than imageGcHighThreshold. The default is 80% | int |
| podMaxPids | The maximum number of processes per pod. | int |
| topologyManagerPolicy | For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. | string |


LinuxOSConfig

| Name | Description | Value |
| --- | --- | --- |
| swapFileSizeMB | The size in MB of a swap file that will be created on each node. | int |
| sysctls | Sysctl settings for Linux agent nodes. | SysctlConfig |
| transparentHugePageDefrag | Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. | string |
| transparentHugePageEnabled | Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. | string |


SysctlConfig

| Name | Description | Value |
| --- | --- | --- |
| fsAioMaxNr | Sysctl setting fs.aio-max-nr. | int |
| fsFileMax | Sysctl setting fs.file-max. | int |
| fsInotifyMaxUserWatches | Sysctl setting fs.inotify.max_user_watches. | int |
| fsNrOpen | Sysctl setting fs.nr_open. | int |
| kernelThreadsMax | Sysctl setting kernel.threads-max. | int |
| netCoreNetdevMaxBacklog | Sysctl setting net.core.netdev_max_backlog. | int |
| netCoreOptmemMax | Sysctl setting net.core.optmem_max. | int |
| netCoreRmemDefault | Sysctl setting net.core.rmem_default. | int |
| netCoreRmemMax | Sysctl setting net.core.rmem_max. | int |
| netCoreSomaxconn | Sysctl setting net.core.somaxconn. | int |
| netCoreWmemDefault | Sysctl setting net.core.wmem_default. | int |
| netCoreWmemMax | Sysctl setting net.core.wmem_max. | int |
| netIpv4IpLocalPortRange | Sysctl setting net.ipv4.ip_local_port_range. | string |
| netIpv4NeighDefaultGcThresh1 | Sysctl setting net.ipv4.neigh.default.gc_thresh1. | int |
| netIpv4NeighDefaultGcThresh2 | Sysctl setting net.ipv4.neigh.default.gc_thresh2. | int |
| netIpv4NeighDefaultGcThresh3 | Sysctl setting net.ipv4.neigh.default.gc_thresh3. | int |
| netIpv4TcpFinTimeout | Sysctl setting net.ipv4.tcp_fin_timeout. | int |
| netIpv4TcpkeepaliveIntvl | Sysctl setting net.ipv4.tcp_keepalive_intvl. | int. Min value = 10. Max value = 90 |
| netIpv4TcpKeepaliveProbes | Sysctl setting net.ipv4.tcp_keepalive_probes. | int |
| netIpv4TcpKeepaliveTime | Sysctl setting net.ipv4.tcp_keepalive_time. | int |
| netIpv4TcpMaxSynBacklog | Sysctl setting net.ipv4.tcp_max_syn_backlog. | int |
| netIpv4TcpMaxTwBuckets | Sysctl setting net.ipv4.tcp_max_tw_buckets. | int |
| netIpv4TcpTwReuse | Sysctl setting net.ipv4.tcp_tw_reuse. | bool |
| netNetfilterNfConntrackBuckets | Sysctl setting net.netfilter.nf_conntrack_buckets. | int. Min value = 65536. Max value = 524288 |
| netNetfilterNfConntrackMax | Sysctl setting net.netfilter.nf_conntrack_max. | int. Min value = 131072. Max value = 2097152 |
| vmMaxMapCount | Sysctl setting vm.max_map_count. | int |
| vmSwappiness | Sysctl setting vm.swappiness. | int |
| vmVfsCachePressure | Sysctl setting vm.vfs_cache_pressure. | int |


AgentPoolNetworkProfile

| Name | Description | Value |
| --- | --- | --- |
| allowedHostPorts | The port ranges that are allowed to access. The specified ranges are allowed to overlap. | PortRange[] |
| applicationSecurityGroups | The IDs of the application security groups which agent pool will associate when created. | string[] |
| nodePublicIPTags | IPTags of instance-level public IPs. | IPTag[] |


PortRange

| Name | Description | Value |
| --- | --- | --- |
| portEnd | The maximum port that is included in the range. It should be ranged from 1 to 65535, and be greater than or equal to portStart. | int. Min value = 1. Max value = 65535 |
| portStart | The minimum port that is included in the range. It should be ranged from 1 to 65535, and be less than or equal to portEnd. | int. Min value = 1. Max value = 65535 |
| protocol | The network protocol of the port. | 'TCP' |


IPTag

| Name | Description | Value |
| --- | --- | --- |
| ipTagType | The IP tag type. Example: RoutingPreference. | string |
| tag | The value of the IP tag associated with the public IP. Example: Internet. | string |


ManagedClusterAgentPoolProfilePropertiesNodeLabels

| Name | Description | Value |
| --- | --- | --- |
| {customized property} | | string |


PowerState

| Name | Description | Value |
| --- | --- | --- |
| code | Tells whether the cluster is Running or Stopped | 'Running' |


AgentPoolSecurityProfile

| Name | Description | Value |
| --- | --- | --- |
| enableSecureBoot | Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see If not specified, the default is false. | bool |
| enableVTPM | vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see If not specified, the default is false. | bool |
| sshAccess | SSH access method of an agent pool. | 'Disabled' |


AgentPoolUpgradeSettings

| Name | Description | Value |
| --- | --- | --- |
| drainTimeoutInMinutes | The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. | int. Min value = 1. Max value = 1440 |
| maxSurge | This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade | string |
| nodeSoakDurationInMinutes | The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes. | int. Min value = 0. Max value = 30 |


VirtualMachineNodes

| Name | Description | Value |
| --- | --- | --- |
| count | Number of nodes. | int |
| size | The VM size of the agents used to host this group of nodes. | string |


VirtualMachinesProfile

| Name | Description | Value |
| --- | --- | --- |
| scale | Specifications on how to scale a VirtualMachines agent pool. | ScaleProfile |


ScaleProfile

| Name | Description | Value |
| --- | --- | --- |
| manual | Specifications on how to scale the VirtualMachines agent pool to a fixed size. | ManualScaleProfile[] |


ManualScaleProfile

| Name | Description | Value |
| --- | --- | --- |
| count | Number of nodes. | int. Min value = 0. Max value = 1000 |
| sizes | The list of allowed vm sizes. AKS will use the first available one when scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. | string[] |


AgentPoolWindowsProfile

| Name | Description | Value |
| --- | --- | --- |
| disableOutboundNat | The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. | bool |
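
The constraints stated in the property values above can be checked before a template is deployed. The following Python sketch is an added example, not Microsoft's code or tooling: `check_agent_pool`, its messages and the two sample pools are hypothetical, and the posture warnings (public node IPs, SSH access, Trusted Launch, host encryption) are a review policy chosen for illustration, not API rules.

```python
import base64
import binascii
import re

NAME_RE = re.compile(r"^[a-z][a-z0-9]*$")  # lowercase letters and digits, no leading digit


def check_agent_pool(name, props):
    """Return (errors, warnings) for one agentPools `properties` object."""
    errors, warnings = [], []
    windows = props.get("osType", "Linux") == "Windows"  # documented default: Linux

    limit = 6 if windows else 12  # name: 1-12 characters for Linux, 1-6 for Windows
    if len(name) > limit or not NAME_RE.match(name):
        errors.append(f"name: need 1-{limit} lowercase letters/digits, not starting with a digit")

    floor = 1 if props.get("mode") == "System" else 0  # system pools need at least 1 node
    if not floor <= props.get("count", 1) <= 1000:
        errors.append(f"count: must be in {floor}..1000")

    gateway = props.get("gatewayProfile")
    if gateway is not None:
        if props.get("mode") != "Gateway":
            errors.append("gatewayProfile: only allowed when mode is 'Gateway'")
        if not 28 <= gateway.get("publicIPPrefixSize", 31) <= 31:
            errors.append("gatewayProfile.publicIPPrefixSize: must be in 28..31")

    if "scaleSetEvictionPolicy" in props and props.get("scaleSetPriority", "Regular") != "Spot":
        errors.append("scaleSetEvictionPolicy: requires scaleSetPriority 'Spot'")

    kubelet = props.get("kubeletConfig", {})
    if kubelet.get("imageGcLowThreshold", 80) > kubelet.get("imageGcHighThreshold", 85):
        errors.append("kubeletConfig.imageGcLowThreshold: higher than imageGcHighThreshold")
    if kubelet.get("containerLogMaxFiles", 2) < 2:
        errors.append("kubeletConfig.containerLogMaxFiles: must be >= 2")
    for pattern in kubelet.get("allowedUnsafeSysctls", []):
        warnings.append(f"kubeletConfig.allowedUnsafeSysctls: unsafe sysctl '{pattern}' allowed")

    ports = props.get("networkProfile", {}).get("allowedHostPorts", [])
    for i, rng in enumerate(ports):
        start, end = rng.get("portStart"), rng.get("portEnd")
        if not (isinstance(start, int) and isinstance(end, int) and 1 <= start <= end <= 65535):
            errors.append(f"allowedHostPorts[{i}]: need 1 <= portStart <= portEnd <= 65535")
        else:
            warnings.append(f"allowedHostPorts[{i}]: {end - start + 1} host port(s) allowed")

    motd = props.get("messageOfTheDay")
    if motd is not None:
        if windows:
            errors.append("messageOfTheDay: must not be specified for Windows nodes")
        try:
            base64.b64decode(motd, validate=True)
        except (binascii.Error, ValueError):
            errors.append("messageOfTheDay: not valid base64")

    public_ip = props.get("enableNodePublicIP", False)  # documented default: false
    if props.get("windowsProfile", {}).get("disableOutboundNat") and public_ip:
        errors.append("windowsProfile.disableOutboundNat: not allowed with enableNodePublicIP")

    # Posture warnings below are this example's review policy, not API requirements.
    if public_ip:
        warnings.append("enableNodePublicIP: every node gets its own public IP")
    security = props.get("securityProfile", {})
    if security.get("sshAccess") != "Disabled":
        warnings.append("securityProfile.sshAccess: not set to 'Disabled'")
    for flag in ("enableSecureBoot", "enableVTPM"):
        if not security.get(flag, False):  # documented default: false
            warnings.append(f"securityProfile.{flag}: Trusted Launch feature is off")
    if not props.get("enableEncryptionAtHost", False):
        warnings.append("enableEncryptionAtHost: not set to true")
    return errors, warnings


# Constructed sample inputs (not taken from any real deployment).
BAD_POOL = {
    "mode": "System", "count": 0, "enableNodePublicIP": True,
    "scaleSetEvictionPolicy": "Deallocate",
    "kubeletConfig": {"imageGcLowThreshold": 90, "imageGcHighThreshold": 85,
                      "allowedUnsafeSysctls": ["net.*"]},
    "networkProfile": {"allowedHostPorts": [{"portStart": 9000, "portEnd": 8000, "protocol": "TCP"}]},
    "messageOfTheDay": "not base64!",
}
GOOD_POOL = {
    "mode": "System", "count": 3, "osType": "Linux", "enableEncryptionAtHost": True,
    "securityProfile": {"enableSecureBoot": True, "enableVTPM": True, "sshAccess": "Disabled"},
    "messageOfTheDay": base64.b64encode(b"Authorized use only\n").decode(),
}

if __name__ == "__main__":
    for pool_name, pool in (("1stpool", BAD_POOL), ("syspool01", GOOD_POOL)):
        errs, warns = check_agent_pool(pool_name, pool)
        print(pool_name, "errors:", errs, "warnings:", warns)
```

The function takes the `properties` object as a plain dictionary, so the same check applies to a parsed ARM template resource or to the body passed to `jsonencode` in the AzAPI form.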

ARM template resource definition

The managedClusters/agentPools resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerService/managedClusters/agentPools resource, add the following JSON to your template.

{
  "type": "Microsoft.ContainerService/managedClusters/agentPools",
  "apiVersion": "2024-03-02-preview",
  "name": "string",
  "properties": {
    "artifactStreamingProfile": {
      "enabled": "bool"
    },
    "availabilityZones": [ "string" ],
    "capacityReservationGroupID": "string",
    "count": "int",
    "creationData": {
      "sourceResourceId": "string"
    },
    "enableAutoScaling": "bool",
    "enableCustomCATrust": "bool",
    "enableEncryptionAtHost": "bool",
    "enableFIPS": "bool",
    "enableNodePublicIP": "bool",
    "enableUltraSSD": "bool",
    "gatewayProfile": {
      "publicIPPrefixSize": "int"
    },
    "gpuInstanceProfile": "string",
    "gpuProfile": {
      "installGPUDriver": "bool"
    },
    "hostGroupID": "string",
    "kubeletConfig": {
      "allowedUnsafeSysctls": [ "string" ],
      "containerLogMaxFiles": "int",
      "containerLogMaxSizeMB": "int",
      "cpuCfsQuota": "bool",
      "cpuCfsQuotaPeriod": "string",
      "cpuManagerPolicy": "string",
      "failSwapOn": "bool",
      "imageGcHighThreshold": "int",
      "imageGcLowThreshold": "int",
      "podMaxPids": "int",
      "topologyManagerPolicy": "string"
    },
    "kubeletDiskType": "string",
    "linuxOSConfig": {
      "swapFileSizeMB": "int",
      "sysctls": {
        "fsAioMaxNr": "int",
        "fsFileMax": "int",
        "fsInotifyMaxUserWatches": "int",
        "fsNrOpen": "int",
        "kernelThreadsMax": "int",
        "netCoreNetdevMaxBacklog": "int",
        "netCoreOptmemMax": "int",
        "netCoreRmemDefault": "int",
        "netCoreRmemMax": "int",
        "netCoreSomaxconn": "int",
        "netCoreWmemDefault": "int",
        "netCoreWmemMax": "int",
        "netIpv4IpLocalPortRange": "string",
        "netIpv4NeighDefaultGcThresh1": "int",
        "netIpv4NeighDefaultGcThresh2": "int",
        "netIpv4NeighDefaultGcThresh3": "int",
        "netIpv4TcpFinTimeout": "int",
        "netIpv4TcpkeepaliveIntvl": "int",
        "netIpv4TcpKeepaliveProbes": "int",
        "netIpv4TcpKeepaliveTime": "int",
        "netIpv4TcpMaxSynBacklog": "int",
        "netIpv4TcpMaxTwBuckets": "int",
        "netIpv4TcpTwReuse": "bool",
        "netNetfilterNfConntrackBuckets": "int",
        "netNetfilterNfConntrackMax": "int",
        "vmMaxMapCount": "int",
        "vmSwappiness": "int",
        "vmVfsCachePressure": "int"
      },
      "transparentHugePageDefrag": "string",
      "transparentHugePageEnabled": "string"
    },
    "maxCount": "int",
    "maxPods": "int",
    "messageOfTheDay": "string",
    "minCount": "int",
    "mode": "string",
    "networkProfile": {
      "allowedHostPorts": [
        {
          "portEnd": "int",
          "portStart": "int",
          "protocol": "string"
        }
      ],
      "applicationSecurityGroups": [ "string" ],
      "nodePublicIPTags": [
        {
          "ipTagType": "string",
          "tag": "string"
        }
      ]
    },
    "nodeInitializationTaints": [ "string" ],
    "nodeLabels": {
      "{customized property}": "string"
    },
    "nodePublicIPPrefixID": "string",
    "nodeTaints": [ "string" ],
    "orchestratorVersion": "string",
    "osDiskSizeGB": "int",
    "osDiskType": "string",
    "osSKU": "string",
    "osType": "string",
    "podIPAllocationMode": "string",
    "podSubnetID": "string",
    "powerState": {
      "code": "string"
    },
    "proximityPlacementGroupID": "string",
    "scaleDownMode": "string",
    "scaleSetEvictionPolicy": "string",
    "scaleSetPriority": "string",
    "securityProfile": {
      "enableSecureBoot": "bool",
      "enableVTPM": "bool",
      "sshAccess": "string"
    },
    "spotMaxPrice": "int",
    "tags": {},
    "type": "string",
    "upgradeSettings": {
      "drainTimeoutInMinutes": "int",
      "maxSurge": "string",
      "nodeSoakDurationInMinutes": "int"
    },
    "virtualMachineNodesStatus": [
      {
        "count": "int",
        "size": "string"
      }
    ],
    "virtualMachinesProfile": {
      "scale": {
        "manual": [
          {
            "count": "int",
            "sizes": [ "string" ]
          }
        ]
      }
    },
    "vmSize": "string",
    "vnetSubnetID": "string",
    "windowsProfile": {
      "disableOutboundNat": "bool"
    },
    "workloadRuntime": "string"
  }
}

Terraform (AzAPI provider) resource definition

The managedClusters/agentPools resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerService/managedClusters/agentPools resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.ContainerService/managedClusters/agentPools@2024-03-02-preview"
  name = "string"
  parent_id = "string"
  body = jsonencode({
    properties = {
      artifactStreamingProfile = {
        enabled = bool
      }
      availabilityZones = [
        "string"
      ]
      capacityReservationGroupID = "string"
      count = int
      creationData = {
        sourceResourceId = "string"
      }
      enableAutoScaling = bool
      enableCustomCATrust = bool
      enableEncryptionAtHost = bool
      enableFIPS = bool
      enableNodePublicIP = bool
      enableUltraSSD = bool
      gatewayProfile = {
        publicIPPrefixSize = int
      }
      gpuInstanceProfile = "string"
      gpuProfile = {
        installGPUDriver = bool
      }
      hostGroupID = "string"
      kubeletConfig = {
        allowedUnsafeSysctls = [
          "string"
        ]
        containerLogMaxFiles = int
        containerLogMaxSizeMB = int
        cpuCfsQuota = bool
        cpuCfsQuotaPeriod = "string"
        cpuManagerPolicy = "string"
        failSwapOn = bool
        imageGcHighThreshold = int
        imageGcLowThreshold = int
        podMaxPids = int
        topologyManagerPolicy = "string"
      }
      kubeletDiskType = "string"
      linuxOSConfig = {
        swapFileSizeMB = int
        sysctls = {
          fsAioMaxNr = int
          fsFileMax = int
          fsInotifyMaxUserWatches = int
          fsNrOpen = int
          kernelThreadsMax = int
          netCoreNetdevMaxBacklog = int
          netCoreOptmemMax = int
          netCoreRmemDefault = int
          netCoreRmemMax = int
          netCoreSomaxconn = int
          netCoreWmemDefault = int
          netCoreWmemMax = int
          netIpv4IpLocalPortRange = "string"
          netIpv4NeighDefaultGcThresh1 = int
          netIpv4NeighDefaultGcThresh2 = int
          netIpv4NeighDefaultGcThresh3 = int
          netIpv4TcpFinTimeout = int
          netIpv4TcpkeepaliveIntvl = int
          netIpv4TcpKeepaliveProbes = int
          netIpv4TcpKeepaliveTime = int
          netIpv4TcpMaxSynBacklog = int
          netIpv4TcpMaxTwBuckets = int
          netIpv4TcpTwReuse = bool
          netNetfilterNfConntrackBuckets = int
          netNetfilterNfConntrackMax = int
          vmMaxMapCount = int
          vmSwappiness = int
          vmVfsCachePressure = int
        }
        transparentHugePageDefrag = "string"
        transparentHugePageEnabled = "string"
      }
      maxCount = int
      maxPods = int
      messageOfTheDay = "string"
      minCount = int
      mode = "string"
      networkProfile = {
        allowedHostPorts = [
          {
            portEnd = int
            portStart = int
            protocol = "string"
          }
        ]
        applicationSecurityGroups = [
          "string"
        ]
        nodePublicIPTags = [
          {
            ipTagType = "string"
            tag = "string"
          }
        ]
      }
      nodeInitializationTaints = [
        "string"
      ]
      nodeLabels = {
        {customized property} = "string"
      }
      nodePublicIPPrefixID = "string"
      nodeTaints = [
        "string"
      ]
      orchestratorVersion = "string"
      osDiskSizeGB = int
      osDiskType = "string"
      osSKU = "string"
      osType = "string"
      podIPAllocationMode = "string"
      podSubnetID = "string"
      powerState = {
        code = "string"
      }
      proximityPlacementGroupID = "string"
      scaleDownMode = "string"
      scaleSetEvictionPolicy = "string"
      scaleSetPriority = "string"
      securityProfile = {
        enableSecureBoot = bool
        enableVTPM = bool
        sshAccess = "string"
      }
      spotMaxPrice = int
      tags = {}
      type = "string"
      upgradeSettings = {
        drainTimeoutInMinutes = int
        maxSurge = "string"
        nodeSoakDurationInMinutes = int
      }
      virtualMachineNodesStatus = [
        {
          count = int
          size = "string"
        }
      ]
      virtualMachinesProfile = {
        scale = {
          manual = [
            {
              count = int
              sizes = [
                "string"
              ]
            }
          ]
        }
      }
      vmSize = "string"
      vnetSubnetID = "string"
      windowsProfile = {
        disableOutboundNat = bool
      }
      workloadRuntime = "string"
    }
  })
}

