aks.azcli

ACR_NAME=
AKS_RESOURCE_GROUP=
AKS_AAD_ADMIN_GROUP=
AKS_CLUSTER_NAME=
AAD_TENANT_ID=
VNET_SUBNET_ID=
VNET_SERVICE_CIDR=
VNET_DNS_SERVICE_IP=
SSH_KEY=
AKS_CLUSTER_IDENTITY_NAME=
LOGANALYTICS_WORKSPACE_RESOURCE_ID=

# create the user defined managed identity that the cluster will run as
az identity create -g $AKS_RESOURCE_GROUP -n AKS_CLUSTER_IDENTITY_NAME

# resource ID from the identity created above 
AKS_IDENTITY_RESOURCE_ID=     

# create the private cluster (note: this should be a fixed 3 node system nodepool for production clusters)
#   this creates the system nodepool first. 
# The secondary nodepool, for application pods, is added a second step. 
# (two nodepools isn’t needed for non-production clusters). 

az aks create \
--resource-group $AKS_RESOURCE_GROUP \
--name $AKS_CLUSTER_NAME \
--node-count 3 \
--ssh-key-value $SSH_KEY \
--enable-private-cluster \
--max-pods 30 \
--node-vm-size standard_b2ms \
--network-plugin azure \
--network-policy calico \
--vnet-subnet-id=$VNET_SUBNET_ID \
--service-cidr=$VNET_SERVICE_CIDR \
--dns-service-ip=$VNET_DNS_SERVICE_IP \
--docker-bridge-address 172.17.0.1/16 \
--outbound-type userDefinedRouting \
--enable-addons monitoring,azure-policy \
--workspace-resource-id=$LOGANALYTICS_WORKSPACE_RESOURCE_ID \
--enable-aad \
--aad-admin-group-object-ids=$AKS_AAD_ADMIN_GROUP \
--aad-tenant-id $AAD_TENANT_ID \
--attach-acr $ACR_NAME \
--assign-identity $AKS_IDENTITY_RESOURCE_ID \
--uptime-sla \
--zones {1, 2, 3}

# For production clusters, assign the application pods to a secondary nodepool. This nodepool has cluster-autoscaler enabled.
az aks nodepool add \
    --resource-group $AKS_RESOURCE_GROUP \
    --cluster-name $AKS_CLUSTER_NAME \
    --name application-nodepool \
    --node-count 1 \
    --min-count 1 \
    --max-count 3 \
    --enable-cluster-autoscaler \
    --zones {1, 2, 3}