Download Azure Application Gateway

Author: s | 2025-04-24


Prerequisites:
- A functioning Azure Application Gateway. See Direct web traffic with Azure Application Gateway - Azure CLI.
- Private connectivity to Azure Application Gateway enabled. Follow the steps in Configure Azure Application Gateway Private Link, skipping the last step of creating a

azure-content/articles/application-gateway/application-gateway

Tutorial: Enable the ingress controller add-on for a new AKS cluster with a new application gateway instance
Article 02/04/2025

You can use the Azure CLI to enable the application gateway ingress controller (AGIC) add-on for a new Azure Kubernetes Service (AKS) cluster.

In this tutorial, you create an AKS cluster with the AGIC add-on enabled. Creating the cluster automatically creates an Azure application gateway instance for the cluster to use. You then deploy a sample application that uses the add-on to expose itself through the application gateway.

The add-on is a much faster way to deploy AGIC for an AKS cluster than the earlier Helm-based installation, and it is fully managed.

In this tutorial, you learn how to:
- Create a resource group.
- Create a new AKS cluster with the AGIC add-on enabled.
- Deploy a sample application that uses AGIC for ingress on the AKS cluster.
- Check that the application is reachable through the application gateway.

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites
- Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
- If you prefer to run CLI reference commands locally, install the Azure CLI. On Windows or macOS, consider running the Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
- If you're using a local installation, sign in to the Azure CLI with az login and follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
- When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
- Run az version to find the installed version and dependent libraries. To upgrade to the latest version, run az upgrade.

Create a resource group
In Azure, you allocate related resources to a resource group. Create a resource group by using az group create.

OCSP Stapling on Azure Application Gateway and Azure Application

Create and use Web Application Firewall v2 custom rules on Application Gateway
Article 04/06/2023

The Web Application Firewall (WAF) v2 on Azure Application Gateway protects web applications using the Open Web Application Security Project (OWASP) Core Rule Set (CRS). In some cases you need custom rules to cover requirements the managed rule set doesn't. For more information about WAF custom rules, see Custom web application firewall rules overview.

This article shows some example custom rules that you can create and use with a v2 WAF. To learn how to deploy a WAF with a custom rule using Azure PowerShell, see Configure Web Application Firewall custom rules using Azure PowerShell. The JSON snippets shown in this article are derived from an ApplicationGatewayWebApplicationFirewallPolicies resource.

Note: If your application gateway is not using the WAF tier, the option to upgrade the application gateway to the WAF tier appears in the right pane.

Example 1
You know there's a bot named evilbot that you want to block from crawling your website. In this case, you block on the User-Agent evilbot in the request headers. Because the rule lowercases the header before comparing it, EvilBot and EVILBOT are caught as well. Keep in mind that User-Agent is entirely client-controlled: a rule like this stops a cooperative crawler, not an attacker who changes the string.

Logic:
$variable = New-AzApplicationGatewayFirewallMatchVariable `
    -VariableName RequestHeaders `
    -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition `
    -MatchVariable $variable `
    -Operator Contains `
    -MatchValue "evilbot" `
    -Transform Lowercase `
    -NegationCondition $False
$rule = New-AzApplicationGatewayFirewallCustomRule `
    -Name blockEvilBot `
    -Priority 2 `
    -RuleType MatchRule `
    -MatchCondition
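To see which requests the rule above would catch before pushing it to a policy, here is an added Python model of the custom-rule semantics the article uses (a match variable with selector, an operator, transforms, negation, priority order, and ANDed conditions inside a MatchRule). It is example code written for this page, not Microsoft's code and not taken from the article. The sample requests, the small set of operators covered, and the choice that an absent header never matches are this example's assumptions; confirm the real policy's behaviour in the WAF logs before relying on a rule, especially a negated one.

```python
"""Toy evaluator for Application Gateway WAF v2 custom-rule semantics.

Added example, not Microsoft code and not from the article: it models the
pieces the blockEvilBot rule uses (RequestHeaders with a selector, Contains,
the Lowercase transform, negation, priority order, ANDed conditions) plus a
few neighbouring operators, so a rule can be dry-run against constructed
requests before it is pushed to a WAF policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class MatchCondition:
    variable: str                # RequestHeaders, RequestUri or RemoteAddr
    operator: str                # Contains, Equal, BeginsWith, EndsWith, Regex
    values: list[str]            # written in post-transform form (e.g. lowercase)
    selector: str | None = None  # header name when variable is RequestHeaders
    transforms: list[str] = field(default_factory=list)
    negate: bool = False         # NegationCondition


@dataclass
class CustomRule:
    name: str
    priority: int                # lower number is evaluated first
    action: str                  # Block, Allow or Log
    conditions: list[MatchCondition]


def apply_transforms(value: str, transforms: list[str]) -> str:
    """Apply transforms in order; only the ones modelled here are accepted."""
    for t in transforms:
        if t == "Lowercase":
            value = value.lower()
        elif t == "Trim":
            value = value.strip()
        elif t == "RemoveNulls":
            value = value.replace("\x00", "")
        else:
            raise ValueError(f"transform not modelled: {t}")
    return value


def _operand(cond: MatchCondition, request: dict) -> str | None:
    """Pull the matched field out of a constructed request dictionary."""
    if cond.variable == "RequestHeaders":
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        return headers.get(cond.selector.lower()) if cond.selector else None
    if cond.variable == "RequestUri":
        return request.get("uri")
    if cond.variable == "RemoteAddr":
        return request.get("remote_addr")
    raise ValueError(f"variable not modelled: {cond.variable}")


_OPERATORS = {
    "Contains": lambda subject, v: v in subject,
    "Equal": lambda subject, v: subject == v,
    "BeginsWith": lambda subject, v: subject.startswith(v),
    "EndsWith": lambda subject, v: subject.endswith(v),
    "Regex": lambda subject, v: re.search(v, subject) is not None,
}


def condition_matches(cond: MatchCondition, request: dict) -> bool:
    """Transform the field, test it against any of the values, apply negation."""
    raw = _operand(cond, request)
    if raw is None:
        # Assumption of this model: an absent field never matches, negated or not.
        return False
    if cond.operator not in _OPERATORS:
        raise ValueError(f"operator not modelled: {cond.operator}")
    subject = apply_transforms(raw, cond.transforms)
    hit = any(_OPERATORS[cond.operator](subject, v) for v in cond.values)
    return hit != cond.negate


def rule_matches(rule: CustomRule, request: dict) -> bool:
    """Conditions inside one MatchRule are ANDed."""
    return all(condition_matches(c, request) for c in rule.conditions)


def evaluate(rules: list[CustomRule], request: dict) -> str | None:
    """Action of the first matching rule in priority order, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, request):
            return rule.action
    return None


# The article's rule, expressed in this model.
BLOCK_EVILBOT = CustomRule(
    name="blockEvilBot", priority=2, action="Block",
    conditions=[MatchCondition(
        variable="RequestHeaders", selector="User-Agent", operator="Contains",
        values=["evilbot"], transforms=["Lowercase"])],
)

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
    "mixed_case_bot": {"headers": {"User-Agent": "EvilBot/2.1 (+http://example.invalid)"}},
    "browser": {"headers": {"user-agent": "Mozilla/5.0 (X11; Linux x86_64)"}},
    "no_user_agent": {"headers": {}},
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:>15}: {evaluate([BLOCK_EVILBOT], req)}")
```

Running the module prints Block for the mixed-case bot and None for the other two requests. Flipping negate on the condition reverses the browser result, which is the quickest way to sanity-check a negated rule before it goes live.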

What is Azure Application Gateway

az aks create examples (continued):

    az aks create -g MyResourceGroup -n MyManagedCluster --enable-custom-ca-trust
Create a kubernetes cluster with safeguards set to "Warning"
    az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --enable-addons azure-policy
Create a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded
    az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --safeguards-excluded-ns ns1,ns2 --enable-addons azure-policy
Create a kubernetes cluster with Azure Service Mesh enabled
    az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-service-mesh
Create a kubernetes cluster with Azure Monitor Metrics enabled
    az aks create -g MyResourceGroup -n MyManagedCluster --enable-azuremonitormetrics
Create a kubernetes cluster with Azure Monitor App Monitoring enabled
    az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-monitor-app-monitoring
Create a kubernetes cluster with a nodepool having ip allocation mode set to "StaticBlock"
    az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu --max-pods MaxPodsPerNode --network-plugin azure --vnet-subnet-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/NodeSubnet --pod-subnet-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/PodSubnet --pod-ip-allocation-mode StaticBlock
Create a kubernetes cluster with a VirtualMachines nodepool
    az aks create -g MyResourceGroup -n MyManagedCluster --vm-set-type VirtualMachines --vm-sizes "VMSize1,VMSize2" --node-count 3

Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters
--aad-admin-group-object-ids: Comma-separated list of aad group object IDs that will be set as cluster admin.
The ID of an Azure Active Directory tenant.
The name of a subnet in an existing VNet into which to deploy the virtual nodes.
User account to create on node VMs for SSH access.
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
--api-server-authorized-ip-ranges: Comma-separated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
The ID of a subnet in an existing VNet into which to assign control plane apiserver pods (requires --enable-apiserver-vnet-integration).
--app-routing-default-nginx-controller --ardnc: Configure default nginx ingress controller type. Valid values are annotationControlled (default behavior), external, internal, or none. Accepted values: AnnotationControlled, External, Internal, None
Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
Specify the namespace which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.
Specify an existing user assigned identity to manage the cluster resource group.
--assign-kubelet-identity: Specify an existing user assigned identity for kubelet's usage, which is typically used to pull images from ACR.
Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.
Specify the upgrade channel for autoupgrade. It could be rapid, stable,

What is Azure Application Gateway?

ID, and the Microsoft application ID. To prevent this, modify your profile configuration .xml file to include both the custom application ID and the Microsoft application ID.

Note: This step is necessary for P2S gateway configurations that use a custom audience value and whose registered app is associated with the Microsoft-registered Azure VPN Client app ID. If this doesn't apply to your P2S gateway configuration, you can skip this step.

To modify the Azure VPN Client configuration .xml file, open the file using a text editor such as Notepad. Next, add the value for applicationid and save your changes. The following example shows the application ID value c632b3df-fb67-4d84-bdcf-b95ad541b5c8.

Example (the XML element names did not survive extraction; only the values remain):
{customAudienceID}
ID value}/
ID value}/
c632b3df-fb67-4d84-bdcf-b95ad541b5c8

Import VPN client profile configuration files

Note: We're in the process of changing the Azure VPN Client fields for Azure Active Directory to Microsoft Entra ID. If you see Microsoft Entra ID fields referenced in this article but don't yet see those values reflected in the client, select the comparable Azure Active Directory values.

1. On the Azure VPN Client page, select Import.
2. Navigate to the folder containing the file that you want to import, select it, then click Open.
3. On this screen, notice that the connection values are populated from the imported VPN client configuration file.
4. Verify that the Certificate Information value shows DigiCert Global Root G2, rather than the default or blank. Adjust the value if necessary.
5. Notice that the Client Authentication values align with the values that were used to configure the VPN gateway for Microsoft Entra ID authentication. This field must reflect the

SLA for Application Gateway - Azure

The following example creates a resource group named myResourceGroup in the East US location (region):

    az group create --name myResourceGroup --location eastus

Deploy an AKS cluster with the add-on enabled
You'll now deploy a new AKS cluster with the AGIC add-on enabled. If you don't provide an existing application gateway instance in this process, a new application gateway instance is created and configured automatically to serve traffic to the AKS cluster.

Note: The application gateway ingress controller add-on supports only application gateway v2 SKUs (Standard and WAF), not the v1 SKUs. When you deploy a new application gateway instance through the AGIC add-on, you can deploy only a Standard_v2 SKU. If you want to enable the add-on for a WAF_v2 application gateway, use either of these methods:
- Enable WAF on the application gateway through the portal.
- Create the WAF_v2 application gateway instance first, and then follow the instructions on how to enable the AGIC add-on with an existing AKS cluster and existing application gateway instance.

In the following example, you deploy a new AKS cluster named myCluster using Azure CNI and managed identities. The AGIC add-on is enabled in the resource group that you created, myResourceGroup.

Deploying a new AKS cluster with the AGIC add-on enabled without specifying an existing application gateway instance automatically creates a Standard_v2 SKU application gateway instance. You need to specify a name and subnet address space for the new application gateway instance. The address space must lie within the 10.224.0.0/12 prefix used by the AKS virtual network and must not overlap the 10.224.0.0/16 prefix used by the AKS subnet. In this tutorial, use myApplicationGateway for the application gateway name and 10.225.0.0/16 for its subnet address space.

    az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-managed-identity -a ingress-appgw --appgw-name myApplicationGateway --appgw-subnet-cidr "10.225.0.0/16" --generate-ssh-keys

Note: Ensure the identity used by AGIC has the proper permissions. A list of permissions needed by the identity can be found here: Configure Infrastructure - Permissions. If a custom role is not defined with the required permissions, you may use the Network Contributor role; it grants far more than AGIC needs, so prefer a custom role with only the listed permissions.

    # Get application gateway id from AKS addon profile
    appGatewayId=$(az aks
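The subnet constraint in the paragraph above is easy to get wrong when the cluster does not use the default address space, so here is an added Python check, written for this page and not part of Microsoft's tutorial, that rejects an Application Gateway subnet CIDR that is outside the AKS VNet, overlaps an existing subnet, has host bits set, or is smaller than a /24. The 10.224.0.0/12 VNet and 10.224.0.0/16 node subnet are the defaults the tutorial states; the /24 minimum is the size Microsoft recommends for a v2 gateway subnet and, like treating /16 as the search size in first_free_subnet, is this example's assumption. The check generalises beyond the tutorial's single value to any VNet and any list of already-used subnets.

```python
"""Check an Application Gateway subnet CIDR against the AKS address-space
constraints stated in the AGIC tutorial.

Added example, not part of Microsoft's tutorial. Defaults assume the VNet and
node subnet the tutorial describes (10.224.0.0/12 and 10.224.0.0/16); the /24
minimum is the size recommended for v2 gateway subnets and is an assumption
of this check.
"""
from __future__ import annotations

import ipaddress

AKS_VNET = ipaddress.ip_network("10.224.0.0/12")
AKS_NODE_SUBNET = ipaddress.ip_network("10.224.0.0/16")
MIN_APPGW_PREFIX = 24  # assumption: /24 or larger for a v2 Application Gateway


def appgw_subnet_problems(cidr: str, vnet=AKS_VNET, taken=(AKS_NODE_SUBNET,)) -> list[str]:
    """Return every reason a CIDR is unusable for the AGIC-created gateway subnet.

    An empty list means the CIDR satisfies all modelled constraints.
    """
    try:
        # strict=True rejects values like 10.225.0.1/16 whose host bits are set.
        candidate = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    problems = []
    if candidate.version != vnet.version or not candidate.subnet_of(vnet):
        problems.append(f"{candidate} is not inside the AKS VNet {vnet}")
    for used in taken:
        if candidate.version == used.version and candidate.overlaps(used):
            problems.append(f"{candidate} overlaps the existing subnet {used}")
    if candidate.prefixlen > MIN_APPGW_PREFIX:
        problems.append(f"{candidate} is smaller than /{MIN_APPGW_PREFIX}")
    return problems


def first_free_subnet(vnet=AKS_VNET, taken=(AKS_NODE_SUBNET,), prefixlen=16) -> str | None:
    """Lowest subnet of the requested size that passes appgw_subnet_problems."""
    for cand in vnet.subnets(new_prefix=prefixlen):
        if not appgw_subnet_problems(str(cand), vnet, taken):
            return str(cand)
    return None


if __name__ == "__main__":
    for cidr in ("10.225.0.0/16", "10.224.1.0/24", "10.0.0.0/16", "10.225.0.0/28", "10.225.0.1/16"):
        print(f"{cidr:>15}: {appgw_subnet_problems(cidr) or 'ok'}")
    print("first free /16:", first_free_subnet())
```

With the tutorial's defaults the first free /16 is 10.225.0.0/16, the value the tutorial passes to --appgw-subnet-cidr; run the check against your own VNet and node subnet before calling az aks create so the failure surfaces here rather than during cluster provisioning.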

Getting gateway timeout in Azure application gateway

Azure VPN Gateway (obtained during the Azure VPN Gateway setup). Name it Azure-CGW-BGP. Set the BGP ASN for the Customer Gateway to 65010, the same ASN as set in Azure.

2.4. Create the site-to-site VPN connection with BGP setting
In the AWS Console, go to Site-to-Site VPN Connections > Create VPN Connection.
- Select the Virtual Private Gateway created earlier.
- Select the Customer Gateway created earlier.
- Routing Options: select Dynamic (requires BGP) to enable dynamic routing with BGP.
- Tunnels: AWS automatically creates two tunnels for redundancy.

2.4.1. Tunnel configuration - optional settings
Under the Optional Tunnel Settings, configure the Inside IPv4 CIDR for each tunnel:
- Tunnel 1: set the Inside IPv4 CIDR to 169.254.21.0/30.
- Tunnel 2: set the Inside IPv4 CIDR to 169.254.22.0/30.
This ensures proper BGP peering between Azure and AWS for both tunnels.

2.4.3. Download the VPN configuration file
After the VPN is set up, download the configuration file.
- Select Generic for the platform and Vendor agnostic for the software.
- Select IKEv2 for the IKE version.

3.1. Create two local network gateways
To support two tunnels, create two local network gateways on Azure, one for each tunnel. In the Azure portal, go to Local network gateway > Create.

Local network gateway 1 (for the first tunnel):
- Name: AWSLocalNetworkGatewayBGP-Tunnel1
- Public IP Address: enter the public IP for the first AWS VPN tunnel (from the configuration file).
- BGP Settings: go to the Advanced tab, select Yes for Configure BGP Settings, then:
  - ASN: set to 64512 (AWS ASN).
  - BGP Peer IP Address: enter 169.254.21.1 (AWS BGP peer IP for the first tunnel).
Note: You do not need to specify an address space when creating the local network gateway. Only the public IP and BGP settings are required.

Local network gateway 2 (for the second tunnel):
- Name: AWSLocalNetworkGatewayBGP-Tunnel2
- Public IP Address: enter the public IP for the second AWS VPN tunnel.
- BGP Settings: go to the Advanced tab, select Yes for Configure BGP Settings, then:
  - ASN: set to 64512 (AWS ASN).
  - BGP Peer IP Address: enter 169.254.22.1 (AWS BGP peer IP for the second tunnel).
Note: Enter the ASN first, followed by the BGP Peer IP Address, in this order.

3.2. Create the VPN connection for both tunnels
Go to Azure Portal > Virtual Network Gateway > Connections > + Add. For the first tunnel:
- Name: AzureAWSVPNConnectionBGP-Tunnel1
- Connection Type: Site-to-site (IPsec).
- Virtual Network Gateway: select AzureVPNGatewayBGP.
- Local Network Gateway: select AWSLocalNetworkGatewayBGP-Tunnel1.
- Shared Key (PSK): use the shared key from the AWS VPN configuration file for tunnel 1.
- IKE Protocol: ensure that IKEv2 is selected.
- Enable BGP: mark the checkbox to enable.
- Primary Custom BGP Address: enter 169.254.21.2 for Tunnel 1.
After

Azure Application Gateway - Any alternative in Azure?

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters
--aad-admin-group-object-ids: Comma-separated list of aad group object IDs that will be set as cluster admin.
The ID of an Azure Active Directory tenant.
The name of a subnet in an existing VNet into which to deploy the virtual nodes.
User account to create on node VMs for SSH access.
Comma-separated key-value pairs to specify custom headers.
Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
--api-server-authorized-ip-ranges: Comma-separated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
Specify the namespace which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.
Specify an existing user assigned identity for the control plane's usage in order to manage the cluster resource group.
--assign-kubelet-identity: Specify an existing user assigned identity for kubelet's usage, which is typically used to pull images from ACR.
Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.
Specify the upgrade channel for autoupgrade. Accepted values: node-image, none, patch, rapid, stable
--azure-keyvault-kms-key-id: Identifier of Azure Key Vault key.
--azure-keyvault-kms-key-vault-network-access: Network Access of Azure Key Vault. Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used. Accepted values: Private, Public
--azure-keyvault-kms-key-vault-resource-id: Resource ID of Azure Key Vault.
--azure-monitor-workspace-resource-id: Resource ID of the Azure Monitor Workspace.
--ca-profile --cluster-autoscaler-profile: Comma-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.
Secret associated with the service principal. This argument is required if --service-principal is specified.
The crg id used to associate the new cluster with the existing Capacity Reservation Group resource.
--data-collection-settings: Path to JSON file containing data collection settings for Monitoring addon.
Path to JSON file containing Microsoft Defender profile configurations.
--disable-acns-observability: Used to disable advanced networking observability features on a cluster when enabling advanced networking features with "--enable-acns".
Used to disable advanced networking security features on a cluster when enabling advanced networking features with "--enable-acns".
Disable AzureDisk CSI Driver.
Disable AzureFile CSI Driver.
If set to true, getting static credentials will be disabled for this cluster.
Disable public fqdn feature for private cluster.
Disable Kubernetes Role-Based Access Control.
--disable-snapshot-controller: Disable CSI Snapshot Controller.
Prefix for hostnames that are created. If not specified, generate a hostname using

I am currently trying to set up an Azure function application that will be accessed through an Application Gateway that restricts the network level access using the Azure WAF.
SAP on Azure: Azure Application Gateway Web

You can configure the default group using az configure --defaults group=<name>.

Optional Parameters
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
Specify the namespace which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces. Use with ingress-azure addon.
--data-collection-settings: Path to JSON file containing data collection settings for Monitoring addon.
A comma separated list of resource IDs of the DNS zone resource to use with the web_application_routing addon.
--enable-high-log-scale-mode: Enable High Log Scale Mode for Container Logs. Accepted values: false, true
--enable-msi-auth-for-monitoring: Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key). Accepted values: false, true
Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
Enable SGX quote helper for confcom addon.
Enable syslog data collection for Monitoring addon. Accepted values: false, true
Do not wait for the long-running operation to finish.
Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.
The subnet name for the virtual node to use.
The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.

Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format. Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.

az aks get-credentials
Get access credentials for a managed Kubernetes cluster. By default, the credentials are merged into the .kube/config file so kubectl can use them. See the -f parameter for details.

    az aks get-credentials --name --resource-group [--admin] [--context] [--file] [--format] [--overwrite-existing] [--public-fqdn]

Examples
Get access credentials for a managed Kubernetes cluster. (autogenerated)
    az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters
--admin: Get cluster administrator credentials. Default: cluster user credentials. On clusters with Azure Active Directory integration, this bypasses normal Azure AD authentication and can be used if you're permanently blocked by not having access to a valid Azure AD group with access to your cluster. Requires the 'Azure Kubernetes Service Cluster Admin' role. Because the result is a static cluster-admin credential that is not bound to a user identity, treat it as a break-glass path: audit its use and consider disabling local accounts on the cluster.
--context: If specified, overwrite the default context name. The --admin parameter takes

azure-docs/articles/application-gateway/how-application-gateway

Transition to another status.
- Connecting: the Azure VPN gateway is trying to reach the on-premises VPN site.
- Connected: connectivity is established between the Azure VPN gateway and the on-premises VPN site.
- Disconnected: typically seen if disconnected for any reason (on-premises or in Azure).

Download the VPN configuration file and apply it to the on-premises endpoint
1. On the VPN (Site to site) page, near the top, select Download VPN Config. Azure creates a storage account in the resource group 'microsoft-network-[location]', where location is the location of the WAN. The file contains the tunnels' pre-shared keys, so after you apply the configuration to your VPN devices, delete this storage account rather than leaving the keys at rest there.
2. Once created, select the link to download it.
3. Apply the configuration to your on-premises VPN device. For more information about the configuration file, see About the VPN device configuration file.

Patch the Azure VMware Solution ExpressRoute in the Virtual WAN hub
Important: You must first have a private cloud created before you can patch the platform.
Important: You must also have an ExpressRoute Gateway configured as part of your Virtual WAN hub.
1. In the Azure portal, go to the Azure VMware Solution private cloud.
2. Under Manage, select Connectivity.
3. Select the ExpressRoute tab, and then select + Request an authorization key.
4. Provide a name for the authorization key, and then select Create. It can take about 30 seconds to create the key. After the key is created, it appears in the list of authorization keys for the private cloud.
5. Copy the authorization key and the ExpressRoute ID. You need them to complete the peering. The authorization key disappears after some time, so copy it as soon as it appears.

Link Azure VMware Solution and the VPN gateway together in the Virtual WAN hub
You use the authorization key and ExpressRoute ID (peer circuit URI) from the previous step.
1. Select your ExpressRoute gateway and then select Redeem authorization key.
2. Paste the authorization key in the Authorization Key field.
3. Paste the ExpressRoute ID into the Peer circuit URI field.
4. Select the Automatically associate this ExpressRoute circuit with the hub check box.
5. Select Add to establish the link.

Test your connection by creating an NSX-T Data Center segment and provisioning a VM on the network. Ping both the on-premises and Azure VMware Solution endpoints.

Note: Wait approximately 5 minutes before you test connectivity from a client behind your ExpressRoute circuit, for example, a VM in the VNet that you created earlier.

SAP on Azure: Azure Application Gateway Web Applic - SAP

Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If the monitoring addon is enabled, the --no-wait argument has no effect.
virtual-node: enable AKS Virtual Node. Requires --aci-subnet-name to provide the name of an existing subnet for the Virtual Node to use. aci-subnet-name must be in the same vnet which is specified by --vnet-subnet-id (required as well).
azure-policy: enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Required if enabling deployment safeguards. Learn more at aka.ms/aks/policy.
ingress-appgw: enable Application Gateway Ingress Controller addon (PREVIEW).
confcom: enable confcom addon, this will enable SGX device plugin by default (PREVIEW).
open-service-mesh: enable Open Service Mesh addon (PREVIEW).
gitops: enable GitOps (PREVIEW).
azure-keyvault-secrets-provider: enable Azure Keyvault Secrets Provider addon.
web_application_routing: enable Web Application Routing addon (PREVIEW). Specify "--dns-zone-resource-id" to configure DNS.

Enable Azure Hybrid User Benefits (AHUB) for Windows VMs.
--enable-ai-toolchain-operator: Enable AI toolchain operator to the cluster.
--enable-apiserver-vnet-integration: Enable integration of user vnet with control plane apiserver pods.
Enable Application Routing addon.
--enable-asm --enable-azure-service-mesh: Enable Azure Service Mesh.
--enable-azure-container-storage: Enable azure container storage and define storage pool type. Accepted values: azureDisk, elasticSan, ephemeralDisk
--enable-azure-keyvault-kms: Enable Azure KeyVault Key Management Service.
--enable-azure-monitor-app-monitoring: Enable Azure Monitor Application Monitoring.
--enable-azure-monitor-metrics: Enable Azure Monitor Metrics Profile.
Enable Azure RBAC to control authorization checks on cluster.
Enable AzureBlob CSI Driver.
--enable-cluster-autoscaler: Enable cluster autoscaler, default value is false. If specified, please make sure the kubernetes version is larger than 1.10.6.
Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.
Enable Custom CA Trust on agent node pool.
Enable Microsoft Defender security profile.
--enable-encryption-at-host: Enable EncryptionAtHost on agent node pool.
Use FIPS-enabled OS on agent nodes.
--enable-high-log-scale-mode: Enable High Log Scale Mode for Container Logs. Accepted values: false, true
Enable ImageCleaner Service.
Enable ImageIntegrity Service.
--enable-imds-restriction: Enable IMDS restriction in the cluster. Non-hostNetwork Pods will not be able to access IMDS, so a compromised pod cannot request managed-identity tokens from the node's instance metadata endpoint.
Enable KEDA workload auto-scaler.
--enable-managed-identity: Use managed identity to manage the cluster resource group. You can explicitly specify "--service-principal" and "--client-secret" to disable managed identity; otherwise it will be enabled.
--enable-msi-auth-for-monitoring: Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key). Accepted values: false, true
Enable VMSS node public IP.
(PREVIEW) Enable pod identity addon.
--enable-pod-identity-with-kubenet: (PREVIEW) Enable pod identity addon for cluster using Kubenet network plugin.
Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
Enable Secure Boot on all node pools in the cluster. Must use VMSS agent pool type.
Enable SGX quote helper for confcom addon.
--enable-static-egress-gateway: Enable Static Egress Gateway addon to the

Comments

User7997

Skip to main content This browser is no longer supported. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Tutorial: Enable the ingress controller add-on for a new AKS cluster with a new application gateway instance Article02/04/2025 In this article -->You can use the Azure CLI to enable the application gateway ingress controller (AGIC) add-on for a new Azure Kubernetes Services (AKS) cluster.In this tutorial, you'll create an AKS cluster with the AGIC add-on enabled. Creating the cluster will automatically create an Azure application gateway instance to use. You'll then deploy a sample application that will use the add-on to expose the application through application gateway.The add-on provides a much faster way to deploy AGIC for your AKS cluster than previously through Helm. It also offers a fully managed experience.In this tutorial, you learn how to:Create a resource group.Create a new AKS cluster with the AGIC add-on enabled.Deploy a sample application by using AGIC for ingress on the AKS cluster.Check that the application is reachable through application gateway.If you don't have an Azure subscription, create an Azure free account before you begin.PrerequisitesUse the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.When you're prompted, install the Azure CLI extension on first use. 
For more information about extensions, see Use extensions with the Azure CLI.Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.Create a resource groupIn Azure, you allocate related resources to a resource group. Create a resource group by using az

2025-04-05
User6003

Skip to main content This browser is no longer supported. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Create and use Web Application Firewall v2 custom rules on Application Gateway Article04/06/2023 In this article -->The Web Application Firewall (WAF) v2 on Azure Application Gateway provides protection for web applications. This protection is provided by the Open Web Application Security Project (OWASP) Core Rule Set (CRS). In some cases, you may need to create your own custom rules to meet your specific needs. For more information about WAF custom rules, see Custom web application firewall rules overview.This article shows you some example custom rules that you can create and use with your v2 WAF. To learn how to deploy a WAF with a custom rule using Azure PowerShell, see Configure Web Application Firewall custom rules using Azure PowerShell.The JSON snippets shown in this article are derived from a ApplicationGatewayWebApplicationFirewallPolicies resource.NoteIf your application gateway is not using the WAF tier, the option to upgrade the application gateway to the WAF tier appears in the right pane.Example 1You know there's a bot named evilbot that you want to block from crawling your website. In this case, you block on the User-Agent evilbot in the request headers.Logic: p$variable = New-AzApplicationGatewayFirewallMatchVariable ` -VariableName RequestHeaders ` -Selector User-Agent$condition = New-AzApplicationGatewayFirewallCondition ` -MatchVariable $variable ` -Operator Contains ` -MatchValue "evilbot" ` -Transform Lowercase ` -NegationCondition $False$rule = New-AzApplicationGatewayFirewallCustomRule ` -Name blockEvilBot ` -Priority 2 ` -RuleType MatchRule ` -MatchCondition

2025-04-01
User9438

ID, and the Microsoft application ID. To prevent this, modify your profile configuration .xml file to include both the custom application ID and the Microsoft application ID.

Note: This step is necessary for P2S gateway configurations that use a custom audience value and your registered app is associated with the Microsoft-registered Azure VPN Client app ID. If this doesn't apply to your P2S gateway configuration, you can skip this step.

To modify the Azure VPN Client configuration .xml file, open the file using a text editor such as Notepad.

Next, add the value for applicationid and save your changes. The following example shows the application ID value c632b3df-fb67-4d84-bdcf-b95ad541b5c8.

Example

    {customAudienceID} ID value}/ ID value}/ c632b3df-fb67-4d84-bdcf-b95ad541b5c8

Import VPN client profile configuration files

Note: We're in the process of changing the Azure VPN Client fields for Azure Active Directory to Microsoft Entra ID. If you see Microsoft Entra ID fields referenced in this article, but don't yet see those values reflected in the client, select the comparable Azure Active Directory values.

On the Azure VPN Client page, select Import.

Navigate to the folder containing the file that you want to import, select it, then click Open.

On this screen, notice the connection values are populated using the values in the imported VPN client configuration file.

Verify that the Certificate Information value shows DigiCert Global Root G2, rather than the default or blank. Adjust the value if necessary.

Notice the Client Authentication values align with the values that were used to configure the VPN gateway for Microsoft Entra ID authentication. This field must reflect the

2025-04-03
User9185

group create. The following example creates a resource group named myResourceGroup in the East US location (region):

    az group create --name myResourceGroup --location eastus

Deploy an AKS cluster with the add-on enabled

You'll now deploy a new AKS cluster with the AGIC add-on enabled. If you don't provide an existing application gateway instance to use in this process, you'll automatically create and set up a new application gateway instance to serve traffic to the AKS cluster.

Note: The application gateway ingress controller add-on supports only application gateway v2 SKUs (Standard and WAF), and not the application gateway v1 SKUs. When you're deploying a new application gateway instance through the AGIC add-on, you can deploy only an application gateway Standard_v2 SKU. If you want to enable the add-on for an application gateway WAF_v2 SKU, use either of these methods:

- Enable WAF on application gateway through the portal.
- Create the WAF_v2 application gateway instance first, and then follow instructions on how to enable the AGIC add-on with an existing AKS cluster and existing application gateway instance.

In the following example, you'll deploy a new AKS cluster named myCluster by using Azure CNI and managed identities. The AGIC add-on will be enabled in the resource group that you created, myResourceGroup.

Deploying a new AKS cluster with the AGIC add-on enabled without specifying an existing application gateway instance will automatically create a Standard_v2 SKU application gateway instance. You'll need to specify a name and subnet address space for the new application gateway instance. The address space must be taken from the 10.224.0.0/12 prefix used by the AKS virtual network without overlapping the 10.224.0.0/16 prefix used by the AKS subnet. In this tutorial, use myApplicationGateway for the application gateway name and 10.225.0.0/16 for its subnet address space.

    az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-managed-identity -a ingress-appgw --appgw-name myApplicationGateway --appgw-subnet-cidr "10.225.0.0/16" --generate-ssh-keys

Note: Please ensure the identity used by AGIC has the proper permissions. A list of permissions needed by the identity can be found here: Configure Infrastructure - Permissions. If a custom role is not defined with the required permissions, you may use the Network Contributor role.

    # Get application gateway id from AKS addon profile
    appGatewayId=$(az aks
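The subnet constraint above (inside 10.224.0.0/12, but not overlapping 10.224.0.0/16) is easy to get wrong, and a bad value only surfaces after a long `az aks create` run. The following is an added Python pre-flight check, not part of the tutorial or of the AGIC add-on: `check_appgw_subnet` verifies both constraints with the standard-library ipaddress module, and `build_aks_create_command` emits the tutorial's command only for a CIDR that passes. Both function names, and the candidate CIDRs in `main()`, are assumptions made for this example; the two default prefixes are the ones the tutorial states.

```python
"""Pre-flight check for the AGIC add-on application gateway subnet.

Added example, not part of the tutorial or of the AGIC add-on itself. The
tutorial requires the new application gateway subnet to lie inside the
10.224.0.0/12 prefix of the AKS virtual network without overlapping the
10.224.0.0/16 AKS node subnet. check_appgw_subnet verifies both constraints;
build_aks_create_command refuses to produce the az aks create line otherwise.
The candidate CIDRs in main() are constructed for the demonstration.
"""
import ipaddress

# Prefixes the tutorial states for the AKS virtual network and node subnet.
AKS_VNET = ipaddress.ip_network("10.224.0.0/12")
AKS_NODE_SUBNET = ipaddress.ip_network("10.224.0.0/16")


def check_appgw_subnet(cidr, vnet=AKS_VNET, reserved=(AKS_NODE_SUBNET,)):
    """Return (ok, reason).

    ok is True only when cidr is a well-formed network address (host bits
    zero), sits inside vnet, and is disjoint from every subnet in reserved.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, f"invalid CIDR {cidr!r}: {exc}"
    if net.version != vnet.version:
        return False, f"{net} is IPv{net.version} but the VNet {vnet} is IPv{vnet.version}"
    if not net.subnet_of(vnet):
        return False, f"{net} is outside the AKS virtual network {vnet}"
    for taken in reserved:
        if net.overlaps(taken):
            return False, f"{net} overlaps the existing subnet {taken}"
    return True, f"{net} fits inside {vnet} and overlaps no existing subnet"


def build_aks_create_command(cluster, resource_group, appgw_name, cidr):
    """Return the tutorial's az aks create command for a validated CIDR; raise ValueError otherwise."""
    ok, reason = check_appgw_subnet(cidr)
    if not ok:
        raise ValueError(reason)
    return (
        f"az aks create -n {cluster} -g {resource_group} --network-plugin azure "
        f"--enable-managed-identity -a ingress-appgw --appgw-name {appgw_name} "
        f'--appgw-subnet-cidr "{cidr}" --generate-ssh-keys'
    )


def main():
    # Constructed candidates: the tutorial's value plus typical mistakes.
    candidates = [
        "10.225.0.0/16",    # the tutorial's value
        "10.224.0.0/16",    # the AKS node subnet itself
        "10.224.200.0/24",  # carved out of the node subnet
        "10.240.0.0/16",    # just outside the /12
        "10.225.0.1/16",    # host bits set
    ]
    for cidr in candidates:
        ok, reason = check_appgw_subnet(cidr)
        print(f"{'OK ' if ok else 'BAD'} {reason}")
    print(build_aks_create_command("myCluster", "myResourceGroup",
                                   "myApplicationGateway", "10.225.0.0/16"))


if __name__ == "__main__":
    main()
```

Run it before the deployment step; only the first candidate is accepted, and the printed command is the one the tutorial uses. If your cluster uses a different VNet layout, pass your own prefixes through the `vnet` and `reserved` parameters rather than editing the constants.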

2025-04-22
