From 3a4a9b0d5e221f54c9956bcd4520dc5175023b94 Mon Sep 17 00:00:00 2001
From: cdossa <cdossa@microsoft.com>
Date: Tue, 31 Mar 2026 15:56:35 -0700
Subject: [PATCH] aks-preview: Fix managedNATGatewayV2 outbound type being
 overwritten to loadBalancer

The dynamic completion logic in _get_outbound_type() did not include
managedNATGatewayV2 in its list of known outbound types. When a user
specified --outbound-type managedNATGatewayV2, the CLI treated it as
an unrecognized value and silently overwrote it to loadBalancer before
sending the request to the RP.

Fixed in 3 places:
- Dynamic completion list: preserve managedNATGatewayV2 instead of
  overwriting to loadBalancer
- Basic LB SKU validation: reject managedNATGatewayV2 with basic SKU
- Multi-zone warning: show zone-redundancy warning for V2 on update
---
 src/aks-preview/HISTORY.rst                   |  6 +++++-
 .../managed_cluster_decorator.py              |  7 ++++++-
 .../latest/test_managed_cluster_decorator.py  | 19 +++++++++++++++++++
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst
index 6363e8ac1ad..714897e1790 100644
--- a/src/aks-preview/HISTORY.rst
+++ b/src/aks-preview/HISTORY.rst
@@ -12,9 +12,13 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 * Add MIG (Multi-Instance GPU) strategy option to node pool property in `az aks nodepool add` and `az aks nodepool update`.
-* `az aks create/update`: Add `--outbound-type managedNATGatewayV2` support using Azure NAT Gateway Standard V2 SKU with IPv6, user-provided IPs, and IP prefixes.
 * Fix monitoring addon key casing compatibility with azure-cli/acs
 
+19.0.0b29
++++++++
+* `az aks create/update`: Add `--outbound-type managedNATGatewayV2` support using Azure NAT Gateway Standard V2 SKU with IPv6, user-provided IPs, and IP prefixes.
+* `az aks create/update`: Fix `--outbound-type managedNATGatewayV2` being silently overwritten to `loadBalancer` by the dynamic completion logic.
+
 19.0.0b28
 +++++++
 * Fix `match_condition` kwarg leaking to HTTP transport by overriding `put_mc` and `add_agentpool` to pass `if_match` / `if_none_match` directly to the vendored SDK. This change fixes the compatibility issue as azure-cli/acs module adopts TypeSpec emitted SDKs while azure-cli-extensions/aks-preview still uses the autorest emitted SDK.
diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
index 26dded2e118..d0ccbfb0389 100644
--- a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
+++ b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
@@ -561,6 +561,7 @@ def _get_outbound_type(
             not read_from_mc and
             outbound_type not in [
                 CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY,
+                CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY_V2,
                 CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY,
                 CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING,
                 CONST_OUTBOUND_TYPE_NONE,
@@ -580,6 +581,7 @@ def _get_outbound_type(
             if outbound_type in [
                 CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING,
                 CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY,
+                CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY_V2,
                 CONST_OUTBOUND_TYPE_USER_ASSIGNED_NAT_GATEWAY,
             ]:
                 if safe_lower(self._get_load_balancer_sku(enable_validation=False)) == CONST_LOAD_BALANCER_SKU_BASIC:
@@ -622,7 +624,10 @@ def _get_outbound_type(
                                 a standard load balancer with IP addresses"
                             )
             if self.decorator_mode == DecoratorMode.UPDATE:
-                if outbound_type == CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY:
+                if outbound_type in [
+                    CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY,
+                    CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY_V2,
+                ]:
                     if self.mc.agent_pool_profiles is not None and len(self.mc.agent_pool_profiles) > 1:
                         multizoned = False
                         for ap in self.mc.agent_pool_profiles:
diff --git a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py
index 733eabcddd3..f84639fab49 100644
--- a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py
+++ b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py
@@ -102,6 +102,9 @@
     DecoratorEarlyExitException,
     DecoratorMode,
 )
+from azext_aks_preview._consts import (
+    CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY_V2,
+)
 from dateutil.parser import parse
 from deepdiff import DeepDiff
 
@@ -4686,6 +4689,22 @@ def test_get_outbound_type(self):
         expect_outbound_type_4 = CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY
         self.assertEqual(outbound_type_4,expect_outbound_type_4)
 
+        # managedNATGatewayV2 should be preserved, not overwritten to loadBalancer
+        ctx5 = AKSPreviewManagedClusterContext(
+            self.cmd,
+            AKSManagedClusterParamDict(
+                {"outbound_type": "managedNATGatewayV2"}
+            ),
+            self.models,
+            decorator_mode=DecoratorMode.CREATE,
+        )
+        self.create_attach_agentpool_context(ctx5)
+        outbound_type_5 = ctx5._get_outbound_type(False, False, None)
+        self.assertEqual(
+            outbound_type_5,
+            CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY_V2,
+        )
+
     def test_get_enable_gateway_api(self):
         # default value
         ctx_1 = AKSPreviewManagedClusterContext(