From 776e3e00c8df75f5a6fe506ff6bb3d0d508e09de Mon Sep 17 00:00:00 2001
From: Aditya Narayanaswamy
Date: Wed, 4 Mar 2026 16:27:41 -0500
Subject: [PATCH] azure: Create nat rule and associate to NIC

Adding IPv6 NAT rule for bootstrap SSH access and updating NAT rules to the correct IP version on the bootstrap NIC.
---
 pkg/infrastructure/azure/azure.go | 36 +++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/pkg/infrastructure/azure/azure.go b/pkg/infrastructure/azure/azure.go
index 12afe71bf9e..a1b886ef07a 100644
--- a/pkg/infrastructure/azure/azure.go
+++ b/pkg/infrastructure/azure/azure.go
@@ -578,6 +578,42 @@ func (p *Provider) PostProvision(ctx context.Context, in clusterapi.PostProvisio
 if err != nil {
 return fmt.Errorf("failed to associate inbound nat rule to interface: %w", err)
 }
+
+ if in.InstallConfig.Config.Azure.IPFamily.DualStackEnabled() {
+ frontendIPv6ConfigName := "public-lb-ip-v6"
+ sshRuleNameV6 := fmt.Sprintf("%s_ssh_in_v6", in.InfraID)
+ frontendIPv6ConfigID := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/loadBalancers/%s/frontendIPConfigurations/%s",
+ subscriptionID,
+ p.ResourceGroupName,
+ loadBalancerName,
+ frontendIPv6ConfigName,
+ )
+
+ inboundNatRuleV6, err := addInboundNatRuleToLoadBalancer(ctx, &inboundNatRuleInput{
+ resourceGroupName: p.ResourceGroupName,
+ loadBalancerName: loadBalancerName,
+ frontendIPConfigID: frontendIPv6ConfigID,
+ inboundNatRuleName: sshRuleNameV6,
+ inboundNatRulePort: 22,
+ networkClientFactory: p.NetworkClientFactory,
+ })
+ if err != nil {
+ return fmt.Errorf("failed to create IPv6 SSH inbound nat rule: %w", err)
+ }
+ _, err = associateInboundNatRuleToInterface(ctx, &inboundNatRuleInput{
+ resourceGroupName: p.ResourceGroupName,
+ loadBalancerName: loadBalancerName,
+ bootstrapNicName: fmt.Sprintf("%s-bootstrap-nic", in.InfraID),
+ frontendIPConfigID: frontendIPv6ConfigID,
+ inboundNatRuleID: *inboundNatRuleV6.ID,
+ inboundNatRuleName: sshRuleNameV6,
+ inboundNatRulePort: 22,
+ networkClientFactory: p.NetworkClientFactory,
+ })
+ if err != nil {
+ return fmt.Errorf("failed to associate IPv6 SSH inbound nat rule to interface: %w", err)
+ }
+ }
 }

 return nil
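Review bot: `*inboundNatRuleV6.ID` is dereferenced in the `associateInboundNatRuleToInterface` call without a nil check, so a rule returned without an ID would panic the installer instead of surfacing an error; a guard before the call, `if inboundNatRuleV6.ID == nil { return fmt.Errorf("IPv6 SSH inbound nat rule has no ID") }`, keeps that failure on the error path. Separately, the patch only adds creation (one file, 36 insertions), so it is worth confirming that bootstrap teardown also removes the `%s_ssh_in_v6` rule. If the existing cleanup selects the IPv4 rule by name, which is not visible here, port 22 would stay forwarded on the `public-lb-ip-v6` frontend after bootstrap finishes. The enclosing condition and the rest of PostProvision lie outside the hunk, so whether this block is limited to publicly published clusters cannot be confirmed from these lines.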