Azure · yanzhudd · Jun 24, 2026 · May 25, 2026 · May 25, 2026 · May 25, 2026
@@ -11,11 +11,15 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+
+21.0.0b7
+++++++++
 * `az aks create`: Add `--node-disruption-policy` (preview) to set the node disruption policy at cluster creation time. Requires AFEC registration `Microsoft.ContainerService/NodeDisruptionProfile`. This is a cluster-level property that applies to all node pools in the cluster.
-* `az aks maintenancewindow`: Add CRUD commands (`create`, `show`, `list`, `update`, `delete`, `wait`) for the new MaintenanceWindow peer ARM resource. Available with API version `2026-04-02-preview`. Requires the `Microsoft.ContainerService/AKSSharedMaintenanceWindowPreview` feature to be registered on the subscription (auto-approval).
 * `az aks bastion`: Fix failure when the bastion host is in a different subscription than the cluster by using the subscription from the bastion resource ID for the internal `az network bastion tunnel` command.
-* Set `principalType` when creating role assignments to avoid `PrincipalNotFound` failures caused by Microsoft Entra ID replication delay for freshly created identities.
+* `az aks create` and `az aks update`: Add `--enable-backup` (preview) to configure Azure Backup for the AKS cluster in a single command. Supports `--backup-strategy` presets (Week, Month, DisasterRecovery, Custom) and an optional `--backup-configuration` for bring-your-own vault/policy/storage. Requires the `dataprotection` CLI extension.
+* `az aks maintenancewindow`: Add CRUD commands (`create`, `show`, `list`, `update`, `delete`, `wait`) for the new MaintenanceWindow peer ARM resource. Available with API version `2026-04-02-preview`. Requires the `Microsoft.ContainerService/AKSSharedMaintenanceWindowPreview` feature to be registered on the subscription (auto-approval).
 * `az aks update`: Fix misleading error when updating outbound type to `userDefinedRouting` or `userAssignedNATGateway`. For managed VNet clusters (unsupported), a clear error message is now shown instead of asking for `--vnet-subnet-id`. For BYO VNet clusters, the update works correctly without requiring the user to re-specify the subnet.
+* Set `principalType` when creating role assignments to avoid `PrincipalNotFound` failures caused by Microsoft Entra ID replication delay for freshly created identities.
 
 21.0.0b6
 ++++++++

@@ -843,6 +843,8 @@
           text: az aks create -g MyResourceGroup -n MyManagedCluster --control-plane-scaling-size H4
         - name: Create an automatic cluster with hosted system components enabled.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --sku automatic --enable-hosted-system
+        - name: Create a kubernetes cluster with Azure Backup enabled (default Week strategy). Requires the 'dataprotection' extension. Implicitly waits for cluster creation.
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --generate-ssh-keys --enable-backup --yes
 
 """
 
@@ -1613,6 +1615,10 @@
         text: az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --safeguards-excluded-ns ns1,ns2
       - name: Enable Azure Monitor logs for a kubernetes cluster
         text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-azure-monitor-logs
+      - name: Enable Azure Backup for a kubernetes cluster (default Week strategy). Requires the 'dataprotection' extension.
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-backup --yes
+      - name: Enable Azure Backup with a custom strategy using an existing vault and policy
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-backup --backup-strategy Custom --backup-configuration @config.json --yes
       - name: Disable Azure Monitor logs for a kubernetes cluster
         text: az aks update -g MyResourceGroup -n MyManagedCluster --disable-azure-monitor-logs
       - name: Update a kubernetes cluster to clear any namespaces excluded from safeguards. Assumes azure policy addon is already enabled

@@ -568,6 +568,10 @@
     CONST_UPGRADE_STRATEGY_BLUE_GREEN,
 ]
 
+# AKS backup strategy presets exposed by --backup-strategy.
+# NOTE: must mirror CONST_AKS_BACKUP_STRATEGIES in azext_dataprotection.manual._consts.
+aks_backup_strategies = ["Week", "Month", "DisasterRecovery", "Custom"]
+
 node_disruption_policies = [
     CONST_NODE_DISRUPTION_POLICY_ALLOW,
     CONST_NODE_DISRUPTION_POLICY_BLOCK,
@@ -1318,6 +1322,34 @@ def load_arguments(self, _):
             is_preview=True,
             help="Enable continuous control plane and addon monitor for the cluster.",
         )
+        # Backup (delegates to the dataprotection extension)
+        c.argument(
+            "enable_backup",
+            action="store_true",
+            is_preview=True,
+            help="Enable Azure Backup for this AKS cluster. Orchestrates the same flow as "
+                 "'az dataprotection enable-backup trigger' (requires the 'dataprotection' extension). "
+                 "Implicitly waits for cluster creation to complete (ignores --no-wait).",
+        )
+        c.argument(
+            "backup_strategy",
+            arg_type=get_enum_type(aks_backup_strategies),
+            is_preview=True,
+            help="Backup strategy preset. Week (default, 7-day operational retention), Month "
+                 "(30-day operational retention), DisasterRecovery (7-day operational + 90-day vault "
+                 "retention), Custom (bring your own vault and policy via --backup-configuration). "
+                 "Only valid with --enable-backup.",
+        )
+        c.argument(
+            "backup_configuration_file",
+            options_list=["--backup-configuration"],
+            type=validate_file_or_dict,
+            is_preview=True,
+            help="Backup configuration as inline JSON string or @file.json. "
+                 "Supports storageAccountResourceId, blobContainerName, backupResourceGroupId, "
+                 "backupVaultId, backupPolicyId, tags. backupVaultId and backupPolicyId are required "
+                 "for Custom strategy. Only valid with --enable-backup.",
+        )
         # prepared image specification
         c.argument(
             'prepared_image_specification_id',
@@ -1989,6 +2021,33 @@ def load_arguments(self, _):
             is_preview=True,
             help="Disable continuous control plane and addon monitor for the cluster.",
         )
+        # Backup (delegates to the dataprotection extension)
+        c.argument(
+            "enable_backup",
+            action="store_true",
+            is_preview=True,
+            help="Enable Azure Backup for this AKS cluster. Orchestrates the same flow as "
+                 "'az dataprotection enable-backup trigger' (requires the 'dataprotection' extension).",
+        )
+        c.argument(
+            "backup_strategy",
+            arg_type=get_enum_type(aks_backup_strategies),
+            is_preview=True,
+            help="Backup strategy preset. Week (default, 7-day operational retention), Month "
+                 "(30-day operational retention), DisasterRecovery (7-day operational + 90-day vault "
+                 "retention), Custom (bring your own vault and policy via --backup-configuration). "
+                 "Only valid with --enable-backup.",
+        )
+        c.argument(
+            "backup_configuration_file",
+            options_list=["--backup-configuration"],
+            type=validate_file_or_dict,
+            is_preview=True,
+            help="Backup configuration as inline JSON string or @file.json. "
+                 "Supports storageAccountResourceId, blobContainerName, backupResourceGroupId, "
+                 "backupVaultId, backupPolicyId, tags. backupVaultId and backupPolicyId are required "
+                 "for Custom strategy. Only valid with --enable-backup.",
+        )
         c.argument(
             "control_plane_scaling_size",
             options_list=["--control-plane-scaling-size", "--cp-scaling-size"],

@@ -0,0 +1,84 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+"""Helpers that delegate AKS backup enablement to the dataprotection extension."""
+
+from knack.log import get_logger
+from knack.prompting import prompt_y_n, NoTTYException
+
+from azure.cli.core.azclierror import RequiredArgumentMissingError
+
+DATAPROTECTION_EXTENSION_NAME = "dataprotection"
+
+logger = get_logger(__name__)
+
+
+def _ensure_dataprotection_extension(cmd, yes):
+    """Make ``azext_dataprotection.manual.aks.aks_helper`` importable.
+
+    If the ``dataprotection`` extension is not installed, prompt the user to
+    install it (or install silently when ``yes`` is True). Raises
+    ``RequiredArgumentMissingError`` if the user declines or the install fails.
+    """
+    from azure.cli.core.extension.operations import add_extension_to_path
+
+    try:
+        add_extension_to_path(DATAPROTECTION_EXTENSION_NAME)
+        from azext_dataprotection.manual.aks.aks_helper import (  # pylint: disable=unused-import,import-error
+            dataprotection_enable_backup_helper,
+        )
+        return
+    except Exception:  # pylint: disable=broad-except
+        pass
+
+    install_msg = (
+        f"The '{DATAPROTECTION_EXTENSION_NAME}' extension is required for "
+        "--enable-backup but is not installed. Install it now?"
+    )
+    proceed = yes
+    if not proceed:
+        try:
+            proceed = prompt_y_n(install_msg, default="y")
+        except NoTTYException:
+            proceed = False
+    if not proceed:
+        raise RequiredArgumentMissingError(
+            f"The '{DATAPROTECTION_EXTENSION_NAME}' extension is required for "
+            "--enable-backup with 'az aks create' / 'az aks update'.\n"
+            f"Run `az extension add --name {DATAPROTECTION_EXTENSION_NAME}` "
+            "and retry, or rerun with --yes to auto-install."
+        )
+
+    logger.warning("Installing extension '%s'...", DATAPROTECTION_EXTENSION_NAME)
+    from azure.cli.core.extension.operations import add_extension
+    add_extension(cmd=cmd, extension_name=DATAPROTECTION_EXTENSION_NAME)
+    add_extension_to_path(DATAPROTECTION_EXTENSION_NAME)
+
+
+def enable_aks_backup(cmd, resource_group_name, cluster_name,  # pylint: disable=too-many-positional-arguments
+                      backup_strategy, backup_configuration_file, yes):
+    """Enable Azure Backup for an AKS cluster by delegating to the
+    ``dataprotection`` extension.
+    """
+    from azure.cli.core.commands.client_factory import get_subscription_id
+
+    _ensure_dataprotection_extension(cmd, yes)
+
+    from azext_dataprotection.manual.aks.aks_helper import (  # pylint: disable=import-error
+        dataprotection_enable_backup_helper,
+    )
+
+    subscription_id = get_subscription_id(cmd.cli_ctx)
+    datasource_id = (
+        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
+        f"/providers/Microsoft.ContainerService/managedClusters/{cluster_name}"
+    )
+    dataprotection_enable_backup_helper(
+        cmd,
+        datasource_id,
+        backup_strategy or "Week",
+        backup_configuration_file or {},
+        yes=yes,
+    )
@@ -1440,6 +1440,10 @@ def aks_create(
     control_plane_scaling_size=None,
     # health monitor
     enable_continuous_control_plane_and_addon_monitor=False,
+    # backup (delegates to the dataprotection extension)
+    enable_backup=False,
+    backup_strategy=None,
+    backup_configuration_file=None,
     # prepared image specification
     prepared_image_specification_id=None,
 ):
@@ -1702,6 +1706,10 @@ def aks_update(
     # health monitor
     enable_continuous_control_plane_and_addon_monitor=False,
     disable_continuous_control_plane_and_addon_monitor=False,
+    # backup (delegates to the dataprotection extension)
+    enable_backup=False,
+    backup_strategy=None,
+    backup_configuration_file=None,
     # node disruption policy
     node_disruption_policy=None,
     # control plane scaling

@@ -296,6 +296,9 @@ def external_functions(self) -> SimpleNamespace:
             external_functions["ensure_container_insights_for_monitoring"] = (
                 ensure_container_insights_for_monitoring_preview
             )
+            # AKS backup (delegates to the dataprotection extension)
+            from azext_aks_preview.aks_backup import enable_aks_backup
+            external_functions["enable_aks_backup"] = enable_aks_backup
             self.__external_functions = SimpleNamespace(**external_functions)
         return self.__external_functions
 
@@ -5516,6 +5519,7 @@ def check_is_postprocessing_required(self, mc: ManagedCluster) -> bool:
             "enable_azure_container_storage",
             default_value=False
         )
+        enable_backup = self.context.raw_param.get("enable_backup", False)
 
         # pylint: disable=too-many-boolean-expressions
         if (
@@ -5525,7 +5529,8 @@ def check_is_postprocessing_required(self, mc: ManagedCluster) -> bool:
             azuremonitormetrics_addon_enabled or
             (enable_managed_identity and attach_acr) or
             need_grant_vnet_permission_to_cluster_identity or
-            enable_azure_container_storage
+            enable_azure_container_storage or
+            enable_backup
         ):
             return True
         return False
@@ -5787,6 +5792,17 @@ def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None:
                     assignee_principal_type="User",
                 )
 
+        # Enable Azure Backup for the AKS cluster (delegates to dataprotection extension)
+        if self.context.raw_param.get("enable_backup", False):
+            self.context.external_functions.enable_aks_backup(
+                self.cmd,
+                self.context.get_resource_group_name(),
+                self.context.get_name(),
+                self.context.raw_param.get("backup_strategy"),
+                self.context.raw_param.get("backup_configuration_file"),
+                self.context.raw_param.get("yes", False),
+            )
+
     def put_mc(self, mc: ManagedCluster) -> ManagedCluster:
         etag, match_condition = _get_etag_match_condition(
             self.context.get_if_match(), self.context.get_if_none_match()
@@ -8512,10 +8528,13 @@ def check_is_postprocessing_required(self, mc: ManagedCluster) -> bool:
             monitoring_addon_postprocessing_required = self.context.get_intermediate(
                 "monitoring_addon_postprocessing_required", default_value=False
             )
+            enable_backup = self.context.raw_param.get("enable_backup", False)
             # Note: monitoring_addon_disable_postprocessing_required is no longer used - cleanup is done upfront
+            # pylint: disable=too-many-boolean-expressions
             if (enable_azure_container_storage or disable_azure_container_storage) or \
                (keyvault_id and enable_azure_keyvault_secrets_provider_addon) or \
-               (monitoring_addon_postprocessing_required):
+               (monitoring_addon_postprocessing_required) or \
+               enable_backup:
                 return True
         return postprocessing_required
 
@@ -8748,6 +8767,17 @@ def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None:
             else:
                 raise CLIError('Keyvault secrets provider addon must be enabled to attach keyvault.\n')
 
+        # Enable Azure Backup for the AKS cluster (delegates to dataprotection extension)
+        if self.context.raw_param.get("enable_backup", False):
+            self.context.external_functions.enable_aks_backup(
+                self.cmd,
+                self.context.get_resource_group_name(),
+                self.context.get_name(),
+                self.context.raw_param.get("backup_strategy"),
+                self.context.raw_param.get("backup_configuration_file"),
+                self.context.raw_param.get("yes", False),
+            )
+
     def put_mc(self, mc: ManagedCluster) -> ManagedCluster:
         etag, match_condition = _get_etag_match_condition(
             self.context.get_if_match(), self.context.get_if_none_match()