Azure · wangzelin007 · Apr 28, 2026 · Mar 19, 2026 · Mar 20, 2026 · Mar 20, 2026
@@ -252,6 +252,8 @@
 CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK = "Rollback"
 CONST_AZURE_SERVICE_MESH_DEFAULT_EGRESS_NAMESPACE = "aks-istio-egress"
 CONST_AZURE_SERVICE_MESH_MAX_EGRESS_NAME_LENGTH = 63
+CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS = "InitContainers"
+CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING = "CNIChaining"
 
 # Dns zone contributor role
 CONST_PRIVATE_DNS_ZONE_CONTRIBUTOR_ROLE = "Private DNS Zone Contributor"

@@ -2736,11 +2736,17 @@
       - name: --root-cert-object-name
         type: string
         short-summary: Root cert object name in the Azure Keyvault.
+      - name: --proxy-redirection-mechanism
+        type: string
+        short-summary: Set the proxy redirection mechanism.
+        long-summary: Allowed values are "CNIChaining" which uses CNI plugins for traffic redirection, and "InitContainers" which uses privileged init containers.
     examples:
       - name: Enable Azure Service Mesh with selfsigned CA.
         text: az aks mesh enable --resource-group MyResourceGroup --name MyManagedCluster
       - name: Enable Azure Service Mesh with plugin CA.
         text: az aks mesh enable --resource-group MyResourceGroup --name MyManagedCluster --key-vault-id /subscriptions/00000/resourceGroups/foo/providers/Microsoft.KeyVault/vaults/foo --ca-cert-object-name my-ca-cert --ca-key-object-name my-ca-key --cert-chain-object-name my-cert-chain --root-cert-object-name my-root-cert
+      - name: Enable Azure Service Mesh with CNI chaining.
+        text: az aks mesh enable --resource-group MyResourceGroup --name MyManagedCluster --proxy-redirection-mechanism CNIChaining
 """
 
 helps["aks mesh disable"] = """
@@ -2873,6 +2879,24 @@
         text: az aks mesh upgrade rollback --resource-group MyResourceGroup --name MyManagedCluster
 """
 
+helps['aks mesh proxy-redirection-mechanism'] = """
+    type: command
+    short-summary: Set the proxy redirection mechanism for Azure Service Mesh.
+    long-summary: >
+      This command sets the proxy redirection mechanism for Azure Service Mesh
+      on a cluster that already has the service mesh enabled.
+    parameters:
+      - name: --mechanism
+        type: string
+        short-summary: The proxy redirection mechanism.
+        long-summary: Allowed values are "CNIChaining" which uses CNI plugins for traffic redirection, and "InitContainers" which uses privileged init containers.
+    examples:
+      - name: Set proxy redirection mechanism to CNI chaining.
+        text: az aks mesh proxy-redirection-mechanism --resource-group MyResourceGroup --name MyManagedCluster --mechanism CNIChaining
+      - name: Set proxy redirection mechanism to init containers.
+        text: az aks mesh proxy-redirection-mechanism --resource-group MyResourceGroup --name MyManagedCluster --mechanism InitContainers
+"""
+
 helps["aks approuting"] = """
     type: group
     short-summary: Commands to manage App Routing addon.

@@ -1252,6 +1252,15 @@ def load_arguments(self, _):
         c.argument('ca_key_object_name')
         c.argument('root_cert_object_name')
         c.argument('cert_chain_object_name')
+        c.argument('proxy_redirection_mechanism',
+                   arg_type=get_enum_type(["CNIChaining", "InitContainers"]),
+                   help='Set the proxy redirection mechanism for Azure Service Mesh.')
+
+    with self.argument_context('aks mesh proxy-redirection-mechanism') as c:
+        c.argument('mechanism',
+                   arg_type=get_enum_type(["CNIChaining", "InitContainers"]),
+                   required=True,
+                   help='The proxy redirection mechanism for Azure Service Mesh.')
 
     with self.argument_context('aks mesh get-revisions') as c:
         c.argument('location', required=True, help='Location in which to discover available Azure Service Mesh revisions.')

@@ -299,6 +299,11 @@ def load_command_table(self, _):
             'get-upgrades',
             'aks_mesh_get_upgrades',
             table_transformer=aks_mesh_upgrades_table_format)
+        g.custom_command(
+            "proxy-redirection-mechanism",
+            "aks_mesh_proxy_redirection_mechanism",
+            supports_no_wait=True,
+        )
 
     # AKS mesh upgrade commands
     with self.command_group('aks mesh upgrade', managed_clusters_sdk, client_factory=cf_managed_clusters) as g:

@@ -3658,7 +3658,8 @@ def aks_mesh_enable(
         ca_cert_object_name=None,
         ca_key_object_name=None,
         root_cert_object_name=None,
-        cert_chain_object_name=None
+        cert_chain_object_name=None,
+        proxy_redirection_mechanism=None,
 ):
     instance = client.get(resource_group_name, name)
     addon_profiles = instance.addon_profiles
@@ -3677,7 +3678,8 @@ def aks_mesh_enable(
                             root_cert_object_name,
                             cert_chain_object_name,
                             revision=revision,
-                            enable_azure_service_mesh=True)
+                            enable_azure_service_mesh=True,
+                            proxy_redirection_mechanism=proxy_redirection_mechanism)
 
 
 def aks_mesh_disable(
@@ -3856,6 +3858,23 @@ def aks_mesh_upgrade_rollback(
         mesh_upgrade_command=CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK)
 
 
+def aks_mesh_proxy_redirection_mechanism(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+        mechanism,
+):
+    """Set the proxy redirection mechanism for Azure Service Mesh."""
+    return _aks_mesh_update(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+        proxy_redirection_mechanism=mechanism,
+    )
+
+
 def _aks_mesh_get_supported_revisions(
         cmd,
         client,
@@ -3889,6 +3908,7 @@ def _aks_mesh_update(
         revision=None,
         yes=False,
         mesh_upgrade_command=None,
+        proxy_redirection_mechanism=None,
 ):
     raw_parameters = locals()
 

@@ -254,4 +254,9 @@ aks nodepool upgrade:
       undrainable_node_behavior:
         rule_exclusions:
         - option_length_too_long
+aks mesh enable:
+  parameters:
+      proxy_redirection_mechanism:
+        rule_exclusions:
+        - option_length_too_long
 ...
@@ -5034,6 +5034,45 @@ def _handle_enable_disable_asm(self, new_profile: ServiceMeshProfile) -> Tuple[S
 
         return new_profile, updated
 
+    def _handle_istio_cni_asm(self, new_profile: ServiceMeshProfile) -> Tuple[ServiceMeshProfile, bool]:
+        """Handle proxy redirection mechanism for Azure Service Mesh."""
+        updated = False
+        proxy_redirection_mechanism = self.raw_param.get("proxy_redirection_mechanism", None)
+
+        if proxy_redirection_mechanism is None:
+            return new_profile, updated
+
+        # Check if service mesh is enabled before allowing changes
+        if new_profile is None or new_profile.mode == CONST_AZURE_SERVICE_MESH_MODE_DISABLED:
+            raise ArgumentUsageError(
+                "Istio has not been enabled for this cluster, please refer to https://aka.ms/asm-aks-addon-docs "
+                "for more details on enabling Azure Service Mesh."
+            )
+
+        # Ensure istio profile exists
+        if new_profile.istio is None:
+            new_profile.istio = self.models.IstioServiceMesh()  # pylint: disable=no-member
+
+        # Ensure components exist
+        if new_profile.istio.components is None:
+            new_profile.istio.components = self.models.IstioComponents()  # pylint: disable=no-member
+
+        current_mechanism = getattr(
+            new_profile.istio.components,
+            "proxy_redirection_mechanism",
+            None,
+        )
+
+        if current_mechanism == proxy_redirection_mechanism:
+            raise ArgumentUsageError(
+                f"Proxy redirection mechanism is already set to '{proxy_redirection_mechanism}' for this cluster."
+            )
+
+        new_profile.istio.components.proxy_redirection_mechanism = proxy_redirection_mechanism
+        updated = True
+
+        return new_profile, updated
+
     # pylint: disable=too-many-branches,too-many-locals,too-many-statements
     def update_azure_service_mesh_profile(self) -> ServiceMeshProfile:
         """ Update azure service mesh profile.
@@ -5068,6 +5107,9 @@ def update_azure_service_mesh_profile(self) -> ServiceMeshProfile:
         new_profile, updated_upgrade_asm = self._handle_upgrade_asm(new_profile)
         updated |= updated_upgrade_asm
 
+        new_profile, updated_istio_cni = self._handle_istio_cni_asm(new_profile)
+        updated |= updated_istio_cni
+
         if updated:
             return new_profile
         return self.mc.service_mesh_profile