# Create a BYOVNet Cluster on Azure

> For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [cloud-data-platform-full.txt](https://docs.redpanda.com/cloud-data-platform-full.txt)

---
title: Create a BYOVNet Cluster on Azure
page-beta-text: This is a beta feature. Beta features are available for testing and feedback. They are not supported by Redpanda and should not be used in production environments.
latest-operator-version: v26.1.4
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
latest-redpanda-tag: v26.1.9
docname: cluster-types/byoc/azure/vnet-azure
page-component-name: cloud-data-platform
page-version: master
page-component-version: master
page-component-title: Cloud
page-relative-src-path: cluster-types/byoc/azure/vnet-azure.adoc
page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/get-started/pages/cluster-types/byoc/azure/vnet-azure.adoc
description: Use Terraform to deploy a BYOVNet cluster on Azure.
# Beta release status
page-beta: "true"
page-topic-type: how-to
personas: platform_admin
learning-objective-1: Deploy a BYOVNet cluster on Azure using Terraform
learning-objective-2: Configure the Redpanda network and cluster resources using the Cloud API
learning-objective-3: Manage the lifecycle of a BYOVNet cluster, including creation and deletion
page-git-created-date: "2024-11-15"
page-git-modified-date: "2026-03-09"
release-status: beta - This is a beta feature. Beta features are available for testing and feedback. They are not supported by Redpanda and should not be used in production environments.
---

<!-- Source: https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/azure/vnet-azure.md -->

> ❗ **IMPORTANT**
>
> BYOVPC/BYOVNet is an add-on feature that requires Premium support. To unlock this feature for your account, contact your Redpanda account team or [Redpanda Sales](https://www.redpanda.com/price-estimator).

A Bring Your Own Virtual Network (BYOVNet) cluster allows you to deploy the Redpanda [data plane](https://docs.redpanda.com/cloud-data-platform/reference/glossary/#data-plane) into your existing VNet and manage the networking lifecycle. Compared to a standard Bring Your Own Cloud (BYOC) setup, where Redpanda manages the networking lifecycle for you, BYOVNet provides more control. For background on the architecture, see [BYOC architecture](https://docs.redpanda.com/cloud-data-platform/get-started/byoc-arch/).

When you create a BYOVNet cluster, you specify your VNet and managed identities. The Redpanda Cloud agent doesn’t create any new resources or alter any settings in your account. With a customer-managed VNet:

-   You provide your own VNet in your Azure account.

-   You maintain more control over your account, because Redpanda requires fewer permissions than standard BYOC clusters.

-   You control your security resources and policies, including subnets, user-assigned identities, IAM roles and assignments, security groups, storage accounts, and key vaults.


The [Redpanda Cloud Examples repository](https://github.com/redpanda-data/cloud-examples/tree/main/customer-managed/azure/README.md) contains [Terraform](https://developer.hashicorp.com/terraform) code that deploys the resources required for a BYOVNet cluster on Azure. You need to create these resources in advance and provide them to Redpanda during cluster creation. Variables are provided in the code so you can exclude resources that already exist in your environment, such as the VNet.

See the code for the complete list of resources required to create and deploy a Redpanda cluster. Customer-managed resources can be broken down into the following groups:

-   Resource group resources

-   User-assigned identities

-   IAM roles and assignments

-   Network

-   Storage

-   Key vaults


## [](#prerequisites)Prerequisites

-   Access to an Azure subscription where you want to create your cluster

-   Knowledge of your internal VNet and subnet configuration

-   Permission to call the [Redpanda Cloud API](https://docs.redpanda.com/api/doc/cloud-controlplane/topic/topic-cloud-api-overview)

-   Permission to create, modify, and delete the resources described by Terraform

-   [Terraform](https://developer.hashicorp.com/terraform/install) version 1.8.5 or later

-   [jq](https://jqlang.org/download/), which is used to parse JSON values from API responses


## [](#limitations)Limitations

-   Existing clusters cannot be moved to a BYOVNet cluster.

-   After creating a BYOVNet cluster, you cannot change to a different VNet.

-   Only primary CIDR ranges are supported for the VNet.


## [](#set-environment-variables)Set environment variables

Set environment variables for the resource group, VNet name, and Azure region. For example:

```bash
export AZURE_RESOURCE_GROUP_NAME=sample-redpanda-rg
export AZURE_VNET_NAME="sample-vnet"
export AZURE_REGION=centralus
```

## [](#create-azure-resource-group-and-vnet)Create Azure resource group and VNet

1.  Create a resource group to contain all resources, and then create a VNet with your address and subnet prefixes.

    The following example uses the environment variables to create the `sample-redpanda-rg` resource group and the `sample-vnet` virtual network with an address space of `10.0.0.0/16`.

    ```bash
    az group create --name ${AZURE_RESOURCE_GROUP_NAME} --location ${AZURE_REGION}

    az network vnet create \
        --name ${AZURE_VNET_NAME} \
        --resource-group ${AZURE_RESOURCE_GROUP_NAME} \
        --location ${AZURE_REGION} \
        --address-prefix 10.0.0.0/16
    ```

2.  Set additional environment variables for Azure resources. For example:

    ```bash
    export AZURE_SUBSCRIPTION_ID=
    export AZURE_TENANT_ID=
    export AZURE_ZONES='["centralus-az1", "centralus-az2", "centralus-az3"]'
    export AZURE_RESOURCE_PREFIX=sample-
    export REDPANDA_CLUSTER_NAME=<Redpanda Cluster Name>
    export REDPANDA_RG_ID=<Redpanda Cloud Resource Group Id>
    export REDPANDA_THROUGHPUT_TIER=tier-1-azure-v3-x86
    export REDPANDA_VERSION=25.2
    export REDPANDA_MANAGEMENT_STORAGE_ACCOUNT_NAME=rpmgmtsa
    export REDPANDA_MANAGEMENT_STORAGE_CONTAINER_NAME=rpmgmtsc
    export REDPANDA_0_PODS_SUBNET_NAME=snet-rp-0-pods
    export REDPANDA_0_VNET_SUBNET_NAME=snet-rp-0-vnet
    export REDPANDA_1_PODS_SUBNET_NAME=snet-rp-1-pods
    export REDPANDA_1_VNET_SUBNET_NAME=snet-rp-1-vnet
    export REDPANDA_2_PODS_SUBNET_NAME=snet-rp-2-pods
    export REDPANDA_2_VNET_SUBNET_NAME=snet-rp-2-vnet
    export REDPANDA_CONNECT_PODS_SUBNET_NAME=snet-connect-pods
    export REDPANDA_CONNECT_VNET_SUBNET_NAME=snet-connect-vnet
    export KAFKA_CONNECT_PODS_SUBNET_NAME=snet-kafka-connect-pods
    export KAFKA_CONNECT_VNET_SUBNET_NAME=snet-kafka-connect-vnet
    export SYSTEM_PODS_SUBNET_NAME=snet-system-pods
    export SYSTEM_VNET_SUBNET_NAME=snet-system-vnet
    export REDPANDA_AGENT_SUBNET_NAME=snet-agent-private
    export REDPANDA_EGRESS_SUBNET_NAME=snet-agent-public
    export REDPANDA_MANAGEMENT_KEY_VAULT_NAME=redpanda-vault
    export REDPANDA_CONSOLE_KEY_VAULT_NAME=rp-console-vault
    export REDPANDA_AKS_SUBNET_CIDR="10.0.15.0/24"
    export REDPANDA_IAM_RESOURCE_GROUP_NAME=sample-redpanda-rg
    export REDPANDA_NETWORK_RESOURCE_GROUP_NAME=sample-redpanda-rg
    export REDPANDA_RESOURCE_GROUP_NAME=sample-redpanda-rg
    export REDPANDA_STORAGE_RESOURCE_GROUP_NAME=sample-redpanda-rg
    export REDPANDA_SECURITY_GROUP_NAME=redpanda-nsg
    export REDPANDA_TIERED_STORAGE_ACCOUNT_NAME=tieredsa
    export REDPANDA_TIERED_STORAGE_CONTAINER_NAME=tieredsc
    export REDPANDA_AGENT_USER_ASSIGNED_IDENTITY_NAME=agent-uai
    export REDPANDA_AKS_USER_ASSIGNED_IDENTITY_NAME=aks-uai
    export REDPANDA_CERT_MANAGER_USER_ASSIGNED_IDENTITY_NAME=cert-manager-uai
    export REDPANDA_EXTERNAL_DNS_USER_ASSIGNED_IDENTITY_NAME=external-dns-uai
    export REDPANDA_CLUSTER_USER_ASSIGNED_IDENTITY_NAME=cluster-uai
    export REDPANDA_CONSOLE_USER_ASSIGNED_IDENTITY_NAME=console-uai
    export KAFKA_CONNECT_USER_ASSIGNED_IDENTITY_NAME=kafka-connect-uai
    export REDPANDA_CONNECT_USER_ASSIGNED_IDENTITY_NAME=redpanda-connect-uai
    export REDPANDA_CONNECT_API_USER_ASSIGNED_IDENTITY_NAME=redpanda-connect-api-uai
    export REDPANDA_OPERATOR_USER_ASSIGNED_IDENTITY_NAME=redpanda-operator-uai
    ```


## [](#configure-terraform)Configure Terraform

> 📝 **NOTE**
>
> For simplicity, these instructions assume that Terraform is configured to use local state. You may want to configure [remote state](https://developer.hashicorp.com/terraform/language/state/remote).

Create a JSON file called `byovnet.auto.tfvars.json` inside the Terraform directory to configure variables for your specific needs:

Show script

```bash
cat > byovnet.auto.tfvars.json <<EOF
{
  "azure_subscription_id": "${AZURE_SUBSCRIPTION_ID}",
  "azure_tenant_id": "${AZURE_TENANT_ID}",
  "azure_use_cli": "true",
  "region": "${AZURE_REGION}",
  "zones": ${AZURE_ZONES},
  "resource_name_prefix": "${AZURE_RESOURCE_PREFIX}",
  "tags": {},
  "create_resource_groups": "false",
  "redpanda_resource_group_name": "${AZURE_RESOURCE_GROUP_NAME}",
  "redpanda_storage_resource_group_name": "${REDPANDA_STORAGE_RESOURCE_GROUP_NAME}",
  "redpanda_network_resource_group_name": "${REDPANDA_NETWORK_RESOURCE_GROUP_NAME}",
  "redpanda_iam_resource_group_name": "${REDPANDA_IAM_RESOURCE_GROUP_NAME}",
  "redpanda_agent_identity_name": "${REDPANDA_AGENT_USER_ASSIGNED_IDENTITY_NAME}",
  "redpanda_agent_role_name": "agent-role",
  "redpanda_cert_manager_identity_name": "${REDPANDA_CERT_MANAGER_USER_ASSIGNED_IDENTITY_NAME}",
  "redpanda_external_dns_identity_name": "${REDPANDA_EXTERNAL_DNS_USER_ASSIGNED_IDENTITY_NAME}",
  "redpanda_cluster_identity_name": "${REDPANDA_CLUSTER_USER_ASSIGNED_IDENTITY_NAME}",
  "aks_identity_name": "${REDPANDA_AKS_USER_ASSIGNED_IDENTITY_NAME}",
  "redpanda_console_identity_name": "${REDPANDA_CONSOLE_USER_ASSIGNED_IDENTITY_NAME}",
  "redpanda_console_role_name": "console-role",
  "kafka_connect_identity_name": "${KAFKA_CONNECT_USER_ASSIGNED_IDENTITY_NAME}",
  "redpanda_connect_identity_name": "${REDPANDA_CONNECT_USER_ASSIGNED_IDENTITY_NAME}",
  "redpanda_connect_api_identity_name": "${REDPANDA_CONNECT_API_USER_ASSIGNED_IDENTITY_NAME}",
  "redpanda_operator_identity_name": "${REDPANDA_OPERATOR_USER_ASSIGNED_IDENTITY_NAME}",
  "redpanda_management_storage_account_name": "${REDPANDA_MANAGEMENT_STORAGE_ACCOUNT_NAME}",
  "redpanda_management_storage_container_name": "${REDPANDA_MANAGEMENT_STORAGE_CONTAINER_NAME}",
  "redpanda_tiered_storage_account_name": "${REDPANDA_TIERED_STORAGE_ACCOUNT_NAME}",
  "redpanda_tiered_storage_container_name": "${REDPANDA_TIERED_STORAGE_CONTAINER_NAME}",
  "redpanda_management_key_vault_name": "${REDPANDA_MANAGEMENT_KEY_VAULT_NAME}",
  "redpanda_console_key_vault_name": "${REDPANDA_CONSOLE_KEY_VAULT_NAME}",
  "redpanda_private_link_role_name": "pl-role",
  "vnet_name": "${AZURE_VNET_NAME}",
  "vnet_addresses": [
    "10.0.0.0/20"
  ],
  "private_subnets": {
    "agent-private": {
      "cidr": "10.0.3.0/24",
      "name": "${REDPANDA_AGENT_SUBNET_NAME}"
    },
    "connect-pod": {
      "cidr": "10.0.10.0/24",
      "name": "${REDPANDA_CONNECT_PODS_SUBNET_NAME}"
    },
    "connect-vnet": {
      "cidr": "10.0.11.0/24",
      "name": "${REDPANDA_CONNECT_VNET_SUBNET_NAME}"
    },
    "kafka-connect-pod": {
      "cidr": "10.0.12.0/24",
      "name": "${KAFKA_CONNECT_PODS_SUBNET_NAME}"
    },
    "kafka-connect-vnet": {
      "cidr": "10.0.13.0/24",
      "name": "${KAFKA_CONNECT_VNET_SUBNET_NAME}"
    },
    "rp-0-pods": {
      "cidr": "10.0.4.0/24",
      "name": "${REDPANDA_0_PODS_SUBNET_NAME}"
    },
    "rp-0-vnet": {
      "cidr": "10.0.5.0/24",
      "name": "${REDPANDA_0_VNET_SUBNET_NAME}"
    },
    "rp-1-pods": {
      "cidr": "10.0.6.0/24",
      "name": "${REDPANDA_1_PODS_SUBNET_NAME}"
    },
    "rp-1-vnet": {
      "cidr": "10.0.7.0/24",
      "name": "${REDPANDA_1_VNET_SUBNET_NAME}"
    },
    "rp-2-pods": {
      "cidr": "10.0.8.0/24",
      "name": "${REDPANDA_2_PODS_SUBNET_NAME}"
    },
    "rp-2-vnet": {
      "cidr": "10.0.9.0/24",
      "name": "${REDPANDA_2_VNET_SUBNET_NAME}"
    },
    "system-pod": {
      "cidr": "10.0.1.0/24",
      "name": "${SYSTEM_PODS_SUBNET_NAME}"
    },
    "system-vnet": {
      "cidr": "10.0.2.0/24",
      "name": "${SYSTEM_VNET_SUBNET_NAME}"
    }
  },
  "egress_subnets": {
    "agent-public": {
      "cidr": "10.0.0.0/24",
      "name": "${REDPANDA_EGRESS_SUBNET_NAME}"
    }
  },
  "reserved_subnet_cidrs": {
    "k8s-service": "${REDPANDA_AKS_SUBNET_CIDR}"
  },
  "redpanda_security_group_name": "${REDPANDA_SECURITY_GROUP_NAME}"
}
EOF
```

## [](#apply-the-terraform-configuration)Apply the Terraform configuration

Initialize, plan, and apply Terraform to set up the Azure infrastructure:

```bash
terraform init &&
terraform plan &&
terraform apply
```

Note the output values that the `terraform apply` command displays. The output values are necessary in later steps. To continue with cluster creation, see [Create Azure VNet Redpanda Cluster](https://github.com/redpanda-data/cloud-examples/tree/main/customer-managed/azure#create-azure-byo-vnet-redpanda-cluster).

You can also get these values by running `terraform output`. For example:

Show output from `terraform output`

```bash
agent_private_subnet_name = "my-snet-agent-private"
agent_user_assigned_identity_name = "my-agent-uai"
aks_user_assigned_identity_name = "my-aks-uai"
cert_manager_user_assigned_identity_name = "my-cert-manager-uai"
cluster_user_assigned_identity_name = "my-cluster-uai"
console_key_vault_name = "my-consolevault"
console_user_assigned_identity_name = "my-console-uai"
egress_subnet_name = "my-snet-agent-public"
external_dns_user_assigned_identity_name = "my-external-dns-uai"
iam_resource_group_name = "my-iam-rg"
kafka_connect_pods_subnet_name = "my-snet-kafka-connect-pods"
kafka_connect_user_assigned_identity_name = "my-kafka-connect-uai"
kafka_connect_vnet_subnet_name = "my-snet-kafka-connect-vnet"
redpanda_connect_user_assigned_identity_name = "my-redpanda-connect-uai"
redpanda_connect_api_user_assigned_identity_name = "my-redpanda-connect-api-uai"
redpanda_operator_user_assigned_identity_name = "my-operator-connect-uai"
management_bucket_storage_account_name = "mymanagement"
management_bucket_storage_container_name = "mymanagement"
management_key_vault_name = "my-redpandavault"
network_resource_group_name = "my-network-rg"
......
redpanda_resource_group_name = "my-redpanda-rg"
redpanda_security_group_name = "my-redpanda-nsg"
......
rp_0_pods_subnet_name = "my-snet-rp-0-pods"
rp_0_vnet_subnet_name = "my-snet-rp-0-vnet"
rp_1_pods_subnet_name = "my-snet-rp-1-pods"
rp_1_vnet_subnet_name = "my-snet-rp-1-vnet"
rp_2_pods_subnet_name = "my-snet-rp-2-pods"
rp_2_vnet_subnet_name = "my-snet-rp-2-vnet"
rp_connect_pods_subnet_name = "my-snet-connect-pods"
rp_connect_vnet_subnet_name = "my-snet-connect-vnet"
......
storage_resource_group_name = "my-storage-rg"
system_pods_subnet_name = "my-snet-system-pods"
system_vnet_subnet_name = "my-snet-system-vnet"
tiered_storage_account_name = "mytieredstorage"
tiered_storage_container_name = "mytieredstorage"
......
vnet_name = "my-rp-vnet"
```

The [Terraform Readme](https://github.com/redpanda-data/cloud-examples/blob/main/customer-managed/azure/terraform/README.md) has more information about variable files:

-   `vars.azure.tf`: Contains the variables related to Azure credentials.

-   `vars.condition.tf`: Contains the conditional variables; for example, on whether to create NAT.

-   `vars.customer_input.tf`: Contains the variables needed to create a cluster with the Cloud API.

-   `vars.iam.tf`: Contains the variables related to IAM roles.

-   `vars.misc.tf`: Contains the variables, regions, zones, tags, and resource name prefix.


## [](#authenticate-with-redpanda-cloud)Authenticate with Redpanda Cloud

Get a [bearer token](https://docs.redpanda.com/cloud-data-platform/reference/glossary/#bearer-token) from the Cloud API authentication endpoint using your Redpanda credentials:

```bash
export REDPANDA_CLIENT_ID=
export REDPANDA_CLIENT_SECRET=

export BEARER_TOKEN=$(curl --request POST \
--url 'https://auth.prd.cloud.redpanda.com/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=${REDPANDA_CLIENT_ID} \
--data client_secret=${REDPANDA_CLIENT_SECRET} \
--data audience=cloudv2-production.redpanda.cloud | jq -r '.access_token')
```

> 💡 **TIP**
>
> To get the Redpanda authentication credentials, follow the [authentication guide](https://docs.redpanda.com/api/doc/cloud-controlplane/topic/authentication).

## [](#create-the-network)Create the network

To create the Redpanda network:

1.  Define a JSON file called `redpanda-network.json` to configure the network for Redpanda with details about VNet, subnets, and storage.

    Show script

    ```bash
    cat > redpanda-network.json <<EOF
    {
      "network": {
        "cloud_provider": "CLOUD_PROVIDER_AZURE",
        "cluster_type": "TYPE_BYOC",
        "name": "${REDPANDA_CLUSTER_NAME}",
        "resource_group_id": "${REDPANDA_RG_ID}",
        "region": "${AZURE_REGION}",
        "customer_managed_resources": {
          "azure" : {
            "management_bucket" : {
               "storage_account_name": "${REDPANDA_MANAGEMENT_STORAGE_ACCOUNT_NAME}",
               "storage_container_name": "${REDPANDA_MANAGEMENT_STORAGE_CONTAINER_NAME}",
               "resource_group" : { "name" : "${AZURE_RESOURCE_GROUP_NAME}" }
            },
            "vnet" : {
               "name" : "${AZURE_VNET_NAME}",
               "resource_group" : { "name" : "${AZURE_RESOURCE_GROUP_NAME}" }
            },
            "subnets" : {
              "rp_0_pods" : { "name" : "${REDPANDA_0_PODS_SUBNET_NAME}" },
              "rp_0_vnet" : { "name" : "${REDPANDA_0_VNET_SUBNET_NAME}" },
              "rp_1_pods" : { "name" : "${REDPANDA_1_PODS_SUBNET_NAME}" },
              "rp_1_vnet" : { "name" : "${REDPANDA_1_VNET_SUBNET_NAME}" },
              "rp_2_pods" : { "name" : "${REDPANDA_2_PODS_SUBNET_NAME}" },
              "rp_2_vnet" : { "name" : "${REDPANDA_2_VNET_SUBNET_NAME}" },
              "rp_connect_pods" : { "name" : "${REDPANDA_CONNECT_PODS_SUBNET_NAME}" },
              "rp_connect_vnet" : { "name" : "${REDPANDA_CONNECT_VNET_SUBNET_NAME}" },
              "kafka_connect_pods" : { "name" : "${KAFKA_CONNECT_PODS_SUBNET_NAME}" },
              "kafka_connect_vnet" : { "name" : "${KAFKA_CONNECT_VNET_SUBNET_NAME}" },
              "sys_pods" : { "name" : "${SYSTEM_PODS_SUBNET_NAME}" },
              "sys_vnet" : { "name" : "${SYSTEM_VNET_SUBNET_NAME}" },
              "rp_agent" :  { "name" : "${REDPANDA_AGENT_SUBNET_NAME}" },
              "rp_egress_vnet" : { "name" : "${REDPANDA_EGRESS_SUBNET_NAME}" }
             }
          }
        }
      }
    }
    EOF
    ```

2.  Use the Cloud API to create the network and retrieve the network ID:

    ```bash
    export REDPANDA_NETWORK_ID=$(curl -X POST "https://api.redpanda.com/v1/networks" \
     -H "accept: application/json" \
     -H "content-type: application/json" \
     -H "authorization: Bearer ${BEARER_TOKEN}" \
     --data-binary @redpanda-network.json | jq -r '.operation.resource_id')
    ```


## [](#create-the-cluster)Create the cluster

To create the Redpanda cluster:

1.  Define a JSON file called `redpanda-cluster.json` that includes cluster information:

    Show script

    ```bash
    cat > redpanda-cluster.json <<EOF
    {
      "cluster": {
        "cloud_provider": "CLOUD_PROVIDER_AZURE",
        "connection_type": "CONNECTION_TYPE_PRIVATE",
        "name": "${REDPANDA_CLUSTER_NAME}",
        "resource_group_id": "${REDPANDA_RG_ID}",
        "network_id": "${REDPANDA_NETWORK_ID}",
        "region": "${AZURE_REGION}",
        "zones": ${AZURE_ZONES},
        "throughput_tier": "${REDPANDA_THROUGHPUT_TIER}",
        "type": "TYPE_BYOC",
        "redpanda_version": "${REDPANDA_VERSION}",
        "customer_managed_resources" : {
          "azure" : {
            "cidrs" : {
              "aks_service_cidr" : "${REDPANDA_AKS_SUBNET_CIDR}"
            },
            "key_vaults": {
              "console_vault": { "name": "${REDPANDA_CONSOLE_KEY_VAULT_NAME}" },
              "management_vault": { "name": "${REDPANDA_MANAGEMENT_KEY_VAULT_NAME}" }
            },
            "resource_groups" : {
              "iam_resource_group" : { "name": "${REDPANDA_IAM_RESOURCE_GROUP_NAME}" },
              "redpanda_resource_group" : { "name": "${REDPANDA_CLUSTER_RESOURCE_GROUP_NAME}" },
              "storage_resource_group" : { "name": "${REDPANDA_STORAGE_RESOURCE_GROUP_NAME}" }
            },
            "security_groups" : {
              "redpanda_security_group" : { "name": "${REDPANDA_SECURITY_GROUP_NAME}" }
            },
            "tiered_cloud_storage" : {
              "storage_account_name": "${REDPANDA_TIERED_STORAGE_ACCOUNT_NAME}",
              "storage_container_name": "${REDPANDA_TIERED_STORAGE_CONTAINER_NAME}"
            },
            "user_assigned_identities" : {
              "agent_user_assigned_identity": { "name" : "${REDPANDA_AGENT_USER_ASSIGNED_IDENTITY_NAME}" },
              "aks_user_assigned_identity": { "name" : "${REDPANDA_AKS_USER_ASSIGNED_IDENTITY_NAME}" },
              "cert_manager_assigned_identity": { "name" : "${REDPANDA_CERT_MANAGER_USER_ASSIGNED_IDENTITY_NAME}" },
              "external_dns_assigned_identity": { "name" : "${REDPANDA_EXTERNAL_DNS_USER_ASSIGNED_IDENTITY_NAME}" },
              "redpanda_cluster_assigned_identity": { "name" : "${REDPANDA_CLUSTER_USER_ASSIGNED_IDENTITY_NAME}" },
              "redpanda_console_assigned_identity": { "name" : "${REDPANDA_CONSOLE_USER_ASSIGNED_IDENTITY_NAME}" },
              "kafka_connect_assigned_identity": { "name" : "${KAFKA_CONNECT_USER_ASSIGNED_IDENTITY_NAME}" },
              "redpanda_connect_assigned_identity": { "name" : "${REDPANDA_CONNECT_USER_ASSIGNED_IDENTITY_NAME}" },
              "redpanda_connect_api_assigned_identity": { "name" : "${REDPANDA_CONNECT_API_USER_ASSIGNED_IDENTITY_NAME}" },
              "redpanda_operator_assigned_identity": { "name" : "${REDPANDA_OPERATOR_USER_ASSIGNED_IDENTITY_NAME}" }
            }
          }
        }
      }
    }
    EOF
    ```

    > 💡 **TIP**
    >
    > See the full list of zones and tiers available with each provider in the [Control Plane API reference](https://docs.redpanda.com/api/doc/cloud-controlplane/topic/topic-regions-and-usage-tiers).

2.  Make a Cloud API call to create a Redpanda cluster and get the network ID from the response in JSON `.operation.metadata.network_id`.

    ```bash
    export REDPANDA_ID=$(curl -X POST "https://api.redpanda.com/v1/clusters" \
     -H "accept: application/json"\
     -H "content-type: application/json" \
     -H "authorization: Bearer ${BEARER_TOKEN}" \
     --data-binary @redpanda-cluster.json | jq -r '.operation.resource_id')
    ```


## [](#create-the-cluster-resources)Create the cluster resources

To create the initial cluster resources, first log in to Redpanda Cloud, then run `rpk cloud byoc azure apply`:

```bash
rpk cloud login \
  --save \
  --client-id=${REDPANDA_CLIENT_ID} \
  --client-secret=${REDPANDA_CLIENT_SECRET} \
  --no-profile
```

```bash
rpk cloud byoc azure apply --redpanda-id="${REDPANDA_ID}" --subscription-id="${AZURE_SUBSCRIPTION_ID}"
```

The Redpanda Cloud agent now is running and handles the remaining steps. This can take up to 45 minutes. When provisioning completes, the cluster status updates to `Running`. If the cluster remains in `Creating` status after 45 minutes, contact [Redpanda Support](https://support.redpanda.com/hc/en-us/requests/new).

## [](#check-the-cluster-status)Check the cluster status

Cluster creation is an example of an operation that can take a longer period of time to complete. You can check the operation state with the Cloud API, or check the Redpanda Cloud UI for cluster status.

Example using the returned `operation_id`:

```bash
curl -X GET "https://api.redpanda.com/v1/operations/<operation-id>" \
 -H "accept: application/json"\
 -H "content-type: application/json" \
 -H "authorization: Bearer ${BEARER_TOKEN}"
```

Example retrieving cluster:

```bash
curl -X GET "https://api.redpanda.com/v1/clusters/<resource-id>" \
 -H "accept: application/json"\
 -H "content-type: application/json" \
 -H "authorization: Bearer ${BEARER_TOKEN}"
```

## [](#delete-the-cluster)Delete the cluster

To delete the cluster, first send a DELETE request to the Cloud API, and retrieve the `resource_id` of the DELETE operation. Then run the `rpk` command to destroy the cluster identified by the `resource_id`.

```bash
export REDPANDA_ID=$(curl -X DELETE "https://api.redpanda.com/v1/clusters/${REDPANDA_ID}" \
 -H "accept: application/json"\
 -H "content-type: application/json" \
 -H "authorization: Bearer ${BEARER_TOKEN}" | jq -r '.operation.resource_id')
```

After that completes, run:

```bash
rpk cloud byoc azure destroy --redpanda-id ${REDPANDA_ID}
```

> 📝 **NOTE**
>
> Redpanda Cloud does not support customer access or modifications to any of the internal data plane resources. This restriction allows Redpanda Data to manage all configuration changes internally to ensure a 99.99% service level agreement (SLA) for BYOC clusters.

## [](#manage-custom-tags)Manage custom tags

Your organization might require custom tags for cost allocation, audit compliance, or governance policies. After cluster creation, you can manage tags with the [Cloud Control Plane API](https://docs.redpanda.com/cloud-data-platform/manage/api/cloud-byoc-controlplane-api/). The Control Plane API allows up to 16 custom tags in Azure.

Make sure you have:

-   The cluster ID. You can find this in the Redpanda Cloud UI, in the **Details** section of the cluster overview.

-   A valid bearer token for the Cloud Control Plane API. For details, see [Authenticate to the API](https://docs.redpanda.com/api/doc/cloud-controlplane/authentication).


> ❗ **IMPORTANT**
>
> To unlock this feature for your account, contact [Redpanda Support](https://support.redpanda.com/hc/en-us/requests/new).

1.  To refresh Redpanda agent permissions in the target subscription, run:

    ```bash
    export CLUSTER_ID="<cluster-id>"
    export SUBSCRIPTION_ID="<subscription-id>"

    rpk cloud byoc azure apply --redpanda-id="$CLUSTER_ID" --subscription-id="$SUBSCRIPTION_ID"
    ```

2.  To update tags, invoke the Cloud API.

    First, set your authentication token:

    ```bash
    export AUTH_TOKEN="<your-bearer-token>"
    ```

    The `PATCH` call sets the tags specified under `"cloud_provider_tags"`. It replaces the existing tags with the specified tags. Include all desired tags in the request. To remove a single entry, omit it from the map you send.

    ```bash
    cluster_patch_body=$(cat <<'JSON'
    {
      "cloud_provider_tags": {
        "Environment": "production",
        "CostCenter": "engineering"
      }
    }
    JSON
    )

    curl -X PATCH "https://api.redpanda.com/v1/clusters/$CLUSTER_ID" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $AUTH_TOKEN" \
      -d "$cluster_patch_body"
    ```

    To remove all tags, send an empty `cloud_provider_tags` object:

    ```bash
    cluster_patch_body='{"cloud_provider_tags": {}}'

    curl -X PATCH "https://api.redpanda.com/v1/clusters/$CLUSTER_ID" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $AUTH_TOKEN" \
      -d "$cluster_patch_body"
    ```


### [](#limitations-2)Limitations

-   Nodepool Application Security Groups (ASG): Custom tags are set only when the cluster is created. Tags cannot be updated on these resources after cluster creation.

-   Private Link network interfaces (Kubernetes API server, Tiered Storage, and Private Link service): Custom tags are set only during cluster creation and cannot be changed later.


> 📝 **NOTE**
>
> For BYOVNet clusters, custom tags are not applied to the customer-managed resources that are deployed by the customer.

## [](#next-steps)Next steps

-   [Configure Azure Private Link](https://docs.redpanda.com/cloud-data-platform/networking/azure-private-link/)

-   [Review Azure IAM policies](https://docs.redpanda.com/cloud-data-platform/security/authorization/cloud-iam-policies-azure/)

-   [Learn about `rpk` commands](https://docs.redpanda.com/cloud-data-platform/reference/rpk/)