Add support for zone-redundant load balancers

[bryan-cox]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR implements support for configuring availability zones on Azure load balancers to enable zone-redundant configurations for high availability.

Azure load balancers can be configured as zone-redundant to ensure high availability across multiple availability zones within a region. This feature allows users to specify availability zones (1, 2, 3) on load balancers, which are then set on the frontend IP configurations.

Key changes:

• Added AvailabilityZones field to LoadBalancerSpec API
• Implemented service layer to set zones on frontend IP configurations
• Added webhook validation to enforce Azure's zone immutability requirement
• Integrated zone-redundant LB verification into the existing private cluster E2E test
• Included comprehensive documentation with examples and migration guidance
• Added unit tests

Which issue(s) this PR fixes:
Fixes #5709

Special notes for your reviewer:

Note

This PR was generated with the assistance of AI tooling (Claude Code).

This implementation follows Azure's zone redundancy model:

• For internal load balancers: zones are set directly on frontend IP configurations
• For public load balancers: zones should be set on associated public IP addresses (documented)
• Zones are immutable after creation per Azure platform requirements
• Webhook validation prevents invalid zone modifications

Zone-redundant LB verification is integrated into the private cluster E2E test per reviewer feedback, rather than as a standalone test.

TODOs:

• squashed commits
• includes documentation
• adds unit tests
• cherry-pick candidate

Release note:

Add support for zone-redundant load balancers. Users can now configure availability zones on load balancers (APIServerLB, NodeOutboundLB, ControlPlaneOutboundLB) to enable zone-redundant configurations for high availability across multiple availability zones.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jont828 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.03%. Comparing base (1360e4a) to head (6a57e82).
⚠️ Report is 62 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5944      +/-   ##
==========================================
+ Coverage   43.85%   44.03%   +0.17%     
==========================================
  Files         289      289              
  Lines       25341    25386      +45     
==========================================
+ Hits        11113    11178      +65     
+ Misses      13450    13431      -19     
+ Partials      778      777       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jackfrancis]

@bryan-cox can you add this new functionality to the existing E2E scenario for a private cluster, which ships with/ an internal LB? E.g.:

$ git diff templates/flavors/private/patches/private-lb.yaml
diff --git a/templates/flavors/private/patches/private-lb.yaml b/templates/flavors/private/patches/private-lb.yaml
index 76e1539df..a2933e299 100644
--- a/templates/flavors/private/patches/private-lb.yaml
+++ b/templates/flavors/private/patches/private-lb.yaml
@@ -7,6 +7,10 @@ spec:
     apiServerLB:
       name: ${CLUSTER_NAME}-internal-lb
       type: Internal
+      availabilityZones:
+        - "1"
+        - "2"
+        - "3"
     nodeOutboundLB:
       frontendIPsCount: 1
     controlPlaneOutboundLB:

After you apply the above changes to the template partial above, render updated templates w/ kustomize by invoking make generate flavors from the git root directory.

cc @nojnhuh @mboersma

[jackfrancis]

/test pull-cluster-api-provider-azure-e2e-optional

[bryan-cox]

/test pull-cluster-api-provider-azure-e2e-optional

[bryan-cox]

/retest

[bryan-cox]

/test pull-cluster-api-provider-azure-e2e-optional

[bryan-cox]

Attempting to get the PR back to its stable state before attempting to address #5944 (comment) again.

[bryan-cox]

/test pull-cluster-api-provider-azure-e2e-optional

[bryan-cox]

/test pull-cluster-api-provider-azure-e2e-optional

[bryan-cox]

/test pull-cluster-api-provider-azure-e2e

[bryan-cox]

/test pull-cluster-api-provider-azure-e2e-optional

[bryan-cox]

Retesting - the previous run failed due to an Azure DNS infrastructure flake. The management cluster API server DNS (capz-e2e-*-public-custom-vnet-*.canadacentral.cloudapp.azure.com) stopped resolving mid-test, causing the private cluster test and 5 other unrelated tests to fail at WaitForKubeadmControlPlaneMachinesToExist. No code changes since last run.

/test pull-cluster-api-provider-azure-e2e-optional

[bryan-cox]

/retest

[k8s-ci-robot]

@bryan-cox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-azure-capi-e2e	67685f0	link	false	/test pull-cluster-api-provider-azure-capi-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[bryan-cox]

apiversion-upgrade failure is a pre-existing flake

The pull-cluster-api-provider-azure-apiversion-upgrade test is failing at ~50% rate across all PRs, not specific to this change. Evidence from recent Prow job history:

PR	Author	Change	apiversion-upgrade results
#6262	@mboersma	Bump CAPI to v1.13.1	5 consecutive failures before passing on 6th run
#6287	@willie-yao	Update test metadata/versions	1 fail, 2 passes
#5944	this PR	Zone-redundant LB	2 fails, 2 passes

PR #6262 is a simple dependency bump with no test-affecting changes — the same commit failed 5 times in a row before passing with zero code changes.

All failures share the same pattern: azureserviceoperator-controller-manager deployment timeout after clusterctl upgrade apply, followed by management cluster API server becoming unreachable (DNS resolution failures, TCP timeouts, HTTP/2 connection drops).

/retest pull-cluster-api-provider-azure-apiversion-upgrade

[bryan-cox]

/test pull-cluster-api-provider-azure-apiversion-upgrade

[willie-yao]

@bryan-cox Is this ready for review?

[bryan-cox]

@willie-yao hey 👋🏻 - yeah it is. I forgot to check it after running the test again.