diff --git a/api/v1beta1/azuremanagedcontrolplane_types.go b/api/v1beta1/azuremanagedcontrolplane_types.go
index 72703c53baed..f0957e008570 100644
--- a/api/v1beta1/azuremanagedcontrolplane_types.go
+++ b/api/v1beta1/azuremanagedcontrolplane_types.go
@@ -186,6 +186,23 @@ type AzureManagedControlPlaneSpec struct {
 	// For authentication with Azure Container Registry.
 	// +optional
 	KubeletUserAssignedIdentity string `json:"kubeletUserAssignedIdentity,omitempty"`
+
+	// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+	// Immutable.
+	// +optional
+	HTTPProxyConfig *HTTPProxyConfig `json:"httpProxyConfig,omitempty"`
+}
+
+// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+type HTTPProxyConfig struct {
+	// HTTPProxy - The HTTP proxy server endpoint to use.
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+	// HTTPSProxy - The HTTPS proxy server endpoint to use.
+	HTTPSProxy *string `json:"httpsProxy,omitempty"`
+	// NoProxy - The endpoints that should not go through proxy.
+	NoProxy *[]string `json:"noProxy,omitempty"`
+	// TrustedCa - Alternative CA cert to use for connecting to proxy servers.
+	TrustedCa *string `json:"trustedCa,omitempty"`
 }
 
 // AADProfile - AAD integration managed by AKS.
diff --git a/api/v1beta1/azuremanagedcontrolplane_webhook.go b/api/v1beta1/azuremanagedcontrolplane_webhook.go
index c6c399a3d54e..2af389509acb 100644
--- a/api/v1beta1/azuremanagedcontrolplane_webhook.go
+++ b/api/v1beta1/azuremanagedcontrolplane_webhook.go
@@ -199,6 +199,13 @@ func (mw *azureManagedControlPlaneWebhook) ValidateUpdate(ctx context.Context, o
 		allErrs = append(allErrs, err)
 	}
 
+	if err := webhookutils.ValidateImmutable(
+		field.NewPath("Spec", "HTTPProxyConfig"),
+		old.Spec.HTTPProxyConfig,
+		m.Spec.HTTPProxyConfig); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	if err := webhookutils.ValidateImmutable(
 		field.NewPath("Spec", "AzureEnvironment"),
 		old.Spec.AzureEnvironment,
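Review bot: The new `TrustedCa`, `HTTPProxy` and `HTTPSProxy` fields are security-sensitive and their doc comments do not say so: a CA listed here is trusted for the cluster's connections to the proxy, so whoever controls the proxy endpoint together with that CA sits in the path of all outbound cluster traffic, and the `TrustedCa` comment also leaves the expected certificate encoding (raw PEM or base64) unspecified, so a user cannot tell what to put in the field. I would extend the comment to `// TrustedCa - Alternative CA cert to use for connecting to proxy servers. Security-sensitive: this CA is trusted for all proxied` / `// traffic; <encoding Azure expects, once confirmed against the AKS API>.` The `HTTPProxyConfig` comment should also warn that, because the field is immutable, a mistyped endpoint or wrong CA cannot be corrected without recreating the control plane. AzureManagedControlPlaneSpec's body starts outside the hunk.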
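Review bot: ValidateUpdate now rejects changes to `Spec.HTTPProxyConfig`, but nothing validates the values when they are first set, and because the field is immutable a bad endpoint or CA is stuck for the life of the control plane. I would add a create-time check (called from ValidateCreate, outside this hunk) that each non-nil `HTTPProxy`/`HTTPSProxy` parses with `url.Parse`, has an `http` or `https` scheme and a host, and that `TrustedCa` decodes in whatever encoding the AKS API expects; this needs `net/url` in the import block. Whether a nil old value may become non-nil depends on `webhookutils.ValidateImmutable`, which is not visible here; if it permits nil→set, a proxy can still be introduced on a running cluster, and that should be a deliberate, documented decision. ValidateUpdate's body starts and ends outside the hunk.
```go
// validateHTTPProxyConfig rejects proxy endpoints that are not http/https URLs with a host.
// The field is immutable after creation, so create time is the only chance to catch a typo.
func validateHTTPProxyConfig(cfg *HTTPProxyConfig, fldPath *field.Path) field.ErrorList {
	var allErrs field.ErrorList
	if cfg == nil {
		return allErrs
	}
	endpoints := []struct {
		name string
		val  *string
	}{{"HTTPProxy", cfg.HTTPProxy}, {"HTTPSProxy", cfg.HTTPSProxy}}
	for _, ep := range endpoints {
		if ep.val == nil {
			continue
		}
		u, err := url.Parse(*ep.val)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			allErrs = append(allErrs, field.Invalid(fldPath.Child(ep.name), *ep.val, "must be an http or https URL with a host"))
		}
	}
	return allErrs
}
```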
diff --git a/api/v1beta1/azuremanagedcontrolplane_webhook_test.go b/api/v1beta1/azuremanagedcontrolplane_webhook_test.go index 3e11553d02c8..1974fce10d7b 100644 --- a/api/v1beta1/azuremanagedcontrolplane_webhook_test.go +++ b/api/v1beta1/azuremanagedcontrolplane_webhook_test.go @@ -1302,6 +1302,36 @@ func TestAzureManagedControlPlane_ValidateUpdate(t *testing.T) { }, wantErr: true, }, + { + name: "AzureManagedControlPlane HTTPProxyConfig is immutable", + oldAMCP: &AzureManagedControlPlane{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + }, + Spec: AzureManagedControlPlaneSpec{ + HTTPProxyConfig: &HTTPProxyConfig{ + HTTPProxy: pointer.String("http://1.2.3.4:8080"), + HTTPSProxy: pointer.String("https://5.6.7.8:8443"), + NoProxy: &[]string{"endpoint1", "endpoint2"}, + TrustedCa: pointer.String("ca"), + }, + }, + }, + amcp: &AzureManagedControlPlane{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + }, + Spec: AzureManagedControlPlaneSpec{ + HTTPProxyConfig: &HTTPProxyConfig{ + HTTPProxy: pointer.String("http://10.20.3.4:8080"), + HTTPSProxy: pointer.String("https://5.6.7.8:8443"), + NoProxy: &[]string{"endpoint1", "endpoint2"}, + TrustedCa: pointer.String("ca"), + }, + }, + }, + wantErr: true, + }, } for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 9ba0ecc6ce36..53afb5786226 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -1232,6 +1232,11 @@ func (in *AzureManagedControlPlaneSpec) DeepCopyInto(out *AzureManagedControlPla *out = new(Identity) **out = **in } + if in.HTTPProxyConfig != nil { + in, out := &in.HTTPProxyConfig, &out.HTTPProxyConfig + *out = new(HTTPProxyConfig) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureManagedControlPlaneSpec. 
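Review bot: The new case only covers changing `HTTPProxy` on an object that already had a proxy config; it does not pin the two transitions that matter most for redirecting cluster egress, nil→set and set→nil. Whether `webhookutils.ValidateImmutable` treats a nil old value as settable is not visible here, so add one case with `oldAMCP.Spec.HTTPProxyConfig` nil and `amcp` setting it, and one with the reverse, each with `wantErr` chosen to match the intended policy rather than whatever the helper happens to do today. A third case that changes only `NoProxy` (held as a `*[]string`) would confirm the comparison sees through the pointer to the slice contents. The test table starts outside the hunk.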
@@ -1857,6 +1862,45 @@ func (in Futures) DeepCopy() Futures { return *out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPProxyConfig) DeepCopyInto(out *HTTPProxyConfig) { + *out = *in + if in.HTTPProxy != nil { + in, out := &in.HTTPProxy, &out.HTTPProxy + *out = new(string) + **out = **in + } + if in.HTTPSProxy != nil { + in, out := &in.HTTPSProxy, &out.HTTPSProxy + *out = new(string) + **out = **in + } + if in.NoProxy != nil { + in, out := &in.NoProxy, &out.NoProxy + *out = new([]string) + if **in != nil { + in, out := *in, *out + *out = make([]string, len(*in)) + copy(*out, *in) + } + } + if in.TrustedCa != nil { + in, out := &in.TrustedCa, &out.TrustedCa + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPProxyConfig. +func (in *HTTPProxyConfig) DeepCopy() *HTTPProxyConfig { + if in == nil { + return nil + } + out := new(HTTPProxyConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IPTag) DeepCopyInto(out *IPTag) { *out = *in diff --git a/azure/scope/managedcontrolplane.go b/azure/scope/managedcontrolplane.go index 9bd328d048fc..f1b751684c66 100644 --- a/azure/scope/managedcontrolplane.go +++ b/azure/scope/managedcontrolplane.go @@ -565,6 +565,15 @@ func (s *ManagedControlPlaneScope) ManagedClusterSpec() azure.ResourceSpecGetter } } + if s.ControlPlane.Spec.HTTPProxyConfig != nil { + managedClusterSpec.HTTPProxyConfig = &managedclusters.HTTPProxyConfig{ + HTTPProxy: s.ControlPlane.Spec.HTTPProxyConfig.HTTPProxy, + HTTPSProxy: s.ControlPlane.Spec.HTTPProxyConfig.HTTPSProxy, + NoProxy: s.ControlPlane.Spec.HTTPProxyConfig.NoProxy, + TrustedCa: s.ControlPlane.Spec.HTTPProxyConfig.TrustedCa, + } + } + return &managedClusterSpec } 
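Review bot: The four fields are copied as pointers straight out of `s.ControlPlane.Spec.HTTPProxyConfig`, so `managedClusterSpec.HTTPProxyConfig` aliases the AzureManagedControlPlane object — including the backing array of the `NoProxy` slice — instead of holding its own copy; if anything downstream normalises or mutates the spec, it writes through to the object the controller read from its cache. The diff already generates `HTTPProxyConfig.DeepCopy()`, so decoupling is one line: `cfg := s.ControlPlane.Spec.HTTPProxyConfig.DeepCopy()` and then populate the struct from `cfg.HTTPProxy`, `cfg.HTTPSProxy`, `cfg.NoProxy`, `cfg.TrustedCa`. ManagedClusterSpec's body starts and ends outside the hunk.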
diff --git a/azure/services/managedclusters/spec.go b/azure/services/managedclusters/spec.go
index ad2e9c109c93..8c92a37b4372 100644
--- a/azure/services/managedclusters/spec.go
+++ b/azure/services/managedclusters/spec.go
@@ -113,6 +113,21 @@ type ManagedClusterSpec struct {
 
 	// KubeletUserAssignedIdentity is the user-assigned identity for kubelet to authenticate to ACR.
 	KubeletUserAssignedIdentity string
+
+	// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+	HTTPProxyConfig *HTTPProxyConfig
+}
+
+// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+type HTTPProxyConfig struct {
+	// HTTPProxy - The HTTP proxy server endpoint to use.
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+	// HTTPSProxy - The HTTPS proxy server endpoint to use.
+	HTTPSProxy *string `json:"httpsProxy,omitempty"`
+	// NoProxy - The endpoints that should not go through proxy.
+	NoProxy *[]string `json:"noProxy,omitempty"`
+	// TrustedCa - Alternative CA cert to use for connecting to proxy servers.
+	TrustedCa *string `json:"trustedCa,omitempty"`
 }
 
 // AADProfile is Azure Active Directory configuration to integrate with AKS, for aad authentication.
@@ -414,6 +429,15 @@ func (s *ManagedClusterSpec) Parameters(ctx context.Context, existing interface{
 		}
 	}
 
+	if s.HTTPProxyConfig != nil {
+		managedCluster.HTTPProxyConfig = &containerservice.ManagedClusterHTTPProxyConfig{
+			HTTPProxy:  s.HTTPProxyConfig.HTTPProxy,
+			HTTPSProxy: s.HTTPProxyConfig.HTTPSProxy,
+			NoProxy:    s.HTTPProxyConfig.NoProxy,
+			TrustedCa:  s.HTTPProxyConfig.TrustedCa,
+		}
+	}
+
 	if existing != nil {
 		existingMC, ok := existing.(containerservice.ManagedCluster)
 		if !ok {
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml
index a0a60c332eab..4ae5db714771 100644
--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml
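Review bot: The internal `HTTPProxyConfig` struct carries `json:` tags while the enclosing `ManagedClusterSpec` fields visible in the hunk (`KubeletUserAssignedIdentity string`) have none, and `NoProxy *[]string` is a pointer to a slice where a plain `[]string` already expresses "absent" as nil; both look like the SDK shape leaking into the service-level type. Unless this struct is serialised somewhere not shown here, I would drop the tags and use `NoProxy []string`, converting to `*[]string` only at the SDK boundary. ManagedClusterSpec's body starts outside the hunk.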
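Review bot: When `s.HTTPProxyConfig` is non-nil but all four inner fields are nil, this branch sends an empty `ManagedClusterHTTPProxyConfig{}` to Azure; whether the AKS API accepts, ignores or rejects that is not visible here, so a guard such as `if s.HTTPProxyConfig != nil && (s.HTTPProxyConfig.HTTPProxy != nil || s.HTTPProxyConfig.HTTPSProxy != nil)` (or create-time validation requiring at least one endpoint) would make the behaviour explicit. The four-line field copy also duplicates the one in ManagedControlPlaneScope.ManagedClusterSpec; a single `func (c *HTTPProxyConfig) toSDK() *containerservice.ManagedClusterHTTPProxyConfig` on the spec type would keep the conversion in one place. Parameters' body starts and ends outside the hunk.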
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml @@ -244,6 +244,27 @@ spec: DNS service. It must be within the Kubernetes service address range specified in serviceCidr. Immutable. type: string + httpProxyConfig: + description: HTTPProxyConfig is the HTTP proxy configuration for the + cluster. Immutable. + properties: + httpProxy: + description: HTTPProxy - The HTTP proxy server endpoint to use. + type: string + httpsProxy: + description: HTTPSProxy - The HTTPS proxy server endpoint to use. + type: string + noProxy: + description: NoProxy - The endpoints that should not go through + proxy. + items: + type: string + type: array + trustedCa: + description: TrustedCa - Alternative CA cert to use for connecting + to proxy servers. + type: string + type: object identity: description: Identity configuration used by the AKS control plane. properties: