diff --git a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
index 229abcb7492..d724822e57f 100644
--- a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
+++ b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
@@ -71,6 +71,7 @@ def __init__(self):
         self.sslCertPemFile = 'sslCertPemFile'
         self.allowInsecureConnections = 'allowInsecureConnections'
         self.privateEndpointILB = 'privateEndpointILB'
+        self.privateEndpointNodeport  = 'privateEndpointNodeport'
 
         # reference mapping
         self.reference_mapping = {
@@ -189,7 +190,7 @@ def __validate_config(self, configuration_settings, configuration_protected_sett
 
     def __validate_scoring_fe_settings(self, configuration_settings, configuration_protected_settings):
         experimentalCluster = _get_value_from_config_protected_config(
-            'experimental', configuration_settings, configuration_protected_settings)
+            'inferenceLoadBalancerHA', configuration_settings, configuration_protected_settings)
         experimentalCluster = str(experimentalCluster).lower() == 'true'
         if experimentalCluster:
             configuration_settings['clusterPurpose'] = 'DevTest'
@@ -206,13 +207,23 @@ def __validate_scoring_fe_settings(self, configuration_settings, configuration_p
                 "Otherwise explicitly allow insecure connection by specifying "
                 "'--configuration-settings allowInsecureConnections=true'")
 
+        feIsNodePort = _get_value_from_config_protected_config(
+            self.privateEndpointNodeport, configuration_settings, configuration_protected_settings)
+        feIsNodePort = str(feIsNodePort).lower() == 'true'
         feIsInternalLoadBalancer = _get_value_from_config_protected_config(
             self.privateEndpointILB, configuration_settings, configuration_protected_settings)
         feIsInternalLoadBalancer = str(feIsInternalLoadBalancer).lower() == 'true'
-        if feIsInternalLoadBalancer:
+
+        if feIsNodePort and feIsInternalLoadBalancer:
+            raise InvalidArgumentValueError(
+                "Specify either privateEndpointNodeport=true or privateEndpointILB=true, but not both.")
+        elif feIsNodePort:
+            configuration_settings['scoringFe.serviceType.nodePort'] = feIsNodePort
+        elif feIsInternalLoadBalancer:
+            configuration_settings['scoringFe.serviceType.internalLoadBalancer'] = feIsInternalLoadBalancer
             logger.warning(
                 'Internal load balancer only supported on AKS and AKS Engine Clusters.')
-            configuration_protected_settings['scoringFe.%s' % self.privateEndpointILB] = feIsInternalLoadBalancer
+            
 
     def __set_up_inference_ssl(self, configuration_settings, configuration_protected_settings):
         allowInsecureConnections = _get_value_from_config_protected_config(
@@ -225,12 +236,12 @@ def __set_up_inference_ssl(self, configuration_settings, configuration_protected
             with open(feSslCertFile) as f:
                 cert_data = f.read()
                 cert_data_bytes = cert_data.encode("ascii")
-                ssl_cert = base64.b64encode(cert_data_bytes)
+                ssl_cert = base64.b64encode(cert_data_bytes).decode()
                 configuration_protected_settings['scoringFe.sslCert'] = ssl_cert
             with open(feSslKeyFile) as f:
                 key_data = f.read()
                 key_data_bytes = key_data.encode("ascii")
-                ssl_key = base64.b64encode(key_data_bytes)
+                ssl_key = base64.b64encode(key_data_bytes).decode()
                 configuration_protected_settings['scoringFe.sslKey'] = ssl_key
         else:
             logger.warning(
diff --git a/src/k8s-extension/azext_k8s_extension/tests/latest/test_azureml_extension.py b/src/k8s-extension/azext_k8s_extension/tests/latest/test_azureml_extension.py
index 26d0b85abfb..6814a578398 100644
--- a/src/k8s-extension/azext_k8s_extension/tests/latest/test_azureml_extension.py
+++ b/src/k8s-extension/azext_k8s_extension/tests/latest/test_azureml_extension.py
@@ -25,7 +25,7 @@ def test_set_up_inference_ssl(self):
         self.assertTrue('scoringFe.sslCert' in protected_config)
         self.assertTrue('scoringFe.sslKey' in protected_config)
         encoded_cert_and_key_file = os.path.join(TEST_DIR, 'data', 'azure_ml', 'cert_and_key_encoded.txt')
-        with open(encoded_cert_and_key_file, "rb") as text_file:
+        with open(encoded_cert_and_key_file, "r") as text_file:
             cert = text_file.readline().rstrip()
             self.assertEquals(cert, protected_config['scoringFe.sslCert'])
             key = text_file.readline()
diff --git a/testing/test/extensions/public/AzureMLKubernetes.Tests.ps1 b/testing/test/extensions/public/AzureMLKubernetes.Tests.ps1
index 77b1cbdb343..ac5573ad955 100644
--- a/testing/test/extensions/public/AzureMLKubernetes.Tests.ps1
+++ b/testing/test/extensions/public/AzureMLKubernetes.Tests.ps1
@@ -107,7 +107,7 @@ Describe 'AzureML Kubernetes Testing' {
     }
 
     It 'Creates the extension and checks that it onboards correctly with inference enabled' {
-        Invoke-Expression "az $Env:K8sExtensionName create -c $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --cluster-type connectedClusters --extension-type $extensionType -n $extensionName --release-train staging --config enableInference=true identity.proxy.remoteEnabled=True identity.proxy.remoteHost=https://master.experiments.azureml-test.net allowInsecureConnections=True clusterPurpose=DevTest" -ErrorVariable badOut
+        Invoke-Expression "az $Env:K8sExtensionName create -c $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --cluster-type connectedClusters --extension-type $extensionType -n $extensionName --release-train staging --config enableInference=true identity.proxy.remoteEnabled=True identity.proxy.remoteHost=https://master.experiments.azureml-test.net allowInsecureConnections=True inferenceLoadBalancerHA=true" -ErrorVariable badOut
         $badOut | Should -BeNullOrEmpty        
 
         $output = Invoke-Expression "az $Env:K8sExtensionName show -c $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --cluster-type connectedClusters -n $extensionName" -ErrorVariable badOut
@@ -154,7 +154,7 @@ Describe 'AzureML Kubernetes Testing' {
     It 'Creates the extension and checks that it onboards correctly with inference and SSL enabled' {
         $sslKeyPemFile = Join-Path (Join-Path (Join-Path (Split-Path $PSScriptRoot -Parent) "data") "azure_ml") "test_key.pem"
         $sslCertPemFile = Join-Path (Join-Path (Join-Path (Split-Path $PSScriptRoot -Parent) "data") "azure_ml") "test_cert.pem"
-        Invoke-Expression "az $Env:K8sExtensionName create -c $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --cluster-type connectedClusters --extension-type $extensionType -n $extensionName --release-train staging --config enableInference=true identity.proxy.remoteEnabled=True identity.proxy.remoteHost=https://master.experiments.azureml-test.net experimental=True --config-protected sslKeyPemFile=$sslKeyPemFile sslCertPemFile=$sslCertPemFile" -ErrorVariable badOut
+        Invoke-Expression "az $Env:K8sExtensionName create -c $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --cluster-type connectedClusters --extension-type $extensionType -n $extensionName --release-train staging --config enableInference=true identity.proxy.remoteEnabled=True identity.proxy.remoteHost=https://master.experiments.azureml-test.net inferenceLoadBalancerHA=True --config-protected sslKeyPemFile=$sslKeyPemFile sslCertPemFile=$sslCertPemFile" -ErrorVariable badOut
         $badOut | Should -BeNullOrEmpty        
 
         $output = Invoke-Expression "az $Env:K8sExtensionName show -c $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --cluster-type connectedClusters -n $extensionName" -ErrorVariable badOut