How to deploy azure aks on private subnet without internet and allow the public access for the specific IPaddress

Question

How to deploy azure aks on private subnet without internet and allow the public access for the specific IPaddress

Ekambaram 0

We have deployed the AKS in private subnet without internet and below outbound rule in our NSG.
443 - azure cloud  
443 - mcr.microsoft.com (allowed these 2 ips 150.171.70.10,150.171.69.10) for coredns, kubeproxy

I believe these two IP addresses will change in the future. What would be the best approach to add rules for CoreDNS and kube-proxy? Could you please share your insights?

Please share the step by steps details to do it in Azure console.

Dharani Reguri 425 Reputation points Microsoft External Staff

2025-04-23T13:32:09.3366667+00:00
Hi Ekambaram,

I understand that you are trying to deploy an Azure Kubernetes Service (AKS) cluster on a private subnet without internet access and you want to allow egress traffic to mcr.microsoft.com over port 443 so that the nodes can pull these required images.

Here are the steps for creating private AKS cluster:

Create a VNET, Subnet and also create a Network Security Group with outbound access rules to Azure container registry and Azure cloud using the service tags.

We use Azure cloud service tag to allows your AKS cluster to communicate with various Azure services, including CoreDNS and kube-proxy and AzureContainerRegistry ensures that your AKS cluster can pull images from the Azure Container Registry (mcr.microsoft.com), which is necessary for deploying and running containers.

While creating NSG outbound rules, select the source as VNET and Destination as service tag - AzureContainerRegistry and AzureCloud.

Attach a NSG to the subnet.

Create a private AKS cluster by selecting the "Enabling Private Cluster" and select the VNET and subnet you have created for it.

Please refer to the document below about the private AKS cluster creation.

https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=default-basic-networking%2Cazure-portal#options-for-connecting-to-the-private-cluster

Please let me know if you have any questions.

Thank you.
Ekambaram V 0 Reputation points

2025-04-24T09:17:04.41+00:00

Hi Dharani,

Please check the below details and help to solve the problem.

Problem: -

While creating an Azure Kubernetes Service (AKS), we are selecting the option "Public access enabled with listed IPs" (including our local IPs) and configuring it with a private subnet.

NSG: -

Error: -

"code": "VMExtensionProvisioningError",

"message": "CSE failed with 'VMExtensionError_OutBoundConnFail', which means the agents are unable to establish outbound connection, please see https://aka.ms/aks/vmextensionerror_outboundconnfail and https://aka.ms/aks-required-ports-and-addresses for more information."

Your answer

Dharani Reguri 425 Reputation points Microsoft External Staff

2025-04-23T13:32:09.3366667+00:00

Hi Ekambaram,

I understand that you are trying to deploy an Azure Kubernetes Service (AKS) cluster on a private subnet without internet access and you want to allow egress traffic to mcr.microsoft.com over port 443 so that the nodes can pull these required images.

Here are the steps for creating private AKS cluster:

Create a VNET, Subnet and also create a Network Security Group with outbound access rules to Azure container registry and Azure cloud using the service tags.

We use Azure cloud service tag to allows your AKS cluster to communicate with various Azure services, including CoreDNS and kube-proxy and AzureContainerRegistry ensures that your AKS cluster can pull images from the Azure Container Registry (mcr.microsoft.com), which is necessary for deploying and running containers.

While creating NSG outbound rules, select the source as VNET and Destination as service tag - AzureContainerRegistry and AzureCloud.

Attach a NSG to the subnet.

Create a private AKS cluster by selecting the "Enabling Private Cluster" and select the VNET and subnet you have created for it.

Please refer to the document below about the private AKS cluster creation.

https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=default-basic-networking%2Cazure-portal#options-for-connecting-to-the-private-cluster

Please let me know if you have any questions.

Thank you.
Ekambaram V 0 Reputation points

2025-04-24T09:17:04.41+00:00

Hi Dharani,

Please check the below details and help to solve the problem.

Problem: -

While creating an Azure Kubernetes Service (AKS), we are selecting the option "Public access enabled with listed IPs" (including our local IPs) and configuring it with a private subnet.

NSG: -

Error: -

"code": "VMExtensionProvisioningError",

"message": "CSE failed with 'VMExtensionError_OutBoundConnFail', which means the agents are unable to establish outbound connection, please see https://aka.ms/aks/vmextensionerror_outboundconnfail and https://aka.ms/aks-required-ports-and-addresses for more information."

Share via

How to deploy azure aks on private subnet without internet and allow the public access for the specific IPaddress

Your answer