AKS cluster cannot create succeed in own vnet/subnet

Question

AKS cluster cannot create succeed in own vnet/subnet

Nolan Le 30

ProvisioningState/failed/VMExtensionProvisioningError

Nolan Le 30 Reputation points

2025-02-12T03:15:51.0333333+00:00

ProvisioningState/failed/VMExtensionProvisioningError
Mounika Reddy Anumandla 6,845 Reputation points Microsoft External Staff Moderator

2025-02-12T03:30:26.5966667+00:00

Hi Nolan Le,

To troubleshoot your issue effectively, I request you to provide additional information.

How are you deploying AKS? (Azure CLI, Terraform, ARM template, Bicep, Portal)

Network Security Group (NSG) attached?

If you are following any specific documents, please specify.

Is AKS using a Service Principal or Managed Identity?

Does it have Network Contributor on the VNet?

Run this command for deployment logs: az aks show --resource-group <your-rg> --name <your-aks-cluster> --output json

Thank you!

-
Nolan Le 30 Reputation points

2025-02-12T04:46:32.7966667+00:00

Hi @Mounika Reddy Anumandla , thank you for your reply. Currently, I have issues using both Terraform and Az cli to provision the AKS cluster. It take long time, and the node pool in VMSS just a loop creating => Updating => Failed (ProvisioningState/failed/VMExtensionProvisioningError)

"Is AKS using a Service Principal or Managed Identity?" => it's use principal ID
I have created an AKS cluster with the existing Vnet/Subnet, which has attached NSG and routable. But I have removed it, but I still have the error.
Nolan Le 30 Reputation points

2025-02-12T04:51:19.9633333+00:00

Hi @Mounika Reddy Anumandla , thank you for your reply
How are you deploying AKS? (Azure CLI, Terraform, ARM template, Bicep, Portal) => I use both Terraform and Az cli to deploy AKS cluster
Network Security Group (NSG) attached? => Yes, but I have remove it and try to create but still error
I found this issue but seem like cannot resolve https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/create-upgrade-delete/error-code-vmextensionprovisioningtimeout?source=recommendationsIs AKS using a Service Principal or Managed Identity? => it's Principal id
Does it have Network Contributor on the VNet? Yes
Nolan Le 30 Reputation points

2025-02-15T07:22:35.3433333+00:00

Hi @Sudheer Reddy ,

Can you help and advise me on how to resolve this issue? :(
Sudheer Reddy 2,055 Reputation points Microsoft External Staff Moderator

2025-02-15T08:11:42.1+00:00

Hi Nolan Le,

I appreciate your patience.

When i tried in my lab, i can able to provision VMSS in a node pool.

Meanwhile, can you please check with below documentation for more information regarding troubleshooting steps on VM extension provisioning errors in VMSS.

https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/availability-performance/node-not-ready-custom-script-extension-errors

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machine-scale-sets/extensions/vm-extension-provisioning-errors#read-logs-on-impacted-instances

If possible, if you have any error logs, can you please share here.

Thank You.
Nolan Le 30 Reputation points

2025-02-17T02:01:45.1733333+00:00

Hi @Sudheer Reddy , I just received this error and cannot create the AKS cluster, I have tried with these documents but cannot resolve the issue.

ProvisioningState/failed/VMExtensionProvisioningError

Accepted answer

1 additional answer

Your answer

Nolan Le 30 Reputation points

2025-02-12T03:15:51.0333333+00:00

ProvisioningState/failed/VMExtensionProvisioningError
Mounika Reddy Anumandla 6,845 Reputation points Microsoft External Staff Moderator

2025-02-12T03:30:26.5966667+00:00

Hi Nolan Le,

To troubleshoot your issue effectively, I request you to provide additional information.

How are you deploying AKS? (Azure CLI, Terraform, ARM template, Bicep, Portal)

Network Security Group (NSG) attached?

If you are following any specific documents, please specify.

Is AKS using a Service Principal or Managed Identity?

Does it have Network Contributor on the VNet?

Run this command for deployment logs: az aks show --resource-group <your-rg> --name <your-aks-cluster> --output json

Thank you!

-
Nolan Le 30 Reputation points

2025-02-12T04:46:32.7966667+00:00

Hi @Mounika Reddy Anumandla , thank you for your reply. Currently, I have issues using both Terraform and Az cli to provision the AKS cluster. It take long time, and the node pool in VMSS just a loop creating => Updating => Failed (ProvisioningState/failed/VMExtensionProvisioningError)

"Is AKS using a Service Principal or Managed Identity?" => it's use principal ID
I have created an AKS cluster with the existing Vnet/Subnet, which has attached NSG and routable. But I have removed it, but I still have the error.
Nolan Le 30 Reputation points

2025-02-12T04:51:19.9633333+00:00

Hi @Mounika Reddy Anumandla , thank you for your reply
How are you deploying AKS? (Azure CLI, Terraform, ARM template, Bicep, Portal) => I use both Terraform and Az cli to deploy AKS cluster
Network Security Group (NSG) attached? => Yes, but I have remove it and try to create but still error
I found this issue but seem like cannot resolve https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/create-upgrade-delete/error-code-vmextensionprovisioningtimeout?source=recommendationsIs AKS using a Service Principal or Managed Identity? => it's Principal id
Does it have Network Contributor on the VNet? Yes
Nolan Le 30 Reputation points

2025-02-15T07:22:35.3433333+00:00

Hi @Sudheer Reddy ,

Can you help and advise me on how to resolve this issue? :(
Sudheer Reddy 2,055 Reputation points Microsoft External Staff Moderator

2025-02-15T08:11:42.1+00:00

Hi Nolan Le,

I appreciate your patience.

When i tried in my lab, i can able to provision VMSS in a node pool.

Meanwhile, can you please check with below documentation for more information regarding troubleshooting steps on VM extension provisioning errors in VMSS.

https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/availability-performance/node-not-ready-custom-script-extension-errors

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machine-scale-sets/extensions/vm-extension-provisioning-errors#read-logs-on-impacted-instances

If possible, if you have any error logs, can you please share here.

Thank You.
Nolan Le 30 Reputation points

2025-02-17T02:01:45.1733333+00:00

Hi @Sudheer Reddy , I just received this error and cannot create the AKS cluster, I have tried with these documents but cannot resolve the issue.

ProvisioningState/failed/VMExtensionProvisioningError

Answer 1

Hi Nolan Le,

Thank you for the patience.

Please try to ensure by whitelisting this address "acs-mirror.azureedge.net" in your firewall as this address is for the repository required to download and install required binaries like kubenet and Azure CNI to overcome VMExtensionProvisioningError issues during aks cluster creation with a VMSS node pool. https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress#azure-global-required-fqdn--application-rules

User's image

Please use below documentation to create a firewall to whitelist the acs-mirror.azureedge.net address. https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic?tabs=aks-with-system-assigned-identities

Execute a curl command to verify that your nodes can download the binaries: https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/create-upgrade-delete/error-code-cnidownloadtimeoutvmextensionerror

curl https://acs-mirror.azureedge.net/cni/azure-vnet-cni-linux-amd64-v1.0.25.tgz

Please refer to the discussion issue on GitHub Tech Community for more information on similar issue VMExtensionProvisioningError for troubleshooting the error:

https://github.com/Azure/AKS/issues/4353

https://github.com/Azure/AKS/issues/4792

Sudheer Reddy 2,055 Reputation points Microsoft External Staff Moderator

2025-02-18T23:15:32.35+00:00

Hi Nolan Le,

I just wanted to follow up and check if you had a chance to review my latest response regarding your query.

If the information is helpful, please click on "Accept Answer" and "Upvote"

If you have any queries, please do let us know, we will help you.
Nolan Le 30 Reputation points

2025-02-19T13:25:43.69+00:00

Hi @Sudheer Reddy ,

Thanks for your help, your solution can help me solve the problem now.

Answer 2

Sudheer Reddy 2,055 Microsoft External Staff Moderator

Hi Nolan Le,

In continuation to above, I have tried working in my tenant its working for me as I can able to create aks cluster within existing vnet and subnet and please follow given below steps to resolve the issue -

Ensure your Service Principal have Contributor permission.

Please try to execute below command in Azure Cloud Shell.

az aks create --resource-group <your resource group name> --name <name of your aks cluster> --node-count <node count> --generate-ssh-keys --service-principal <application(client)ID> --client-secret <client secret> --network-plugin azure --vnet-subnet-id <your subnet ID> --service-cidr <service cidr> --dns-service-ip <your dns service ip>

Make sure that service cidr should not overlap with subnet cidr and dns-service-ip is an IP from the range specified in service cidr. https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/create-upgrade-delete/error-code-servicecidroverlapexistingsubnetscidr

To find out Subnet ID: User's image

If you encounter any issue during the execution of above command like "Azure subscription is not registered to use the 'Microsoft.ContainerService' namespace" try to execute below command:

az provider register --namespace Microsoft.ContainerService

and wait for some time till the registration is completed, you can check by using below command:

az provider show --namespace Microsoft.ContainerService --query registrationState

If the information is helpful, please click on "Accept Answer" and "Upvote"

If you have any queries, please do let us know, we will help you.

Nolan Le 30 Reputation points

2025-02-13T02:20:53.91+00:00

Hi @Sudheer Reddy , but the aks use network configuration Azure CNI Overlay
Network configuration

Azure CNI Overlay

Pod CIDR

10.244.0.0/16

Service CIDR

10.0.0.0/16

DNS service IP

10.0.0.10
Nolan Le 30 Reputation points

2025-02-13T02:45:18.7366667+00:00

Hi @Sudheer Reddy , but I'm just attach the vnet to aks cluster to create the nodepool inside the subnet. For the cluster I'm using Azure CNI Overlay
Network configuration

Azure CNI Overlay

Pod CIDR

10.244.0.0/16

Service CIDR

10.0.0.0/16

DNS service IP

10.0.0.10
Sudheer Reddy 2,055 Reputation points Microsoft External Staff Moderator

2025-02-13T14:39:11.39+00:00
Hi Nolan Le ,

We have noticed that you rated an answer as not helpful. We appreciate your feedback and are committed to improving your experience with the Q&A. I have worked on finding an alternative solution to address your issue.

I tried to reproduce in my lab to create an aks cluster with existing vnet by creating node pool having VMSS (Ubuntu Linux VMs) inside an existing subnet with Azure CNI Overlay network enabled without having any NSG rules.

az aks create --resource-group <your resource group> --name <name of aks cluster> --location <location> --service-principal <service principal id> --client-secret <client secret> --network-plugin azure --network-plugin-mode overlay --pod-cidr <pod cidr address> --service-cidr <service cidr address> --dns-service-ip <dns service ip> --generate-ssh-keys --vnet-subnet-id <subnet id> --node-count <no of nodes in node pool> --vm-set-type VirtualMachineScaleSets

By using above command, I can able to create aks cluster based on above inputs.

If you have any queries, please do let us know, we will assist you.
Nolan Le 30 Reputation points

2025-02-14T01:21:18.4433333+00:00

Hi @Sudheer Reddy ,

I have tried this to create the AKS cluster with Nodepool type Vmss. Still, the main issue is the instance in Vmss always loops creating => updating => failed =>recareating due to this error ProvisioningState/failed/VMExtensionProvisioningError. :(
Nolan Le 30 Reputation points

2025-02-14T02:51:00.16+00:00

This is my existing vnet/subnet
Nolan Le 30 Reputation points

2025-02-14T02:56:01.44+00:00

I think this issue related to the AKSLinuxExtension. Seem like the vmss instance cannot install this extension.

Share via

AKS cluster cannot create succeed in own vnet/subnet

1 additional answer

Your answer