Diagnosing Intermittent Connectivity Issues to Specific External Endpoint from AKS Cluster

Question

Diagnosing Intermittent Connectivity Issues to Specific External Endpoint from AKS Cluster

Piotr Grochowski 0

We have an AKS cluster experiencing intermittent connection timeouts (30-35 seconds) when connecting to a specific external HTTPS endpoint, while all other external endpoints work perfectly. We have a second AKS cluster with identical configuration that connects to the same endpoint without issues.

Environment:

Azure Kubernetes Service (AKS)
Network: Azure CNI with Overlay mode
Outbound: NAT Gateway
Region: UK South
8 nodes across multiple node pools

Symptoms:

~50% of requests timeout after 30-35 seconds
DNS resolution is fast (<20ms)
TCP connection establishes quickly (<20ms)
SSL/TLS handshake completes successfully
Data transfer phase either times out or takes 3-30+ seconds
Other external endpoints (Google, GitHub, etc.) work consistently with 50-70ms response times

What We've Tried:

Increased NAT Gateway idle timeout to 30 minutes
Verified no SNAT port exhaustion
Tested from multiple pods across different nodes
Confirmed the endpoint works from our other AKS cluster
Ruled out application-level issues (same code works on other cluster)

Question: Since traditional network diagnostic tools like traceroute and mtr don't work well from within containers/Kubernetes, what Azure-native tools or methods can we use to:

Trace the network path from AKS pods to external endpoints?
Identify where packet loss or delays occur?
Determine if there's an Azure networking layer issue between our cluster and this specific destination?

Are there Azure Network Watcher tools, diagnostic logs, or specific kubectl/Azure CLI commands that would help diagnose this type of intermittent connectivity issue to a specific external endpoint?

Ankit Yadav 14,005 Reputation points Microsoft External Staff Moderator

2025-12-16T12:14:42.5366667+00:00
Hello @Piotr Grochowski ,

While we’re checking out networking options and troubleshooting connectivity, could you run the commands below to verify if the AKS network configurations look good (in case you haven’t tried them yet).

From inside your cluster, try below commands for pod-level diagnosis:

# Test DNS resolution kubectl run -it --image=busybox --restart=Never -- nslookup <external-endpoint> # Test connectivity with detailed output kubectl run -it --image=curlimages/curl --restart=Never -- curl -v -I --connect-timeout 10 --max-time 45 https://<external-endpoint> # Monitor TCP connection states during timeout kubectl exec <pod-name> -- watch -n 1 'netstat -an | grep <external-endpoint-ip>'

Can you spin up a test VM in the same virtual network as your AKS cluster and then use it to test connectivity to the external endpoint. This can help determine if the issue is network-related or specific to the AKS pods.

curl -Iv https://<your-external-endpoint>

Try AKS Diagnostics tool in Azure Portal and review it's report to see if it helps to resolve the issue. For more details, kindly refer the example scenario on how to use it as shown here: https://learn.microsoft.com/en-us/azure/aks/aks-diagnostics#example-scenario-diagnose-connectivity-issues

3 answers

Your answer

Ankit Yadav 14,005 Reputation points Microsoft External Staff Moderator

2025-12-16T12:14:42.5366667+00:00

Hello @Piotr Grochowski ,

While we’re checking out networking options and troubleshooting connectivity, could you run the commands below to verify if the AKS network configurations look good (in case you haven’t tried them yet).

From inside your cluster, try below commands for pod-level diagnosis:

# Test DNS resolution kubectl run -it --image=busybox --restart=Never -- nslookup <external-endpoint> # Test connectivity with detailed output kubectl run -it --image=curlimages/curl --restart=Never -- curl -v -I --connect-timeout 10 --max-time 45 https://<external-endpoint> # Monitor TCP connection states during timeout kubectl exec <pod-name> -- watch -n 1 'netstat -an | grep <external-endpoint-ip>'

Can you spin up a test VM in the same virtual network as your AKS cluster and then use it to test connectivity to the external endpoint. This can help determine if the issue is network-related or specific to the AKS pods.

curl -Iv https://<your-external-endpoint>

Try AKS Diagnostics tool in Azure Portal and review it's report to see if it helps to resolve the issue. For more details, kindly refer the example scenario on how to use it as shown here: https://learn.microsoft.com/en-us/azure/aks/aks-diagnostics#example-scenario-diagnose-connectivity-issues

Answer 1

Hello @Piotr Grochowski

The AKS cluster is experiencing intermittent timeouts only when connecting to a specific external HTTPS endpoint, while all other endpoints (Google, GitHub, etc.) respond normally.

This usually happens due to underlying Azure networking components such as:

NAT Gateway flow issues
Overlay + CNI datapath inefficiencies
Asymmetric routing
MTU / packet fragmentation issues
SNAT port behavior with intermittent flows

Your second identical AKS cluster connects perfectly, which proves the external service is not the problem — it's specific to the networking path of this one cluster.

Steps to Diagnose & Resolve

Step 1 : Validate Basic Pod‑Level Connectivity

Run tests from multiple pods across node pools:

kubectl run -it --image=busybox --restart=Never -- nslookup <external-endpoint>
kubectl run -it --image=curlimages/curl --restart=Never -- curl -v -I --connect-timeout 10 --max-time 45 https://<external-endpoint>
kubectl exec <pod-name> -- watch -n 1 'netstat -an | grep <endpoint-ip>'

Step 2: Compare Traffic Flow From a VM in Same VNet

Spin up a small test VM in the same subnet/VNet and run:

curl -v https://endpoint
mtr or traceroute

Step 3: Use Azure Network Watcher Tools

verify IP Flow

Checks whether traffic is allowed or blocked.

Troubleshoot Connectivity:
Shows full hops, packet behavior, and delay points.

Packet capture (Pcaps)(Vm or Vnet level)
Used when user insist on deep inspection.(Mostly Used)

**NSG flow and Insights
**To track whether flow resets or drops are occurring.

Step 4: Check NAT Gateway Behavior

Raise idle timeout to 30 minutes (already verified)
Validate SNAT ports are not getting reused
Validate no asymmetric routing

Step 5: MTU / Fragmentation Testing

Commands to test:

ping <endpoint-ip> -M do -s 1350

If failures begin at higher payloads > MTU mismatch likely.

Step 6: Compare with any Known Good Cluster

Since a second AKS cluster works fine, compare:

Node pool OS versions
Underlying VNet/subnet routing tables
NAT Gateway associations
UDRs
Network policies

This comparison has solved multiple internal cases.

Reference links

https://learn.microsoft.com/en-us/azure/aks/aks-diagnostics#example-scenario-diagnose-connectivity-issues
https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/azure/azure-kubernetes/connectivity/basic-troubleshooting-outbound-connections.md

https://learn.microsoft.com/en-us/azure/architecture/operator-guides/aks/troubleshoot-network-aks

https://docs.azure.cn/en-us/aks/aks-diagnostics

Thanks,
Manish Deshpande

Answer 2

Piotr Grochowski 0

as I shared earlier, we're not experiencing any DNS issues and AKS Diagnostics tool is showing there's no problems within the cluster

Ankit Yadav 14,005 Reputation points Microsoft External Staff Moderator

2025-12-16T18:15:14.1933333+00:00
Hey @Piotr Grochowski , Thanks for sharing your feedback, could you please answer our below queries that could help us understand more about your cluster.

Please confirm if this suddenly started in a pre-working setup after some updates/changes to the cluster or it's a new setup where you are observing the intermittent timeouts?

Also, were you able to test out the same from a test VM to the external IP address? Did it throw any timeout?

What kind of application you are running inside the AKS cluster? Does it store logs/exceptions while the timeout throws?

How frequent are the timeouts? Are they random or periodic in nature?

Please confirm if you are you using Azure CNI in your AKS setup?
Manish Deshpande 5,745 Reputation points Microsoft External Staff Moderator

2025-12-22T09:01:16.43+00:00

Hello @Piotr Grochowski

I just wanted to kindly follow up to check if you had a chance to review the earlier response. Please feel free to reach out if you have any additional questions or need further clarification. This information can help us to understand the issue better.
Manish Deshpande 5,745 Reputation points Microsoft External Staff Moderator

2025-12-23T02:41:10.2666667+00:00

Hello @Piotr Grochowski

I just wanted to kindly follow up to check if you had a chance to review the earlier response. Please feel free to reach out if you have any additional questions or need further clarification. This information can help us to understand the issue better. Can we connect over a call to fix this issue. I have requested few details over the private message.

Answer 3

To diagnose intermittent connectivity issues from your AKS cluster to a specific external endpoint, you can utilize several Azure-native tools and methods:

Azure Network Watcher: This service provides various tools to monitor and diagnose network issues in Azure. You can use the following features:
- Connection Troubleshoot: This tool helps you check the connectivity between your AKS pods and external endpoints. You can specify the source (your AKS cluster) and the destination (the external endpoint) to see if the connection is successful.
- Network Performance Monitor: This tool can help you monitor the performance of your network and identify any latency or packet loss issues over time.
Diagnosing Packet Loss or Delays: You can use the Network Watcher to run a Packet Capture on your AKS cluster. This will allow you to capture packets and analyze them for any signs of loss or delays. You can also check the Network Security Group (NSG) flow logs to see if any traffic is being blocked or dropped.
Azure CLI Commands: You can use the Azure CLI to run commands that provide insights into your network setup. For example:
- Use az network watcher show-subscription-flow-log to check the flow logs for your subscription, which can help identify issues in the network path.
- Use az aks show to verify the configuration of your AKS cluster and ensure that the outbound type and NAT Gateway settings are correct.
Kubernetes Commands: You can also run diagnostics from within your AKS pods:
- Use kubectl exec to run commands like curl or nslookup from within your pods to test connectivity and DNS resolution directly.
- Consider deploying a debugging pod with tools like tcpdump or iperf to gather more detailed network metrics.

These tools and methods should help you trace the network path, identify packet loss or delays, and determine if there are any Azure networking layer issues affecting your connectivity to the specific external endpoint.

References:

Share via

Diagnosing Intermittent Connectivity Issues to Specific External Endpoint from AKS Cluster

3 answers

Your answer