
Azure AKS Outbound IP Scaling for Dual stack

Rajat Garg 10 Reputation points Microsoft Employee
2026-04-23T05:34:00.22+00:00

Hi,

We have an AKS setup where we use Load Balancer as the outbound type and have 1 Public IPv4 and 1 Public IPv6. These Public IPs have IP tags (service tag) attached as well.

Now we are looking to scale our system, and to avoid SNAT port exhaustion we are trying to add 2 new Public IPv4 addresses (I confirm that these two new Public IPv4 addresses have already been created). When we deploy this setup, we get the error below:

Status: Failed Error: Code: InvalidLoadBalancerProfileAllocatedOutboundPorts Message: Load balancer profile allocated ports 3096 is not in an allowable range given the number of nodes and IPs provisioned. Total node count 62 requires 191952 ports but only 64000 ports are available given 1 outbound public IPs. Refer to https://aka.ms/aks/InvalidLoadBalancerProfileAllocatedOutboundPorts for more details. Surge nodes would also consume additional ports, please consider use smaller maxSurge or use maxUnavailable, details: https://aka.ms/aks/maxUnavailable. Target: networkProfile.loadBalancerProfile.allocatedOutboundPorts Help Link: https://aka.ms/ev2/errors/troubleshooting

Though we now have 3 Public IPv4 and 1 Public IPv6, the Resource Provider is still counting 1 outbound public IP. Can you let us know the reason for this?

We tried a different approach as well, where we replace the load balancer with NAT Gateway, but we are seeing two limitations.

If we move to NAT Gateway, then only StandardV2 NAT Gateway supports both IPv4 and IPv6, but there are

  1. Custom IP prefixes (BYOIP public IPs) aren't supported with StandardV2 NAT Gateway - In our service we use Service Tags for Public IPs
  2. StandardV2 is not available in all regions https://learn.microsoft.com/en-us/azure/nat-gateway/nat-sku 

Can you please help with these issues.

Azure Kubernetes Service


Answer recommended by moderator

Rajat Garg 10 Reputation points Microsoft Employee
2026-04-24T10:41:30.8533333+00:00

I checked internally with Microsoft experts, and we identified that IPv6 addresses also need to be included. In a dual-stack setup, the Load Balancer invokes the validation function twice—once for IPv4 and once for IPv6.

After updating the configuration to include 3 public IPv4 and 3 public IPv6 addresses, the deployment completed successfully.

2 people found this answer helpful.

3 additional answers

  1. Vinodh247-1375 42,776 Reputation points Volunteer Moderator
    2026-04-23T10:46:04.54+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    AKS is still counting only one outbound IPv4 because your additional public IPs are not actually attached to the load balancer outbound rule.

    In AKS with outboundType = loadBalancer, simply creating extra public IPs does not increase SNAT capacity. Those IPs must be explicitly associated in the loadBalancerProfile.outboundIPs or outboundIPPrefixes. If that is not done (or not updated correctly), the resource provider continues to use only the original IP, which is why you see “1 outbound public IP” and only 64,000 ports.

    That error calculation confirms it: 62 nodes × 3096 ports ≈ 191,952 required ports, but only 64,000 available -> exactly one IP worth of SNAT.

    Why your new IPs are ignored:

    • They are created, but not linked to the AKS managed load balancer outbound rule
    • Or you are using managed outbound IPs and did not switch to explicit outbound IP configuration
    • Or the update did not reconcile due to existing LB profile constraints

    It is better to update the AKS cluster to explicitly include all 3 IPv4 addresses in the outbound profile. Once correctly attached, SNAT capacity scales linearly (3 IPs ≈ 192,000 ports), and the error will go away.

    On the NAT Gateway side, your observations are correct and this is the tradeoff:

    • Standard NAT Gateway (recommended) -> IPv4 only, supports BYOIP and service tags
    • StandardV2 NAT Gateway -> dual stack (IPv4 + IPv6), but no BYOIP and limited regional availability

    So your decision is architectural:

    • If dual stack + IPv6 outbound is mandatory -> you are constrained to StandardV2 NAT Gateway (with limitations)
    • If SNAT scale and flexibility (BYOIP, service tags) matter more -> stay with Load Balancer or move to standard NAT Gateway (IPv4 only)

    To sum up: your current issue is not a platform bug. It is a configuration gap where AKS is not actually using the additional outbound IPs. Fix the load balancer outbound profile, and your scaling problem will be resolved.

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.



  2. kagiyama yutaka 3,430 Reputation points
    2026-04-23T09:01:36.8766667+00:00

    I think that… AKS only counts the IPv4s you put in node‑rg→LB→OutboundIPs, so add all PIPs there and Save… if it still won’t update, recreate the LB profile once.


  3. Jilakara Hemalatha 13,945 Reputation points Microsoft External Staff Moderator
    2026-04-23T07:23:28.4833333+00:00

    Hello Rajat,

    Based on the information provided, the error you are encountering is related to SNAT port validation in AKS when using the Load Balancer outbound type. In this model, outbound traffic from the cluster uses Source Network Address Translation (SNAT), where each IPv4 public IP provides approximately 64,000 ports. IPv6 traffic is handled separately and does not contribute to the IPv4 SNAT port pool, which is why only IPv4 addresses are considered in this calculation.

    AKS validates whether the combination of node count, number of outbound IPv4 IPs, and allocatedOutboundPorts forms a supported configuration using the following relationship:

    64,000 × (number of outbound IPv4 IPs) ÷ allocatedOutboundPorts ≥ total nodes (including surge)

    The InvalidLoadBalancerProfileAllocatedOutboundPorts error occurs when this condition is not met.

    In addition, we note that the error message indicates only one outbound IPv4 IP is being considered. Since multiple IPv4 IPs are configured in your load balancer profile, this is something we would like to validate further to ensure all IPs are being correctly applied at the Load Balancer level.

    Could you please check in the Azure portal under the cluster’s Load Balancer → Outbound rules and confirm whether all configured IPv4 public IPs are associated, or if only one is visible?

    To move forward, you may consider the following options:

    • Add an additional IPv4 public IP to provide sufficient SNAT capacity and headroom
    • Reduce allocatedOutboundPorts (for example, to ~3000 or lower) so that the current number of IPs can support the effective node count
    • Adjust upgrade strategy by reducing maxSurge or using maxUnavailable to avoid adding temporary nodes during operations

    Regarding NAT Gateway, your understanding is correct. IPv6 support requires StandardV2 NAT Gateway, custom IP prefixes are not currently supported, and availability depends on the region.

    References:

    • Use a public standard load balancer in Azure Kubernetes Service (AKS)
    • Use Source Network Address Translation (SNAT) for outbound connections
    • https://learn.microsoft.com/en-us/azure/nat-gateway/nat-sku
    • Configure a public standard load balancer in Azure Kubernetes Service (AKS)
    • Use dual-stack networking in Azure Kubernetes Service (AKS)
    • InvalidLoadBalancerProfileAllocatedOutboundPorts error when creating or updating an AKS cluster

    Hope this helps! Please let me know if you have any queries.

    Additionally, could you please check the private message and provide the necessary details.
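
Added example, not part of any answer above and not AKS's own validation code: a small Python model of the check as the thread describes it (64,000 ports per outbound IP compared with total nodes × allocatedOutboundPorts), run once per IP family as the accepted answer reports for dual-stack. The class and function names are hypothetical; the 62-node and 3096-port inputs come from the error message in the question.

```python
from dataclasses import dataclass

PORTS_PER_IP = 64_000  # SNAT ports per outbound public IP, figure quoted in the thread


@dataclass
class FamilyCheck:
    family: str
    ip_count: int
    required_ports: int   # total nodes (incl. surge) x allocatedOutboundPorts
    available_ports: int  # 64,000 x outbound IPs of this family

    @property
    def ok(self) -> bool:
        return self.required_ports <= self.available_ports


def validate_profile(total_nodes, allocated_ports, ipv4_count, ipv6_count=None):
    """Run the port check once per IP family; ipv6_count=None means single-stack.

    Assumption taken from the accepted answer: on dual-stack the same check
    is applied to the IPv6 address count as well.
    """
    families = {"IPv4": ipv4_count}
    if ipv6_count is not None:
        families["IPv6"] = ipv6_count
    required = total_nodes * allocated_ports
    return [FamilyCheck(name, count, required, PORTS_PER_IP * count)
            for name, count in families.items()]


def failing_families(checks):
    """Names of the IP families whose port budget is too small."""
    return [c.family for c in checks if not c.ok]


def min_ips_per_family(total_nodes, allocated_ports):
    """Smallest IP count per family that satisfies the check (ceiling division)."""
    return -(-(total_nodes * allocated_ports) // PORTS_PER_IP)


if __name__ == "__main__":
    # Values from the error in the question: 62 nodes, 3096 allocated ports.
    for v4, v6 in [(1, 1), (3, 1), (3, 3)]:
        checks = validate_profile(62, 3096, v4, v6)
        for c in checks:
            print(f"{v4} IPv4 / {v6} IPv6  {c.family}: need {c.required_ports}, "
                  f"have {c.available_ports} -> {'ok' if c.ok else 'FAIL'}")
        print("  failing:", failing_families(checks) or "none")
    print("minimum IPs per family:", min_ips_per_family(62, 3096))
```

In this model, 3 IPv4 addresses with 1 IPv6 address still fails on the IPv6 pass, which sees a single address; 3 of each passes, matching the outcome reported in the accepted answer.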

