This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 28.000000000000004%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGV%3C/text%3E%3C/svg%3E)
Hi,
I am working on to create a kubernetes cluster in Azure. The whole infrastructure must be coded in terraform. This is fine. However, when I deploy the AKS cluster, the VMSS creation is always failing with the following error in the activity log:
{
"status": "Failed",
"error": {
"code": "ResourceOperationFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "VMExtensionProvisioningError",
"target": "0", "message": "VM has reported a failure when processing extension 'vmssCSE' (publisher 'Microsoft.Azure.Extensions' and type 'CustomScript'). Error message: \"Enable failed: failed to execute command: command terminated with exit status=124\\\\n[stdout]\\\\n{ \"ExitCode\": \"124\", \"Output\": \"0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 62 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 63 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 64 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 65 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 66 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 67 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 68 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 69 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 70 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 71 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 72 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 73 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 74 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 75 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 76 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 77 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 78 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 79 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 80 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\\\\\\\\n+ '[' 81 -eq 100 ']'\\\\\\\\n+ sleep 1\\\\\\\\n+ for i in $(seq 1 $retries)\\\\\\\\n+ timeout 10 nc -vz clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io 443\", \"Error\": \"\", \"ExecDuration\": \"900\", \"KernelStartTime\": \"Wed 2023-10-25 16:32:41 UTC\", \"CloudInitLocalStartTime\": \"Wed 2023-10-25 16:32:45 UTC\", \"CloudInitStartTime\": \"Wed 2023-10-25 16:32:48 UTC\", \"CloudFinalStartTime\": \"Wed 2023-10-25 16:32:56 UTC\", \"NetworkdStartTime\": \"Wed 2023-10-25 16:32:46 UTC\", \"CSEStartTime\": \"Wed Oct 25 16:33:02 UTC 2023\", \"GuestAgentStartTime\": \"Wed 2023-10-25 16:32:55 UTC\", \"SystemdSummary\": \"Startup finished in 2.546s (kernel) + 1min 30.260s (userspace) = 1min 32.807s \\\\\\\\ngraphical.target reached after 12.209s in userspace\", \"BootDatapoints\": { \"KernelStartTime\": \"Wed 2023-10-25 16:32:41 UTC\", \"CSEStartTime\": \"Wed Oct 25 16:33:02 UTC 2023\", \"GuestAgentStartTime\": \"Wed 2023-10-25 16:32:55 UTC\", \"KubeletStartTime\": \"Wed 2023-10-25 16:33:05 UTC\" } }\\\\n\\\\n[stderr]\\\\n\". More information on troubleshooting is available at https://aka.ms/VMExtensionCSELinuxTroubleshoot. "
}
]
}
}
The same issue happening when I want to create the cluster manually without terraform code.
Some words about the infra:
Anyone any idea?
Thanks!
G
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 98%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Can you also check for any NSG rules ?
If you are using Custom DNS server, do you have the Conditional Forwarder configured in that custom DNS server to redirect the traffic to Azure Provided DNS ?
Also , As per the error message you are trying to create the Private AKS cluster - can you also make sure the private link is getting resolved from the nodes or test VM ?
Check whether the Private FQDN link clus-non-prod-cluster-cdyrgl0i.privatelink.westeurope.azmk8s.io is resolving or not from the test VM which is in the same VNET as that of AKS cluster.
Regards,
Shiva.
DNS is working fine. In the current configuration the Azure Firewall is acting as a DNS server (DNS Proxy feature using Azure DNS server as forwarder), and all private DNS zones are linked to the VNET of Firewall. From test machine from same subnet of AKS I can properly resolve the API server address (see on picture):
The problem is that it seems the api server is not responding to HTTPS queries on its internal ip address:
There is only one NSG, which is created by kubernetes itself. I do not know if it can cause the problem...
On the log of firewall, I see a lot of traffic from VMSS to internet, which is fine.
G
Hi @Gabor Varga
it seems there is connectivity issue from worker node to outbound that prevent the VMs to get provisioned
do you have rout table + firewall in the AKS node subnet ?
can you run this command from cloud shell ?
# Get the VMSS instance IDs.
az vmss list-instances --resource-group <mc-resource-group-name> \
--name <vmss-name> \
--output table
# Use an instance ID to test outbound connectivity.
az vmss run-command invoke --resource-group <mc-resource-group-name> \
--name <vmss-name> \
--command-id RunShellScript \
--instance-id <vmss-instance-id> \
--output json \
--scripts "nc -vz mcr.microsoft.com 443"
and send the results
refer to :
Hi,
Meanwhile the issue was found.
Root cause: I added the following route in the subnet's route table:
This routing setup caused some problem because if this route is configured, then the nodes cannot connect to the cluster api server.
The default route (0.0.0.0/0) is pointing to the Azure firewall directly.
DNS server is also the Azure firewall.
I added the route mentioned above to all vnet-internal traffic bypass the firewall. But it seems it causes issues to accessing to api server.
All other services works fine with this setup, except AKS api server.
G
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
@Gabor Varga Thanks for sharing the update.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 57.99999999999999%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
Hi Gabor, did you found a solution ? We're facing something similar, AKS with vnet integration, and I can't re route this particular subnet over hub's firewall. Once default route 0.0.0.0 towards firewall IP is set, the whole cluster breaks. I've tested every CNI available with the same results.