How to deploy azure aks on private subnet without internet and allow the public access for the specific IPaddress

Question

How to deploy azure aks on private subnet without internet and allow the public access for the specific IPaddress

Ekambaram 0

We have deployed the AKS in private subnet without internet and below outbound rule in our NSG.
443 - azure cloud  
443 - mcr.microsoft.com (allowed these 2 ips 150.171.70.10,150.171.69.10) for coredns, kubeproxy

I believe these two IP addresses will change in the future. What would be the best approach to add rules for CoreDNS and kube-proxy? Could you please share your insights?

Please share the step by steps details to do it in Azure console.

Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-23T13:32:09.3366667+00:00
Hi Ekambaram,

I understand that you are trying to deploy an Azure Kubernetes Service (AKS) cluster on a private subnet without internet access and you want to allow egress traffic to mcr.microsoft.com over port 443 so that the nodes can pull these required images.

Here are the steps for creating private AKS cluster:

Create a VNET, Subnet and also create a Network Security Group with outbound access rules to Azure container registry and Azure cloud using the service tags.

We use Azure cloud service tag to allows your AKS cluster to communicate with various Azure services, including CoreDNS and kube-proxy and AzureContainerRegistry ensures that your AKS cluster can pull images from the Azure Container Registry (mcr.microsoft.com), which is necessary for deploying and running containers.

While creating NSG outbound rules, select the source as VNET and Destination as service tag - AzureContainerRegistry and AzureCloud.

Attach a NSG to the subnet.

Create a private AKS cluster by selecting the "Enabling Private Cluster" and select the VNET and subnet you have created for it.

Please refer to the document below about the private AKS cluster creation.

https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=default-basic-networking%2Cazure-portal#options-for-connecting-to-the-private-cluster

Please let me know if you have any questions.

Thank you.
Ekambaram V 30 Reputation points

2025-04-24T09:17:04.41+00:00

Hi Dharani,

Please check the below details and help to solve the problem.

Problem: -

While creating an Azure Kubernetes Service (AKS), we are selecting the option "Public access enabled with listed IPs" (including our local IPs) and configuring it with a private subnet.

NSG: -

Error: -

"code": "VMExtensionProvisioningError",

"message": "CSE failed with 'VMExtensionError_OutBoundConnFail', which means the agents are unable to establish outbound connection, please see https://aka.ms/aks/vmextensionerror_outboundconnfail and https://aka.ms/aks-required-ports-and-addresses for more information."
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-24T16:10:52.33+00:00

Hi Ekambaram V,

When deploying AKS in a private subnet without internet access, you cannot associate public IP addresses with the node pool. Additionally, if you're using a private cluster, authorized IP ranges are not applicable, as the control plane is not exposed to the public internet.
Ekambaram V 30 Reputation points

2025-04-28T05:04:42.93+00:00

Hi Dharani,

Thanks for your inputs,

But I have tried with private cluster also it failed.

We have added IP address of mcr.microsoft.com(443 to 150.171.70.10, 150.171.69.10) - It is working fine.

We have added service tag azurecloud and azurecontainer registry is not working even with enabling private cluster also.
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-28T15:50:32.9166667+00:00
Hi Ekambaram V,

As suggested by Alex Burlachenko, we can use the Azure Firewall with AzureKubernetesService FQDN tags to restricts outbound traffic from the AKS cluster.

Please follow the steps below for creating Firewall with FQDN tag.

Create Azure Firewall and select the VNet where your AKS nodes live and also create one Public IP. Here, we need to create a virtual network with two subnets: one for the cluster and one for the firewall (AzureFirewallSubnet)

Create Route Table (UDR) and add below Route to it. Route Name: <route-name> Address Prefix: 0.0.0.0/0 Next hop type: Virtual appliance Next hop address: Private IP of your Azure Firewall (please see the documentation about create route with next hop to azure-firewall

Then associate Route Table with Node Subnet. Choose your AKS Node pool subnet.

Create FQDN Rules in Azure Firewall policy.

Also create a network rule for DNS traffic (53 TCP/UDP) ➔ Allow to Azure DNS 168.63.129.16

If you use secure access to the AKS API server with authorized IP address ranges, you need to add the firewall public IP into the authorized IP range.

Please refer to the document below for detailed information about Limit network traffic with Azure Firewall in AKS.

https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic?tabs=aks-with-system-assigned-identities#create-a-route-with-a-hop-to-azure-firewall

Please let me know if you have any questions.
Ekambaram V 30 Reputation points

2025-04-29T06:29:18.2033333+00:00

Hi Dharani,

According to our company policy, an NSG (Network Security Group) must be attached to a subnet. This means traffic goes through the NSG and not directly to the firewall. Even though NSG rules allow traffic to and from the Azure Firewall, AKS (Azure Kubernetes Service) creation is still failing with the same error.

However, if we add the IP addresses of mcr.microsoft.com (150.171.70.10, 150.171.69.10) to the NSG, AKS creation succeeds. Despite using service tags like "Azure Cloud" and "AzureContainer Registry" as you suggested, AKS creation is not working.

Could you please provide further guidance on this issue?
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-29T09:49:09.16+00:00

Hi Ekambaram V,

As we know, the IP addresses behind mcr.microsoft.com names can change at any time because of that, we can’t reliably use Network Security Groups (NSGs), which filter traffic based on fixed IP addresses, to control outbound traffic. That’s why AKS allows unrestricted outbound access by default to ensure everything works smoothly.

If you need to restrict this traffic for security reasons, we only recommend using Azure Firewall that can filter by domain name (FQDN) instead of just IP addresses. This allows you to keep the cluster secure while still letting it reach the services it depends on.

Please refer the document about the FQDN and NSG.
https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress#background
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-30T09:42:09.84+00:00

Hi Ekambaram V,

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If it was helpful, please click "Upvote" on this post and do let us know if you have any further questions.

Thank You.

2 answers

Your answer

Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-23T13:32:09.3366667+00:00

Hi Ekambaram,

I understand that you are trying to deploy an Azure Kubernetes Service (AKS) cluster on a private subnet without internet access and you want to allow egress traffic to mcr.microsoft.com over port 443 so that the nodes can pull these required images.

Here are the steps for creating private AKS cluster:

Create a VNET, Subnet and also create a Network Security Group with outbound access rules to Azure container registry and Azure cloud using the service tags.

We use Azure cloud service tag to allows your AKS cluster to communicate with various Azure services, including CoreDNS and kube-proxy and AzureContainerRegistry ensures that your AKS cluster can pull images from the Azure Container Registry (mcr.microsoft.com), which is necessary for deploying and running containers.

While creating NSG outbound rules, select the source as VNET and Destination as service tag - AzureContainerRegistry and AzureCloud.

Attach a NSG to the subnet.

Create a private AKS cluster by selecting the "Enabling Private Cluster" and select the VNET and subnet you have created for it.

Please refer to the document below about the private AKS cluster creation.

https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=default-basic-networking%2Cazure-portal#options-for-connecting-to-the-private-cluster

Please let me know if you have any questions.

Thank you.
Ekambaram V 30 Reputation points

2025-04-24T09:17:04.41+00:00

Hi Dharani,

Please check the below details and help to solve the problem.

Problem: -

While creating an Azure Kubernetes Service (AKS), we are selecting the option "Public access enabled with listed IPs" (including our local IPs) and configuring it with a private subnet.

NSG: -

Error: -

"code": "VMExtensionProvisioningError",

"message": "CSE failed with 'VMExtensionError_OutBoundConnFail', which means the agents are unable to establish outbound connection, please see https://aka.ms/aks/vmextensionerror_outboundconnfail and https://aka.ms/aks-required-ports-and-addresses for more information."
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-24T16:10:52.33+00:00

Hi Ekambaram V,

When deploying AKS in a private subnet without internet access, you cannot associate public IP addresses with the node pool. Additionally, if you're using a private cluster, authorized IP ranges are not applicable, as the control plane is not exposed to the public internet.
Ekambaram V 30 Reputation points

2025-04-28T05:04:42.93+00:00

Hi Dharani,

Thanks for your inputs,

But I have tried with private cluster also it failed.

We have added IP address of mcr.microsoft.com(443 to 150.171.70.10, 150.171.69.10) - It is working fine.

We have added service tag azurecloud and azurecontainer registry is not working even with enabling private cluster also.
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-28T15:50:32.9166667+00:00

Hi Ekambaram V,

As suggested by Alex Burlachenko, we can use the Azure Firewall with AzureKubernetesService FQDN tags to restricts outbound traffic from the AKS cluster.

Please follow the steps below for creating Firewall with FQDN tag.

Create Azure Firewall and select the VNet where your AKS nodes live and also create one Public IP. Here, we need to create a virtual network with two subnets: one for the cluster and one for the firewall (AzureFirewallSubnet)

Create Route Table (UDR) and add below Route to it. Route Name: <route-name> Address Prefix: 0.0.0.0/0 Next hop type: Virtual appliance Next hop address: Private IP of your Azure Firewall (please see the documentation about create route with next hop to azure-firewall

Then associate Route Table with Node Subnet. Choose your AKS Node pool subnet.

Create FQDN Rules in Azure Firewall policy.

Also create a network rule for DNS traffic (53 TCP/UDP) ➔ Allow to Azure DNS 168.63.129.16

If you use secure access to the AKS API server with authorized IP address ranges, you need to add the firewall public IP into the authorized IP range.

Please refer to the document below for detailed information about Limit network traffic with Azure Firewall in AKS.

https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic?tabs=aks-with-system-assigned-identities#create-a-route-with-a-hop-to-azure-firewall

Please let me know if you have any questions.
Ekambaram V 30 Reputation points

2025-04-29T06:29:18.2033333+00:00

Hi Dharani,

According to our company policy, an NSG (Network Security Group) must be attached to a subnet. This means traffic goes through the NSG and not directly to the firewall. Even though NSG rules allow traffic to and from the Azure Firewall, AKS (Azure Kubernetes Service) creation is still failing with the same error.

However, if we add the IP addresses of mcr.microsoft.com (150.171.70.10, 150.171.69.10) to the NSG, AKS creation succeeds. Despite using service tags like "Azure Cloud" and "AzureContainer Registry" as you suggested, AKS creation is not working.

Could you please provide further guidance on this issue?
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-29T09:49:09.16+00:00

Hi Ekambaram V,

As we know, the IP addresses behind mcr.microsoft.com names can change at any time because of that, we can’t reliably use Network Security Groups (NSGs), which filter traffic based on fixed IP addresses, to control outbound traffic. That’s why AKS allows unrestricted outbound access by default to ensure everything works smoothly.

If you need to restrict this traffic for security reasons, we only recommend using Azure Firewall that can filter by domain name (FQDN) instead of just IP addresses. This allows you to keep the cluster secure while still letting it reach the services it depends on.

Please refer the document about the FQDN and NSG.
https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress#background
Dharani Reguri 1,175 Reputation points Microsoft External Staff Moderator

2025-04-30T09:42:09.84+00:00

Hi Ekambaram V,

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If it was helpful, please click "Upvote" on this post and do let us know if you have any further questions.

Thank You.

Answer 1

Alex Burlachenko 9,780

Dear Ekambaram,

Thank you for your question here at Q&A Portal. To deploy AKS in a private subnet without internet access while allowing specific public IPs, you can use Azure Private Clusters with restricted egress traffic. For CoreDNS and kube-proxy dependencies, Microsoft recommends using Azure Firewall with FQDN tags or service tags to dynamically manage required endpoints instead of hardcoding IPs.

Private AKS Deployment: Follow Microsoft’s guide for private clusters.

Egress Control: Use Azure Firewall with the AzureKubernetesService FQDN tag (see documentation).

Specific Public IP Access: Configure your NSG/load balancer to allow ingress only from your desired IPs (details here).

For CoreDNS/kube-proxy, avoid IP-based rules—leverage service tags (e.g., AzureContainerRegistry) or managed FQDNs to ensure stability.

Let me know if you need further clarification!

Best regards,

Alex

PS If my answer help to you, please Accept my answer.
PPS .that is my answer and it is not a comment :)

Ekambaram V 30 Reputation points

2025-04-29T06:29:40.08+00:00

Hi Alex,

According to our company policy, an NSG (Network Security Group) must be attached to a subnet. This means traffic goes through the NSG and not directly to the firewall. Even though NSG rules allow traffic to and from the Azure Firewall, AKS (Azure Kubernetes Service) creation is still failing with the same error.

However, if we add the IP addresses of mcr.microsoft.com (150.171.70.10, 150.171.69.10) to the NSG, AKS creation succeeds. Despite using service tags like "Azure Cloud" and "AzureContainer Registry" as you suggested, AKS creation is not working.

Could you please provide further guidance on this issue?
Alex Burlachenko 9,780 Reputation points

2025-05-13T12:08:08.97+00:00
Dear Ekambaram V ,

thank you again for sharing these details about your AKS deployment challenge. I understand that even after using service tags like Azure Cloud and Azure Container Registry, the AKS creation still fails unless you manually add the IP addresses for mcr.microsoft.com to the Network Security Group.

First, when deploying AKS in a private subnet without internet access, certain outbound connections are still required for the cluster to function properly. Microsoft provides service tags to simplify this process, but sometimes specific endpoints may not be fully covered. For example, the mcr.microsoft.com service, which hosts container images, might use IPs that are not included in the default service tags. You can find the full list of required endpoints in the official Microsoft documentation here: Required outbound network rules for AKS.

If service tags are not working as expected, you can try using Azure Firewall with FQDN tags, which automatically manage the required domains for AKS. This is often more reliable than manually adding IP addresses. The steps to set this up are explained here: Control egress traffic using Azure Firewall.

Another important step is to check if your Network Security Group rules are correctly allowing traffic to and from the Azure Kubernetes Service control plane. Sometimes, missing rules for ports like 443 or 9000 can cause deployment failures. You can verify this by reviewing the recommended NSG rules here: Secure traffic between pods and nodes.

If the issue continues, I recommend enabling NSG flow logs to see which traffic is being blocked. This will help identify any missing rules. You can learn how to set up flow logs here: Monitor network security groups with flow logs.

Finally, if none of these steps resolve the issue, it might be helpful to contact Microsoft Support to investigate whether there are any regional limitations or updates needed for the service tags in your environment.

Let me to know how its goes.

rgds, Alex P.S. If my answer help to you, please Accept my answer PPS That is my Answer and not a Comment https://ctrlaltdel.blog/

Answer 2

Ekambaram V 30

Hi Alex & Dharani,

Thank you for your valuable insights. We successfully created an AKS (Azure Kubernetes Service) for our requirements by following the instructions in the link below:

https://learn.microsoft.com/en-us/azure/aks/network-isolated?pivots=byo-acr

Thank You

Alex Burlachenko 9,780 Reputation points

2025-05-06T09:50:26.63+00:00

Dear Ekambaram V, seems as everything works, I’d really appreciate it if you could accept my answer. Best regards, Alex

Share via

How to deploy azure aks on private subnet without internet and allow the public access for the specific IPaddress

2 answers

Your answer