How to reserve a private IP from a virtual networks subnet

Question

How to reserve a private IP from a virtual networks subnet

Justin Obanor 20

I would like to reserve a single IP from a subnet, and only use it explicitly when needed

My kubernetes cluster can get torn down on different occasions, and we have a Kubernetes Service resource of type LoadBalancer

I want to be the one to set the IP for my LoadBalancer for this service, and also ensure the IP stays the same if the Kubernetes cluster gets recreated, or the service itself gets recreated

Is there a way of reserving a single IP from a subnet, which can only later be used explicitly by my resource only when I want

0 comments

Answer accepted by question author

Marcin Policht 89,825 MVP Volunteer Moderator

For an Azure VNet private IP, there isn’t a native concept of “reserving” a single IP in a subnet as a standalone resource the way Public IPs work. Azure only guarantees a private IP is held if it is attached to something like a NIC or a Load Balancer frontend configuration. If nothing owns it, it’s just part of the free pool and can be taken by anything.

So if you want a private IP that survives Kubernetes cluster or Service teardown, you have to anchor that IP to an Azure resource that persists independently of the cluster. The usual pattern is to pre-create an Azure Standard Load Balancer with a frontend IP configuration set to a specific static private IP from your subnet.

Example of creating that frontend IP on a load balancer:

az network lb create \
  --resource-group <rg> \
  --name <lb-name> \
  --sku Standard \
  --vnet-name <vnet> \
  --subnet <subnet> \
  --frontend-ip-name <frontend-name> \
  --private-ip-address 10.0.0.50

That effectively “reserves” 10.0.0.50 because it is now owned by the load balancer frontend config. This resource can live independently of AKS and will not be deleted when the cluster is torn down.

Then, instead of letting Kubernetes create its own load balancer, you make your Service attach to this existing one using annotations:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-resource-group: <rg>
    service.beta.kubernetes.io/azure-load-balancer-name: <lb-name>
spec:
  type: LoadBalancer
  loadBalancerIP: 10.0.0.50
  ports:
    - port: 80
  selector:
    app: my-app

Now the important behavior is that the IP is not being “reserved by Kubernetes”. It is reserved because the Azure Load Balancer frontend owns it, and Kubernetes is simply reusing that frontend. As long as you do not delete that load balancer resource, the IP will persist across cluster and Service recreation.

If you instead only do:

spec:
  loadBalancerIP: 10.0.0.50

without pre-creating and owning that IP via an Azure resource, there is no guarantee. It will work only if the IP is free at that moment, and it can be lost or reassigned when the Service or cluster is deleted.

So the correct mental model in Azure VNet is that private IP persistence requires binding the IP to a durable Azure resource such as a Load Balancer frontend. Kubernetes alone cannot reserve or hold a private IP across its own lifecycle.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Justin Obanor 20 Reputation points

2026-04-10T14:59:36.9833333+00:00
Thanks Marcin for your answer, this is definitely on the right track.

I created a LoadBalancer gateway-ip and attached it to my Service, but it looks like my Service is having troubles using it.

I get this

RESPONSE 400: 400 Bad Request ERROR CODE: PrivateIPAddressIsAllocated IP configuration /subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/loadBalancers/kubernetes-internal/frontendIPConfigurations/a6d3102e9a6de4f7fb12d3eb8add2f6c is using the private IP address 10.31.149.6 which is already allocated to resource /subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/loadBalancers/gateway-ip/frontendIPConfigurations/gateway-ip

I've done some reading, and it looks like my AKS cluster only recognises the kubernetes-internal loadbalancer. Does this sound like the case to you?

If that's the case, will it be possible to explore other options? Or would the only option to get this working be to update my AKS cluster to support multiple LoadBalancers?

Thanks
Marcin Policht 89,825 Reputation points MVP Volunteer Moderator

2026-04-10T15:12:18.25+00:00
Yep - what you’re seeing is expected behavior, not a misconfiguration on your part. The error is happening because AKS is trying to create or reconcile its own managed load balancer (the one typically named kubernetes-internal) and assign the IP 10.31.149.6 to it, but that IP is already bound to a different Azure Load Balancer (gateway-ip). Azure does not allow the same private IP to be attached to two different frontend IP configurations, so the request fails.

AKS does not “discover” or reuse arbitrary existing load balancers in the way you’re attempting. The cloud controller manager is opinionated: it manages a specific load balancer resource (or set of them) and expects to fully control the frontend IP configurations it uses. When you specify loadBalancerIP, AKS interprets that as “assign this IP on the load balancer I manage,” not “go find an existing load balancer that already owns this IP.”

So yes, your observation is basically correct. Your cluster is tied to its managed load balancer (kubernetes-internal in this case), and it will not attach Services to a completely separate pre-created load balancer like gateway-ip.

There are a few viable paths forward, but reusing that exact pre-created load balancer as-is is not one of them.

One option is to let AKS own the IP, but make it deterministic. Instead of pre-attaching the IP to a different load balancer, you leave the IP free in the subnet and consistently request it:

spec: type: LoadBalancer loadBalancerIP: 10.31.149.6

This works as long as nothing else grabs that IP, but it is not a true reservation because Azure won’t hold it for you when the Service is deleted.

Another, Azure-native approach is to pre-create a frontend IP configuration on the same load balancer that AKS uses, not a separate one. In practice this means either letting AKS create the load balancer once and then managing it (for example via infrastructure as code), or ensuring your Service always recreates the same frontend config so the IP is reattached. The key constraint is that the IP must belong to the AKS-managed load balancer, not a different resource.

Another possibility is to stop using Service type LoadBalancer for this requirement and move up a layer. For example, using an internal Application Gateway or another ingress solution gives you a stable private IP that is fully independent of the AKS Service lifecycle, and Kubernetes only programs routing rules behind it. In that model, the IP persistence problem is solved outside of the Kubernetes cloud provider entirely.

There is also the possibility of multiple load balancers in AKS, but that does not solve this specific issue the way you might expect. Even with multiple load balancers, AKS still manages them and expects to control their frontend IPs. You still cannot attach a Service to an arbitrary pre-existing load balancer that AKS did not create or does not manage.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Ganesh Patapati 11,915 Reputation points Microsoft External Staff Moderator

2026-04-14T18:50:10.8566667+00:00

Hello Justin Obanor

I see Marcin Policht has addressed your queries.

Can you please update us if the action plan provided was helpful?

If these answer your question, click "Accept Answer" which may be beneficial to other community members reading this thread.

1 additional answer

Your answer

Justin Obanor 20 Reputation points

2026-04-10T14:59:36.9833333+00:00

Thanks Marcin for your answer, this is definitely on the right track.

I created a LoadBalancer gateway-ip and attached it to my Service, but it looks like my Service is having troubles using it.

I get this

RESPONSE 400: 400 Bad Request ERROR CODE: PrivateIPAddressIsAllocated IP configuration /subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/loadBalancers/kubernetes-internal/frontendIPConfigurations/a6d3102e9a6de4f7fb12d3eb8add2f6c is using the private IP address 10.31.149.6 which is already allocated to resource /subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/loadBalancers/gateway-ip/frontendIPConfigurations/gateway-ip

I've done some reading, and it looks like my AKS cluster only recognises the kubernetes-internal loadbalancer. Does this sound like the case to you?

If that's the case, will it be possible to explore other options? Or would the only option to get this working be to update my AKS cluster to support multiple LoadBalancers?

Thanks
Ganesh Patapati 11,915 Reputation points Microsoft External Staff Moderator

2026-04-14T18:50:10.8566667+00:00

Hello Justin Obanor

I see Marcin Policht has addressed your queries.

Can you please update us if the action plan provided was helpful?

If these answer your question, click "Accept Answer" which may be beneficial to other community members reading this thread.

Answer 1

HI @Justin Obanor,

Welcome to Microsoft Q&A Platform.

It makes sense that you want to “park” a single private IP in your VNet and then hand it to your AKS LoadBalancer only when you need it—so that even if you tear down and rebuild your cluster (and its MC_* resource group), your IP never gets sucked back into the pool.

Pre-create an internal Load Balancer (Standard SKU) in your own resource group and reserve your desired IP as its frontend IP az CLI example:

az network lb create \
  --resource-group MyLBResourceGroup \
  --name myStaticILB \
  --sku Standard \
  --vnet-name MyVnet \
  --subnet MySubnet \
  --private-ip-address 10.0.0.50 \
  --frontend-ip-name myFrontend

This command spins up an internal LB called myStaticILB with frontend IP 10.0.0.50. That IP is now tied to this LB resource and won’t be returned to the subnet’s dynamic pool until you delete the LB or change its IP config.

Tell your Kubernetes Service to use that existing LB (and its IP) instead of letting AKS create one in MC_* In your Service manifest:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    # make it internal
    service.beta.kubernetes.io/azure-load-balancer-internal: 
    # point to your own RG (so the LB isn’t created in the MC_* RG)
    service.beta.kubernetes.io/azure-load-balancer-resource-group: MyLBResourceGroup
spec:
  type: LoadBalancer
  # must match the IP you reserved above
  loadBalancerIP: 10.0.0.50
  ports:
    - port: 80
      targetPort: 80

When you apply this, Kubernetes won’t try to carve a new IP from the subnet. It re-uses the LB + IP you manage in MyLBResourceGroup. If your AKS cluster gets deleted and re-created, you simply re-deploy this Service and it re-attaches to your existing LB+IP.

(Optional) If you need finer-grained IP-reservations in the future, look at Azure Virtual Network Manager’s IPAM feature

You can define an IP address pool and carve out static CIDR blocks (today minimum /28) so that no other resource can consume those addresses.
When you need that IP, you allocate it from the pool via ARM/CLI and attach it to your resource.

Ref:

How Azure assigns private IPs (static vs dynamic)

Assign private IP prefixes as secondary IP configs on a NIC (preview)

Azure Virtual Network Manager IPAM (static CIDR reservations)

Pleaseand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

How to reserve a private IP from a virtual networks subnet

1 additional answer

Your answer