This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 15%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWR%3C/text%3E%3C/svg%3E)
We are using free account to test private cluster used by our case. But we found after we create a private cluster we can't reach to internet from pods . As the document said , All pods in an AKS cluster can send and receive traffic without limitations, by default. And also outbound traffic no limitation, did i miss something here? any suggestion ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 35%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hello @Wen Rui Zhao - (OPS) ,
Thanks for reaching out to Microsoft QnA Platform!
There is no limitation on outbound traffic from a private AKS cluster.
In a private cluster, the control plane or API server has internal IP addresses that are defined in the RFC1918 - Address Allocation for Private Internet document. By using a private cluster, you can ensure network traffic between your API server and your node pools remains on the private network only.
Have you followed any specific document to create the private AKS cluster such as this - Create private AKS cluster ?
Yes,we are refer to that document to create private AKS cluster , first time we use network policy none( we have none, Azure network, Calico options) , it's not working to access the internet. And also our subnet in Vnet have none NSG setting and Route.
But second time we are selecting Calico network policy , then we can reach internet from pod , so it's confused to me what's diff here , and what's "none" network policy by default setting ?
Hello @Wen Rui Zhao - (OPS) , Thanks for reaching back. So, when you deploy an AKS cluster and select "None" as network policy, then it means there is no Network Policy Manager deployed. so, even if you have deployed network policies they will not be enforced. This should not affect the connectivity from your Pod. It looks like some infrastructure network issue in this case as to why your Pod was not able to reach the Internet with "None" enabled. Do you still have the same setup? If yes, then can you check if the pod is able to establish connectivity to other pods in the same cluster? It can also be that there might have been some configuration on the load balancer level which is causing this particular issue, or maybe port exhaustion? It is difficult to determine without troubleshooting the infrastructure here.
When you enable Calico network policy, there will be a separate Policy manager for Calico deployed to each worker node in the AKS cluster that will enforce the defined network policies.
I hope this helps?