Use a static public IP address and DNS label with the Azure Kubernetes Service (AKS) load balancer

When you create a load balancer resource in an Azure Kubernetes Service (AKS) cluster, the public IP address assigned to it is only valid for the lifespan of that resource. If you delete the Kubernetes service, the associated load balancer and IP address are also deleted. If you want to assign a specific IP address or retain an IP address for redeployed Kubernetes services, you can create and use a static public IP address.

This article shows you how to create a static public IP address and assign it to your Kubernetes service.

Before you begin

• This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart using the Azure CLI, using Azure PowerShell, or using the Azure portal.
• You need the Azure CLI version 2.0.59 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.
• This article covers using a Standard SKU IP with a Standard SKU load balancer. For more information, see IP address types and allocation methods in Azure.

Create a static IP address

1. Use the az aks showaz-aks-show command to get the node resource group name of your AKS cluster, which follows this format: MC_<resource group name>_<AKS cluster name>_<region>.

   az aks show \
       --resource-group myResourceGroup \
       --name myAKSCluster
       --query nodeResourceGroup
       --output tsv
   

2. Use the az network public ip create command to create a static public IP address. The following example creates a static IP resource named myAKSPublicIP in the MC_myResourceGroup_myAKSCluster_eastus node resource group.

   az network public-ip create \
       --resource-group MC_myResourceGroup_myAKSCluster_eastus \
       --name myAKSPublicIP \
       --sku Standard \
       --allocation-method static
   

   Note

   If you're using a Basic SKU load balancer in your AKS cluster, use Basic for the --sku parameter when defining a public IP. Only Basic SKU IPs work with the Basic SKU load balancer and only Standard SKU IPs work with Standard SKU load balancers.

3. After you create the static public IP address, use the az network public-ip list command to get the IP address. Specify the name of the node resource group and public IP address you created, and query for the ipAddress.

   az network public-ip show --resource-group MC_myResourceGroup_myAKSCluster_eastus --name myAKSPublicIP --query ipAddress --output tsv
   

Create a service using the static IP address

1. Before creating a service, use the az role assignment create command to ensure the cluster identity used by the AKS cluster has delegated permissions to the node resource group.

   az role assignment create \
       --assignee <Client ID> \
       --role "Network Contributor" \
       --scope /subscriptions/<subscription id>/resourceGroups/<MC_myResourceGroup_myAKSCluster_eastus>
   

   Important

   If you customized your outbound IP, make sure your cluster identity has permissions to both the outbound public IP and the inbound public IP.

2. Create a file named load-balancer-service.yaml and copy in the contents of the following YAML file, providing your own public IP address created in the previous step and the node resource group name.

   apiVersion: v1
   kind: Service
   metadata:
     annotations:
       service.beta.kubernetes.io/azure-load-balancer-resource-group: MC_myResourceGroup_myAKSCluster_eastus
     name: azure-load-balancer
   spec:
     loadBalancerIP: 40.121.183.52
     type: LoadBalancer
     ports:
    - port: 80
     selector:
       app: azure-load-balancer
   

3. Use the kubectl apply command to create the service and deployment.

kubectl apply -f load-balancer-service.yaml

Apply a DNS label to the service

If your service uses a dynamic or static public IP address, you can use the service.beta.kubernetes.io/azure-dns-label-name service annotation to set a public-facing DNS label. This publishes a fully qualified domain name (FQDN) for your service using Azure's public DNS servers and top-level domain. The annotation value must be unique within the Azure location, so it's recommended to use a sufficiently qualified label. Azure automatically appends a default suffix in the location you selected, such as <location>.cloudapp.azure.com, to the name you provide, creating the FQDN.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel
  name: azure-load-balancer
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: azure-load-balancer

To see the DNS label for your load balancer, run the following command:

kubectl describe service azure-load-balancer

The DNS label will be listed under the Annotations, as shown in the following condensed example output:

Name:                    azure-load-balancer
Namespace:               default
Labels:                  <none>
Annotations:             service.beta.kuberenetes.io/azure-dns-label-name: myserviceuniquelabel
...

Note

To publish the service on your own domain, see Azure DNS and the external-dns project.

Troubleshoot

If the static IP address defined in the loadBalancerIP property of the Kubernetes service manifest doesn't exist or hasn't been created in the node resource group and there are no additional delegations configured, the load balancer service creation fails. To troubleshoot, review the service creation events using the kubectl describe command. Provide the name of the service specified in the YAML manifest, as shown in the following example:

kubectl describe service azure-load-balancer

The output will show you information about the Kubernetes service resource. The following example output shows a Warning in the Events: "user supplied IP address was not found." In this scenario, make sure you've created the static public IP address in the node resource group and that the IP address specified in the Kubernetes service manifest is correct.

Name:                     azure-load-balancer
Namespace:                default
Labels:                   <none>
Annotations:              <none>
Selector:                 app=azure-load-balancer
Type:                     LoadBalancer
IP:                       10.0.18.125
IP:                       40.121.183.52
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  32582/TCP
Endpoints:                <none>
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type     Reason                      Age               From                Message
  ----     ------                      ----              ----                -------
  Normal   CreatingLoadBalancer        7s (x2 over 22s)  service-controller  Creating load balancer
  Warning  CreatingLoadBalancerFailed  6s (x2 over 12s)  service-controller  Error creating load balancer (will retry): Failed to create load balancer for service default/azure-load-balancer: user supplied IP Address 40.121.183.52 was not found

Next steps

For additional control over the network traffic to your applications, you may want to create an ingress controller. You can also create an ingress controller with a static public IP address.