This article describes common AKS errors and how to resolve them.
A-K error codes
| Error code | Description | Details and mitigation |
|---|---|---|
| AADSTS7000222 - BadRequest or InvalidClientSecret | Authentication failure with Azure Active Directory. | This involves invalid or expired service principal credentials. For more information, see AADSTS7000222 - BadRequest or InvalidClientSecret error. |
| AKSCapacityError | Regional capacity constraints. | There's insufficient Azure capacity in the target region. For more information, see Troubleshoot the AksCapacityHeavyUsage error code. |
| AksCapacityHeavyUsage | Insufficient capacity in the Azure region. | There's high demand or limited resources in the selected region. For more information, see Troubleshoot the AksCapacityHeavyUsage error code. |
| AKSOperationPreempted | Cluster operation is interrupted by a higher priority operation. | There are concurrent operations on the cluster, causing conflicts. For more information, see AKSOperationPreempted or AKSOperationPreemptedByDelete error when performing a new operation. |
| AKS upgrade blocked | Upgrade fails due to version compatibility issues. | There's version skew, incompatibility, or an unsupported upgrade path. For more information, see Troubleshoot AKS upgrade errors because of version skew, incompatibility, or lack of support. |
| Argument list too long | Application fails due to command line argument limitations. | The command line arguments exceed system limits in containerized applications. For more information, see Application failures caused by the "argument list too long" error message. |
| AvailabilityZoneNotSupported | Selected availability zone isn't supported. | The virtual machine (VM) size or region doesn't support the specified availability zone. For more information, see Troubleshoot the AvailabilityZoneNotSupported error code. |
| BadRequest or InvalidClientSecret | Authentication or request validation failed. | This involves invalid service principal credentials or a malformed request. For more information, see Error AADSTS7000222 - BadRequest or InvalidClientSecret. |
| CannotDeleteLoadBalancerWithPrivateLinkService or PrivateLinkServiceWithPrivateEndpointConnectionsCannotBeDeleted | Unable to delete load balancer with active private link connections. | The load balancer has active private endpoint connections that must be removed first. For more information, see Cluster autoscaler fails to scale with "cannot scale cluster autoscaler enabled node pool" error. |
| Can't scale cluster autoscaler-enabled node pool | Manual scaling conflicts with autoscaler. | This happens when attempting a manual scaling on a node pool with autoscaler enabled. For more information, see A load balancer with a private link service or a private link service with private endpoint connections cannot be deleted. |
| Changing property "imageReference" is not allowed | Unable to modify the VM image reference. | This happens when attempting to change immutable VM properties on existing nodes. For more information, see "Changing property 'imageReference' is not allowed" error message while upgrading or scaling an AKS cluster. |
| CniDownloadTimeoutVMExtensionError (41) | Container Network Interface (CNI) download times out. | There are network connectivity issues preventing the CNI plugin download. For more information, see Troubleshoot Container Network Interface download failures. |
| CreateOrUpdateVirtualNetworkLinkFailed | Failed to create or update DNS zone virtual network link. | Insufficient permissions or networking conflicts with private DNS zones. For more information, see CreateOrUpdateVirtualNetworkLinkFailed error when updating or upgrading an AKS cluster. |
| CustomPrivateDNSZoneMissingPermissionError | Permissions missing for custom private DNS zone. | The service principal lacks required permissions on the private DNS zone. For more information, see Troubleshoot the CustomPrivateDNSZoneMissingPermissionError error code. |
| DnsServiceIpOutOfServiceCidr | DNS service IP is outside the service CIDR range. | The configured DNS service IP doesn't fall within the Kubernetes service CIDR. For more information, see Troubleshoot the DnsServiceIpOutOfServiceCidr error code. |
| ERR_VHD_FILE_NOT_FOUND (65) | Virtual hard disk file not found during provisioning. | The node image virtual hard disk is unavailable or inaccessible. For more information, see Troubleshoot the ERR_VHD_FILE_NOT_FOUND error code (65). |
| Error from server - error dialing backend - dial tcp | API server connectivity issues. | There are network connectivity problems between components and the API server. For more information, see "Error from server: error dialing backend: dial tcp" message. |
| Failed to fix node group sizes | Cluster autoscaler unable to reconcile node pool sizes. | There are autoscaler configuration issues or Azure API failures. For more information, see Cluster autoscaler fails to scale with "failed to fix node group sizes" error. |
| InsufficientSubnetSize | Subnet has insufficient IP addresses. | There aren't enough available IPs in the subnet for the requested nodes. For more information, see InsufficientSubnetSize error code. |
| InUseRouteTableCannotBeDeleted | Route table is in use and can't be deleted. | The route table is associated with subnets and must be disassociated. For more information, see Troubleshoot InUseRouteTableCannotBeDeleted error code. |
| InvalidLoadBalancerProfileAllocatedOutboundPorts | Invalid outbound port allocation in load balancer profile. | The outbound port configuration exceeds limits or is invalid. For more information, see InvalidLoadBalancerProfileAllocatedOutboundPorts error when creating or updating an AKS cluster. |
| InvalidParameter | One or more parameters are invalid. | The request contains invalid or conflicting parameter values. For more information, see Troubleshoot the InvalidParameter error. |
| InvalidResourceReference | Referenced resource is invalid or inaccessible. | The resource ID is malformed or the resource doesn't exist. For more information, see Troubleshoot the InvalidResourceReference error code. |
| K8SAPIServerConnFailVMExtensionError (51) | Node can't connect to Kubernetes API server. | Network connectivity or a firewall is blocking API server access. For more information, see Troubleshoot the K8SAPIServerConnFailVMExtensionError error code (51). |
| K8SAPIServerDNSLookupFailVMExtensionError (52) | DNS lookup for API server failed. | DNS resolution issues prevent API server discovery. For more information, see Troubleshoot the K8SAPIServerDNSLookupFailVMExtensionError error code (52). |
| Known issues - Custom kubelet configuration on Windows | Issues with custom kubelet settings on Windows nodes. | There are specific limitations and issues with Windows node kubelet customization. For more information, see Known issues: Custom kubelet configuration on Windows nodes in AKS. |
L-S error codes
| Error code | Description | Details and mitigation |
|---|---|---|
| LB/PvtLinkSvcWithPvtEndptConn deletion error | Can't delete resources with active private endpoint connections. | Private link services have active connections that prevent deletion. For more information, see A load balancer with a private link service or a private link service with private endpoint connections can't be deleted. |
| LinkedAuthorizationFailed | Authorization fails for linked resources. | There are insufficient permissions for a resource in another subscription or a resource group. For more information, see Troubleshoot the LinkedAuthorizationFailed error code. |
| LoadBalancerInUseByVirtualMachineScaleSet | Can't modify load balancer currently in use. | The load balancer is actively being used by VM scale sets. For more information, see Troubleshoot the LoadBalancerInUseByVirtualMachineScaleSet or NetworkSecurityGroupInUseByVirtualMachineScaleSet error code. |
| LoadBalancerInUseByVirtualMachineScaleSet or NetworkSecurityGroupInUseByVirtualMachineScaleSet | Network resources are in use by scale sets. | The load balancer or network security group (NSG) is attached to active VM scale sets. For more information, see Troubleshoot LoadBalancerInUseByVirtualMachineScaleSet or NetworkSecurityGroupInUseByVirtualMachineScaleSet error code. |
| Missing or invalid service principal | Service principal credentials are missing or invalid. | The service principal either doesn't exist, is expired, or lacks the required permissions. For more information, see Missing or invalid service principal when creating an AKS cluster. |
| MissingSubscriptionRegistration | Required resource providers aren't registered. | The Azure subscription is missing registration information for required resource providers. For more information, see Troubleshoot the MissingSubscriptionRegistration error code. |
| NetworkSecurityGroupInUseByVirtualMachineScaleSet | Network security group (NSG) is in use by VM scale sets. | The NSG cannot be modified while attached to scale sets. For more information, see Troubleshoot the LoadBalancerInUseByVirtualMachineScaleSet or NetworkSecurityGroupInUseByVirtualMachineScaleSet error code. |
| NodePoolMcVersionIncompatible | Node pool version incompatible with control plane. | The node pool Kubernetes version isn't compatible with the control plane version. For more information, see Can't upgrade AKS cluster because of the NodePoolMcVersionIncompatible error. |
| OperationIsNotAllowed | Operation not permitted in current state. | The requested operation conflicts with cluster state or configuration. For more information, see Cluster pending operation (OperationNotAllowed) errors. |
| OperationNotAllowed or PublicIPCountLimitReached | Operation blocked or public IP limit reached. | The public IP quota is exceeded or the operation isn't allowed by policy. For more information, see Troubleshoot the OperationNotAllowed or PublicIPCountLimitReached quota error. |
| OrasPullNetworkTimeoutVMExtensionError | ORAS pull operation timed out. | There's a network timeout when you try to create and deploy an AKS cluster. For more information, see OrasPullNetworkTimeoutVMExtensionError error code (211) when deploying an AKS cluster. |
| OrasPullUnauthorizedVMExtensionError | Not authorized to pull artifacts from registry. | Authentication fails when you try to create and deploy an AKS cluster. For more information, see OrasPullUnauthorizedVMExtensionError error code (212) when deploying an AKS cluster. |
| OutboundConnFailVMExtensionError (50) | Node can't establish outbound connectivity. | A firewall, network security group (NSG), or routing prevents outbound connections. For more information, see Troubleshoot the OutboundConnFailVMExtensionError error code (50). |
| PublicIPAddr/InUseSubnet/NetSecGrp deletion error | Can't delete in-use networking resources. | Resources have active dependencies that must be removed. For more information, see A public IP address/subnet/network security group in use can't be deleted. |
| PublicIPAddressCannotBeDeleted, InUseSubnetCannotBeDeleted, or InUseNetworkSecurityGroupCannotBeDeleted | Networking resources have active dependencies. | Network resources are in use and can't be deleted without removing dependencies. For more information, see A public IP address/subnet/network security group in use cannot be deleted. |
| PublicIPCountLimitReached | Public IP address quota exceeded. | The subscription or region has reached the public IP address limit. For more information, see Troubleshoot the PublicIPCountLimitReached error code. |
| QuotaExceeded or InsufficientVCPUQuota | Virtual machine quota exceeded | There's insufficient vCPU quota for the requested VM sizes or count. For more information, see Troubleshoot the "Quotaexceeded" error code. |
| QuotaExceeded or InsufficientVCPUQuota (creation/upgrade) | Quota limit prevents cluster operation. | The vCPU quota is insufficient for cluster creation or upgrade. For more information, see "QuotaExceeded" or "InsufficientVCPUQuota" error during AKS creation or upgrade. |
| RequestDisallowedByPolicy | Azure policy blocks the request. | The request violates assigned Azure policy definitions. For more information, see RequestDisallowedByPolicy error when deploying an AKS cluster. |
| ServiceCidrOverlapExistingSubnetsCidr | Service Classless Inter-Domain Routing (CIDR) overlaps with subnet CIDR | The Kubernetes service CIDR conflicts with the existing subnet address space. For more information, see Troubleshoot the ServiceCidrOverlapExistingSubnetsCidr error during an AKS cluster upgrade. |
| ServicePrincipalValidationClientError | Service principal validation fails. | There's a client-side error when validating service principal credentials. For more information, see Troubleshoot the ServicePrincipalValidationClientError error code. |
| SubnetIsDelegated | Subnet is delegated to another service. | The subnet has a delegation that conflicts with AKS requirements. For more information, see Troubleshoot the SubnetIsDelegated error code. |
| SubnetIsFull | No available IP addresses in subnet. | All IP addresses in the subnet are allocated. For more information, see Troubleshoot the SubnetIsFull error code during an AKS cluster upgrade. |
| SubnetIsFull (upgrade) | Insufficient IPs for upgrade operation. | There aren't enough free IP addresses to perform the node pool upgrade. For more information, see Troubleshoot the "SubnetIsFull" error code during an AKS cluster upgrade. |
| SubnetWithExternalResourcesCannotBeUsedByOtherResources | Subnet contains external resources. | The subnet has resources from other services preventing AKS usage. For more information, see Troubleshoot the SubnetWithExternalResourcesCannotBeUsedByOtherResources error code. |
| SubscriptionRequestsThrottled | Subscription-level throttling active. | Too many requests at the subscription level cause rate limiting. For more information, see Troubleshoot the SubscriptionRequestsThrottled error code (429). |
| SubscriptionRequestsThrottled (429) | Rate limit exceeded for subscription. | The request rate exceeds subscription-level throttling limits. For more information, see Troubleshoot SubscriptionRequestsThrottled error code (429). |
T-Z error codes
| Error code | Description | Details and mitigation |
|---|---|---|
| TCP time-outs such as 10250 I/O | TCP connection timeouts on kubelet port. | There are network connectivity issues or a firewall is blocking port 10250. For more information, see 10250 I/O timeouts error when running kubectl log command. |
| Throttled | API requests are being throttled. | The request rate exceeds Azure Resource Manager limits. For more information, see Troubleshoot the Throttled error code (429). |
| Throttled (429) | HTTP 429 rate limiting in effect. | Too many requests cause Azure API throttling. For more information, see Troubleshoot Throttled error code (429). |
| tls - client offered only unsupported versions | Transport Layer Security (TLS) version mismatch | The client attempts connection with unsupported TLS versions. For more information, see "TLS: client offered only unsupported versions" error on client when connecting to the AKS API server. |
| TooManyRequestsReceived or SubscriptionRequestsThrottled | Request throttling active. | An excessive request volume triggers rate limiting. For more information, see Troubleshoot TooManyRequestsReceived or SubscriptionRequestsThrottled error code. |
| UnsatisfiablePDB | Pod Disruption Budget (PDB) can't be satisfied. | PDB constraints prevent required node operations. For more information, see Error "UnsatisfiablePDB" when upgrading an AKS cluster. |
| Upgrade issues with Gen2 VMs on Windows AKS cluster | Node pools not upgraded to Gen2 during image upgrade. | There's a known limitation with Windows node pool Gen2 migration. For more information, see Windows Server node pools not upgraded to Gen2 during cluster node image upgrade. |
| VirtualNetworkNotInSucceededState | Virtual network (VNet) not in successful provisioning state. | The VNet is in a failed, updating, or other non-successful state. For more information, see Troubleshoot the VirtualNetworkNotInSucceededState error code. |
| VMExtensionError_CniDownloadTimeout | Container Network Interface (CNI) plugin download timeout. | There are network issues preventing a CNI plugin download. For more information, see Troubleshoot the VMExtensionError_CniDownloadTimeout error code (41). |
| VMExtensionError_OutboundConnFail | VM extension can't establish outbound connection. | Outbound connectivity is blocked by network configuration. For more information, see Troubleshoot the VMExtensionError_OutboundConnFail error code (50). |
| VMExtensionError_K8SAPIServerConnFail | Can't connect to Kubernetes API server. | The network or a firewall prevents API server connectivity. For more information, see Troubleshoot the VMExtensionError_K8SAPIServerConnFail error code (51). |
| VMExtensionError_K8SAPIServerDNSLookupFail | DNS lookup failure for API server. | There are DNS resolution issues for the API server endpoint. For more information, see Troubleshoot the VMExtensionError_K8SAPIServerDNSLookupFail error code (52). |
| VMExtensionError_VHDFileNotFound | Virtual hard disk (VHD) file not found. | The node image VHD is missing or inaccessible. For more information, see VMExtensionError_VHDFileNotFound error code (65) when deploying an AKS cluster. |
| VMExtensionProvisioningTimeout | VM extension provisioning times out. | The extension installation exceeded the timeout period. For more information, see Troubleshoot the VMExtensionProvisioningTimeout error. |
| VMExtensionError_ProvisioningTimeout | Extension provisioning timeout error. | The VM extension fails to provision within the time limit. For more information, see Troubleshoot the VMExtensionProvisioningTimeout error code. |
| WINDOWS_CSE_ERROR_CHECK_API_SERVER_CONNECTIVITY | Windows node can't verify API server connectivity. | The Windows-specific API server connectivity check fails. For more information, see Troubleshoot WINDOWS_CSE_ERROR_CHECK_API_SERVER_CONNECTIVITY error code (5). |
| WINDOWS_CSE_ERROR_CHECK_API_SERVER_CONNECTIVITY (5) | Windows Custom Script Extension API connectivity error. | Windows node provisioning fails due to API server connectivity. For more information, see Troubleshoot WINDOWS_CSE_ERROR_CHECK_API_SERVER_CONNECTIVITY error (5). |
| ZonalAllocationFailed, AllocationFailed, or OverconstrainedAllocationRequest | VM allocation fails. | You're unable to allocate VMs due to capacity, zone, or constraint issues. For more information, see Troubleshoot the ZonalAllocationFailed, AllocationFailed, or OverconstrainedAllocationRequest error code. |