AKS cluster upgrade fails because of NSG rules
This article discusses how to resolve issues if your Azure Kubernetes Service (AKS) cluster upgrade fails because of network security group (NSG) rules.
Prerequisites
This article requires Azure CLI version 2.0.65 or a later version. To find the version number, run az --version. If you have to install or upgrade Azure CLI, see How to install the Azure CLI.
For more detailed information about the upgrade process, see the "Upgrade an AKS cluster" section in Upgrade an Azure Kubernetes Service (AKS) cluster.
Symptoms
An AKS cluster upgrade fails, and you receive an error message that indicates that an NSG rule is involved.
Cause
An NSG rule is blocking the cluster from downloading required resources.
Solution
To resolve this issue, follow these steps:
1. Run az network nsg list -o table, and then locate the NSG that's linked to your cluster. The NSG is typically located in the infrastructure or node resource group, by convention named MC_<RG name>_<your AKS cluster name>_<location code>.
2. Run the following command to view the NSG rules:
   az network nsg rule list --resource-group <Rg name> --nsg-name <nsg name> --include-default -o table
   The following screenshot shows the default rules.
3. If you have the default rules, skip this step. Otherwise, revise and remove the rules that are blocking the internet traffic. Then, run the following command to upgrade the AKS cluster to the same version that you previously tried to upgrade to. This process will trigger a reconciliation.
   az aks upgrade --resource-group <ResourceGroupName> --name <AKSClusterName> --kubernetes-version <KUBERNETES_VERSION>
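To find which rule is blocking internet traffic before you retry the upgrade, you can evaluate the rule list the way an NSG does: lowest priority number first, first match wins. The following Python sketch is an added example, not part of the original article. It reads the same rule list in JSON form (-o json instead of -o table) and reports the rule that decides an internet-bound flow. It assumes TCP port 443 as the sample flow, treats only the destinations *, Internet and 0.0.0.0/0 as internet, and does not evaluate source prefixes or other destination prefixes; the rule name deny-web-out and the sample data are constructed.

```python
import json

# Destination values this example treats as "internet" (assumption of the example).
INTERNET = {"*", "Internet", "0.0.0.0/0"}

def port_matches(rule, port):
    """True if the rule's destination port range(s) include the port."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for item in ranges:
        low, _, high = item.partition("-")
        if item == "*" or int(low) <= port <= int(high or low):
            return True
    return False

def dest_matches(rule):
    """True if any destination prefix of the rule is in INTERNET."""
    dests = set(rule.get("destinationAddressPrefixes") or [])
    dests.add(rule.get("destinationAddressPrefix"))
    return bool(dests & INTERNET)

def deciding_rule(rules, port=443, protocol="Tcp"):
    """First outbound rule, lowest priority number first, matching the flow."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"] == "Outbound"
                and rule["protocol"].lower() in ("*", protocol.lower())
                and port_matches(rule, port) and dest_matches(rule)):
            return rule["name"], rule["access"]
    return None

# Constructed sample shaped like `az network nsg rule list ... --include-default -o json`.
# "deny-web-out" is a hypothetical custom rule; the others are Azure default rules.
SAMPLE = json.loads("""[
 {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "destinationPortRange": "*", "destinationAddressPrefix": "*"},
 {"name": "AllowVnetOutBound", "priority": 65000, "direction": "Outbound", "access": "Allow",
  "protocol": "*", "destinationPortRange": "*", "destinationAddressPrefix": "VirtualNetwork"},
 {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound", "access": "Allow",
  "protocol": "*", "destinationPortRange": "*", "destinationAddressPrefix": "Internet"},
 {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound", "access": "Deny",
  "protocol": "*", "destinationPortRange": "*", "destinationAddressPrefix": "*"},
 {"name": "deny-web-out", "priority": 200, "direction": "Outbound", "access": "Deny",
  "protocol": "Tcp", "destinationPortRange": null, "destinationPortRanges": ["80", "443"],
  "destinationAddressPrefix": "Internet"}
]""")

if __name__ == "__main__":
    print(deciding_rule(SAMPLE))  # ('deny-web-out', 'Deny')
```

If the deciding rule is a default rule (AllowInternetOutBound), the NSG's own rules are not what blocks that flow; a custom Deny result names the rule to revise or remove.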
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.