AKS cluster upgrade fails because of NSG rules

This article discusses how to resolve issues if your Azure Kubernetes Service (AKS) cluster upgrade fails because of network security group (NSG) rules.

Prerequisites

This article requires Azure CLI version 2.0.65 or a later version. To find the version number, run az --version. If you have to install or upgrade Azure CLI, see How to install the Azure CLI.

For more detailed information about the upgrade process, see the "Upgrade an AKS cluster" section in Upgrade an Azure Kubernetes Service (AKS) cluster.

Symptoms

An AKS cluster upgrade fails, and you receive an error message that indicates that an NSG rule is involved.

Cause

An NSG rule is blocking the cluster from downloading required resources.

Solution

To resolve this issue, follow these steps:

  1. Run az network nsg list -o table, and then locate the NSG that's linked to your cluster. The NSG is typically located in the infrastructure or node resource group, by convention named MC_<RG name>_<your AKS cluster name>_<location code>.

  2. Run the following command to view the NSG rules:

    az network nsg rule list --resource-group <Rg name> --nsg-name <nsg name> --include-default -o table
    

    The following screenshot shows the default rules.

    [Screenshot: default NSG rules]

  3. If you have the default rules, skip this step. Otherwise, revise and remove the rules that are blocking the internet traffic. Then, run the following command to upgrade the AKS cluster to the same version that you previously tried to upgrade to. This process will trigger a reconciliation.

    az aks upgrade --resource-group <ResourceGroupName> --name <AKSClusterName> --kubernetes-version <KUBERNETES_VERSION>
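
To make the check in steps 2 and 3 repeatable, the following added example (not part of the original article or of Azure CLI) reads the rule list in JSON form (`-o json` instead of `-o table`) and reports the custom rule, if any, that denies outbound internet traffic before the default AllowInternetOutBound rule is reached. Assumptions: the function names are hypothetical, the sample rules are constructed, 443/TCP is used as a representative download port, and only destinations that mean the whole internet are considered (the source side of each rule is not evaluated).

```python
import json

# The six rules Azure adds to every NSG; anything else is a custom rule.
DEFAULT_RULES = {"AllowVnetInBound", "AllowAzureLoadBalancerInBound", "DenyAllInBound",
                 "AllowVnetOutBound", "AllowInternetOutBound", "DenyAllOutBound"}
INTERNET = {"*", "internet", "0.0.0.0/0"}  # destinations that mean "the whole internet"

def port_in(spec, port):
    """True if an NSG port spec ('*', '443' or '8000-9000') covers port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def applies(rule, port, proto):
    """True if an outbound rule matches internet-bound traffic on port/proto."""
    dests = [rule.get("destinationAddressPrefix")] + (rule.get("destinationAddressPrefixes") or [])
    ports = [rule.get("destinationPortRange")] + (rule.get("destinationPortRanges") or [])
    return (rule["direction"] == "Outbound"
            and rule["protocol"].lower() in ("*", proto.lower())
            and any(d.lower() in INTERNET for d in dests if d)
            and any(port_in(p, port) for p in ports if p))

def deciding_rule(rules, port=443, proto="Tcp"):
    """NSG rules are evaluated lowest priority number first; the first match wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if applies(rule, port, proto):
            return rule
    return None

def custom_block(rules, port=443, proto="Tcp"):
    """Name of the custom rule that denies the flow, or None if it is allowed."""
    rule = deciding_rule(rules, port, proto)
    if rule and rule["access"] == "Deny" and rule["name"] not in DEFAULT_RULES:
        return rule["name"]
    return None

# Constructed sample in the shape of `az network nsg rule list --include-default -o json`.
SAMPLE = json.loads("""[
 {"name":"AllowInternetOutBound","priority":65001,"direction":"Outbound","access":"Allow",
  "protocol":"*","destinationAddressPrefix":"Internet","destinationPortRange":"*"},
 {"name":"DenyAllOutBound","priority":65500,"direction":"Outbound","access":"Deny",
  "protocol":"*","destinationAddressPrefix":"*","destinationPortRange":"*"},
 {"name":"deny-egress-sample","priority":200,"direction":"Outbound","access":"Deny",
  "protocol":"Tcp","destinationAddressPrefix":"Internet","destinationPortRanges":["80","443"]}
]""")

if __name__ == "__main__":
    print("blocking custom rule:", custom_block(SAMPLE))
```

A custom rule that denies traffic to a specific address range or service tag is not reported by this check and still has to be reviewed by hand.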
    
