How to deploy azure aks on private subnet without internet and allow the public access for the specific IPaddress

Question

How to deploy azure aks on private subnet without internet and allow the public access for the specific IPaddress

Ekambaram 0

We have deployed the AKS in private subnet without internet and below outbound rule in our NSG.
443 - azure cloud  
443 - mcr.microsoft.com (allowed these 2 ips 150.171.70.10,150.171.69.10) for coredns, kubeproxy

I believe these two IP addresses will change in the future. What would be the best approach to add rules for CoreDNS and kube-proxy? Could you please share your insights?

Please share the step by steps details to do it in Azure console.

Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-23T13:32:09.3366667+00:00
Hi Ekambaram,

I understand that you are trying to deploy an Azure Kubernetes Service (AKS) cluster on a private subnet without internet access and you want to allow egress traffic to mcr.microsoft.com over port 443 so that the nodes can pull these required images.

Here are the steps for creating private AKS cluster:

Create a VNET, Subnet and also create a Network Security Group with outbound access rules to Azure container registry and Azure cloud using the service tags.

We use Azure cloud service tag to allows your AKS cluster to communicate with various Azure services, including CoreDNS and kube-proxy and AzureContainerRegistry ensures that your AKS cluster can pull images from the Azure Container Registry (mcr.microsoft.com), which is necessary for deploying and running containers.

While creating NSG outbound rules, select the source as VNET and Destination as service tag - AzureContainerRegistry and AzureCloud.

Attach a NSG to the subnet.

Create a private AKS cluster by selecting the "Enabling Private Cluster" and select the VNET and subnet you have created for it.

Please refer to the document below about the private AKS cluster creation.

https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=default-basic-networking%2Cazure-portal#options-for-connecting-to-the-private-cluster

Please let me know if you have any questions.

Thank you.
Ekambaram V 0 Reputation points

2025-04-24T09:17:04.41+00:00

Hi Dharani,

Please check the below details and help to solve the problem.

Problem: -

While creating an Azure Kubernetes Service (AKS), we are selecting the option "Public access enabled with listed IPs" (including our local IPs) and configuring it with a private subnet.

NSG: -

Error: -

"code": "VMExtensionProvisioningError",

"message": "CSE failed with 'VMExtensionError_OutBoundConnFail', which means the agents are unable to establish outbound connection, please see https://aka.ms/aks/vmextensionerror_outboundconnfail and https://aka.ms/aks-required-ports-and-addresses for more information."
Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-24T16:10:52.33+00:00

Hi Ekambaram V,

When deploying AKS in a private subnet without internet access, you cannot associate public IP addresses with the node pool. Additionally, if you're using a private cluster, authorized IP ranges are not applicable, as the control plane is not exposed to the public internet.
Ekambaram V 0 Reputation points

2025-04-28T05:04:42.93+00:00

Hi Dharani,

Thanks for your inputs,

But I have tried with private cluster also it failed.

We have added IP address of mcr.microsoft.com(443 to 150.171.70.10, 150.171.69.10) - It is working fine.

We have added service tag azurecloud and azurecontainer registry is not working even with enabling private cluster also.
Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-28T15:50:32.9166667+00:00
Hi Ekambaram V,

As suggested by Alex Burlachenko, we can use the Azure Firewall with AzureKubernetesService FQDN tags to restricts outbound traffic from the AKS cluster.

Please follow the steps below for creating Firewall with FQDN tag.

Create Azure Firewall and select the VNet where your AKS nodes live and also create one Public IP. Here, we need to create a virtual network with two subnets: one for the cluster and one for the firewall (AzureFirewallSubnet)

Create Route Table (UDR) and add below Route to it. Route Name: <route-name> Address Prefix: 0.0.0.0/0 Next hop type: Virtual appliance Next hop address: Private IP of your Azure Firewall (please see the documentation about create route with next hop to azure-firewall

Then associate Route Table with Node Subnet. Choose your AKS Node pool subnet.

Create FQDN Rules in Azure Firewall policy.

Also create a network rule for DNS traffic (53 TCP/UDP) ➔ Allow to Azure DNS 168.63.129.16

If you use secure access to the AKS API server with authorized IP address ranges, you need to add the firewall public IP into the authorized IP range.

Please refer to the document below for detailed information about Limit network traffic with Azure Firewall in AKS.

https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic?tabs=aks-with-system-assigned-identities#create-a-route-with-a-hop-to-azure-firewall

Please let me know if you have any questions.
Ekambaram V 0 Reputation points

2025-04-29T06:29:18.2033333+00:00

Hi Dharani,

According to our company policy, an NSG (Network Security Group) must be attached to a subnet. This means traffic goes through the NSG and not directly to the firewall. Even though NSG rules allow traffic to and from the Azure Firewall, AKS (Azure Kubernetes Service) creation is still failing with the same error.

However, if we add the IP addresses of mcr.microsoft.com (150.171.70.10, 150.171.69.10) to the NSG, AKS creation succeeds. Despite using service tags like "Azure Cloud" and "AzureContainer Registry" as you suggested, AKS creation is not working.

Could you please provide further guidance on this issue?
Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-29T09:49:09.16+00:00

Hi Ekambaram V,

As we know, the IP addresses behind mcr.microsoft.com names can change at any time because of that, we can’t reliably use Network Security Groups (NSGs), which filter traffic based on fixed IP addresses, to control outbound traffic. That’s why AKS allows unrestricted outbound access by default to ensure everything works smoothly.

If you need to restrict this traffic for security reasons, we only recommend using Azure Firewall that can filter by domain name (FQDN) instead of just IP addresses. This allows you to keep the cluster secure while still letting it reach the services it depends on.

Please refer the document about the FQDN and NSG.
https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress#background
Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-30T09:42:09.84+00:00

Hi Ekambaram V,

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If it was helpful, please click "Upvote" on this post and do let us know if you have any further questions.

Thank You.

1 answer

Your answer

Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-23T13:32:09.3366667+00:00

Hi Ekambaram,

I understand that you are trying to deploy an Azure Kubernetes Service (AKS) cluster on a private subnet without internet access and you want to allow egress traffic to mcr.microsoft.com over port 443 so that the nodes can pull these required images.

Here are the steps for creating private AKS cluster:

Create a VNET, Subnet and also create a Network Security Group with outbound access rules to Azure container registry and Azure cloud using the service tags.

We use Azure cloud service tag to allows your AKS cluster to communicate with various Azure services, including CoreDNS and kube-proxy and AzureContainerRegistry ensures that your AKS cluster can pull images from the Azure Container Registry (mcr.microsoft.com), which is necessary for deploying and running containers.

While creating NSG outbound rules, select the source as VNET and Destination as service tag - AzureContainerRegistry and AzureCloud.

Attach a NSG to the subnet.

Create a private AKS cluster by selecting the "Enabling Private Cluster" and select the VNET and subnet you have created for it.

Please refer to the document below about the private AKS cluster creation.

https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=default-basic-networking%2Cazure-portal#options-for-connecting-to-the-private-cluster

Please let me know if you have any questions.

Thank you.
Ekambaram V 0 Reputation points

2025-04-24T09:17:04.41+00:00

Hi Dharani,

Please check the below details and help to solve the problem.

Problem: -

While creating an Azure Kubernetes Service (AKS), we are selecting the option "Public access enabled with listed IPs" (including our local IPs) and configuring it with a private subnet.

NSG: -

Error: -

"code": "VMExtensionProvisioningError",

"message": "CSE failed with 'VMExtensionError_OutBoundConnFail', which means the agents are unable to establish outbound connection, please see https://aka.ms/aks/vmextensionerror_outboundconnfail and https://aka.ms/aks-required-ports-and-addresses for more information."
Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-24T16:10:52.33+00:00

Hi Ekambaram V,

When deploying AKS in a private subnet without internet access, you cannot associate public IP addresses with the node pool. Additionally, if you're using a private cluster, authorized IP ranges are not applicable, as the control plane is not exposed to the public internet.
Ekambaram V 0 Reputation points

2025-04-28T05:04:42.93+00:00

Hi Dharani,

Thanks for your inputs,

But I have tried with private cluster also it failed.

We have added IP address of mcr.microsoft.com(443 to 150.171.70.10, 150.171.69.10) - It is working fine.

We have added service tag azurecloud and azurecontainer registry is not working even with enabling private cluster also.
Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-28T15:50:32.9166667+00:00

Hi Ekambaram V,

As suggested by Alex Burlachenko, we can use the Azure Firewall with AzureKubernetesService FQDN tags to restricts outbound traffic from the AKS cluster.

Please follow the steps below for creating Firewall with FQDN tag.

Create Azure Firewall and select the VNet where your AKS nodes live and also create one Public IP. Here, we need to create a virtual network with two subnets: one for the cluster and one for the firewall (AzureFirewallSubnet)

Create Route Table (UDR) and add below Route to it. Route Name: <route-name> Address Prefix: 0.0.0.0/0 Next hop type: Virtual appliance Next hop address: Private IP of your Azure Firewall (please see the documentation about create route with next hop to azure-firewall

Then associate Route Table with Node Subnet. Choose your AKS Node pool subnet.

Create FQDN Rules in Azure Firewall policy.

Also create a network rule for DNS traffic (53 TCP/UDP) ➔ Allow to Azure DNS 168.63.129.16

If you use secure access to the AKS API server with authorized IP address ranges, you need to add the firewall public IP into the authorized IP range.

Please refer to the document below for detailed information about Limit network traffic with Azure Firewall in AKS.

https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic?tabs=aks-with-system-assigned-identities#create-a-route-with-a-hop-to-azure-firewall

Please let me know if you have any questions.
Ekambaram V 0 Reputation points

2025-04-29T06:29:18.2033333+00:00

Hi Dharani,

According to our company policy, an NSG (Network Security Group) must be attached to a subnet. This means traffic goes through the NSG and not directly to the firewall. Even though NSG rules allow traffic to and from the Azure Firewall, AKS (Azure Kubernetes Service) creation is still failing with the same error.

However, if we add the IP addresses of mcr.microsoft.com (150.171.70.10, 150.171.69.10) to the NSG, AKS creation succeeds. Despite using service tags like "Azure Cloud" and "AzureContainer Registry" as you suggested, AKS creation is not working.

Could you please provide further guidance on this issue?
Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-29T09:49:09.16+00:00

Hi Ekambaram V,

As we know, the IP addresses behind mcr.microsoft.com names can change at any time because of that, we can’t reliably use Network Security Groups (NSGs), which filter traffic based on fixed IP addresses, to control outbound traffic. That’s why AKS allows unrestricted outbound access by default to ensure everything works smoothly.

If you need to restrict this traffic for security reasons, we only recommend using Azure Firewall that can filter by domain name (FQDN) instead of just IP addresses. This allows you to keep the cluster secure while still letting it reach the services it depends on.

Please refer the document about the FQDN and NSG.
https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress#background
Dharani Reguri 430 Reputation points Microsoft External Staff

2025-04-30T09:42:09.84+00:00

Hi Ekambaram V,

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If it was helpful, please click "Upvote" on this post and do let us know if you have any further questions.

Thank You.

Answer 1

Dear Ekambaram,

Thank you for your question here at Q&A Portal. To deploy AKS in a private subnet without internet access while allowing specific public IPs, you can use Azure Private Clusters with restricted egress traffic. For CoreDNS and kube-proxy dependencies, Microsoft recommends using Azure Firewall with FQDN tags or service tags to dynamically manage required endpoints instead of hardcoding IPs.

Private AKS Deployment: Follow Microsoft’s guide for private clusters.

Egress Control: Use Azure Firewall with the AzureKubernetesService FQDN tag (see documentation).

Specific Public IP Access: Configure your NSG/load balancer to allow ingress only from your desired IPs (details here).

For CoreDNS/kube-proxy, avoid IP-based rules—leverage service tags (e.g., AzureContainerRegistry) or managed FQDNs to ensure stability.

Let me know if you need further clarification!

Best regards,

Alex

PS If my answer help to you, please Accept my answer.
PPS .that is my answer and it is not a comment :)

Ekambaram V 0 Reputation points

2025-04-29T06:29:40.08+00:00

Hi Alex,

According to our company policy, an NSG (Network Security Group) must be attached to a subnet. This means traffic goes through the NSG and not directly to the firewall. Even though NSG rules allow traffic to and from the Azure Firewall, AKS (Azure Kubernetes Service) creation is still failing with the same error.

However, if we add the IP addresses of mcr.microsoft.com (150.171.70.10, 150.171.69.10) to the NSG, AKS creation succeeds. Despite using service tags like "Azure Cloud" and "AzureContainer Registry" as you suggested, AKS creation is not working.

Could you please provide further guidance on this issue?

Share via

How to deploy azure aks on private subnet without internet and allow the public access for the specific IPaddress

1 answer

Your answer