This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 45%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBK%3C/text%3E%3C/svg%3E)
My Requirement - An AKS cluster with public authorised IP api server, but nodes do not have any outbound internet access (due to organisation security). I should be able to run kubectl commands from my local terminal.
Most suggested option is to create a public AKS with outbound type as userdefinedrouting and configure a firewall to allow outbound using Service Tags as required. But this comes with high cost of firewall. I want to avoid Firewall usage.
Network Isolated Cluster is there but in Preview and i feel this is perfect for my usecase.
Questions -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 53%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPY%3C/text%3E%3C/svg%3E)
Hi Balraj Kumar,
Health reporting (node heartbeat, kubelet telemetry)
Managed identity tokens acquisition (MSI endpoints hosted in Azure infra)
Cluster auto-upgrade checks
Node telemetry data pushing
Kubelet metrics ingestion
Azure CNI plugin communication (if you're using Azure CNI)
These services are bundled under the AzureKubernetesService service tag. Without it:
The control plane is deployed inside a Microsoft-managed VNet peered with your VNet.
The necessary Azure services for kubelet, telemetry, MSI, etc., are privately accessible over Azure’s internal backbone network.
Instead of reaching the public endpoints covered by AzureKubernetesService, the required services are made available as private, internal services inside that peered control plane subnet.
So:
No outbound to public IP needed
Private endpoints + internal Azure peering cover all communication channels
That’s why it works even with NSG denying all outbound to internet
Public AKS:
Requires public AzureKubernetesService endpoints because Azure doesn’t expose those same control services as private endpoints for public clusters.
Your API server is public, and so its control plane dependencies remain public.
Even if you disable internet via NSG, you still need to allow outbound to the AzureKubernetesService service tag for those essential operations.
Workaround without Azure Firewall:
Use UserDefinedRouting + NAT Gateway to centralize outbound
Deny all other internet via NSG
Allow outbound:
To private ACR endpoints
To AzureKubernetesService service tag
You can run kubectl from your local PC since API server is public
This avoids Azure Firewall but still gives you controlled, minimal outbound to only what AKS needs.
Please refer the document below:
https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress
https://learn.microsoft.com/en-us/azure/aks/egress-outboundtype
https://learn.microsoft.com/en-us/azure/aks/network-isolated?pivots=aks-managed-acr
https://learn.microsoft.com/en-us/azure/aks/concepts-network-isolated
If you found information helpful, please click "Upvote" on the post to let us know.
If you have any further queries feel free to reach out us.
Thank You.
Just a minor question - the service tag AzureKubernetesService is not available in the NSG. Then how do I allow this specific tag?
Hi Balraj Kumar,
AzureKubernetesService is available, but it’s not listed as a commonly used service tag for general NSG rules (like AzureCloud). You need to create a custom network rule using this tag.
This tag is essential to allow traffic from your AKS nodes to the Kubernetes control plane. If your AKS cluster is private, the nodes still need access to the AKS control plane, and that requires this tag.
Steps to add the AzureKubernetesService tag:
You should add this rule to your Network Security Group (NSG) that's associated with your AKS node pool subnet or VNet to allow traffic from the AKS nodes to Microsoft-managed control plane endpoints.
az network nsg rule create \
--resource-group <your-resource-group> \
--nsg-name <your-nsg-name> \
--name Allow-AKS-API-Server \
--priority 100 \
--direction Inbound \
--access Allow \
--protocol Tcp \
--source-address-prefixes AzureKubernetesService \
--source-port-ranges '*' \
--destination-address-prefixes '*' \
--destination-port-ranges 443
This will allow communication from your AKS nodes to the Kubernetes API server hosted in Microsoft’s infrastructure.
Without the AzureKubernetesService tag, your AKS nodes won't be able to communicate with the managed control plane. Even with private clusters, the control plane is still hosted by Microsoft and outside your VNet, which is why this tag is needed for nodes to reach it.
Please refer the document below:
https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress
If you found information helpful, please click "Upvote" on the post to let us know.
If you have any further queries feel free to reach out us.
Thank You.
I understand your point and the need of the rule using AzureKubernetesService tag in the NSG. The problem is that I do not see this tag at all in the Service Tag dropdown menu while adding the custom rule in the Azure portal.
This link also does not mention the availability of this tag https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview
I also tried the cli command you shared and I get this error -
(SecurityRuleInvalidAddressPrefix) Security rule /subscriptions/......./Allow-AKS-API-Server has invalid Address prefix.
Value provided: AzureKubernetesService
Code: SecurityRuleInvalidAddressPrefix
As I understand, nodes need outbound access and AzureCloud service tag is not enough and AzureKubernetesService service tag is also needed (if configure via firewall). But AzureKubernetesService tag is not directly available for use in NSG. As per your recommendation, you are suggesting to use a NAT gateway and force all egress through the NAT gateway. Won't it allow all kinds of outbound via the NAT gateway? How are we blocking unnecessary extra outbound other than those that come under AzureCloud & AzureKubernetesService tags? I wanted to have nodes only minimum outbound access, just enough to function it properly and no extra outbound access.
Hi Balraj Kumar,
NAT Gateway itself allows all outbound traffic. It does not block destinations.
To restrict unnecessary outbound traffic, you must use Network Security Groups (NSG) with carefully designed rules.
You can allow outbound only to the AzureCloud service tag (covers important Azure services like ACR, Storage, etc.), and deny all other general internet access.
However, the AzureKubernetesService service tag is not available for use in NSG — it can only be used in Azure Firewall.
Therefore, using only NAT Gateway + NSG, you can achieve minimum practical outbound access, but perfectly restricting only to AzureCloud + AzureKubernetesService is not possible without Azure Firewall.
I hope this information is helpful, please click "Upvote" on the post to let us know.
Thank You.
Hi Balraj Kumar,
Just checking in to see if you had a chance to review the comment on your question. Feel free to reach out if you have any further queries.
If you found the information helpful, please click "Upvote" on the post to let us know.
Thank You.
Hi
So what I understand is there isn't easy way to replicate my scenario without using firewall. I was allowing just enough outbound using firewall so that nodes could function properly, by only allowing outbound using AzureCloud and AzureKubernetesService service tags (both required).
When we try doing doing the same using NSG rules + NAT gateway, we can allow for AzureCloud but AzureKubernetesService tag is not supported for NSG. Also all rules that are included under the AzureKubernetesService tag is abstracted for us. Since just allowing outbound using AzureCloud tag is not enough for Nodes to works properly, so eventually we would have to allow all outbound via NSG rules.
Hi Balraj Kumar,
Yes — there’s no clean way to replicate your current issue, least-privilege outbound model using just NSGs + NAT Gateway.
To preserve security without fully open outbound:
Stick with Azure Firewall or build a custom UDR-based egress proxy/inspection solution but NSG alone forces you into Allow All.
If you found the information helpful, please click "Upvote" on the post to let us know.
Thank You.
Hi Balraj Kumar,
Just checking in to see if you had a chance to review the latest comment. Feel free to reach out if you have any further queries.
If you found the information helpful, please click "Upvote" on the post to let us know.
Thank You.
Hi Balraj Kumar,
As the information is helpful please "Accept Answer".
Accepted answer will help other community members navigate to the appropriate solutions.
Thank You.
Hi Balraj Kumar,
You can use a combination of other Azure service tags to ensure that your AKS nodes can still communicate with necessary Azure-managed endpoints, like for public AKS clusters, use the AzureCloud service tag to allow outbound communication to Azure's public endpoints, including the AKS control plane, telemetry, and identity services. For private AKS clusters, where the control plane is external to your VNet, you must allow outbound access to the control plane's IP range.
Why it's not available in NSG:
Azure NSGs support a limited subset of service tags, mostly for layer 3/4 network filtering (IP-based).
AzureKubernetesService, on the other hand, involves FQDN-based destinations (like telemetry endpoints, MSI, etc.), which require application-layer filtering (i.e., L7). NSG cannot inspect FQDNs — only IP addresses or IP prefixes, hence it does not support this service tag.
How to allow AzureKubernetesService traffic without Firewall?
To allow AzureKubernetesService egress without NSG support, you need to route outbound traffic through a NAT Gateway, then use a custom route table to:
• Force all egress from your AKS subnet to go through the NAT Gateway.
• Ensure the NAT Gateway’s public IP(s) are allowed to access Azure’s endpoints.
While NSGs can't allow AzureKubernetesService, traffic still flows if not explicitly blocked and routed via NAT Gateway.
For detailed guidance on implementing this setup, refer to the following Microsoft documentation:
https://learn.microsoft.com/en-us/azure/aks/nat-gateway
https://learn.microsoft.com/en-us/azure/aks/egress-outboundtype
Recommendation (without Azure Firewall):
Deny all outbound except: To your NAT Gateway route and Private ACR.
No need to add AzureKubernetesService — just avoid blocking it
If you must restrict domains:
Use Azure Firewall DNS-based filtering or deploy custom DNS + Proxy that allows only required AKS control plane domains (complex and fragile)
I hope this information is helpful, please click "Upvote" on the post to let us know.
Thank You.