The Azure Load Balancer is not accepting external connections for the Nginx service despite reporting its backend nodes as healthy via health probes.

Question

The Azure Load Balancer is not accepting external connections for the Nginx service despite reporting its backend nodes as healthy via health probes.

Gav Sturm 20

Hello,

I'm encountering a persistent issue with external connectivity to an Nginx Ingress controller service exposed via a standard Azure Load Balancer on my AKS cluster.

The Problem:

External connection attempts (e.g., curl) to the Load Balancer's public IP on port 80 consistently time out before establishing a TCP connection. This happens from multiple external networks (tested locally and from AWS Lambda).

The Puzzle:

This timeout occurs despite the following configurations and checks appearing correct:

Azure Load Balancer Rules: The LB (kubernetes in node RG) has rules correctly mapping Frontend Port 80 -> Backend Port 31965 and Frontend Port 443 -> Backend Port 30429. (These are the NodePorts assigned to the ingress-nginx/ingress-nginx-controller service).
Azure Load Balancer Health Probes: Configured TCP probes targeting the backend NodePorts (31965 and 30429) are consistently reporting as Healthy in the Azure Portal.
NSG Rules: The associated NSG has rules allowing inbound traffic from Internet to port 80/443 (via AKS default rules) and explicitly allows AzureLoadBalancer source to the NodePorts (31965, 30429).
Internal Connectivity: Tests performed from within the AKS cluster using kubectl exec into a pod and curling the node's private IP directly on the NodePorts (curl -k https://) connect successfully and receive the expected 404 response from the Nginx pod.
Kubernetes State: The Nginx Ingress controller pod (ingress-nginx namespace) is Running/Ready. kube-proxy pods (kube-system namespace) are Running/Ready and logs show successful rule syncing. The relevant node is Ready. Node reboots and pod restarts have been attempted.

Summary: Everything up to the Azure Load Balancer seems functional. Internal routing via NodePorts works, and the Load Balancer itself reports the backend nodes as healthy via TCP probes to those NodePorts. However, external traffic directed to the Load Balancer's public IP fails to connect.

Question:

Has anyone encountered a similar situation where an Azure Load Balancer fails to accept external connections despite having healthy probes and seemingly correct LB/NSG rules? Are there any other diagnostic steps recommended for AKS LB connectivity issues, particularly when standard checks pass and Azure support is not available? Could this point to an underlying Azure platform issue with the LB instance or network path?

Any insights or suggestions would be greatly appreciated!

Vamsi Ram Annepu 640 Reputation points Microsoft External Staff

2025-04-26T01:13:05.6666667+00:00
Hi Gav Sturm,
Can you provide us with the below information so that we can help you troubleshoot properly

Is the Load Balancer using a "Basic" or "Standard" SKU.

Does the Load Balancer or NSG have any "source IP filtering" or "expectation" around reverse DNS.

Is this a new issue or an ongoing issue .

Is either the load balancer or the Nginx Ingress controller service newly added.

If you recently moved from a Basic LB to a Standard LB.

when Load Balancer fails to accept external connections does it gives you any error message? If yes do share detail on it.

Feel free to reach out if you have any further queries.
LISBOA-4826 240 Reputation points

2025-04-26T12:31:40.96+00:00

Hi Gav Sturm •

Welcome to our MS Q&A community.

I'd like to add one more information on the info shared by Vamsi.

We have an initial start and documentation to help on the troubleshooting steps for LB.

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Thank You.

Lisboa
Gav Sturm 20 Reputation points

2025-04-26T18:28:06.4966667+00:00

The Load Balancer is the default Standard SKU automatically provisioned by AKS.

There's no specific source IP filtering configured in the NSG rules for incoming internet traffic on ports 80/443, nor are there any reverse DNS expectations.

This connection timeout issue emerged recently during the setup and troubleshooting of the Nginx Ingress controller and KEDA, specifically after correcting initial Load Balancer rule and health probe misconfigurations. The Nginx Ingress controller components were newly added/reconfigured during this process.

There was no migration from a Basic to Standard Load Balancer.

The error received externally is a TCP connection timeout (e.g., curl fails with Couldn't connect to server or Operation timed out) before any HTTP data is exchanged. This happens even though internal tests connect successfully and the Azure health probes report the backend as healthy.

Thanks.
Arko 2,130 Reputation points Microsoft External Staff

2025-04-28T08:45:58.6866667+00:00

Hope I was able to clear your query here Gav Sturm.
Arko 2,130 Reputation points Microsoft External Staff

2025-04-29T06:41:20.9466667+00:00

Following up on this Gav Sturm, Hope your query has been resolved.
Gav Sturm 20 Reputation points

2025-04-29T15:34:38.7266667+00:00

Hi Arko yes this definitly helped and now my load balancer is in much better shape. thank you
Arko 2,130 Reputation points Microsoft External Staff

2025-04-29T15:56:23.9+00:00

Glad to hear that Gav Sturm, I have updated the same as answer for you to accept it so that anyone else in the MS QnA community having similar query can refer to it. Thanks

Accepted answer

0 additional answers

Your answer

Vamsi Ram Annepu 640 Reputation points Microsoft External Staff

2025-04-26T01:13:05.6666667+00:00

Hi Gav Sturm,
Can you provide us with the below information so that we can help you troubleshoot properly

Is the Load Balancer using a "Basic" or "Standard" SKU.

Does the Load Balancer or NSG have any "source IP filtering" or "expectation" around reverse DNS.

Is this a new issue or an ongoing issue .

Is either the load balancer or the Nginx Ingress controller service newly added.

If you recently moved from a Basic LB to a Standard LB.

when Load Balancer fails to accept external connections does it gives you any error message? If yes do share detail on it.

Feel free to reach out if you have any further queries.
LISBOA-4826 240 Reputation points

2025-04-26T12:31:40.96+00:00

Hi Gav Sturm •

Welcome to our MS Q&A community.

I'd like to add one more information on the info shared by Vamsi.

We have an initial start and documentation to help on the troubleshooting steps for LB.

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Thank You.

Lisboa
Gav Sturm 20 Reputation points

2025-04-26T18:28:06.4966667+00:00

The Load Balancer is the default Standard SKU automatically provisioned by AKS.

There's no specific source IP filtering configured in the NSG rules for incoming internet traffic on ports 80/443, nor are there any reverse DNS expectations.

This connection timeout issue emerged recently during the setup and troubleshooting of the Nginx Ingress controller and KEDA, specifically after correcting initial Load Balancer rule and health probe misconfigurations. The Nginx Ingress controller components were newly added/reconfigured during this process.

There was no migration from a Basic to Standard Load Balancer.

The error received externally is a TCP connection timeout (e.g., curl fails with Couldn't connect to server or Operation timed out) before any HTTP data is exchanged. This happens even though internal tests connect successfully and the Azure health probes report the backend as healthy.

Thanks.
Arko 2,130 Reputation points Microsoft External Staff

2025-04-28T08:45:58.6866667+00:00

Hope I was able to clear your query here Gav Sturm.
Arko 2,130 Reputation points Microsoft External Staff

2025-04-29T06:41:20.9466667+00:00

Following up on this Gav Sturm, Hope your query has been resolved.
Gav Sturm 20 Reputation points

2025-04-29T15:34:38.7266667+00:00

Hi Arko yes this definitly helped and now my load balancer is in much better shape. thank you
Arko 2,130 Reputation points Microsoft External Staff

2025-04-29T15:56:23.9+00:00

Glad to hear that Gav Sturm, I have updated the same as answer for you to accept it so that anyone else in the MS QnA community having similar query can refer to it. Thanks

Answer 1

Hello Gav Sturm,

Even though Azure Load Balancer health probes report "Healthy" and NodePort traffic works internally inside AKS, external connectivity (curl to Load Balancer Public IP) times out because there is no frontend rule properly linking the Load Balancer public IP to the backend NodePorts. This typically happens when you use a service of type NodePort without creating an AKS-managed LoadBalancer type service.

Why?

Ans- In AKS with a standard SKU Azure Load Balancer, health probes only check TCP connectivity to backend NodePorts. They do not guarantee that the frontend rule is correctly mapping external traffic. When you expose nginx using a NodePort service type, Azure does not automatically create a frontend listener rule for port 80/443 on the Load Balancer. Therefore, external packets hitting the Load Balancer public IP timeout, even though the backend NodePort service works fine internally. NSG rules alone are not enough. The Load Balancer needs frontend rules + probes bound correctly. This behavior is by design with NodePort services in AKS and they require manual Load Balancer configuration if you don't use Service type LoadBalancer.

I was checking the same from my end by creating a cluster with standard load balancer and deploying nginx ingress controller with a Service of type NodePort and exposed ports 32080 (HTTP) and 32443 (HTTPS) and I observed the same error as yours.

How to fix it?

Ans- Delete the NodePort service and recreate the nginx service as type: LoadBalancer instead of NodePort, which automatically configures Azure Load Balancer frontend rules, backend pools, and probes correctly.

enter image description here


apiVersion: v1

kind: Service

metadata:

  name: ingress-nginx-controller

  namespace: ingress-nginx

spec:

  type: LoadBalancer

  selector:

    app: ingress-nginx

  ports:

  - name: http

    port: 80

    targetPort: 80

  - name: https

    port: 443

    targetPort: 443

You won't need to manually configure frontend rules when using Service type LoadBalancer as AKS automatically handles the Azure Load Balancer wiring for you.

After applying this, a new external IP will be assigned to the service. Load Balancer frontend rules and health probes will be created properly. External access on port 80 will start working immediately.

enter image description here

References Docs:

Arko 2,130 Reputation points Microsoft External Staff

2025-04-29T16:56:45.33+00:00

Hello Gav Sturm, please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, as this can be beneficial to other community members.

Share via

The Azure Load Balancer is not accepting external connections for the Nginx service despite reporting its backend nodes as healthy via health probes.

0 additional answers

Your answer