This article discusses how to troubleshoot issues in network isolated Azure Kubernetes Service (AKS) clusters.
Prerequisites
- The Kubernetes kubectl tool. You can install kubectl by running the Azure CLI command az aks install-cli.
Network isolated cluster support
The network isolated cluster follows a similar support model to other AKS add-ons. When using a network isolated cluster with Azure Container Registry (ACR), you have two options:
- Bring Your Own (BYO) ACR
- AKS-managed ACR
If you choose BYO ACR, you're responsible for configuring your ACR and its associated resources properly.
Issue 1: Cluster image pull fails due to network isolation
Network isolated clusters use ACR cache rules for image pulls. If an image pull fails due to network isolation, follow these steps:
For BYO ACR:
Verify that the private ACR resources are configured, including the cache rule and private endpoints. For more information about how to configure them, see steps 3 and 4 under the Deploy a network isolated cluster with bring your own ACR section.
For AKS-managed ACR:
- By default, only Microsoft Container Registry (MCR) images are supported. If the image pull failure occurs with MCR images, check if the associated ACR and private endpoint resource named with the keyword bootstrap exist. If they don't exist, reconcile the cluster.
- If the image pull failure occurs with images from other registries, create extra cache rules in the private ACR for those images.
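The AKS-managed ACR checks above can be scripted with the Azure CLI. The following is an added example, not part of the original article; it assumes you pass in the resource group that holds the managed resources (the article doesn't name it), and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: checks for the AKS-managed ACR case of Issue 1.
# Assumption: $1 is the resource group that holds the managed registry
# and private endpoint; the article does not say which group that is.

# Print "type<TAB>name" for every resource whose name contains "bootstrap".
list_bootstrap_resources() {
  az resource list --resource-group "$1" \
    --query "[?contains(name, 'bootstrap')].[type, name]" --output tsv
}

# Return 0 only when both a container registry and a private endpoint
# with "bootstrap" in their names exist; 1 if either is missing;
# 2 if the Azure CLI call itself failed (for example, not signed in).
bootstrap_resources_present() {
  resources="$(list_bootstrap_resources "$1")" || return 2
  missing=0
  for rtype in Microsoft.ContainerRegistry/registries \
               Microsoft.Network/privateEndpoints; do
    if ! printf '%s\n' "$resources" | grep -qi "^${rtype}[[:space:]]"; then
      echo "missing: ${rtype} with 'bootstrap' in its name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Show the cache rules on a registry so you can confirm that the source
# registry of the failing image is covered. $1 is the registry name.
list_cache_rules() {
  az acr cache list --registry "$1" --output table
}

# Reconcile the cluster by running an update with no property changes.
# $1 is the cluster's resource group, $2 is the cluster name.
reconcile_cluster() {
  az aks update --resource-group "$1" --name "$2"
}

# Typical use (placeholders in angle brackets):
#   bootstrap_resources_present "<resource-group>" || \
#     reconcile_cluster "<cluster-resource-group>" "<cluster-name>"
#   list_cache_rules "<registry-name>"
```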
Issue 2: Cluster image pull fails after updating an existing cluster to a network isolated cluster or updating the private ACR resource ID
This failure is intended behavior. To resolve this issue, reimage the node to update the kubelet configuration in Container Service Extension (CSE) by following the update actions in Update your ACR ID.
Issue 3: ACR or associated cache rules, private endpoints, or private DNS zones are deleted
If the cache rule is deleted from the managed ACR accidentally, the mitigation is to delete the ACR and then reconcile the cluster. If the ACR itself, the associated private endpoints, or the associated private DNS zones are deleted accidentally, the mitigation is just to reconcile the cluster.