Merge pull request #8574 from AED1523/win-cse

AB#5364: Update windows-cse-error-check-api-server-connectivity.md

Author: AmandaAZ

support/azure/azure-kubernetes/create-upgrade-delete/windows-cse-error-check-api-server-connectivity.md

@@ -1,8 +1,8 @@
 ---
 title: Troubleshoot WINDOWS_CSE_ERROR_CHECK_API_SERVER_CONNECTIVITY error (5)
 description: Learn how to troubleshoot the WINDOWS_CSE_ERROR_CHECK_API_SERVER_CONNECTIVITY error (5) when you try to add Windows node pools in an AKS cluster.
-ms.date: 10/31/2023
-ms.reviewer: shtao, abelch, junjiezhang, v-weizhu
+ms.date: 04/14/2025
+ms.reviewer: shtao, abelch, junjiezhang, v-weizhu, addobres
 ms.service: azure-kubernetes-service
 #Customer intent: As an Azure Kubernetes user, I want to troubleshoot the WINDOWS_CSE_ERROR_CHECK_API_SERVER_CONNECTIVITY error (5) so that I can successfully add Windows node pools in an Azure Kubernetes Service (AKS) cluster.
 ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool)
@@ -31,7 +31,9 @@ Your cluster nodes can't connect to the cluster API server pod.
 
 ## Troubleshooting steps
 
-1. Verify that your nodes can resolve the cluster's fully qualified domain name (FQDN):
+1. Connect to the respective node by following the steps described in [Windows Server proxy connection for SSH](/azure/aks/node-access#windows-server-proxy-connection-for-ssh):
+
+2. Verify that your nodes can resolve the cluster's fully qualified domain name (FQDN):
 
     On existing Windows nodes, run the following command:
 
@@ -45,15 +47,17 @@ Your cluster nodes can't connect to the cluster API server pod.
     nc -vz <cluster-fqdn> 443
     ```
 
-2. If the command output shows `False` or `Timeout`, check your network configuration. For example, check whether you set "Deny" rules for the API server in network security groups (NSGs) of the virtual network.
+3. If the command output shows `False` or `Timeout`, check your network configuration. For example, check whether you set "Deny" rules for the API server in network security groups (NSGs) of the virtual network.
 
-3. If you're using egress filtering through a firewall, make sure that traffic is allowed to your cluster FQDN.
+4. If you're using egress filtering through a firewall, make sure that traffic is allowed to your cluster FQDN.
 
-4. If you've authorized IP addresses that are enabled on your cluster, the firewall's outbound IP address can be blocked. In this scenario, you must add the outbound IP address of the firewall to the list of authorized IP ranges for the cluster. For more information, see [Secure access to the API server using authorized IP address ranges in AKS](/azure/aks/api-server-authorized-ip-ranges).
+5. If you've authorized IP addresses that are enabled on your cluster, the firewall's outbound IP address can be blocked. In this scenario, you must add the outbound IP address of the firewall to the list of authorized IP ranges for the cluster. For more information, see [Secure access to the API server using authorized IP address ranges in AKS](/azure/aks/api-server-authorized-ip-ranges).
 
 ## References
 
-[General troubleshooting of AKS cluster creation issues](troubleshoot-aks-cluster-creation-issues.md)
+- [General troubleshooting of AKS cluster creation issues](troubleshoot-aks-cluster-creation-issues.md)
+
+- [Exit codes in Windows CSE](https://github.com/Azure/AgentBaker/blob/master/parts/windows/windowscsehelper.ps1)
 
 [!INCLUDE [Third-party disclaimer](../../../includes/third-party-disclaimer.md)]