Merge pull request #9499 from MicrosoftDocs/main

Auto Publish – main to live - 2025-08-11 18:00 UTC

Author: learn-build-service-prod[bot]

support/azure/azure-kubernetes/error-codes/subnetisdelegated-error.md

@@ -0,0 +1,71 @@
+---
+title: Troubleshoot the SubnetIsDelegated error code
+description: Learn how to troubleshoot the SubnetIsDelegated error when you try to create a node pool.
+ms.date: 08/07/2025
+editor: v-jsitser
+ms.reviewer: v-liuamson
+ms.service: azure-kubernetes-service
+#Customer intent: As an Azure Kubernetes user, I want to troubleshoot the SubnetIsDelegated error so that I can successfully create a node pool.
+ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool)
+---
+# Troubleshoot the SubnetIsDelegated error code
+
+This article discusses how to identify and resolve the SubnetIsDelegated error that occurs when you try to create a node pool.
+
+## Prerequisites
+
+- Azure CLI (version 2.0.59 or a later version)
+
+## Symptoms  
+
+When you try to create a node pool in an AKS cluster, you receive the following error message:
+
+> **Code:** **SubnetIsDelegated**
+>
+> **Message:** `AgentPoolProfile` subnet with id \<subnet-id\> cannot be used as it\'s a delegated subnet. Please check <https://aka.ms/adv-network-prerequest> for more details.
+
+## Cause
+
+If you try to create a node pool by using a subnet, and the subnet is delegation-enabled for a particular Azure service, the new node pool can't be integrated with the AKS service.
+
+## Resolution
+
+To resolve this issue, follow these steps:
+
+1. Verify that the subnet is correctly delegated:
+
+      ```bash
+      az network vnet subnet show \
+        --resource-group $RESOURCE_GROUP \
+        --vnet-name $VNET_NAME \
+        --name $SUBNET_NAME \
+        --query delegations
+      ```
+
+1. Make sure that the output shows **Microsoft.ContainerService/managedClusters** as the delegated service or no delegated service. If the output shows any other Azure service delegation, remove it by running the following command:
+
+   ```bash
+   az network vnet subnet update \
+     --resource-group $RESOURCE_GROUP \
+     --vnet-name $VNET_NAME \
+     --name $SUBNET_NAME \
+     --remove delegations 0
+   ```
+
+1. Run the following command to add Managed Cluster delegation:
+
+   ```bash
+   az network vnet subnet update \
+     --resource-group $RESOURCE_GROUP \
+     --vnet-name $VNET_NAME \
+     --name $SUBNET_NAME \
+     --delegations Microsoft.ContainerService/managedClusters
+   ```
+
+1. After the subnet delegation is removed, try again to create the node pool by using the `az aks nodepool add` command.
+
+## References
+
+- [az aks node pool examples](/cli/azure/aks/nodepool?view=azure-cli-latest#az-aks-nodepool-add-examples&preserve-view=true)
+
+[!INCLUDE [azure-help-support](../../../includes/azure-help-support.md)]

support/azure/azure-kubernetes/error-codes/virtualnetworknotinsucceededstate-error.md

@@ -0,0 +1,43 @@
+---
+title: Troubleshoot the VirtualNetworkNotInSucceededState error code
+description: Learn how to troubleshoot the VirtualNetworkNotInSucceededState error when you create, upgrade, or scale an Azure Kubernetes Service (AKS) cluster or node pool.
+ms.date: 08/07/2025
+editor: v-jsitser
+ms.reviewer: v-liuamson
+ms.service: azure-kubernetes-service
+#Customer intent: As an Azure Kubernetes user, I want to troubleshoot the VirtualNetworkNotInSucceededState error so that I can successfully create, upgrade, or scale an Azure Kubernetes Service (AKS) cluster or node pool.
+ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool)
+---
+# Troubleshoot the VirtualNetworkNotInSucceededState error code
+
+## Symptoms
+
+When you create, upgrade, or scale an Azure Kubernetes Service (AKS) cluster or node pool, the deployment fails and returns an error message that resembles the following message:
+
+*Status=400 Code=\"VirtualNetworkNotInSucceededState\"*
+
+*Message=\"Set virtual network ownership failed. Subscription: \<SUBSCRIPTION\>; resource group: \<RESOURCE GROUP\>; virtual network name: \<VNET NAME\>. autorest/azure: Service returned an error.
+Status=400 Code=\"VirtualNetworkNotInSucceededState\" Message=\"Virtual network /subscriptions/\<SUBSCRIPTION\>/resourceGroups/\<RESOURCE
+GROUP\>/providers/Microsoft.Network/virtualNetworks/\<VNET\> is in Updating state. It needs to be in Succeeded state in order to set resource ownership.*
+
+## Cause
+
+AKS can set ownership on a virtual network only if the `provisioningState` of the VNet is **Succeeded**. The request fails if the VNet is in the **Updating**, **Deleting**, or **Failed** state. Common causes for this condition include:
+
+- Another create, update, or delete operation is still running on the VNet.
+
+- A previous network operation failed and left the VNet in the **Failed** state.
+
+- Multiple parallel cluster or node pool deployments are trying to modify the same VNet at the same time.
+
+## Resolution
+
+Check the current provisioning state of the VNet:
+
+```dotnetcli
+az network vnet show -g \<resource-group\> -n \<vnet-name\> \--query \"provisioningState\" -o tsv
+```
+
+If the command returns **Succeeded**, the VNet is fully set up and ready for use, and you can retry your AKS operation. If it returns any other value, the VNet might be in a failed or pending state that requires manual intervention. For more guidance, follow the troubleshooting steps in [Troubleshoot Azure Microsoft.Network failed provisioning state](/azure/networking/troubleshoot-failed-state).
+
+[!INCLUDE [azure-help-support](../../../includes/azure-help-support.md)]

support/azure/azure-kubernetes/toc.yml

@@ -455,3 +455,7 @@
     href: error-codes/windows-cse-error-check-api-server-connectivity-error.md
   - name: ZonalAllocationFailed, AllocationFailed, or OverconstrainedAllocationRequest error
     href: error-codes/zonalallocation-allocationfailed-error.md
+  - name: SubnetIsDelegated error
+    href: error-codes/subnetisdelegated-error.md
+  - name: VirtualNetworkNotInSucceededState error 
+    href: error-codes/virtualnetworknotinsucceededstate-error.md

support/azure/virtual-machines/linux/serial-console-linux.md

@@ -12,7 +12,7 @@ ms.collection: linux
 ms.topic: article
 ms.tgt_pltfrm: vm-linux
 ms.workload: infrastructure-services
-ms.date: 03/11/2025
+ms.date: 07/29/2025
 ms.author: mbifeld
 ---
 
@@ -89,6 +89,13 @@ By default, all subscriptions have serial console access enabled. You can disabl
 
 ### Use Serial Console with custom boot diagnostics storage account firewall enabled
 
+> [!CAUTION]
+> There is a known issue where Azure Serial Console may fail to connect when a custom boot diagnostics storage account has firewall restrictions. This occurs because Azure Serial Console runs in Microsoft’s internal tenant, and firewall rules on the customer-managed storage account may block its access, even with correct permissions.
+> To avoid connectivity issues, either [switch to managed boot diagnostics](../windows/boot-diagnostics.md#enable-boot-diagnostics-on-existing-virtual-machine) (recommended) or remove the firewall on the custom boot diagnostics storage account.
+
+> [!IMPORTANT]
+> By the end of 2025, Azure Serial Console will no longer utilize boot diagnostics storage accounts for establishing a connection. No customer action is required for this change. This change does not affect serial logs or screenshots.
+
 Serial Console uses the storage account configured for boot diagnostics in its connection workflow. When a firewall is enabled on this storage account, the Serial Console service IPs must be added as exclusions. To do this, follow these steps:
 
 1. Navigate to the settings of the custom boot diagnostics storage account firewall you have enabled.

support/azure/virtual-machines/windows/serial-console-errors.md

@@ -10,7 +10,7 @@ ms.service: azure-virtual-machines
 ms.topic: article
 ms.tgt_pltfrm: vm
 ms.workload: infrastructure-services
-ms.date: 04/07/2025
+ms.date: 07/29/2025
 ms.author: jarrettr
 ms.custom: sap:VM Admin - Windows (Guest OS)
 ---
@@ -33,7 +33,7 @@ Error                             |   Mitigation
 "Azure Serial Console requires boot diagnostics to be enabled. Click here to configure boot diagnostics for your virtual machine." | Ensure that the virtual machine (VM) or virtual machine scale set has [boot diagnostics](boot-diagnostics.md) enabled. When using serial console on a virtual machine scale set instance, ensure that your instance has the latest model.
 "Azure Serial Console requires a virtual machine to be running. Use the Start button to start your virtual machine."  | The VM or virtual machine scale set instance must be in a started state to access the serial console (your VM must not be stopped or deallocated). Ensure your VM or virtual machine scale set instance is running and try again.
 "Azure Serial Console is not enabled for this subscription, contact your subscription administrator to enable." | The Azure Serial Console can be disabled at a subscription level. If you're a subscription administrator, you may [enable and disable the Azure Serial Console](./serial-console-enable-disable.md). If you aren't a subscription administrator, you should reach out to your subscription administrator for next steps.
-A "Forbidden" response was encountered when accessing this VM's boot diagnostic storage account. | This error is often caused by enabling a storage account firewall on the custom boot diagnostics account. If you're using a storage account firewall on this account, follow [Storage Account firewall configuration instructions](../linux/serial-console-linux.md#serial-console-security).
+A "Forbidden" response was encountered when accessing this VM's boot diagnostic storage account. | There is a known issue where Azure Serial Console may fail to connect when a custom boot diagnostics storage account has firewall restrictions. This occurs because Azure Serial Console runs in Microsoft’s internal tenant, and firewall rules on the customer-managed storage account may block its access, even with correct permissions. To avoid connectivity issues, either [switch to managed boot diagnostics](boot-diagnostics.md#enable-boot-diagnostics-on-existing-virtual-machine) (recommended) or remove the firewall on the custom boot diagnostics storage account.
 You don't have the required permissions to use this VM with the serial console. Ensure you have at least Virtual Machine Contributor role permissions.| The serial console access requires you to have contributor level access on your VM or virtual machine scale set. For more information, see the [overview page](serial-console-overview.md).
 The storage account '' used for boot diagnostics on this VM couldn't be found. Verify that boot diagnostics is enabled for this VM, this storage account has not been deleted, and you have access to this storage account. | Double check that you have not deleted the boot diagnostics storage account for your VM or virtual machine scale set
 The serial console connection to the VM encountered an error: 'Bad Request' (400) | This can happen if your boot diagnostics URI is incorrect. For example, "http://" was used instead of "https://". The boot diagnostics URI can be fixed with this command: `az vm boot-diagnostics enable --name vmName --resource-group rgName --storage https://<storageAccountUri>.blob.core.windows.net/`

support/azure/virtual-machines/windows/serial-console-overview.md

@@ -9,7 +9,7 @@ ms.service: azure-virtual-machines
 ms.topic: article
 ms.tgt_pltfrm: vm
 ms.workload: infrastructure-services
-ms.date: 07/23/2025
+ms.date: 07/29/2025
 ms.reviewer: mbifeld, v-weizhu
 ms.custom: sap:VM Admin - Windows (Guest OS)
 ---
@@ -99,7 +99,7 @@ To access the Serial Console on your VM or virtual machine scale set instance, y
 - Serial Console is not supported when the storage account has **Allow storage account key access** disabled.
 
 > [!IMPORTANT]
-> Serial Console is now compatible with [managed boot diagnostics storage accounts](boot-diagnostics.md) and custom storage account firewalls.
+> By the end of 2025, Azure Serial Console will no longer utilize boot diagnostics storage accounts for establishing a connection. This change does not affect serial logs or screenshots.
 
 ## Get started with Serial Console
 

support/azure/virtual-machines/windows/serial-console-windows.md

@@ -11,7 +11,7 @@ ms.collection: windows
 ms.topic: article
 ms.tgt_pltfrm: vm-windows
 ms.workload: infrastructure-services
-ms.date: 04/29/2025
+ms.date: 07/29/2025
 ms.author: mbifeld
 ms.custom: sap:VM Admin - Windows (Guest OS)
 ---
@@ -142,6 +142,13 @@ By default, all subscriptions have serial console access enabled. You can disabl
 
 ### Use Serial Console with custom boot diagnostics storage account firewall enabled
 
+> [!CAUTION]
+> There is a known issue where Azure Serial Console may fail to connect when a custom boot diagnostics storage account has firewall restrictions. This occurs because Azure Serial Console runs in Microsoft’s internal tenant, and firewall rules on the customer-managed storage account may block its access, even with correct permissions.
+> To avoid connectivity issues, either [switch to managed boot diagnostics](boot-diagnostics.md#enable-boot-diagnostics-on-existing-virtual-machine) (recommended) or remove the firewall on the custom boot diagnostics storage account.
+
+> [!IMPORTANT]
+> By the end of 2025, Azure Serial Console will no longer utilize boot diagnostics storage accounts for establishing a connection. No customer action is required for this change. This change does not affect serial logs or screenshots.
+
 Serial Console uses the storage account configured for boot diagnostics in its connection workflow. When a firewall is enabled on this storage account, the Serial Console service IPs must be added as exclusions. To do this, follow these steps:
 
 1. Navigate to the settings of the custom boot diagnostics storage account firewall you have enabled.