|
| 1 | +--- |
| 2 | +title: Troubleshoot the network isolated Azure Kubernetes Service (AKS) cluster |
| 3 | +description: Learn how to troubleshoot the network isolated cluster to the Azure Kubernetes Service (AKS). |
| 4 | +ms.service: azure-kubernetes-service |
| 5 | +ms.date: 04/09/2025 |
| 6 | +editor: charleswool |
| 7 | +ms.reviewer: chasedmicrosoft |
| 8 | +#Customer intent: As an Azure Kubernetes user, I want to troubleshoot problems that involve the network isolated cluster so that I can successfully use this feature on Azure Kubernetes Service (AKS). |
| 9 | +ms.custom: sap:Extensions, Policies and Add-Ons |
| 10 | +--- |
| 11 | + |
| 12 | +# Troubleshoot the network isolated Azure Kubernetes Service (AKS) cluster |
| 13 | + |
| 14 | +This article discusses how to troubleshoot the [network isolated cluster][network-isolated-cluster] to the Microsoft Azure Kubernetes Service (AKS). |
| 15 | + |
| 16 | +## Prerequisites |
| 17 | + |
| 18 | +- The Kubernetes [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) tool. To install kubectl by using the [Azure CLI](/cli/azure/install-azure-cli), run the [az aks install-cli](/cli/azure/aks#az-aks-install-cli) command. |
| 19 | + |
| 20 | +## Network isolated cluster support |
| 21 | + |
| 22 | +The network isolated cluster follows a similar support model to other [AKS add-ons](/azure/aks/integrations). There are two options available for the private ACR with network isolated clusters. If you are bringing your own ACR, note that you are reponsible to ensure ACR and associated resources including ACR cache rule, private endpoint, and private DNS zone are properly configured. |
| 23 | + |
| 24 | +## Known issues |
| 25 | + |
| 26 | +### Cluster image pull failed |
| 27 | +Network isolated clusters leverage ACR cache rules for image pulls, when there is an image pull fail error due to network isolation: |
| 28 | +- If you are using BYO ACR, check your private ACR resources, including the cache rule and private endpoints to verify they are configured as recommended by the documentation guidance. You can also try to connect the ACR from node. |
| 29 | +- If you are using AKS Managed ACR, only MCR images are supported by default. Thus, if the image pull failure is on images from other registries, then you need go to the private ACR to create additional cache rule for those images. If the image pull failure is on MCR images, please proceed to check if the associated ACR and private endpoint resource named with keyword `bootstrap` exists. If doesn't exist, please reconcile the cluster. |
| 30 | + |
| 31 | +### Cluster image pull fails after updating the existed cluster to network isolated cluster or updating the private ACR resource ID |
| 32 | +This is a by designed behavior, you need to reimage the node to update the kubelet configuration in cse following the update actions mentioned. |
| 33 | + |
| 34 | +### ACR or associated cache rule, private endpoint and private DNS zone are deleted by accident |
| 35 | +If the cache rule is deleted from the managed ACR by accident, the mitigation is to delete the ACR and then reconcile the cluster. If the ACR itself or private endpoint or private DNS zone is deleted by accident, the mitigation is just to reconcile the cluster. |
| 36 | + |
| 37 | + |
| 38 | + |
| 39 | +[!INCLUDE [Third-party disclaimer](../../../includes/third-party-disclaimer.md)] |
| 40 | + |
| 41 | +[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)] |
| 42 | + |
| 43 | +[network-isolated-cluster]: /azure/aks/concepts-network-isolated |
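
Review bot: The mitigations at new-file lines 29, 32 and 35 tell the reader to "reconcile the cluster" or "reimage the node" without giving a command or a link, so the steps are not actionable as written. Each one should be followed by the exact Azure CLI command or a link to the procedure. The same applies to "try to connect the ACR from node" at line 28, which is also the only place the kubectl prerequisite from line 18 could be used, and no kubectl step appears anywhere in the article. Line 22 says "There are two options available for the private ACR" but never names them. BYO ACR and AKS Managed ACR first appear at lines 28 and 29, so name them at line 22 and state who is responsible for the resources in each case, since line 22 covers only the bring-your-own case. Wording fixes: "reponsible" should be "responsible" (line 22), "the existed cluster" should be "an existing cluster" (line 31), "a by designed behavior" should be "by design" (line 32), and "If doesn't exist" should be "If it doesn't exist" (line 29). The "cse" at line 32 should be expanded on first use. The sentence at line 27 is a comma splice that reads better split before "when". The headings at lines 26, 31 and 34 need a blank line before their body text, and the three consecutive blank lines at 36 to 38 can be reduced to one.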