Description
Type of issue
Typo
Feedback
I am looking to deploy an AKS cluster using Azure CNI with pod subnet, but without the default NSG that Azure typically creates. Instead, we want to use a custom NSG assigned directly to the subnet.
I attempted to create the cluster via CLI, following the guidance in the documentation linked below, and assigned a custom NSG to the subnet. However, the deployment still resulted in the creation of a default NSG.
https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni-dynamic-ip-allocation
From my review, I couldn’t find any configuration option that explicitly prevents the default NSG from being created—particularly in the context of Azure CNI with pod subnet.
Could someone please confirm:
• Is it possible to deploy an AKS cluster with only a custom NSG, avoiding the default NSG?
• If yes, could you share the steps or documentation?
• If not, is there any official documentation that outlines this limitation? I’ve reviewed the pod subnet documentation but didn’t find any mention of this behavior.
https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni-dynamic-ip-allocation
The major issue is that, with the default NSG in place, AKS is updating the rules in the default NSG only, for the services created in AKS as type "LoadBalancer".
If this is a limitation, kindly help in updating the public document to mention that we can't ignore creation of the default NSG.
FYI,
There is a similar line in the kubenet documentation under limitations, but this too doesn't talk about creating a cluster without the default NSG.

Kindly assist.
Page URL
https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni-dynamic-ip-allocation
Content source URL
Author
Document Id
f30f2e39-6ceb-7555-197e-8cd48763117d
Platform Id
5f7851f7-bbe7-11fa-92e0-2bee0872f5ea