This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 18%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENL%3C/text%3E%3C/svg%3E)
ProvisioningState/failed/VMExtensionProvisioningError
ProvisioningState/failed/VMExtensionProvisioningError
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 47%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
Hi Nolan Le,
To troubleshoot your issue effectively, I request you to provide additional information.
How are you deploying AKS? (Azure CLI, Terraform, ARM template, Bicep, Portal)
Network Security Group (NSG) attached?
If you are following any specific documents, please specify.
Is AKS using a Service Principal or Managed Identity?
Does it have Network Contributor on the VNet?
Run this command for deployment logs: az aks show --resource-group <your-rg> --name <your-aks-cluster> --output json
Thank you!
-
Hi @Mounika Reddy Anumandla , thank you for your reply. Currently, I have issues using both Terraform and Az cli to provision the AKS cluster. It take long time, and the node pool in VMSS just a loop creating => Updating => Failed (ProvisioningState/failed/VMExtensionProvisioningError)
"Is AKS using a Service Principal or Managed Identity?" => it's use principal ID
I have created an AKS cluster with the existing Vnet/Subnet, which has attached NSG and routable. But I have removed it, but I still have the error.
Hi @Mounika Reddy Anumandla , thank you for your reply
How are you deploying AKS? (Azure CLI, Terraform, ARM template, Bicep, Portal) => I use both Terraform and Az cli to deploy AKS cluster
Network Security Group (NSG) attached? => Yes, but I have remove it and try to create but still error
I found this issue but seem like cannot resolve https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/create-upgrade-delete/error-code-vmextensionprovisioningtimeout?source=recommendationsIs AKS using a Service Principal or Managed Identity? => it's Principal id
Does it have Network Contributor on the VNet? Yes
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 38%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hi Nolan Le,
In continuation to above, I have tried working in my tenant its working for me as I can able to create aks cluster within existing vnet and subnet and please follow given below steps to resolve the issue -
Ensure your Service Principal have Contributor permission.
Please try to execute below command in Azure Cloud Shell.
az aks create --resource-group <your resource group name> --name <name of your aks cluster> --node-count <node count> --generate-ssh-keys --service-principal <application(client)ID> --client-secret <client secret> --network-plugin azure --vnet-subnet-id <your subnet ID> --service-cidr <service cidr> --dns-service-ip <your dns service ip>
Make sure that service cidr should not overlap with subnet cidr and dns-service-ip is an IP from the range specified in service cidr. https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/create-upgrade-delete/error-code-servicecidroverlapexistingsubnetscidr
To find out Subnet ID:
If you encounter any issue during the execution of above command like "Azure subscription is not registered to use the 'Microsoft.ContainerService' namespace" try to execute below command:
az provider register --namespace Microsoft.ContainerService
and wait for some time till the registration is completed, you can check by using below command:
az provider show --namespace Microsoft.ContainerService --query registrationState
If the information is helpful, please click on "Accept Answer" and "Upvote"
If you have any queries, please do let us know, we will help you.
Hi @Markapuram Sudheer Reddy , but the aks use network configuration Azure CNI Overlay
Network configuration
Azure CNI Overlay
Pod CIDR
10.244.0.0/16
Service CIDR
10.0.0.0/16
DNS service IP
10.0.0.10
Hi @Markapuram Sudheer Reddy , but I'm just attach the vnet to aks cluster to create the nodepool inside the subnet. For the cluster I'm using Azure CNI Overlay
Network configuration
Azure CNI Overlay
Pod CIDR
10.244.0.0/16
Service CIDR
10.0.0.0/16
DNS service IP
10.0.0.10
Hi Nolan Le ,
We have noticed that you rated an answer as not helpful. We appreciate your feedback and are committed to improving your experience with the Q&A. I have worked on finding an alternative solution to address your issue.
I tried to reproduce in my lab to create an aks cluster with existing vnet by creating node pool having VMSS (Ubuntu Linux VMs) inside an existing subnet with Azure CNI Overlay network enabled without having any NSG rules.
az aks create --resource-group <your resource group> --name <name of aks cluster> --location <location> --service-principal <service principal id> --client-secret <client secret> --network-plugin azure --network-plugin-mode overlay --pod-cidr <pod cidr address> --service-cidr <service cidr address> --dns-service-ip <dns service ip> --generate-ssh-keys --vnet-subnet-id <subnet id> --node-count <no of nodes in node pool> --vm-set-type VirtualMachineScaleSets
By using above command, I can able to create aks cluster based on above inputs.
If you have any queries, please do let us know, we will assist you.
Hi @Markapuram Sudheer Reddy ,
I have tried this to create the AKS cluster with Nodepool type Vmss. Still, the main issue is the instance in Vmss always loops creating => updating => failed =>recareating due to this error ProvisioningState/failed/VMExtensionProvisioningError. :(
This is my existing vnet/subnet
I think this issue related to the AKSLinuxExtension. Seem like the vmss instance cannot install this extension.