AKS Custom Private DNS Zone

We got the errors below when trying to use a pre-created Private DNS Zone for the AKS cluster.

  • The following resources were pre-created before deploying AKS:
    • vNet and subnets
    • User-assigned managed identity
    • Private DNS zone
  • The private AKS cluster was deployed using Terraform


  1. Error: creating Managed Kubernetes Cluster "<aks cluster name>" (Resource Group "<rg name>"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="CustomPrivateDNSZoneMissingPermissionError" Message="Service principal or user assigned identity must be given permission to read and write to custom private dns zone /subscriptions/<subid>/resourceGroups/<rg name>/providers/Microsoft.Network/privateDnsZones/privatelink.eastus2.azmk8s.io. Check access result not allowed for action Microsoft.Network/privateDnsZones/read.
  2. Error: waiting for creation of Managed Kubernetes Cluster "<clustername>" (Resource Group "<rgname>"): Code="ReconcilePrivateDNS" Message="Reconcile private dns failed. Details: Code=\"LinkedAuthorizationFailed\" Message=\"The client 'e7fb6da5-7811-4897-a819-c0e442df5fec' with object id 'e7fb6da5-7811-4897-a819-c0e442df5fec' has permission to perform action 'Microsoft.Network/privateDnsZones/virtualNetworkLinks/write' on scope '/subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.Network/privateDnsZones/privatelink.eastus2.azmk8s.io/virtualNetworkLinks/<aksclustername>'; however, it does not have permission to perform action 'Microsoft.Network/virtualNetworks/join/action' on the linked scope(s) '/subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.Network/virtualNetworks/<vnet name>' or the linked scope(s) are invalid.\""


  • For issue 1: grant the AKS user-assigned managed identity the Private DNS Zone Contributor role, scoped to the Private DNS zone.
az role assignment create --assignee <aks user managed identity> --scope "/subscriptions/<subscription id>/resourceGroups/<rg name>/providers/Microsoft.Network/privateDnsZones/privatelink.eastus2.azmk8s.io" --role "private dns zone contributor"
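
The same role assignment expressed in Terraform, as an added example that is not part of the original post. The variables, the cluster name and the node pool values are hypothetical, and a configured azurerm provider is assumed. The second assignment (Network Contributor on the vNet) is an assumption drawn from the issue 2 error text, since that role includes Microsoft.Network/virtualNetworks/join/action. Both assignments are scoped to the single resource rather than the resource group or subscription.

```hcl
# Hypothetical inputs describing the pre-created resources.
variable "rg_name"       { type = string }
variable "location"      { type = string }
variable "vnet_id"       { type = string }
variable "subnet_id"     { type = string }
variable "identity_name" { type = string }

data "azurerm_private_dns_zone" "aks" {
  name                = "privatelink.eastus2.azmk8s.io"
  resource_group_name = var.rg_name
}
data "azurerm_user_assigned_identity" "aks" {
  name                = var.identity_name
  resource_group_name = var.rg_name
}

# Issue 1: read/write on the custom zone, scoped to the zone only.
resource "azurerm_role_assignment" "dns_zone" {
  scope                = data.azurerm_private_dns_zone.aks.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = data.azurerm_user_assigned_identity.aks.principal_id
}

# Issue 2 (assumption): Network Contributor covers virtualNetworks/join/action.
resource "azurerm_role_assignment" "vnet" {
  scope                = var.vnet_id
  role_definition_name = "Network Contributor"
  principal_id         = data.azurerm_user_assigned_identity.aks.principal_id
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                    = "example-aks"
  location                = var.location
  resource_group_name     = var.rg_name
  dns_prefix              = "exampleaks"
  private_cluster_enabled = true
  private_dns_zone_id     = data.azurerm_private_dns_zone.aks.id
  default_node_pool {
    name           = "default"
    vm_size        = "Standard_D2s_v3"
    node_count     = 1
    vnet_subnet_id = var.subnet_id
  }
  identity {
    type         = "UserAssigned"
    identity_ids = [data.azurerm_user_assigned_identity.aks.id]
  }
  # Create the cluster only after both role assignments exist.
  depends_on = [azurerm_role_assignment.dns_zone, azurerm_role_assignment.vnet]
}
```

The explicit depends_on matters because the cluster resource does not reference the role assignments, so without it Terraform may start creating the cluster before the permissions are in place.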