AKS Custom Private DNS Zone

We got the below errors when trying to use a pre-created Private DNS Zone for the AKS cluster.

  • Pre-created below resources before deploying AKS
    • vNet and subnets
    • User Assigned Managed identity
    • Private DNS zone is created
  • Deploying Private AKS cluster using Terraform


  1. Error: creating Managed Kubernetes Cluster “<aks cluster name>” (Resource Group “<rg name>”): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 — Original Error: Code=”CustomPrivateDNSZoneMissingPermissionError” Message=”Service principal or user assigned identity must be given permission to read and write to custom private dns zone /subscriptions/<subid>/resourceGroups/<rg name>/providers/Microsoft.Network/privateDnsZones/privatelink.eastus2.azmk8s.io. Check access result not allowed for action Microsoft.Network/privateDnsZones/read.
  1. Error: waiting for creation of Managed Kubernetes Cluster “<clustername>” (Resource Group “<rgname>”): Code=”ReconcilePrivateDNS” Message=”Reconcile private dns failed. Details: Code=\”LinkedAuthorizationFailed\” Message=\”The client ‘e7fb6da5-7811-4897-a819-c0e442df5fec’ with object id ‘e7fb6da5-7811-4897-a819-c0e442df5fec’ has permission to perform action ‘Microsoft.Network/privateDnsZones/virtualNetworkLinks/write’ on scope ‘/subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.Network/privateDnsZones/privatelink.eastus2.azmk8s.io/virtualNetworkLinks/<aksclustername>’; however, it does not have permission to perform action ‘Microsoft.Network/virtualNetworks/join/action’ on the linked scope(s) ‘/subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.Network/virtualNetworks/<vnet name>’ or the linked scope(s) are invalid.\””


  • For issue 1: we need to provide Private DNS Contributor role for the AKS user identity to the Private DNS zone.
az role assignment create --assignee <aks user managed identity> --scope "/subscriptions/<subscription id>/resourceGroups/<rg name>/providers/Microsoft.Network/privateDnsZones/privatelink.eastus2.azmk8s.io" --role "private dns zone contributor"

NGINX Ingress Timeout error

Getting error when creating ingress resource

Ingress Error

Need to wait before creating ingress resource. Added this block after NGINX Ingress deployment

# Checking if  Ingress Controller is ready
echo "Waiting for Ingress Controller to be ready"
kubectl wait --namespace $namespace --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s


Create simple NGINX image

This readme we create simple NGINX image and illustrate docker command usage

Create an HTML file with the below content

<h1>Hello Team</h1>

Create a Dockerfile

# Filename: Dockerfile
FROM nginx
COPY index.html /usr/share/nginx/html/

Build the Docker Image

docker build -t zc-content-nginx .

Check the image

docker image ls

Run the container and expose

docker run --name zc-nginx -d -p 8080:80 zc-content-nginx

Test the container, browse to http://localhost:8080

Exec to the container

docker exec -it zc-nginx bash

Stop and delete the container

docker stop zc-nginx
docker rm zc-nginx