This article describes how to identify and resolve the OutboundConnFailVMExtensionError error (also known as error code ERR_OUTBOUND_CONN_FAIL, error number 50) that might occur if you try to create and deploy a Microsoft Azure Kubernetes Service (AKS) cluster.
Prerequisites
The Netcat (nc) command-line tool
The dig command-line tool
Symptoms
When you try to create an AKS cluster, you receive the following error message:
Unable to establish outbound connection from agents, please see https://aka.ms/aks-required-ports-and-addresses for more information.
Details: Code="VMExtensionProvisioningError"
Message="VM has reported a failure when processing extension 'vmssCSE'.
Error message: "Enable failed: failed to execute command: command terminated with exit status=50\n[stdout]\n\n[stderr]\nnc: connect to mcr.microsoft.com port 443 (tcp) failed: Connection timed out\nCommand exited with non-zero status
Cause
The custom script extension that downloads the necessary components to provision the nodes couldn't establish the necessary outbound connectivity to obtain packages. For public clusters, the nodes try to communicate with the Microsoft Container Registry (MCR) endpoint (mcr.microsoft.com) on port 443. There are many reasons why the traffic might be blocked. In any of these situations, the best way to test connectivity is to use the Secure Shell protocol (SSH) to connect to the node. To make the connection, follow the instructions in Connect to Azure Kubernetes Service (AKS) cluster nodes for maintenance or troubleshooting.
After you connect to the node, run the nc and dig commands to test the connectivity on the cluster:
nc -vz mcr.microsoft.com 443
dig mcr.microsoft.com
Solution
The following table lists specific reasons why traffic might be blocked, and the corresponding solution for each reason.
| Issue | Solution |
| --- | --- |
| Traffic is blocked by firewall rules | In this scenario, a firewall does egress filtering. To verify that all required domains and ports are allowed, see Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS). |
| Traffic is blocked by a cluster network security group (NSG) | On any NSGs that are attached to your cluster, verify that there's no blocking on port 443, port 53, or any other port that might have to be used to connect to the endpoint. For more information, see Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS). |
| The AAAA (IPv6) record is blocked on the firewall | On your firewall, verify that there's nothing that would block the endpoint from resolving in Azure DNS. |
| Private cluster can't resolve internal Azure resources | In private clusters, the Azure DNS IP address (168.63.129.16) must be added as an upstream DNS server if custom DNS is being used. Verify that the address is set on your DNS servers. For more information, see Create a private AKS cluster and What is IP address 168.63.129.16? |
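The nc check and the table above can be combined into one triage script. The following is an added example, not code from Microsoft or from this article: the function names are hypothetical, and the nc success and name-resolution message patterns are assumed from OpenBSD netcat output (only the "timed out" line comes from the error message in the Symptoms section).

```bash
#!/usr/bin/env bash
# Added example (not Microsoft's code): classify the result of the nc check
# and point to the matching row of the Solution table. Names are hypothetical.

# classify_nc OUTPUT: map `nc -vz` output to ok | dns | timeout | other.
classify_nc() {
  case "$1" in
    *succeeded*) echo "ok" ;;
    *getaddrinfo*|*"name resolution"*|*"not known"*) echo "dns" ;;
    *"timed out"*) echo "timeout" ;;
    *) echo "other" ;;
  esac
}

# next_step CATEGORY: the table rows to check for that category.
next_step() {
  case "$1" in
    ok) echo "Endpoint reachable on the tested port." ;;
    dns) echo "DNS failed: check port 53 on NSGs, firewall rules that block resolution, and the 168.63.129.16 upstream on custom DNS (private clusters)." ;;
    timeout) echo "TCP connect timed out: check firewall egress rules and NSGs attached to the cluster." ;;
    *) echo "Unrecognized nc output: review it manually." ;;
  esac
}

# check_endpoint [HOST] [PORT]: live check, to be run on the node over SSH.
check_endpoint() {
  local host="${1:-mcr.microsoft.com}" port="${2:-443}" out result
  out="$(nc -vz -w 10 "$host" "$port" 2>&1)"
  result="$(classify_nc "$out")"
  printf '%s\n' "$out"
  if command -v dig >/dev/null 2>&1; then dig +short "$host"; fi
  next_step "$result"
  [ "$result" = "ok" ]
}

# stderr line quoted in the Symptoms section of this article.
SAMPLE='nc: connect to mcr.microsoft.com port 443 (tcp) failed: Connection timed out'

# "run [HOST] [PORT]" does the live check; otherwise classify the sample.
if [ "${1:-}" = "run" ]; then
  shift
  check_endpoint "$@"
else
  next_step "$(classify_nc "$SAMPLE")"
fi
```

Invoked with `run` on a node, the script exits non-zero unless the endpoint is reachable, so it can gate a retry of the deployment.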
General troubleshooting of AKS cluster creation issues
Third-party contact disclaimer
Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.