Merge pull request #9290 from MicrosoftDocs/main

Deland-Han · web-flow · commit e21964fb32b4 · 2025-07-09T02:07:53.000+08:00
Auto push to live 2025-07-08 18:07:46
diff --git a/support/azure/azure-kubernetes/create-upgrade-delete/error-code-cnidownloadtimeoutvmextensionerror.md b/support/azure/azure-kubernetes/create-upgrade-delete/error-code-cnidownloadtimeoutvmextensionerror.md
@@ -6,15 +6,17 @@ editor: v-jsitser
 ms.reviewer: axelg, chiragpa, mariochaves, v-weizhu, v-leedennis
 ms.service: azure-kubernetes-service
 #Customer intent: As an Azure Kubernetes user, I want to troubleshoot the container network interface download failures so that I can successfully create and deploy an Azure Kubernetes Service (AKS) cluster.
-ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool)
+ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool), innovation-engine
 ---
+
 # Troubleshoot Container Network Interface download failures
 
 This article discusses how to identify and resolve the `CniDownloadTimeoutVMExtensionError` error code (also known as error code `ERR_CNI_DOWNLOAD_TIMEOUT`, error number 41) or the `WINDOWS_CSE_ERROR_DOWNLOAD_CNI_PACKAGE` error code (error number 35) that occurs when you try to create and deploy a Microsoft Azure Kubernetes Service (AKS) cluster.
 
 ## Prerequisites
 
 - The [Curl](https://curl.se/download.html) command-line tool
+- Network access from the same environment where AKS nodes will be deployed (same VNet, firewall rules, etc.)
 
 ## Symptoms
 
@@ -46,10 +48,76 @@ Your cluster nodes can't connect to the endpoint that's used to download the Con
 
 Run a Curl command to verify that your nodes can download the binaries:
 
+First, attempt a test download of the Azure CNI package for Linux from the official mirror endpoint.
+
+```bash
+curl -I https://acs-mirror.azureedge.net/cni/azure-vnet-cni-linux-amd64-v1.0.25.tgz
+```
+
+Results:
+
+<!-- expected_similarity=0.3 -->
+
+```output
+HTTP/2 200 
+content-length: 970752
+content-type: application/x-gzip
+last-modified: Wed, 22 Jun 2022 00:00:00 GMT
+etag: "0x8DA53F1234567"
+server: ECAcc (dab/4B9E)
+x-cache: HIT
+cache-control: public, max-age=86400
+accept-ranges: bytes
+date: Thu, 05 Jun 2025 00:00:00 GMT
+```
+
+This command checks if the endpoint is reachable and returns the HTTP headers. If you see a `200 OK` response, it indicates that the endpoint is accessible.
+
+Next, attempt a download with validation and save the file locally for further troubleshooting. This will help determine if SSL or outbound connectivity is correctly configured.
+
 ```bash
-curl https://acs-mirror.azureedge.net/cni/azure-vnet-cni-linux-amd64-v1.0.25.tgz
+# Create a temporary directory for testing
+mkdir -p /tmp/cni-test
+
+# Download the CNI package to the temp directory
+curl -L --fail https://acs-mirror.azureedge.net/cni/azure-vnet-cni-linux-amd64-v1.0.25.tgz --output /tmp/cni-test/azure-vnet-cni-linux-amd64-v1.0.25.tgz && echo "Download successful" || echo "Download failed"
+```
+
+Results:
+
+<!-- expected_similarity=0.3 -->
 
-curl --fail --ssl https://acs-mirror.azureedge.net/cni/azure-vnet-cni-linux-amd64-v1.0.25.tgz  --output /opt/cni/downloads/azure-vnet-cni-linux-amd64-v1.0.25.tgz
+```output
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100 6495k  100 6495k    0     0  8234k      0 --:--:-- --:--:-- --:--:-- 8230k
+Download successful
+```
+
+Verify the downloaded file:
+
+```bash
+ls -la /tmp/cni-test/
+file /tmp/cni-test/azure-vnet-cni-linux-amd64-v1.0.25.tgz
+```
+
+Results:
+
+<!-- expected_similarity=0.3 -->
+
+```output
+total 6500
+drwxr-xr-x 2 user user    4096 Jun 20 10:30 .
+drwxrwxrwt 8 root root    4096 Jun 20 10:30 ..
+-rw-r--r-- 1 user user 6651392 Jun 20 10:30 azure-vnet-cni-linux-amd64-v1.0.25.tgz
+
+/tmp/cni-test/azure-vnet-cni-linux-amd64-v1.0.25.tgz: gzip compressed data, from Unix, original size modulo 2^32 20070400
+```
+
+Clean up the test files:
+
+```bash
+rm -rf /tmp/cni-test/
 ```
 
 If you can't download these files, make sure that traffic is allowed to the downloading endpoint. For more information, see [Azure Global required FQDN/application rules](/azure/aks/outbound-rules-control-egress#azure-global-required-fqdn--application-rules).
diff --git a/support/azure/azure-kubernetes/create-upgrade-delete/error-code-k8sapiserverdnslookupfailvmextensionerror.md b/support/azure/azure-kubernetes/create-upgrade-delete/error-code-k8sapiserverdnslookupfailvmextensionerror.md
@@ -5,8 +5,9 @@ ms.date: 01/24/2024
 ms.reviewer: rissing, chiragpa, erbookbi, v-leedennis, jovieir
 ms.service: azure-kubernetes-service
 #Customer intent: As an Azure Kubernetes user, I want to troubleshoot the K8SAPIServerDNSLookupFailVMExtensionError error code (or error code ERR_K8S_API_SERVER_DNS_LOOKUP_FAIL, error number 52) so that I can successfully start or create and deploy an Azure Kubernetes Service (AKS) cluster.
-ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool)
+ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool),  innovation-engine
 ---
+
 # Troubleshoot the K8SAPIServerDNSLookupFailVMExtensionError error code (52)
 
 This article discusses how to identify and resolve the `K8SAPIServerDNSLookupFailVMExtensionError` error (also known as error code ERR_K8S_API_SERVER_DNS_LOOKUP_FAIL, error number 52) that occurs when you try to start or create and deploy a Microsoft Azure Kubernetes Service (AKS) cluster.
@@ -32,6 +33,7 @@ When you try to start or create an AKS cluster, you receive the following error
 > "ExitCode": "52",
 >
 > "Output": "Fri Oct 15 10:06:00 UTC 2021,aks- nodepool1-36696444-vmss000000\\nConnection to mcr.microsoft.com 443 port [tcp/https]
+
 ## Cause
 
 The cluster nodes can't resolve the cluster's fully qualified domain name (FQDN) in Azure DNS. Run the following DNS lookup command on the failed cluster node to find DNS resolutions that are valid.
@@ -51,19 +53,39 @@ On your DNS servers and firewall, make sure that nothing blocks the resolution t
 
 When you use a private cluster that has a custom DNS, a DNS zone is created. The DNS zone must be linked to the virtual network. This occurs after the cluster is created. Creating a private cluster that has a custom DNS fails during creation. However, you can restore the creation process to a "success" state by reconciling the cluster. To do this, run the [az resource update](/cli/azure/resource#az-resource-update) command in Azure CLI, as follows:
 
+Below, set your AKS cluster and resource group names, then run the update command to reconcile the cluster. The environment variables will make your resource names unique and are declared just before use.
+
 ```azurecli-interactive
-az resource update --resource-group <resource-group-name> \
-    --name <cluster-name> \
+az resource update --resource-group $RESOURCE_GROUP_NAME \
+    --name $CLUSTER_NAME \
     --namespace Microsoft.ContainerService \
     --resource-type ManagedClusters
 ```
 
+Results: 
+
+<!-- expected_similarity=0.3 -->
+
+```output
+{
+  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroupxxx/providers/Microsoft.ContainerService/ManagedClusters/myAksClusterxxx",
+  "location": "eastus",
+  "name": "myAksClusterxxx",
+  "properties": {
+      // ...other properties...
+  },
+  "resourceGroup": "myResourceGroupxxx",
+  "type": "Microsoft.ContainerService/ManagedClusters"
+}
+```
+
 Also verify that your DNS server is configured correctly for your private cluster, as described earlier.
 
 > [!NOTE]
 > Conditional Forwarding doesn't support subdomains.
+
 ## More information
 
 - [General troubleshooting of AKS cluster creation issues](troubleshoot-aks-cluster-creation-issues.md)
 
-[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
