Reputation: 319
I am trying to connect to an internal load balancer following the link below: https://learn.microsoft.com/en-us/azure/aks/internal-lb
I see a non-existent user in the error message I am receiving:
Warning CreatingLoadBalancerFailed 3m (x7 over 9m) service-controller Error creating load balancer (will retry): failed to ensure load balancer for service default/azure-vote-front: network.SubnetsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '91c18461-XXXXXXXX---1441d7bcea67' with object id '91c18461-XXXXXXXXX-1441d7bcea67' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/996b68c3-ec32-46d4-8d0e-80c6da2c1a3b/resourceGroups/<<resource group>>/providers/Microsoft.Network/virtualNetworks/<<VNET>>/subnets/<<subnet id>>
When I search for this user in my Azure subscription, I do not find it. Any help would be highly appreciated.
apiVersion: apps/v1beta1   # removed in Kubernetes 1.16; apps/v1 also requires spec.selector
kind: Deployment
metadata:
  name: azure-vote-back
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: azure-vote-back
    spec:
      containers:
      - name: azure-vote-back
        image: redis
        ports:
        - containerPort: 6379
          name: redis
---
apiVersion: v1
kind: Service
metadata:
  name: azure-vote-back
spec:
  ports:
  - port: 6379
  selector:
    app: azure-vote-back
---
apiVersion: apps/v1beta1   # removed in Kubernetes 1.16; apps/v1 also requires spec.selector
kind: Deployment
metadata:
  name: azure-vote-front
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  template:
    metadata:
      labels:
        app: azure-vote-front
    spec:
      containers:
      - name: azure-vote-front
        image: phishbotstagingregistry.azurecr.io/azure-vote-front:v1
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: 250m
          limits:
            cpu: 500m
        env:
        - name: REDIS
          value: "azure-vote-back"
---
apiVersion: v1
kind: Service
metadata:
  name: azure-vote-front
  annotations:
    # this annotation is what makes the cloud provider create an internal (private-IP) load balancer
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: azure-vote-front
Upvotes: 1
Views: 3683
Reputation: 4755
For people from the future with the same error: using service principals is now deprecated in AKS. Now you must instead assign an identity to the cluster.
You have two options to get an identity assigned to the cluster: either create the cluster with the 'system managed identity' option, or with the 'user assigned identity' option.
With the former option, Azure will create the identity for you, and it will already be configured with all the required options, so you won't get the error, but you lose control of the identity (naming, resource group, etc.).
With the latter option, you need to create the identity before creating the cluster and then assign it to the cluster at creation time. It is your responsibility to grant the necessary permissions to the identity. If you forget to grant the 'Network Contributor' role to the identity, you will get this error.
Upvotes: 0
Reputation: 72171
When you created the AKS cluster, you provided the wrong credentials (or stripped permissions later), so the AKS service principal is not authorized to create that resource (which the error clearly states).
Code="AuthorizationFailed" Message="The client '91c18461-XXXXXXXX---1441d7bcea67' with object id '91c18461-XXXXXXXXX-1441d7bcea67' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/996b68c3-ec32-46d4-8d0e-80c6da2c1a3b/resourceGroups/<>/providers/Microsoft.Network/virtualNetworks/<>/subnets/<>
You can use az aks list --resource-group <your-resource-group> to find your service principal, but the error pretty much gives that away.
Upvotes: 4
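Both answers above come down to the same fix: find which identity the cluster runs the cloud controller as, and give it Network Contributor on the scope named in the event. The script below is an added example, not code from the question or either answer. It parses a constructed AuthorizationFailed event (placeholder GUIDs, not the ids from the post) and prints the az commands an operator would run; <RG> and <CLUSTER> are placeholders to fill in, and it prints rather than executes so it can be reviewed first. The GUID the event calls "client" is the service principal's application id, which is why it does not show up under Users.

```shell
#!/bin/sh
# Added example (not from the original question or either answer): parse an AKS
# "AuthorizationFailed" event, then print the az commands that locate the cluster
# identity, check its role assignments, and grant Network Contributor on the
# exact scope the error names.
set -eu

# Constructed sample event with placeholder GUIDs (not the real ids from the post).
SAMPLE_ERR="Status=403 Code=\"AuthorizationFailed\" Message=\"The client '00000000-0000-0000-0000-000000000001' with object id '00000000-0000-0000-0000-000000000002' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/00000000-0000-0000-0000-00000000aaaa/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-aks/subnets/snet-aks'\""

# Field extractors: each prints exactly one value pulled out of the Message text.
err_object_id() { printf '%s' "$1" | sed -n "s/.*with object id '\([^']*\)'.*/\1/p"; }
err_action()    { printf '%s' "$1" | sed -n "s/.*perform action '\([^']*\)'.*/\1/p"; }
err_scope()     { printf '%s' "$1" | sed -n "s/.*over scope '\([^']*\)'.*/\1/p"; }
# The VNet containing the subnet: the broader scope, if the cluster needs more than one subnet.
vnet_scope()    { printf '%s' "$1" | sed 's#/subnets/[^/]*$##'; }
# Subscription id from the scope, for --subscription on the az calls.
scope_subscription() { printf '%s' "$1" | sed -n 's#^/subscriptions/\([^/]*\)/.*#\1#p'; }

# Print (do not run) the repair plan. <RG> and <CLUSTER> are placeholders the
# operator fills in; the az flags and --query paths are real az CLI options.
print_repair_plan() {
  err="$1"
  oid=$(err_object_id "$err")
  action=$(err_action "$err")
  scope=$(err_scope "$err")
  sub=$(scope_subscription "$scope")
  cat <<EOF
# 1. Which identity does the cluster use? For a service-principal cluster,
#    clientId is the app id (find it under Enterprise applications, not Users);
#    for a managed-identity cluster clientId is "msi" and principalId is the object id.
az aks show --subscription $sub -g <RG> -n <CLUSTER> \\
  --query '{clientId:servicePrincipalProfile.clientId, principalId:identity.principalId}' -o json

# 2. Confirm the object id from the event ($oid) holds no role granting
#    $action at the scope, including inherited assignments.
az role assignment list --subscription $sub --assignee $oid \\
  --scope '$scope' --include-inherited -o table

# 3. Grant the least scope that fixes it: Network Contributor on the subnet.
#    Use '$(vnet_scope "$scope")' instead if the cluster needs the whole VNet.
#    Managed identities are service principals too, so the principal type is the same.
az role assignment create --subscription $sub --assignee-object-id $oid \\
  --assignee-principal-type ServicePrincipal --role "Network Contributor" \\
  --scope '$scope'
EOF
}

print_repair_plan "$SAMPLE_ERR"
```

Run it as-is to see the plan for the sample event, or replace SAMPLE_ERR with the Message text from `kubectl describe service azure-vote-front`. Step 2 matters: if an assignment already exists but the controller still fails, the cluster is using a different identity (for example the kubelet identity or a rotated service principal) and granting more rights to the wrong principal only widens the blast radius.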