AKS LoadBalancer External-IP stuck on <pending>

I've created a Kubernetes cluster in Azure using the following Terraform. Azure Kubernetes Service Cluster got created with Application Gateway as I wanted to use Application Gateway as the Ingress controller.

Note : I could also see that still it creates the Loadbalancer with Public IP. I was not expecting the Loadbalancer to be created.

and the System Assigned Identity has the Contributor access on the Load Balancer

However, External-IP is stuck on "pending".

data "azurerm_subnet" "aks-subnet" {
  name                 = "aks-subnet"
  virtual_network_name = "np-dat-spoke-vnet"
  resource_group_name  = "ipz12-dat-np-connect-rg"

data "azurerm_subnet" "appgateway-subnet" {
  name                 = "appgateway-subnet"
  virtual_network_name = "np-dat-spoke-vnet"
  resource_group_name  = "ipz12-dat-np-connect-rg"

locals {
  backend_address_pool_name      = "appgateway-beap"
  frontend_port_name             = "appgateway-feport"
  frontend_ip_configuration_name = "appgateway-feip"
  http_setting_name              = "appgateway-be-htst"
  listener_name                  = "appgateway-httplstn"
  request_routing_rule_name      = "appgateway-rqrt"
  app_gateway_subnet_name        = "appgateway-subnet"

# Create the Container Registry
module "container_registry" {
  source                        = "./modules/container_registry"
  count                         = var.enable_container_registry == true ? 1 : 0
  #name_override                = "crprjxhubprodwestus3001"
  app_or_service_name           = "prjx"                                                             # var.app_or_service_name
  subscription_type             = var.subscription_type                                               # "hub" 
  environment                   = var.environment                                                     # "prod"
  location                      = var.location                                                        # "westus3"
  instance_number               = var.instance_number                                                 # "001"
  tags                          = var.tags              
  resource_group_name           = module.resource_group_container_registry[0].name                    # "rg-cr-hub-prod-westus3-001"
  sku                           = "Premium"
  admin_enabled                 = false
  public_network_access_enabled = false

# Create Resource Group for Kubernetes Cluster
module "resource_group_kubernetes_cluster" {
  source                  = "./modules/resource_group"
  count                   = var.enable_kubernetes == true ? 1 : 0
  #name_override          = "rg-aks-spoke-dev-westus3-001"
  app_or_service_name     = "aks"                                   # var.app_or_service_name
  subscription_type       = var.subscription_type                   # "spoke"   
  environment             = var.environment                         # "dev"    
  location                = var.location                            # "westus3"
  instance_number         = var.instance_number                     # "001"    
  tags                    = var.tags

# Application Gateway Public Ip 
resource "azurerm_public_ip" "test" {
  name                = "publicIp1"
  location            = var.location
  resource_group_name = module.resource_group_kubernetes_cluster[0].name
  allocation_method   = "Static"
  sku                 = "Standard"

resource "azurerm_user_assigned_identity" "identity_uami" {
  location            = var.location
  name                = "appgw-uami"
  resource_group_name = module.resource_group_kubernetes_cluster[0].name

resource "azurerm_application_gateway" "network" {
  name                = var.app_gateway_name
  resource_group_name = module.resource_group_kubernetes_cluster[0].name
  location            = var.location

  sku {
    name     = var.app_gateway_sku
    tier     = "Standard_v2"
    capacity = 2

  identity {
    type = "UserAssigned"
    identity_ids = [

  gateway_ip_configuration {
    name      = "appGatewayIpConfig"
    subnet_id =

  frontend_port {
    name = local.frontend_port_name
    port = 80

  frontend_port {
    name = "httpsPort"
    port = 443

  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id =

  backend_address_pool {
    name = local.backend_address_pool_name

  backend_http_settings {
    name                  = local.http_setting_name
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 1

  http_listener {
    name                           = local.listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Http"

  request_routing_rule {
    name                       = local.request_routing_rule_name
    rule_type                  = "Basic"
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
    priority                   = 100

  tags = var.tags

  depends_on = [azurerm_public_ip.test]

  lifecycle {
    ignore_changes = [

# Create the Azure Kubernetes Service (AKS) Cluster
resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
  count                         = var.enable_kubernetes == true ? 1 : 0
  name                          = "aks-prjx-${var.subscription_type}-${var.environment}-${var.location}-${var.instance_number}"    
  location                      = var.location
  resource_group_name           = module.resource_group_kubernetes_cluster[0].name  # "rg-aks-spoke-dev-westus3-001"
  dns_prefix                    = "dns-aks-prjx-${var.subscription_type}-${var.environment}-${var.location}-${var.instance_number}" #"dns-prjxcluster"
  private_cluster_enabled       = false
  local_account_disabled        = true

  default_node_pool {
    name                        = "npprjx${var.subscription_type}" #"prjxsyspool" # NOTE: "name must start with a lowercase letter, have max length of 12, and only have characters a-z0-9."
    vm_size                     = "Standard_B2ms"
    vnet_subnet_id              =
    # zones                     = ["1", "2", "3"]
    enable_auto_scaling         = true
    max_count                   = 3
    min_count                   = 1
    # node_count                = 3
    os_disk_size_gb             = 50
    type                        = "VirtualMachineScaleSets"
    enable_node_public_ip       = false
    enable_host_encryption      = false

    node_labels = {
      "node_pool_type"          = "npprjx${var.subscription_type}"
      "node_pool_os"            = "linux"
      "environment"             = "${var.environment}"
      "app"                     = "prjx_${var.subscription_type}_app"
    tags = var.tags

  ingress_application_gateway {
    gateway_id =

  # Enabled the cluster configuration to the Azure kubernets with RBAC
  azure_active_directory_role_based_access_control { 
    managed                     = true
    admin_group_object_ids      = var.active_directory_role_based_access_control_admin_group_object_ids
    azure_rbac_enabled          = true #false

  network_profile {
    network_plugin              = "azure"
    network_policy              = "azure"
    outbound_type               = "userDefinedRouting"

  # service_principal {
    # client_id                   = var.client_id
    # client_secret               = var.client_secret
  # }

  identity {
    type = "SystemAssigned"

  oms_agent {
    log_analytics_workspace_id  = module.log_analytics_workspace[0].id

  timeouts {
    create = "20m"
    delete = "20m"

  depends_on = [

# Get the AKS SystemAssigned Identity
data "azurerm_user_assigned_identity" "aks-identity" {
  name                = "${azurerm_kubernetes_cluster.kubernetes_cluster[0].name}-agentpool"
  resource_group_name = "MC_${module.resource_group_kubernetes_cluster[0].name}_aks-prjx-spoke-dev-eastus-001_eastus"

  depends_on          = [module.resource_group_kubernetes_cluster]  

# Provide ACR Pull permission to AKS SystemAssigned Identity
resource "azurerm_role_assignment" "acrpull_role" {
  scope                            = module.container_registry[0].id
  role_definition_name             = "AcrPull"
  principal_id                     = data.azurerm_user_assigned_identity.aks-identity.principal_id
  skip_service_principal_aad_check = true

  depends_on                       = [

resource "azurerm_role_assignment" "aks_id_network_contributor_subnet" {
  scope                =
  role_definition_name = "Network Contributor"
  principal_id         = data.azurerm_user_assigned_identity.aks-identity.principal_id

  depends_on = [data.azurerm_user_assigned_identity.aks-identity]

resource "azurerm_role_assignment" "aks_id_contributor_agw" {
  scope                =
  role_definition_name = "Network Contributor"
  principal_id         = data.azurerm_user_assigned_identity.aks-identity.principal_id

  depends_on = [data.azurerm_user_assigned_identity.aks-identity]

resource "azurerm_role_assignment" "aks_ingressid_contributor_on_agw" {
  scope                            =
  role_definition_name             = "Contributor"
  principal_id                     = azurerm_kubernetes_cluster.kubernetes_cluster[0].ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id
  depends_on                       = [,azurerm_kubernetes_cluster.kubernetes_cluster]
  skip_service_principal_aad_check = true

resource "azurerm_role_assignment" "aks_ingressid_contributor_on_uami" {
  scope                            =
  role_definition_name             = "Contributor"
  principal_id                     = azurerm_kubernetes_cluster.kubernetes_cluster[0].ingress_application_gateway[0].ingress_application_gateway_identity[0].object_id
  depends_on                       = [,azurerm_kubernetes_cluster.kubernetes_cluster]
  skip_service_principal_aad_check = true

resource "azurerm_role_assignment" "uami_contributor_on_agw" {
  scope                            =
  role_definition_name             = "Contributor"
  principal_id                     = azurerm_user_assigned_identity.identity_uami.principal_id
  depends_on                       = [,azurerm_user_assigned_identity.identity_uami]
  skip_service_principal_aad_check = true

Provisioning state - Failed

In case your system's Node pool of Kubernetes service failed to provision, recreate it by creating system backup node pool (as a temporary measure), then delete the failed one, then creating the main one again (e.g. by re-running Terraform or manually). If provisioning is successful this time, delete the newly created backup node.

Azure - Node pools - Provisioning state - Failed

Azure - Node pools - Provisioning state - Created system backup

Role access

Ensure your SP (Service Principle) has Network Contributor or Contributor role assigned in Access control (IAM) for your Subscription.


Check if you haven't reached the quota using the following command:

az network list-usages -l your-region -o table

I was missing a permission and fixed it like mentioned below

# Get the AKS SystemAssigned Identity
data "azuread_service_principal" "aks-sp" {
  display_name  = azurerm_kubernetes_cluster.kubernetes_cluster[0].name

resource "azurerm_role_assignment" "akssp_network_contributor_subnet" {
  scope                =
  role_definition_name = "Network Contributor"
  principal_id         = data.azuread_service_principal.aks-sp.object_id

  depends_on = [data.azuread_service_principal.aks-sp]

I have followed the below steps to create Azure Kubernetes Service Cluster with Application Gateway:

Follow the document to create Kubernetes Service Cluster with Application Gateway with terraform.

Verify the AKS Cluster once it has provisioned in Azure portal.

Azure Portal > Search for Kubernetes services > Select your Kubernetes Cluster > Networking.

We have tried deploying a sample application and exposed to the internet with the service type Load Balancer

Successfully created resources once ran the code.

Note: Load Balancer will create when you define type: Load Balancer in Service mainfest file.

apiVersion: v1  
kind: Service  
 name: test-service  
  type: LoadBalancer  
  - port: 80  
  app: testapp

Assuming one of the below reasons you were facing the error Pending Load Balancer-Public IP:

  1. Verify you have configured valid service principal. If the service principal got expired the cluster will not be able to create the Load Balancer and the external IP of the service remained in the pending state.
  2. Make sure you have sufficient quota to provision Public IPs for external Public IP issues.

