Creation of AKS cluster is prevented by policy.

IniobongNkanga-8038 296 Reputation points
2024-06-27T10:47:41.7833333+00:00

Hello,

Please, I need your help on this issue.

One of my customers is having an issue with creation of an AKS (Azure Kubernetes Service) cluster being prevented by a policy. The specific resource 'aks-agentpool-19603827-vmss' was disallowed by the policy.

Resource 'aks-agentpool-19603827-vmss' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Prevent deployment of virtual machines scale sets\",\"id\":\"/subscriptions/18e46390-beb4-40e1-97ed-7b8691a58516/providers/Microsoft.Authorization/policyAssignments/


2 answers

  1. Adharsh Santhanam 2,320 Reputation points
    2024-06-27T11:04:58.34+00:00

    Hello IniobongNkanga-8038, it seems that the creation of your AKS cluster is being blocked by a specific policy. There are a couple of ways in which you can resolve this.

    1. Find the Policy - The error message lists the Azure policy that is blocking the action. Look for the specific policy that disallows the resource "aks-agentpool-19603827-vmss". You should be able to find this information in the error message itself.
    2. Policy limitations - Review the limitations of the policy. If possible, adjust your deployment to meet the policy's requirements. Sometimes, changing the configuration or settings can resolve the issue.
    3. Exception or Disable - Depending on your situation, you can also:
      1. Add an Exception - If you need to create the resource despite the policy, consider adding an exception to the policy specifically for this resource.
      2. Disable the Policy - If the policy is too restrictive and doesn't align with your requirements, you can disable it. However, be cautious while doing this, as it might impact compliance.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


  2. KarishmaTiwari-MSFT 18,747 Reputation points Microsoft Employee
    2024-07-03T00:58:57.75+00:00

    @IniobongNkanga-8038

    Please refer to these documents and see if this helps.

    1. Add an exception to the policy.
    2. Disable the policy.

    To get details about the policy that blocked your cluster deployment operation, see RequestDisallowedByPolicy error with Azure resource policy.

    To resolve the RequestDisallowedByPolicy error when deploying an ARM template or Bicep file, you need to find which policy is blocking the deployment. Within that policy, you need to review the rules so you can update your deployment to comply with the policy.

    The error message includes the names of the policy definition and policy assignment that caused the error. You need these names to get more information about the policy.

    To get more information about a policy definition, use az policy definition show.

    az policy definition show --name <policy-definition-name>

    To get more information about a policy assignment, use az policy assignment show.

    az policy assignment show --name <policy-assignment-name>

    Within the policy definition, you see a description of the policy and the rules that are applied. Review the rules and update your ARM template or Bicep file to comply with the rules. For example, if the rule states the public network access is disabled, you need to update the corresponding resource properties.

    Let me know in the comments if this doesn't help and I can involve the right teams for investigation.

    Thanks.

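The lookup both answers describe, as an added example that is not part of the original question or answers: it parses the "Policy identifiers" list out of a RequestDisallowedByPolicy message and builds the matching `az policy ... show` commands, taking `--name` from the last segment of each `id` and the assignment's `--scope` from the part before `/providers/`. The sample message, its IDs and names are constructed, and the `policyDefinition` entry is an assumption, since the message in the question is cut off before that point.

```python
import json
import re
import shlex

# Constructed sample in the shape of a RequestDisallowedByPolicy message, with
# the JSON quotes escaped as in the question. All IDs and names are placeholders.
SAMPLE_ERROR = (
    r"Resource 'aks-agentpool-00000000-vmss' was disallowed by policy. "
    r"Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Sample deny VMSS\","
    r"\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
    r"Microsoft.Authorization/policyAssignments/sample-assignment\"},"
    r"\"policyDefinition\":{\"name\":\"Sample not allowed types\",\"id\":"
    r"\"/providers/Microsoft.Authorization/policyDefinitions/sample-definition\"}}]'."
)

ASSIGNMENT_RE = re.compile(
    r"^(?P<scope>.*)/providers/Microsoft\.Authorization/policyAssignments/(?P<name>[^/]+)$", re.I)


def policy_identifiers(message):
    """Return the list of policy identifier objects embedded in the message."""
    found = re.search(r"Policy identifiers: '(\[.*\])'", message, re.S)
    if not found:
        # Typical cause: the message was cut off before the closing bracket.
        raise ValueError("message has no complete 'Policy identifiers' list")
    # Undo the \" escaping that appears when the error is shown inside JSON.
    return json.loads(found.group(1).replace('\\"', '"'))


def lookup_commands(message):
    """Build the az commands that show each blocking assignment and definition."""
    commands = []
    for entry in policy_identifiers(message):
        match = ASSIGNMENT_RE.match(entry["policyAssignment"]["id"])
        if not match:
            raise ValueError("unexpected policy assignment ID format")
        commands.append(
            "az policy assignment show --name %s --scope %s"
            % (shlex.quote(match["name"]), shlex.quote(match["scope"]))
        )
        definition = entry.get("policyDefinition")
        if definition:  # assumed key; the page's message is cut off before it
            name = definition["id"].rsplit("/", 1)[-1]
            commands.append("az policy definition show --name " + shlex.quote(name))
    return commands


if __name__ == "__main__":
    print("\n".join(lookup_commands(SAMPLE_ERROR)))
```

A message that was truncated when copied, like the one in the question, raises `ValueError`; copy the full error text from the deployment operation or activity log before parsing.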