1# Load Balancer And Ingress Troubleshooting
2 
3Use this guide when AKS networking symptoms point at Azure load balancer provisioning, ingress controller behavior, or backend routing.
4 
5## Load Balancer Stuck In Pending
6 
7**Diagnostics:**
8 
9```bash
10kubectl describe svc <svc> -n <ns>
11# Events section reveals the actual Azure error
12 
13kubectl logs -n kube-system -l component=cloud-controller-manager --tail=100
14```
15 
16**Error decision table:**
17 
18| Error in Events / CCM Logs                             | Cause                                  | Fix                                                                          |
19| ------------------------------------------------------ | -------------------------------------- | ---------------------------------------------------------------------------- |
20| `InsufficientFreeAddresses`                            | Subnet has no free IPs                 | Expand subnet CIDR; use Azure CNI Overlay; use NAT gateway instead           |
21| `ensure(default/svc): failed... PublicIPAddress quota` | Public IP quota exhausted              | Request quota increase for Public IP Addresses in the region                 |
22| `cannot find NSG`                                      | NSG name changed or detached           | Re-associate NSG to the AKS subnet; check `az aks show` for NSG name         |
23| `reconciling NSG rules: failed`                        | NSG is locked or has conflicting rules | Remove resource lock; check for deny-all rules above AKS-managed rules       |
24| `subnet not found`                                     | Wrong subnet name in annotation        | Verify subnet name: `az network vnet subnet list -g <rg> --vnet-name <vnet>` |
25| No events, stuck Pending                               | CCM can't authenticate to Azure        | Check cluster managed identity access on the VNet resource group             |
26 
27---
28 
29## Ingress Not Routing Traffic
30 
31**Diagnostics:**
32 
33```bash
34# Confirm controller is running
35kubectl get pods -n <ingress-ns> -l 'app.kubernetes.io/name in (ingress-nginx,nginx-ingress)'
36kubectl logs -n <ingress-ns> -l app.kubernetes.io/name=ingress-nginx --tail=100
37 
38# Check the ingress resource state
39kubectl describe ingress <name> -n <ns>
40kubectl get ingress <name> -n <ns>
41 
42# Check backend
43kubectl get endpoints <backend-svc> -n <ns>
44```
45 
46**Ingress failure patterns:**
47 
48| Symptom                          | Cause                                          | Fix                                                          |
49| -------------------------------- | ---------------------------------------------- | ------------------------------------------------------------ |
50| ADDRESS empty                    | LB not provisioned or wrong `ingressClassName` | Check controller service; set correct `ingressClassName`     |
51| 404 for all paths                | No matching host rule                          | Check `host` field; `pathType: Prefix` vs `Exact`            |
52| 404 for some paths               | Trailing slash mismatch                        | `Prefix /api` matches `/api/foo` not `/api` - add both       |
53| 502 Bad Gateway                  | Backend pods unhealthy or wrong port           | Verify Endpoints has IPs; confirm `targetPort` and readiness |
54| 503 Service Unavailable          | All backend pods down                          | Check pod restarts and readiness probe                       |
55| TLS handshake fail               | cert-manager not issuing                       | Check certificate status and ACME challenge                  |
56| Works for host-a, 404 for host-b | DNS not pointing to ingress IP                 | Verify `nslookup <host>` resolves to the ingress address     |
57