Azure Kubernetes Service Setup an Internal load balancer with static IP address
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
In AKS, an internal load balancer is the standard way to expose services privately inside a virtual network. Assigning a static private IP keeps DNS records, firewall rules, and dependent systems stable across service updates. The setup requires correct subnet planning, service annotations, and permission checks for the AKS managed identity.
Prerequisites
Before creating the service:
- AKS cluster running in the target virtual network.
- A subnet with available private IP addresses.
- Permission for AKS identity to manage load balancer resources.
kubectlconnected to the correct cluster context.
Validate cluster access:
Validate subnet information in Azure:
Kubernetes Service Manifest
Create a service of type LoadBalancer with internal load balancer annotation and static IP.
Apply it:
This requests a private frontend IP on the specified subnet.
Verify Provisioning
Check service status and assigned IP.
If provisioning succeeds, EXTERNAL-IP field shows the private static address, not a public IP.
You can also verify in Azure load balancer resources.
Identity and Permission Issues
If service stays pending, AKS identity may lack network permissions. The managed identity needs at least network contributor access for relevant resource scope.
Check AKS identity:
Assign role if needed:
Permission propagation can take a few minutes.
Static IP Planning Best Practices
Reserve IPs intentionally to avoid collisions and accidental reassignment.
Recommendations:
- Keep an allocation map for service IPs per environment.
- Use subnet ranges dedicated to internal load balancers.
- Avoid manual reuse of addresses still attached to old services.
If address conflicts occur, service events usually show allocation failures.
DNS Integration
After static IP assignment, map an internal DNS record to the service address.
Example private DNS record:
- Host:
api.internal.company.local - Value:
10.20.2.50
Because the IP is static, application clients can keep stable DNS dependencies during rolling updates. This also simplifies allowlists in upstream systems that require fixed source or destination ranges. Stable addressing reduces change-management overhead during controlled releases.
Troubleshooting Checklist
If the internal load balancer is not created:
- Confirm service annotation value is exactly
truestring. - Confirm subnet name exists and is reachable by cluster network config.
- Confirm requested IP belongs to the specified subnet and is free.
- Confirm AKS identity has network permissions.
- Inspect
kubectl describe svcevents for Azure cloud-provider errors.
Most issues are annotation typos, subnet mismatches, or permission gaps.
Common Pitfalls
- Forgetting internal LB annotation. Fix by setting
service.beta.kubernetes.io/azure-load-balancer-internalto"true". - Choosing static IP outside target subnet range. Fix by selecting an unused IP from the configured subnet.
- Missing managed identity permissions. Fix by granting required network role assignments.
- Reusing an IP already bound to another frontend config. Fix by reserving unique addresses and cleaning stale resources.
- Relying on public DNS for private endpoints. Fix by using private DNS zones for internal service names.
Summary
- Internal AKS load balancers provide private service exposure inside the virtual network.
- Static private IP assignment stabilizes integrations and DNS mappings.
- Correct annotations, subnet selection, and identity permissions are required.
- Validate provisioning with
kubectl describe svcand Azure resource checks. - Maintain IP allocation discipline to avoid conflicts and failed deployments.

