Merge pull request #1824 from jaewonparkalexander/patch-15

genlin · web-flow · commit 3563efeb9fa9 · 2025-03-31T13:56:12.000+08:00
Update errors-arfter-restricting-egress-traffic.md
diff --git a/support/azure/azure-kubernetes/connectivity/errors-arfter-restricting-egress-traffic.md b/support/azure/azure-kubernetes/connectivity/errors-arfter-restricting-egress-traffic.md
@@ -1,8 +1,8 @@
 ---
 title: Errors after restricting egress traffic
 description: Troubleshoot errors that occur after you restrict egress traffic from an Azure Kubernetes Service (AKS) cluster.
-ms.date: 11/12/2024
-ms.reviewer: chiragpa, nickoman, v-leedennis
+ms.date: 03/20/2025
+ms.reviewer: chiragpa, nickoman, jaewonpark, v-leedennis
 ms.service: azure-kubernetes-service
 keywords:
 #Customer intent: As an Azure Kubernetes user, I want to troubleshoot errors that occur after I restrict egress traffic so that I can access my AKS cluster successfully.
@@ -18,19 +18,21 @@ Certain commands of the [kubectl](https://kubernetes.io/docs/reference/kubectl/)
 
 ## Cause
 
-When you restrict egress traffic from an AKS cluster, your settings must comply with [required Outbound network and FQDN rules for AKS clusters](/azure/aks/outbound-rules-control-egress). If your settings are in conflict with any of these rules, the symptoms of egress traffic restriction issues occur.
+When you restrict egress traffic from an AKS cluster, your settings must comply with required Outbound network and FQDN (fully qualified domain names) rules for AKS clusters. If your settings are in conflict with any of these rules, the egress traffic restriction issues occur.
 
 ## Solution
 
-Verify that your configuration doesn't conflict with any of the [required Outbound network and FQDN rules for AKS clusters](/azure/aks/outbound-rules-control-egress) for the following items:
+Verify that your configuration doesn't conflict with any of the [required Outbound network and FQDN (fully qualified domain names) rules for AKS clusters](/azure/aks/outbound-rules-control-egress) for the following items:
 
 - Outbound ports
 - Network rules
-- Fully qualified domain names (FQDNs)
+- FQDNs
 - Application rules
 
+Check for conflicts with the rules that might occur in the NSG (network security group), firewall, or appliance that AKS traffic passes through according to the configuration.
+
 > [!NOTE]
-> The AKS outbound dependencies are almost entirely defined by using FQDNs. These FQDNs don't have static addresses behind them. The lack of static addresses means that you can't use network security groups (NSGs) to restrict outbound traffic from an AKS cluster.
+> The AKS outbound dependencies are almost entirely defined by using FQDNs. These FQDNs don't have static addresses behind them. The lack of static addresses means that you can't use NSGs to restrict outbound traffic from an AKS cluster. Additionally, scenarios that allow only IPs that are obtained from required FQDNs after all deny in NSG are not enough to restrict outbound traffic. Because the IPs are not static, issues might occur later.
 
 ## More information
 
