
Commit 6c9ce19

Merge pull request #241095 from allyford/Windows-fixes
Fix windows bugs
2 parents 93e0dd1 + cb25d40 commit 6c9ce19


2 files changed (+28, -1 lines changed)


articles/aks/use-group-managed-service-accounts.md

Lines changed: 4 additions & 0 deletions
@@ -52,6 +52,10 @@ az keyvault secret set --vault-name MyAKSGMSAVault --name "GMSADomainUserCred" -
5252

5353
Your domain controller needs to be configured through DNS so it's reachable by the AKS cluster. You can configure your network and DNS outside of your AKS cluster to allow your cluster to access the domain controller. Alternatively, you can configure a custom VNET with a custom DNS using Azure CNI with your AKS cluster to provide access to your domain controller. For more information, see [Configure Azure CNI networking in Azure Kubernetes Service (AKS)][aks-cni].
5454

55+
## Optional: Configure more than one DNS server
56+
57+
If you want to configure more than one DNS server for Windows GMSA in your AKS cluster, don't specify `--gmsa-dns-server`or `v--gmsa-root-domain-name`. Instead, you can add multiple DNS servers in the vnet by selecting Custom DNS and adding the DNS servers
58+
5559
## Optional: Use your own kubelet identity for your cluster
5660

5761
To provide the AKS cluster access to your key vault, the cluster kubelet identity needs access to your key vault. By default, when you create a cluster with managed identity enabled, a kubelet identity is automatically created. You can grant access to your key vault for this identity after cluster creation, which is done in a later step.
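Review bot: the new sentence in the "Configure more than one DNS server" section has a typo in its flag names: `--gmsa-dns-server`or `v--gmsa-root-domain-name` is missing the space after the first backtick span and carries a stray `v` in the second flag, and the sentence has no terminating period. Suggest: don't specify `--gmsa-dns-server` or `--gmsa-root-domain-name`. Instead, you can add multiple DNS servers in the VNET by selecting Custom DNS and adding the DNS servers. Using "VNET" here also matches the casing already used two paragraphs above ("custom VNET with a custom DNS").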

articles/aks/windows-faq.md

Lines changed: 24 additions & 1 deletion
@@ -67,6 +67,10 @@ At this time, [client source IP preservation][client-source-ip] is not supported
6767

6868
Yes. For the implications of making a change and the options that are available, see [Maximum number of pods][maximum-number-of-pods].
6969

70+
## What is the default TCP timeout in Windows OS?
71+
72+
The default TCP timeout in Windows OS is 4 minutes. This value isn't configurable. When an application uses a longer timeout, the TCP connections between different containers in the same node close after four minutes.
73+
7074
## Why am I seeing an error when I try to create a new Windows agent pool?
7175

7276
If you created your cluster before February 2020 and have never done any cluster upgrade operations, the cluster still uses an old Windows image. You may have seen an error that resembles:
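Review bot: the added TCP timeout answer is inconsistent with itself, writing "4 minutes" in the first sentence and "four minutes" in the last; pick one form. The last sentence also leaves the cause and effect implicit ("When an application uses a longer timeout, the TCP connections ... close after four minutes"); consider "Even if an application configures a longer timeout, TCP connections between containers on the same node are closed after 4 minutes." so readers understand the application setting does not override the OS value.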
@@ -80,6 +84,21 @@ To fix this error:
8084
1. Move Windows pods from existing Windows agent pools to new Windows agent pools.
8185
1. Delete old Windows agent pools.
8286

87+
## Why am I seeing an error when I try to deploy Windows pods?
88+
89+
If you specify a value in `--max-pods` less than the number of pods you want to create, you may see the `No available addresses` error.
90+
91+
To fix this error, use the `az aks nodepool add` command with a high enough `--max-pods` value:
92+
93+
```azurecli
94+
az aks nodepool add \
95+
--cluster-name $CLUSTER_NAME \
96+
--resource-group $RESOURCE_GROUP \
97+
--name $NODEPOOL_NAME \
98+
--max-pods 3
99+
```
100+
For more details, see the [`--max-pods` documentation](https://learn.microsoft.com/cli/azure/aks/nodepool?view=azure-cli-latest#az-aks-nodepool-add:~:text=for%20system%20nodepool.-,%2D%2Dmax%2Dpods%20%2Dm,-The%20maximum%20number).
101+
83102
## Why is there an unexpected user named "sshd" on my VM node?
84103

85104
AKS adds a user named "sshd" when installing the OpenSSH service. This user is not malicious. We recommend that customers update their alerts to ignore this unexpected user account.
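Review bot: the example command in the new "deploy Windows pods" answer sets `--max-pods 3`, which contradicts the sentence before it ("a high enough `--max-pods` value") and, taken literally, would reproduce the `No available addresses` error for any workload with more than three pods; use a clearly larger placeholder value or a variable such as `$MAX_PODS` with a note to size it above the number of pods the node pool must host. The documentation link also embeds a `:~:text=` text fragment with percent-encoded characters, which is fragile and not honoured by every browser; link to the `az aks nodepool add` reference page without the fragment and name the `--max-pods` parameter in the sentence instead.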
@@ -155,7 +174,11 @@ Yes, you can. However, Azure Monitor is in public preview for gathering logs (st
155174

156175
## Are there any limitations on the number of services on a cluster with Windows nodes?
157176

158-
A cluster with Windows nodes can have approximately 500 services before it encounters port exhaustion.
177+
A cluster with Windows nodes can have approximately 500 services (sometimes less) before it encounters port exhaustion. This limitation applies to a Kubernetes Service with External Traffic Policy set to “Cluster”.
178+
179+
When external traffic policy on a Service is configured as Cluster, the traffic undergoes an additional Source NAT on the node which also results in reservation of a port from the TCPIP dynamic port pool. This port pool is a limited resource (~16K ports by default) and many active connections to a Service(s) can lead to dynamic port pool exhaustion resulting in connection drops.
180+
181+
If the Kubernetes Service is configured with External Traffic Policy set to “Local”, port exhaustion problems aren't likely to occur at 500 services.
159182

160183
## Can I use Azure Hybrid Benefit with Windows nodes?
161184
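Review bot: the rewritten services-limit answer uses curly quotes around “Cluster” and “Local” while the rest of the file uses straight quotes (for example "sshd" above), "TCPIP" should be "TCP/IP", and "a Service(s)" reads awkwardly ("many active connections to Services"). "(sometimes less)" is vague: if the condition under which the limit drops below 500 is known, state it; otherwise "up to approximately 500 services" says the same thing more clearly. Since readers will set this on the Service object, consider naming the field as `externalTrafficPolicy` with the values `Cluster` and `Local` in code formatting rather than prose quotes.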
