How to Reuse a Static Public IP and DNS Label Across AKS Clusters

Reusing a static Azure Public IP and DNS label across Azure Kubernetes Service (AKS) clusters is possible but requires careful handling to avoid conflicts with Azure's internal DNS tagging system. This guide provides a step-by-step process for safely reassigning a static Public IP and DNS label to a new AKS cluster.

Instructions

Use Case

You want to:

  • Retain the same Public IP and DNS name for a service deployed to a new AKS cluster.

  • Avoid downtime or DNS propagation delays during cluster upgrades or migrations.


Prerequisites

  • Azure CLI v2.0.59 or later

  • A static Public IP resource already created

  • Access to the old and new AKS clusters

  • Appropriate permissions to assign Azure RBAC roles


Step-by-Step Instructions

1. Clean Up the Old Cluster

  • Delete the Kubernetes Service that was using the static IP and DNS label in the old cluster.

2. Remove the Azure DNS Ownership Tag

  • Go to the Azure Portal or use the CLI to remove the following tag from the Public IP:

    k8s-azure-dns-label-service: <namespace>/<service-name>

  • This tag is added automatically by AKS when using the azure-dns-label-name annotation and must be removed before reuse.

3. Validate the Static Public IP

  • Confirm that the Public IP is:

    • In Standard SKU

    • In a known resource group (either the AKS node RG or a custom RG)

4. Assign RBAC Permissions

  • Grant the new AKS cluster's managed identity the Network Contributor role on the resource group containing the Public IP:

    az role assignment create \
      --assignee <AKS_CLIENT_ID> \
      --role "Network Contributor" \
      --scope /subscriptions/<sub-id>/resourceGroups/<ip-resource-group>

5. Deploy the Service in the New Cluster

Create a Kubernetes Service manifest with the following annotations:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-resource-group: <ip-resource-group>
    service.beta.kubernetes.io/azure-pip-name: <public-ip-name>
    service.beta.kubernetes.io/azure-dns-label-name: <dns-label>
spec:
  type: LoadBalancer
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 80

Apply it with:

kubectl apply -f my-service.yaml

6. Confirm Success

Use the following command to check that the service has been provisioned correctly:

kubectl describe service my-service

Check for:

  • Correct Public IP

  • Correct DNS label

  • No warning events like reconcileDNSSettings


Notes

  • The azure-load-balancer-resource-group annotation is required if your Public IP is not in the AKS node resource group.

  • Removing the DNS label tag manually is essential to avoid conflicts.

  • The HiveMQ platform operator does not create these Azure-specific DNS tags; they are handled by AKS internals.

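The checks in steps 2, 3 and 5, together with the resource-group note above, can be scripted before anything is applied to the new cluster. The Python preflight below is an added example, not part of this article or of the HiveMQ operator: it reads the JSON that `az network public-ip show -o json` returns (a constructed sample is embedded), reports what blocks reuse, produces the tag-removal command (assuming the Azure CLI's generic `update --remove tags.<key>` form, which you should verify against your CLI version), and derives the Service annotations, adding azure-load-balancer-resource-group only when the IP is outside the node resource group.

```python
import json

DNS_OWNER_TAG = "k8s-azure-dns-label-service"
ANNOTATION_PREFIX = "service.beta.kubernetes.io/"

# Constructed sample of `az network public-ip show -o json` output for an IP
# that the old cluster's Service still owns; every value here is made up.
SAMPLE_PIP_JSON = """{
  "name": "my-ip-name", "resourceGroup": "my-rg", "ipAddress": "203.0.113.10",
  "sku": {"name": "Standard"},
  "dnsSettings": {"domainNameLabel": "my-dns-label"},
  "tags": {"k8s-azure-dns-label-service": "default/my-service"}
}"""

def load_sample() -> dict:
    """Parse the constructed sample as if it had come from the Azure CLI."""
    return json.loads(SAMPLE_PIP_JSON)

def preflight(pip: dict) -> list:
    """Return blocking findings for reusing this Public IP; an empty list means go."""
    findings = []
    if (pip.get("sku") or {}).get("name") != "Standard":
        findings.append("Public IP is not Standard SKU")
    if not (pip.get("dnsSettings") or {}).get("domainNameLabel"):
        findings.append("Public IP has no DNS label to reuse")
    owner = (pip.get("tags") or {}).get(DNS_OWNER_TAG)
    if owner:
        findings.append(f"tag {DNS_OWNER_TAG}={owner} still marks the IP as owned "
                        "by the old cluster's Service; remove it before reuse")
    return findings

def remediation(pip: dict) -> list:
    """Commands that clear fixable findings; assumes az's generic --remove accepts tags.<key>."""
    cmds = []
    if DNS_OWNER_TAG in (pip.get("tags") or {}):
        cmds.append(f"az network public-ip update --name {pip['name']} "
                    f"--resource-group {pip['resourceGroup']} --remove tags.{DNS_OWNER_TAG}")
    return cmds

def service_annotations(pip: dict, node_rg: str) -> dict:
    """Annotations for the new Service; the RG annotation only if the IP is outside the node RG."""
    ann = {ANNOTATION_PREFIX + "azure-pip-name": pip["name"],
           ANNOTATION_PREFIX + "azure-dns-label-name": pip["dnsSettings"]["domainNameLabel"]}
    if pip["resourceGroup"] != node_rg:
        ann[ANNOTATION_PREFIX + "azure-load-balancer-resource-group"] = pip["resourceGroup"]
    return ann

if __name__ == "__main__":
    pip = load_sample()  # node RG name below is a made-up placeholder
    print(preflight(pip), remediation(pip), service_annotations(pip, "MC_my-rg_my-aks_eastus"))
```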

Troubleshooting

Issue: Error syncing load balancer: failed to reconcileDNSSettings

  • Fix: Manually remove the k8s-azure-dns-label-service tag from the Public IP.

Issue: user supplied IP Address was not found

  • Fix: Ensure the Public IP exists in the correct resource group and is Standard SKU.

How to check your IP SKU

az network public-ip show \
  --name my-ip-name \
  --resource-group my-rg \
  --query sku.name

Expected output for Standard SKU:

"Standard"
