Use service tags for API server authorized IP ranges in Azure Kubernetes Service (AKS) (preview)

Service tags for API server authorized IP ranges is a preview feature that allows you to use service tags to specify authorized IP ranges for the API server in Azure Kubernetes Service (AKS). This feature simplifies the management of authorized IP ranges by allowing you to use predefined service tags instead of manually specifying individual IP addresses or CIDR ranges.

Important

AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:

Prerequisites

Limitations

  • This feature isn't compatible with API Server VNet Integration.
  • Only one service tag is allowed in the --api-server-authorized-ip-ranges parameter. You can't specify multiple service tags.

Install the aks-preview Azure CLI extension

  1. Install the Azure CLI preview extension using the az extension add command.

    az extension add --name aks-preview
    
  2. Update the extension to make sure you have the latest version using the az extension update command.

    az extension update --name aks-preview
    

Register the service tag authorized IP feature flag

  1. Register the EnableServiceTagAuthorizedIPPreview feature flag using the az feature register command. It takes a few minutes for the registration to complete.

    az feature register --namespace "Microsoft.ContainerService" --name "EnableServiceTagAuthorizedIPPreview"
    

    Example output:

    {
      "id": "/subscriptions/<subscription-id>/providers/Microsoft.ContainerService/features/EnableServiceTagAuthorizedIPPreview",
      "name": "EnableServiceTagAuthorizedIPPreview",
      "properties": {
        "state": "Registering"
      },
      "type": "Microsoft.ContainerService/features"
    }
    
  2. Once the feature flag state changes from Registering to Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.

    az provider register --namespace "Microsoft.ContainerService"
    
  3. Verify the registration using the az feature show command.

    az feature show --namespace "Microsoft.ContainerService" --name "EnableServiceTagAuthorizedIPPreview"
    

    Example output:

    {
      "id": "/subscriptions/<subscription-id>/providers/Microsoft.ContainerService/features/EnableServiceTagAuthorizedIPPreview",
      "name": "EnableServiceTagAuthorizedIPPreview",
      "properties": {
        "state": "Registered"
      },
      "type": "Microsoft.ContainerService/features"
    }
    

Create an AKS cluster with service tag authorized IP ranges

  • Create a cluster with service tag authorized IP ranges using the az aks create command with the --api-server-authorized-ip-ranges parameter. The following example creates a cluster named myAKSCluster in the myResourceGroup resource group, authorizes the AzureCloud service tag so that all Azure services can reach the API server, and additionally authorizes the single IP address 20.20.20.20:

    az aks create --resource-group myResourceGroup --name myAKSCluster --api-server-authorized-ip-ranges AzureCloud,20.20.20.20
    

    Note

    You should be able to curl the API server from an Azure virtual machine (VM) or Azure service that's part of the AzureCloud service tag.
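As an added example that is not part of the AKS documentation, the script below ties the steps above together: it validates an authorized-ranges value against the one-service-tag limitation before anything is created, polls the feature flag until it reaches Registered, and only then runs the create command from the page. myResourceGroup and myAKSCluster are the page's placeholder names; the --apply switch and the validation helpers are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the AKS docs. Assumes Azure CLI with the aks-preview
# extension installed and an active login when run with --apply.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_or_cidr() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Validate a comma-separated --api-server-authorized-ip-ranges value.
# Returns 1 if any token is neither an IPv4/CIDR nor a tag-shaped name, or if
# more than one service tag is present (the preview allows only one).
validate_authorized_ranges() {
  tags=0
  old_ifs=$IFS; IFS=','
  for token in $1; do
    if is_ipv4_or_cidr "$token"; then
      continue
    elif printf '%s' "$token" | grep -Eq '^[A-Za-z][A-Za-z0-9.]*$'; then
      tags=$((tags + 1))   # tag-shaped token, e.g. AzureCloud
    else
      IFS=$old_ifs; echo "invalid token: $token" >&2; return 1
    fi
  done
  IFS=$old_ifs
  if [ "$tags" -gt 1 ]; then
    echo "only one service tag is allowed (found $tags)" >&2; return 1
  fi
  return 0
}

# az feature register is asynchronous: poll until the state is Registered,
# then refresh the resource provider as the docs require.
wait_for_feature_registered() {
  while true; do
    state=$(az feature show --namespace Microsoft.ContainerService \
              --name EnableServiceTagAuthorizedIPPreview \
              --query properties.state -o tsv)
    [ "$state" = "Registered" ] && break
    echo "feature state: $state, waiting..." >&2
    sleep 30
  done
  az provider register --namespace Microsoft.ContainerService
}

RANGES="AzureCloud,20.20.20.20"   # value used on the page
if [ "${1:-}" = "--apply" ]; then
  validate_authorized_ranges "$RANGES" || exit 1
  wait_for_feature_registered
  az aks create --resource-group myResourceGroup --name myAKSCluster \
    --api-server-authorized-ip-ranges "$RANGES"
fi
```

Run without arguments the script only defines the helpers; with --apply it performs the registration wait and cluster creation against the current subscription.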