Use shared health probes for `externalTrafficPolicy: Cluster` Services (preview) in Azure Kubernetes Service (AKS)

This article describes how to enable shared health probe mode (preview) for Services with externalTrafficPolicy: Cluster in Azure Kubernetes Service (AKS). Shared probe mode improves load balancer efficiency, reduces configuration complexity, and provides more accurate node health monitoring.

About shared health probe mode

In clusters that use externalTrafficPolicy: Cluster, Azure Standard Load Balancer (SLB) currently creates a separate probe per Service and targets each Service's nodePort.

This design means SLB infers node health from whichever application pod answers the probe. As clusters grow, this approach leads to several issues, including:

Configuration drift and blind spots: SLB can't detect a failed or misconfigured kube‑proxy if iptables rules are still present.
Duplicate health logic: Readiness must be defined twice. Once in each pod's readinessProbe, and again through SLB annotations.
Operational overhead: Each Service on each node is probed every five seconds, consuming connections, SNAT ports, and SLB rule space.
Feature friction: Customers can't set allocateLoadBalancerNodePorts=false, and workloads like Istio or ingress‑nginx require extra annotations to keep probes working.
Troubleshooting confusion: An unhealthy app, Network Policy rule, or scale‑to‑zero event can make an entire node appear down.

Shared probe mode solves these problems by moving to a single HTTP probe for all externalTrafficPolicy: Cluster Services. In shared probe mode:

SLB probes http://<node‑ip>:10356/healthz, the standard kube‑proxy health endpoint.
A lightweight sidecar runs next to kube‑proxy to relay the probe and handle PROXY protocol when Private Link Service is enabled.

Benefits of shared probe mode

The following table outlines key benefits of using shared probe mode:

Benefit	Why it matters
Accurate node health	SLB now measures `kube‑proxy` directly, not an arbitrary backend pod.
Simpler configuration	No per‑Service probe annotations; readiness lives solely in the pod spec.
Lower traffic overhead	One probe per node instead of Services × (nodes – 1) probes.

Note

Keep the following information in mind when using shared probe mode:

Services that use externalTrafficPolicy: Local are unchanged.
This feature does not address container‑native load balancing.

Before you begin

Install or update the aks-preview Azure CLI extension.
Register the EnableSLBSharedHealthProbePreview feature flag in your Azure subscription.

Install or update the `aks-preview` Azure CLI extension

Important

AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:

Install the aks-preview extension using the az extension add command.
```
az extension add --name aks-preview
```
Update to the latest version of the aks-preview extension using the az extension update command.
```
az extension update --name aks-preview
```

Register the `EnableSLBSharedHealthProbePreview` feature flag

Register the EnableSLBSharedHealthProbePreview feature flag using the az feature register command.
```
az feature register --namespace "Microsoft.ContainerService" --name "EnableSLBSharedHealthProbePreview"
```
It takes a few minutes for the status to show Registered.

Verify the registration status using the az feature show command:

az feature show --namespace "Microsoft.ContainerService" --name "EnableSLBSharedHealthProbePreview"

When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.
```
az provider register --namespace Microsoft.ContainerService
```

Enable shared probe mode on an AKS cluster

Create a new cluster with shared probe mode
Update an existing cluster to use shared probe mode

Create a new cluster with shared probe mode using the az aks create command with the --cluster-service-load-balancer-health-probe-mode parameter set to shared.
```
az aks create \
  --resource-group $RESOURCE_GROUP \
  --name $CLUSTER_NAME \
  --cluster-service-load-balancer-health-probe-mode shared
```

Update an existing cluster to use shared probe mode using the az aks update command with the --cluster-service-load-balancer-health-probe-mode parameter set to shared.
```
az aks update \
  --resource-group $RESOURCE_GROUP \
  --name $CLUSTER_NAME \
  --cluster-service-load-balancer-health-probe-mode shared
```

Next steps

To learn more about AKS Standard Load Balancer configuration options, see Configure your public standard load balancer in AKS.

Last updated on 2025-11-20

Use shared health probes for externalTrafficPolicy: Cluster Services (preview) in Azure Kubernetes Service (AKS)