Troubleshoot Anyscale on Azure cloud creation
Troubleshoot Anyscale on Azure cloud creation
The Anyscale on Azure Public Preview uses the Azure portal to create cloud resources. This page covers the most common problems users hit during the cloud creation flow: clusters missing from the portal dropdown, permission errors, sign-in failures, region rejections, and recovery from operator misconfiguration.
For the canonical setup procedure, see the Anyscale on Azure quickstart.
Single subscription and single tenant requirement
All resources for a single Anyscale cloud must live in the same Azure subscription and the same Entra tenant. If your az commands return resources from the wrong subscription, confirm and switch your active context:
az account show
az account set --subscription <subscription-id>
For the full reference on listing subscriptions and switching context, see Azure CLI account commands.
Your AKS cluster isn't in the portal dropdown
The Anyscale clouds creation form in the Azure portal filters AKS clusters by the Subscription and Region you selected on the Basics tab. If your cluster doesn't appear:
- Confirm the Subscription matches the subscription where the cluster lives.
- Confirm the Region matches the cluster's region. Anyscale on Azure is region-scoped. See Supported regions for the available regions.
- Confirm the Entra identity you signed in with has Reader on the AKS resource group. The portal form uses Azure CheckAccess to enumerate visible resources. Without Reader on the resource group, the cluster is invisible to the form even if you can see it through the Azure CLI.
Cloud creation fails with AuthorizationFailed
AKS cluster creation and Anyscale cloud resource creation both require permissions beyond the built-in AKS Contributor role. Use Contributor or Owner on the target resource group, or Contributor plus User Access Administrator. AKS Contributor alone can create the cluster but can't create the role assignments that the Anyscale operator and cluster managed identities need.
For the full setup permission table, see Azure role requirements for setup.
You can't sign in to the Anyscale console
Sign-in to console.azure.anyscale.com requires at least the Anyscale Platform Reader role on the Anyscale cloud resource through Azure RBAC. If you signed in with an account that holds no Anyscale platform role, the Entra ID flow completes but you can't access any Anyscale resources.
Assign the role on the Anyscale cloud resource:
- Navigate to the Anyscale cloud resource in the Azure portal.
- Select Access control (IAM) > Add > Add role assignment.
- Assign Anyscale Platform Reader to the user, group, or service principal that needs sign-in access.
For the three Anyscale built-in Azure roles and what they grant, see Azure built-in roles for Anyscale.
Cloud already exists when re-submitting the portal form
Cloud names are unique within an Anyscale organization. If you previously created a cloud with the same name and removed it through the Anyscale console, the underlying Azure resources stay in place. Pick a new name, or delete the prior cloud resource through the Azure portal before re-submitting.
Removing a cloud from the Anyscale console doesn't delete the AKS cluster, storage account, managed identities, or container registry created during cloud creation. Clean up those resources directly through the Azure portal or the Azure CLI if you want a full reset.
Cloud creation fails with LocationNotAvailableForResourceType or NoRegisteredProviderFound
Anyscale on Azure is available in a limited set of regions during Public Preview. If you select a region outside that list, the Azure Resource Manager rejects the request with one of these error codes. See Supported regions for the current list, and confirm both your AKS cluster region and your Anyscale cloud region match.
The resource providers the quickstart registers in Step 0b must also be registered in your subscription. If you see NoRegisteredProviderFound after picking a supported region, re-run the provider registration loop from Step 0b.
Recovery from operator misconfiguration
If you changed the Control plane URL or Authentication audience values during operator configuration and the operator can't register, restore the defaults. The Azure portal cloud creation flow installs the operator as an AKS extension. Use az k8s-extension update --configuration-settings to update settings rather than the Helm CLI.
The supported defaults are:
- Control plane URL:
https://console.azure.anyscale.com - Authentication audience:
api://086bc555-6989-4362-ba30-fded273e432b/.default
For the full extension update syntax and an example of updating gateway settings, see Step 3f of the quickstart.
Related Azure docs
- Quickstart: Deploy Anyscale on Azure with Envoy Gateway is the canonical setup procedure.
- Identity and access covers the role requirements, managed identities, and the three built-in roles in detail.
- Supported regions lists the regions where Anyscale on Azure is available during Public Preview.
- Azure Resource Manager error codes covers the broader catalog of deployment error codes including
LocationNotAvailableForResourceTypeandNoRegisteredProviderFound.