IBM Cloud Docs
Why does the Network status show an NHC010 error?

Virtual Private Cloud

When you check the status of your cluster's health by running the ibmcloud ks cluster health issues --cluster <CLUSTER_ID> command, you see an error similar to the following example.

ID       Component   Severity   Description
NHC010   Network     Error      Exceeded security group rules related quota.

IBM Cloud VPC infrastructure enforces limits for security group rules per security group in production environments. If this limit is exceeded, it can prevent your cluster from creating or updating required security group rules. For example, you cannot create another cluster.

Review and adjust your cluster's security group rules.

  1. There are multiple security groups associated with a VPC cluster that need to be checked. One example is a shared security group named in the format kube-vpegw-<VPC_ID>. Each associated security group typically includes the CLUSTER_ID in its name, making it easier to identify which cluster it belongs to. The shared security group has remote security group rules referencing these associated groups, and it cannot have more than 15 such remote rules. Each cluster in the same VPC has an entry, and once it reaches 15, you cannot create more clusters. To check the number of remote rules, first retrieve the security group ID (SECURITY_GROUP_ID) for the shared security group by running:

    ibmcloud is security-groups <VPC_ID> --output json | jq -r '.[] | select(.name=="kube-vpegw-<VPC_ID>") | .id'
    
  2. Count how many remote security group rules are associated with this group:

    ibmcloud is security-group-rules <SECURITY_GROUP_ID> | grep -c <CLUSTER_ID>
    
  3. If the count reaches the limit, resolve the issue in one of the following ways:

    • Use a different VPC or clean up unused clusters in the VPC.
    • Or, if you added custom remote rules earlier, review them:
      • Reduce the number of custom individual rules.
      • Remove duplicate custom rules that point to the same remote group or IP addresses.
      • Review and clean up any unnecessary custom rules.
  4. For IBM Cloud enforced limits, see VPC Security Group Rule Limits & Quotas.

  5. For general best practices, see the Security Group Guidelines.

  6. For command references, see the Security Group Rule CLI Reference.

  7. After making adjustments, wait a few minutes and check if the warning clears.

  8. If the issue persists, contact support for further assistance. Open a support case. In the case details, be sure to include any relevant log files, error messages, or command outputs.
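
The review in step 3 can be done over the JSON form of the rule list. The following script is an added example, not part of the IBM Cloud documentation: it counts the rules that reference a remote security group against the limit of 15 stated above and reports rules that duplicate one another. It assumes that ibmcloud is security-group-rules <SECURITY_GROUP_ID> --output json was saved to a file and that each rule carries direction, protocol, port_min, port_max, and a remote object with id, cidr_block, or address; the function names and the sample data are constructed for illustration.

```python
import json
import sys
from collections import Counter

REMOTE_RULE_LIMIT = 15  # remote-rule limit this page states for the shared security group

# Constructed sample rules (not real CLI output); field names are an assumed schema.
SAMPLE = json.loads("""[
 {"id": "r1", "direction": "inbound", "protocol": "all", "remote": {"id": "sg-aaa"}},
 {"id": "r2", "direction": "inbound", "protocol": "all", "remote": {"id": "sg-bbb"}},
 {"id": "r3", "direction": "inbound", "protocol": "all", "remote": {"id": "sg-aaa"}},
 {"id": "r4", "direction": "inbound", "protocol": "tcp", "port_min": 443,
  "port_max": 443, "remote": {"cidr_block": "10.240.0.0/24"}}
]""")


def remote_key(rule):
    """Return (kind, value) for a rule's remote: a security group ID or an IP range."""
    remote = rule.get("remote") or {}
    if "id" in remote:
        return ("security_group", remote["id"])
    if "cidr_block" in remote:
        return ("cidr", remote["cidr_block"])
    return ("address", remote.get("address", "any"))


def audit(rules, limit=REMOTE_RULE_LIMIT):
    """Count remote-group rules and collect rule signatures that occur more than once."""
    signatures = Counter(
        (r.get("direction"), r.get("protocol"), r.get("port_min"), r.get("port_max"),
         r.get("type"), r.get("code"), remote_key(r))
        for r in rules)
    remote_groups = sum(1 for r in rules if remote_key(r)[0] == "security_group")
    return {
        "remote_group_rules": remote_groups,
        "at_limit": remote_groups >= limit,
        "duplicates": {sig: n for sig, n in signatures.items() if n > 1},
    }


if __name__ == "__main__":
    # Pass the saved JSON file as the first argument; without one, the sample is used.
    rules = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            rules = json.load(fh)
    report = audit(rules)
    print(f"remote group rules: {report['remote_group_rules']}/{REMOTE_RULE_LIMIT}"
          f" (at limit: {report['at_limit']})")
    for sig, n in report["duplicates"].items():
        print(f"{n} identical rules: {sig}")
```

Each signature listed as a duplicate is a candidate for removal under step 3. Delete all but one rule per signature, then recheck the count.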