After checking out https://learn.microsoft.com/en-us/azure/aks/configure-kubenet and following the advice there, it appears that the service, pod and docker CIDRs shouldn't overlap with any other addresses used (presumably within the same VNet), e.g.
The --service-cidr is used to assign internal services in the AKS cluster an IP address. This IP address range should be an address space that isn't in use elsewhere in your network environment.
I'm just not sure why this should be. Are these IPs actually accessible on the VNet? I was under the impression that these CIDRs were only used within AKS, and that only a CNI cluster would allow direct access. Can anyone elucidate on this matter?
And I suppose the next question would be, what happens if they do overlap?
Maybe you are not clear about how the network of AKS works, so you are confused here.
In a kubenet type network, all traffic goes to the nodes first, and then kubenet routes the traffic to the specific services and then to the pods. At this point, if your services have the same IPs as something in the VNet, where does the traffic go? To the services, or to the other nodes with the same IPs in the VNet? Or even to the other resources in the VNet? In order to route the traffic to the services directly, you'd better not overlap the service CIDR IP address range with the VNet.
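A pre-deployment check for the non-overlap rule described above, added here as an example (it is not code from the question, the answer, or the AKS docs); the subnet names and CIDRs are constructed sample values, and the range labels are only descriptive keys, not CLI flags:

```python
import ipaddress
from itertools import combinations

# Constructed sample input: a VNet with two subnets, plus the three kubenet
# ranges chosen for the cluster. Illustrative values only.
VNET_SUBNETS = {
    "vnet/subnet-aks": "10.240.0.0/16",
    "vnet/subnet-db": "10.241.0.0/24",
}
CLUSTER_RANGES = {
    "service cidr": "10.0.0.0/16",
    "pod cidr": "10.244.0.0/16",
    "docker bridge cidr": "172.17.0.1/16",
}


def find_overlaps(vnet_subnets, cluster_ranges):
    """Return a sorted list of (name_a, name_b) pairs whose ranges overlap.

    Each cluster range is checked against every VNet subnet and against the
    other cluster ranges. Two VNet subnets are not compared with each other,
    since Azure already rejects overlapping subnets inside one VNet.
    An overlap means a packet for an address in one range could be routed
    to the other, which is exactly the ambiguity the answer warns about.
    """
    # strict=False accepts host-style values such as 172.17.0.1/16
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in {**vnet_subnets, **cluster_ranges}.items()}
    conflicts = []
    for (name_a, net_a), (name_b, net_b) in combinations(nets.items(), 2):
        if name_a in vnet_subnets and name_b in vnet_subnets:
            continue
        if net_a.overlaps(net_b):
            conflicts.append(tuple(sorted((name_a, name_b))))
    return sorted(conflicts)


if __name__ == "__main__":
    problems = find_overlaps(VNET_SUBNETS, CLUSTER_RANGES)
    if problems:
        for a, b in problems:
            print(f"overlap: {a} <-> {b}")
    else:
        print("no overlapping ranges")
```

Run it before `az aks create` with the real VNet subnets filled in; a non-empty result is the configuration the answer says to avoid.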