Azure Kubernetes Cluster - Accessing and interacting with Service(s) from on-premise

2/10/2021

Currently we have the following scenario:

We have established our connection (network wise) from on-premise to the Azure Kubernetes Cluster (private cluster!) without any problems.

Ports which are being routed and allowed:

TCP 80
TCP 443

So far, we are in a development environment and test different configurations.

For setting up our AKS, we need to set the virtual network (via CNI) and the Service CIDR. We have set the following configuration (just an example):

Virtual Network: 10.2.0.0 /21
Service CIDR: 10.2.8.0 /23

So our pods get their IPs from our virtual network subnet, and the services get their IPs from the Service CIDR. So far so good. A route table for the virtual network (the subnet has been associated with the route table) is forwarding all traffic to our firewall and vice versa: interacting with the virtual network is working without any issue. The network team (which is new to Azure cloud stuff as well) has said that the connection and access to the Service CIDR should be working.

Sadly, we are unable to access the Service CIDR.

For example, let's say we want to set up the Kubernetes dashboard (web UI) via https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/. After running the YAML code, the Kubernetes dashboard pod and service are created successfully. The pod can be pinged and "accessed", but the service, which makes it possible to access the Kubernetes dashboard via port 443, cannot be accessed, for example https://10.2.8.42/. My workaround so far is that the Kubernetes dashboard (as a Service, type: ClusterIP) has an external IP set from the virtual network. This sounds all great, but I am not really fond of it, since I have to interact with the virtual network rather than the Service CIDR. Is this really the correct way? Any hints on how to make the Service CIDR accessible? What am I missing?

Any help would be appreciated.

-- Insight
azure
kubernetes
kubernetes-service

0 Answers
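An added example, not part of the question above and not an answer posted on the page, to illustrate the two kinds of addresses that are in play. Kubernetes ClusterIP addresses (the Service CIDR) are virtual: they exist only as NAT rules that kube-proxy programs on each node, so the Service CIDR is not a subnet that Azure routes and an on-premises client cannot reach 10.2.8.x directly. An address that is routable from on-premises has to come from the VNet, either via the externalIPs workaround the poster describes or via an Azure internal load balancer. Assumptions in this example: the dashboard runs in the namespace kubernetes-dashboard with pods labelled k8s-app: kubernetes-dashboard listening on 8443 (as in the upstream dashboard manifest); 10.2.3.250 is a constructed VNet address; 192.168.0.0/16 is a constructed placeholder for the on-premises range.

```yaml
# Added example (not from the original post). Two ways to give the dashboard
# Service an address that is actually routable from on-premises.
# Assumptions: namespace "kubernetes-dashboard", pod label
# "k8s-app: kubernetes-dashboard", container port 8443 (upstream manifest);
# 10.2.0.0/21 is the VNet from the post; 10.2.3.250 and 192.168.0.0/16 are
# constructed placeholder values.
---
# Variant A: the workaround described in the post. A ClusterIP Service with an
# externalIPs entry taken from the VNet. kube-proxy programs a DNAT rule on every
# node, so traffic to 10.2.3.250:443 that reaches any node is forwarded to a
# dashboard pod. Azure does not manage this address, so the network path from
# on-premises to a node must deliver packets for it.
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-externalip
  namespace: kubernetes-dashboard
spec:
  type: ClusterIP
  selector:
    k8s-app: kubernetes-dashboard
  ports:
    - port: 443
      targetPort: 8443
  externalIPs:
    - 10.2.3.250   # constructed; must lie in the VNet, not in the Service CIDR
---
# Variant B: an Azure internal load balancer. Azure allocates the frontend IP
# from the cluster's VNet subnet, which the existing route table and firewall
# already handle. The internal annotation keeps the dashboard off any public
# load balancer, and loadBalancerSourceRanges restricts which client ranges the
# load balancer accepts, so the dashboard is exposed only to the on-premises
# network rather than to everything that can reach the VNet.
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-internal
  namespace: kubernetes-dashboard
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    k8s-app: kubernetes-dashboard
  ports:
    - port: 443
      targetPort: 8443
  loadBalancerSourceRanges:
    - 192.168.0.0/16   # constructed placeholder for the on-premises range
```

Apply either manifest with kubectl apply -f and then read the resulting address with kubectl get svc -n kubernetes-dashboard: variant A shows the externalIPs value you chose under EXTERNAL-IP, variant B shows the frontend IP Azure allocated from the VNet subnet. In both cases the ClusterIP from the Service CIDR is still assigned and still works from inside the cluster; it is simply not the address on-premises clients use.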