Check if network connectivity for Azure Connected Machine Agent is blocked - Azure Arc
In this blog I look at tools that can help you troubleshoot Azure Arc agent network connectivity issues.
To onboard a server to Azure Arc and utilise its capabilities you need to install the Azure Connected Machine agent.
The Azure Connected Machine agent communicates from your non-Azure environment to Azure using several URLs. For more information on those URLs please refer to the official documentation.
If outbound connectivity from your environment is restricted by your firewall or proxy server, you need to ensure that the correct URLs are not blocked.
At the very minimum, the agent needs to be able to communicate with URLs such as:
- *.guestconfiguration.azure.com (Extension management and guest configuration services)
- *.his.arc.azure.com (Metadata and Hybrid Identity Service)
- login.microsoftonline.com (Microsoft Entra ID)
- login.windows.net (Microsoft Entra ID)
- pas.windows.net (Microsoft Entra ID)
- management.azure.com (Azure Resource Manager)
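As an added example (not from the original post, and not part of the agent's tooling), this PowerShell script compares an exported firewall or proxy allowlist against the endpoint list above and reports which required entries no rule covers. The allowlist entries are constructed sample data, the function names are hypothetical, and it assumes a wildcard rule matches subdomains at any depth.

```powershell
# Required endpoint patterns, copied from the list above.
$Required = @(
    '*.guestconfiguration.azure.com', '*.his.arc.azure.com',
    'login.microsoftonline.com', 'login.windows.net',
    'pas.windows.net', 'management.azure.com'
)

# Constructed sample allowlist; replace with an export from your firewall or proxy.
$Allowlist = @(
    '*.guestconfiguration.azure.com',
    'host1.his.arc.azure.com',      # constructed single host, not the wildcard
    'login.microsoftonline.com',
    'LOGIN.WINDOWS.NET.',           # same name, different case and trailing dot
    'management.azure.com'
)

function ConvertTo-HostPattern {
    param([string]$Pattern)
    # Compare names case-insensitively and without a trailing root dot.
    $Pattern.Trim().ToLowerInvariant().TrimEnd('.')
}

function Test-PatternCovered {
    param([string]$Needed, [string]$Rule)
    $n = ConvertTo-HostPattern $Needed
    $r = ConvertTo-HostPattern $Rule
    if ($n -eq $r) { return $true }
    # Only a wildcard rule can cover anything beyond an exact match.
    if (-not $r.StartsWith('*.')) { return $false }
    # Assumption: '*.' in a rule matches subdomains at any depth.
    $suffix = $r.Substring(1)                 # '*.azure.com' -> '.azure.com'
    $body = if ($n.StartsWith('*.')) { $n.Substring(1) } else { $n }
    return $body.EndsWith($suffix, [System.StringComparison]::Ordinal)
}

# One row per required endpoint, with the first allowlist rule that covers it.
$Report = foreach ($needed in $Required) {
    $hit = $Allowlist | Where-Object { Test-PatternCovered $needed $_ } | Select-Object -First 1
    [pscustomobject]@{
        Endpoint  = $needed
        Covered   = [bool]$hit
        MatchedBy = $hit
    }
}
$Report | Format-Table -AutoSize
```

The MatchedBy column also shows when a required endpoint is only reachable because of a rule broader than it needs to be.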
To check if network connectivity for the Azure Connected Machine agent is blocked you can use the azcmagent CLI tool.
The azcmagent CLI is installed with the Azure Connected Machine agent and controls actions specific to the server where it's running.
One of the switches available with azcmagent is check. It runs a series of network connectivity checks to see whether the agent can successfully communicate with the required network endpoints.
Check Azure Arc connectivity using public endpoints
To use the azcmagent CLI tool, log on to a server that has the Azure Connected Machine agent installed.
Launch a command prompt or PowerShell terminal window.
Type in:
azcmagent check --location "ukwest"
The command outputs a table showing connectivity test results for each required endpoint. In this example, all URLs are reachable and the traffic is going directly to them.
Check Azure Arc connectivity using private endpoints
If you are using private endpoints for connectivity you can use the following command to check:
azcmagent check --location "eastus" --enable-pls-check
Check Azure Arc connectivity using a proxy
If you are using a proxy to route traffic, the command to check network connectivity is the same as for public endpoints:
azcmagent check --location "westeurope"
In this example, you can see from the table that the traffic is going through a proxy server and some of the URLs are unreachable.
Check for Azure Arc-enabled SQL network connectivity
With the introduction of agent version 1.41, you can now check for networking issues affecting the SQL management components, using the new --extensions flag.
The command you use is:
azcmagent check --extensions sql --location uksouth
You can see in this example all necessary URLs are accessible both for the Azure Arc agent and the SQL components.
Conclusion
In conclusion, ensuring seamless connectivity for the Azure Connected Machine agent is crucial for a successful onboarding process to Azure Arc.
This involves verifying the accessibility of specific URLs through either public or private endpoints, with additional considerations for environments employing proxy servers.
Utilizing the azcmagent CLI tool provides a straightforward means to conduct network connectivity checks, allowing users to address any potential restrictions or blockages, and ensuring a smooth integration of servers into the Azure Arc ecosystem.