Fixing azcmagent connect failures caused by agentserviceapi.guestconfiguration.azure.com being unreachable over ExpressRoute

As the previous posts (07)(08) described, on both Windows and Linux we eventually hit AZCM0026: Network Error. The error message and our tests pointed at one endpoint, agentserviceapi.guestconfiguration.azure.com, which could not be reached. The check table makes that specific: only this endpoint reports REACHABLE false, while every other required endpoint completes a TLS handshake, and no proxy is in the path, so this is not a general connectivity or proxy problem.

PS C:\> & "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect --service-principal-id "$ServicePrincipalId" --service-principal-secret "$ServicePrincipalClientSecret" --resource-group "$env:RESOURCE_GROUP" --tenant-id "$env:TENANT_ID" --location "$env:LOCATION" --subscription-id "$env:SUBSCRIPTION_ID" --cloud "$env:CLOUD" --correlation-id "$env:CORRELATION_ID";
INFO    Connecting machine to Azure... This might take a few minutes.
INFO    Testing connectivity to endpoints that are needed to connect to Azure... This might take a few minutes.
INFO    Exit Code:  AZCM0026: Network Error
INFO    For troubleshooting, see https://aka.ms/arc/azcmerror
FATAL   required endpoints unavailable: https://agentserviceapi.guestconfiguration.azure.com
PS C:\> azcmagent.exe check --location "eastasia"
INFO    Testing connectivity to endpoints that are needed to connect to Azure... This might take a few minutes.
ENDPOINT                                              |REACHABLE  |PRIVATE  |TLS      |PROXY
https://agentserviceapi.guestconfiguration.azure.com  |false      |false    |unknown  |not used
https://ea.his.arc.azure.com                          |true       |false    |TLS 1.3  |not used
https://eastasia-gas.guestconfiguration.azure.com     |true       |false    |TLS 1.3  |not used
https://gbl.his.arc.azure.com                         |true       |false    |TLS 1.3  |not used
https://login.microsoftonline.com                     |true       |false    |TLS 1.3  |not used
https://login.windows.net                             |true       |false    |TLS 1.3  |not used
https://management.azure.com                          |true       |false    |TLS 1.3  |not used
https://pas.windows.net                               |true       |false    |TLS 1.2  |not used

When we later went through the problem on a call with Microsoft support, the direction was more or less settled as an ExpressRoute configuration issue. The circuit uses Microsoft Peering and there is no firewall configuration in the path at all. Support's first thought was that the ExpressRoute configuration was missing a particular Azure Arc IP range, and they asked us to import that range manually.

It did turn out that an IP range was missing, but it is not something you import by hand. The key was a colleague running nslookup:

PS C:\> nslookup agentserviceapi.guestconfiguration.azure.com

Non-authoritative answer:
Name:    kc-gas-cses-1d.koreacentral.cloudapp.azure.com
Address:  20.44.31.37
Aliases:  agentserviceapi.guestconfiguration.azure.com
          agentserviceapi.privatelink.guestconfiguration.azure.com
          agentserviceapi.trafficmanager.net

ExpressRoute Microsoft Peering has a Route Filter. It decides which Azure services and regions, each identified by a BGP community value, have their prefixes advertised to your network over the circuit; a prefix whose community is not in the filter is never advertised, so the on-premises side has no ExpressRoute route to it.

Simply put: did you notice the koreacentral keyword in the nslookup output? agentserviceapi.guestconfiguration.azure.com is a global name. Its alias chain passes through agentserviceapi.trafficmanager.net, and Traffic Manager sent our eastasia client to a backend in the koreacentral data centre (kc-gas-cses-1d.koreacentral.cloudapp.azure.com, 20.44.31.37). koreacentral was not in the Route Filter's allow list, so that prefix was not advertised over the circuit and there was no route to it. After adding koreacentral (the Azure Korea Central community) to the Route Filter's allow list, we re-ran the connectivity test:

PS C:\> azcmagent.exe check --location "eastasia"
INFO    Testing connectivity to endpoints that are needed to connect to Azure... This might take a few minutes.
ENDPOINT                                              |REACHABLE  |PRIVATE  |TLS      |PROXY
https://agentserviceapi.guestconfiguration.azure.com  |true       |false    |TLS 1.2  |not used
https://ea.his.arc.azure.com                          |true       |false    |TLS 1.3  |not used
https://eastasia-gas.guestconfiguration.azure.com     |true       |false    |TLS 1.3  |not used
https://gbl.his.arc.azure.com                         |true       |false    |TLS 1.3  |not used
https://login.microsoftonline.com                     |true       |false    |TLS 1.3  |not used
https://login.windows.net                             |true       |false    |TLS 1.3  |not used
https://management.azure.com                          |true       |false    |TLS 1.3  |not used
https://pas.windows.net                               |true       |false    |TLS 1.2  |not used

That cleared the last hurdle, and the Windows and Linux VMs joined the Azure Arc machine list normally. One thing to keep in mind: a Traffic Manager-fronted global endpoint is not tied to the region you pass in --location, and the backend it hands out can change, so if AZCM0026 comes back for the same endpoint, run nslookup again and check whether the region has moved.
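To make the diagnosis above repeatable, here is an added PowerShell example (not code from the original post, and not a Microsoft tool). It goes beyond the single endpoint in the post: for every endpoint in the azcmagent check list it resolves the name, keeps the last CNAME in the chain (the backend host, like the koreacentral cloudapp name above), looks up which Azure BGP community's prefixes cover each returned address with Get-AzBgpServiceCommunity, and compares those community values with the rule on the ExpressRoute route filter; with -Fix it appends the missing communities to that rule. It assumes Windows PowerShell (for Resolve-DnsName), the Az.Network module with an active Connect-AzAccount session, and the placeholder resource group and route filter names rg-connectivity and rf-microsoft-peering, which you replace with your own.

```powershell
# Added example (not from the original post): find which Azure BGP community each
# azcmagent endpoint resolves into and whether the ExpressRoute route filter allows it.
# Needs Windows PowerShell (Resolve-DnsName), Az.Network and an active Connect-AzAccount.
param(
    [string]$ResourceGroup   = 'rg-connectivity',      # assumption: your own resource group
    [string]$RouteFilterName = 'rf-microsoft-peering', # assumption: the filter on the circuit's Microsoft peering
    [switch]$Fix                                       # when set, write the missing communities into the rule
)

# Endpoint list copied from the azcmagent check output for eastasia.
$endpoints = @(
    'agentserviceapi.guestconfiguration.azure.com',
    'ea.his.arc.azure.com',
    'eastasia-gas.guestconfiguration.azure.com',
    'gbl.his.arc.azure.com',
    'login.microsoftonline.com',
    'login.windows.net',
    'management.azure.com',
    'pas.windows.net'
)

function ConvertTo-IPv4Number ([string]$Ip) {
    # Dotted quad -> integer, accumulated in [long] so the top bit never goes negative.
    $n = [long]0
    foreach ($b in ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()) { $n = ($n -shl 8) -bor $b }
    return $n
}

function Test-IPv4InCidr ([string]$Address, [string]$Cidr) {
    $network, $prefixLen = $Cidr -split '/'
    if ($network -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }   # IPv6 prefixes are skipped
    $mask = if ([int]$prefixLen -eq 0) { [long]0 } else { ([long]4294967295 -shl (32 - [int]$prefixLen)) -band [long]4294967295 }
    return ((ConvertTo-IPv4Number $Address) -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask)
}

# Every community/prefix pair Azure can advertise over Microsoft peering.
$bgpCommunities = Get-AzBgpServiceCommunity | ForEach-Object { $_.BgpCommunities }

function Find-BgpCommunity ([string]$Ip) {
    foreach ($c in $bgpCommunities) {
        foreach ($prefix in $c.CommunityPrefixes) {
            if (Test-IPv4InCidr -Address $Ip -Cidr $prefix) { return $c }
        }
    }
    return $null
}

# What the route filter currently lets through (a route filter carries a single rule).
$routeFilter = Get-AzRouteFilter -Name $RouteFilterName -ResourceGroupName $ResourceGroup
$rule        = $routeFilter.Rules | Select-Object -First 1
$allowed     = @($rule.Communities)
$missing     = @{}

foreach ($ep in $endpoints) {
    $answers = Resolve-DnsName -Name $ep -Type A -ErrorAction SilentlyContinue
    # Last hop of the CNAME chain (e.g. kc-gas-cses-1d.koreacentral.cloudapp.azure.com) names the backend.
    $backend = ($answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -Last 1).NameHost
    foreach ($ip in ($answers | Where-Object { $_.Type -eq 'A' }).IPAddress) {
        $community = Find-BgpCommunity $ip
        if (-not $community) {
            $label = $backend; $state = 'not an Azure prefix: reached via internet, not ExpressRoute'
        } elseif ($allowed -contains $community.CommunityValue) {
            $label = $community.CommunityName; $state = 'allowed by route filter'
        } else {
            $label = $community.CommunityName; $state = 'MISSING from route filter'
            $missing[$community.CommunityValue] = $community.CommunityName
        }
        '{0,-48} {1,-16} {2,-40} {3}' -f $ep, $ip, $label, $state
    }
}

if ($missing.Count -gt 0) {
    "`nCommunities to add to rule '{0}' on route filter '{1}':" -f $rule.Name, $RouteFilterName
    $missing.GetEnumerator() | ForEach-Object { '  {0}  {1}' -f $_.Key, $_.Value }
    if ($Fix) {
        # Extend the existing rule's community list instead of adding a second rule.
        $routeFilter = Set-AzRouteFilterRuleConfig -RouteFilter $routeFilter -Name $rule.Name -Access Allow `
                           -RouteFilterRuleType Community -CommunityList (@($allowed) + @($missing.Keys))
        Set-AzRouteFilter -RouteFilter $routeFilter | Out-Null
        'Route filter updated; re-run "azcmagent check" after BGP has converged.'
    }
}
```

Run it on the host that fails azcmagent check, not on an admin workstation: Traffic Manager answers depend on the client's location and on backend health, so only the affected machine sees the same backend the agent is sent to. Endpoints that resolve outside any Azure BGP community are flagged as internet-reached; those are not a route filter matter.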
