Fixing azcmagent connection failures over ExpressRoute caused by agentserviceapi.guestconfiguration.azure.com being unreachable
In the previous posts (07) and (08) we saw that, on both Windows and Linux, we eventually hit the AZCM0026: Network Error. From the error message and from further testing, it was clear that the endpoint agentserviceapi.guestconfiguration.azure.com could not be reached:
PS C:\> & "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect --service-principal-id "$ServicePrincipalId" --service-principal-secret "$ServicePrincipalClientSecret" --resource-group "$env:RESOURCE_GROUP" --tenant-id "$env:TENANT_ID" --location "$env:LOCATION" --subscription-id "$env:SUBSCRIPTION_ID" --cloud "$env:CLOUD" --correlation-id "$env:CORRELATION_ID";
INFO Connecting machine to Azure... This might take a few minutes.
INFO Testing connectivity to endpoints that are needed to connect to Azure... This might take a few minutes.
INFO Exit Code: AZCM0026: Network Error
INFO For troubleshooting, see https://aka.ms/arc/azcmerror
FATAL required endpoints unavailable: https://agentserviceapi.guestconfiguration.azure.com
PS C:\> azcmagent.exe check --location "eastasia"
INFO Testing connectivity to endpoints that are needed to connect to Azure... This might take a few minutes.
ENDPOINT |REACHABLE |PRIVATE |TLS |PROXY
https://agentserviceapi.guestconfiguration.azure.com |false |false |unknown |not used
https://ea.his.arc.azure.com |true |false |TLS 1.3 |not used
https://eastasia-gas.guestconfiguration.azure.com |true |false |TLS 1.3 |not used
https://gbl.his.arc.azure.com |true |false |TLS 1.3 |not used
https://login.microsoftonline.com |true |false |TLS 1.3 |not used
https://login.windows.net |true |false |TLS 1.3 |not used
https://management.azure.com |true |false |TLS 1.3 |not used
https://pas.windows.net |true |false |TLS 1.2 |not used
When we later worked through the problem with Microsoft support, the direction became fairly clear: it was an ExpressRoute configuration issue. In Microsoft Peering mode there is no firewall configuration involved at all. Support initially believed that the ExpressRoute circuit was missing one of the IP ranges used by Azure Arc and asked us to import that range manually.
As it turned out, a set of IP ranges was indeed missing, but it was not something that could be imported by hand. The key came when a colleague ran nslookup against the failing endpoint:
PS C:\> nslookup agentserviceapi.guestconfiguration.azure.com
Non-authoritative answer:
Name: kc-gas-cses-1d.koreacentral.cloudapp.azure.com
Address: 20.44.31.37
Aliases: agentserviceapi.guestconfiguration.azure.com
agentserviceapi.privatelink.guestconfiguration.azure.com
agentserviceapi.trafficmanager.net
ExpressRoute's Microsoft Peering has a Route Filters configuration that controls which Azure datacenters (regions) ExpressRoute traffic may flow to.
Put simply: notice the koreacentral keyword in the nslookup output? It means that, for the eastasia region, agentserviceapi.guestconfiguration.azure.com is directed to the koreacentral datacenter. Since koreacentral was not among the regions enabled in our Route Filter, the traffic had no path. After adding koreacentral to the Route Filter's allow list, we re-ran the connectivity test:
PS C:\> azcmagent.exe check --location "eastasia"
INFO Testing connectivity to endpoints that are needed to connect to Azure... This might take a few minutes.
ENDPOINT |REACHABLE |PRIVATE |TLS |PROXY
https://agentserviceapi.guestconfiguration.azure.com |true |false |TLS 1.2 |not used
https://ea.his.arc.azure.com |true |false |TLS 1.3 |not used
https://eastasia-gas.guestconfiguration.azure.com |true |false |TLS 1.3 |not used
https://gbl.his.arc.azure.com |true |false |TLS 1.3 |not used
https://login.microsoftonline.com |true |false |TLS 1.3 |not used
https://login.windows.net |true |false |TLS 1.3 |not used
https://management.azure.com |true |false |TLS 1.3 |not used
https://pas.windows.net |true |false |TLS 1.2 |not used
That cleared the last hurdle, and the Windows and Linux VMs could all be onboarded into the Azure Arc inventory normally.
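The diagnosis above (resolve the endpoint, read the region out of the CNAME target, compare it with the regions enabled in the Route Filter) can be turned into a reusable check. The following PowerShell function is an added example, not code from the original post or from Microsoft; it assumes Windows with the DnsClient module (Resolve-DnsName), and the $AllowedRegions list is an assumption you must fill in from your own Route Filter.

```powershell
# Added example (not from the original post). Walks the CNAME chain of each
# endpoint that "azcmagent check" reports, extracts the Azure region from the
# final *.<region>.cloudapp.azure.com name, and flags any region that is not
# enabled in the ExpressRoute Route Filter. Requires the Windows DnsClient module.
function Get-AzcmEndpointRegion {
    param(
        [Parameter(Mandatory)] [string[]] $Endpoint,       # URLs or FQDNs from azcmagent check
        [Parameter(Mandatory)] [string[]] $AllowedRegions  # ASSUMPTION: regions enabled in your Route Filter
    )
    foreach ($ep in $Endpoint) {
        # Accept either "https://host" or a bare host name.
        $fqdn = $ep -replace '^https?://', '' -replace '/.*$', ''

        # Resolve-DnsName returns the whole chain: CNAME records (NameHost) followed by the final A record.
        $records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
        $chain   = @($fqdn) + @($records | Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost })

        # The region is encoded in the cloudapp name, e.g. kc-gas-cses-1d.koreacentral.cloudapp.azure.com
        $region = $null
        foreach ($target in $chain) {
            if ($target -match '\.(?<region>[a-z0-9]+)\.cloudapp\.azure\.com$') {
                $region = $Matches.region
            }
        }

        if (-not $records)                         { $status = 'DNS resolution failed' }
        elseif (-not $region)                      { $status = 'no cloudapp region in chain' }
        elseif ($AllowedRegions -contains $region) { $status = 'region allowed by Route Filter' }
        else                                       { $status = 'region MISSING from Route Filter' }

        [pscustomobject]@{
            Endpoint   = $fqdn
            CnameChain = ($chain -join ' -> ')
            Region     = $region
            Status     = $status
        }
    }
}

# Usage: check the endpoints from the failing "azcmagent check" run. With the page's
# nslookup result, agentserviceapi.* resolves via koreacentral, which is not in this
# list, so it is reported as MISSING until the Route Filter is updated.
Get-AzcmEndpointRegion `
    -Endpoint 'https://agentserviceapi.guestconfiguration.azure.com',
              'https://eastasia-gas.guestconfiguration.azure.com' `
    -AllowedRegions 'eastasia', 'southeastasia' | Format-Table -AutoSize
```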