Forum Discussion
hjeppesen
Mar 12, 2024 | Copper Contributor
Private Link/Endpoint and Run Command not working
Hi,
I have set up a private endpoint and it seems to be working. Both existing and new servers are added and reporting as expected over the private endpoint.
But I have issues with the RunCommand function, using PowerShell or AZ CLI.
When I run a script on a server that existed before I added the private endpoint, the run command works as expected.
But on newly added servers or servers where I reinstall the Arc Agent (testing), the run command just tries and tries and ends up with a timeout. Nothing happens on the server. The Command plug-in isn't installed, etc.
In PowerShell, I use Get-AzConnectedMachine to build an object with all machine details returned.
This is then passed to New-AzConnectedMachineRunCommand, to ensure it (hopefully) knows about the private link scope etc.
Conditional forwarders for his.arc.azure.com, guestconfiguration.azure.com and kubernetesconfiguration.azure.com have been set up.
All FQDNs in "DNS configuration" found in the Private Endpoint Connections for the link also resolve to the expected internal IP.
Any suggestions to what I'm missing or should look at?
Servers (lab) currently have full internet access, so no blockers there.
Thanks,
-Heine
- vimal_raj1984hotmail | Copper Contributor
Hi,
Please execute
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
in PowerShell before executing any other command or script. It will work.
Please consider the following:
- Command Plug Installation:
  - Ensure that the Command Plug is installed on the affected servers. The Arc Agent might not automatically install all required components after reinstallation. You can manually verify or reinstall the Command Plug.
- Private Endpoint Configuration:
  - Double-check the Private Endpoint DNS configuration. Ensure that all required FQDNs (e.g., his.arc.azure.com, guestconfiguration.azure.com, kubernetesconfiguration.azure.com) resolve correctly to the private IPs.
  - Validate that the Conditional Forwarders are correctly set up and associated with the appropriate virtual network.
- Network Security Groups (NSGs):
  - Review the NSG rules for the subnet where the private endpoint is located. Ensure that outbound traffic to the required Azure services is allowed.
- User-Defined Routes (UDRs):
  - Verify that the UDRs are correctly configured to route traffic to the private endpoint. Misconfigured routes can cause connectivity issues.
- Arc Agent Logs:
  - Check the logs for the Arc Agent on the affected servers. They might provide insights into why the RunCommand function is failing.
- Azure Monitor and Diagnostics:
  - Use Azure Monitor to check if data is flowing through the private endpoint. Metrics like "Bytes In" and "Bytes Out" can help confirm connectivity.
- Testing with Network Watcher:
  - Use Azure Network Watcher to test connectivity from the affected servers to the private endpoint. This can help identify any DNS or routing issues.
- hjeppesen | Copper Contributor
Thanks, but the problem was due to a bug in the Azure end of Arc.
I move the Arc objects from a default resource group to their final destination, as the servers are provisioned.
Once the object got moved in Azure, the property "ProvisioningState" wasn't updated to Successful.
When that state is other than Successful, RunCommand (and many others) doesn't work.
It was fixed by the Azure team in April last year and it's working as expected.
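The thread ends with two practical lessons: the FQDNs listed under the private endpoint's "DNS configuration" must resolve to internal addresses, and an Arc machine whose ProvisioningState is not "Succeeded" (here, left stale after a resource-group move) silently fails Run Command until the platform fixes the state. The following is an added example, not code posted by anyone in this thread, that turns both into a pre-flight script run before New-AzConnectedMachineRunCommand. It assumes the Az.ConnectedMachine module with an authenticated Az context and the DnsClient module (Resolve-DnsName), and that the host it runs on uses the same DNS resolvers as the Arc server. The parameter values, the run-command name, the script body, and the PrivateLinkScopeResourceId property and -SourceScript/-Location parameter names are assumptions to check against Get-Help for your module version.

```powershell
# Added example; not code posted in this thread. Pre-flight checks for Run Command on an
# Azure Arc-enabled server behind a Private Link scope, followed by the Run Command call.
# Assumes: Az.ConnectedMachine, an authenticated Az context (Connect-AzAccount), and the
# DnsClient module on a host that uses the same DNS resolvers as the Arc server.
# Parameter values are placeholders you supply.
param(
    [Parameter(Mandatory)] [string]   $ResourceGroupName,
    [Parameter(Mandatory)] [string]   $MachineName,
    # Copy these from the private endpoint's "DNS configuration" blade, as the poster did.
    [Parameter(Mandatory)] [string[]] $PrivateEndpointFqdn,
    [string] $RunCommandName = 'ArcPreflight'
)

# TLS 1.2 for the Az calls, as suggested in the first reply (relevant on Windows PowerShell 5.1).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Test-PrivateIPv4 {
    # True if $Address is in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
    param([Parameter(Mandatory)] [ipaddress] $Address)
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-ArcPrivateDnsResolution {
    # Resolve A records for each FQDN and flag any that do not land on a private address,
    # which means the conditional forwarder / private DNS zone is not in effect for this host.
    param([Parameter(Mandatory)] [string[]] $Fqdn)
    foreach ($name in $Fqdn) {
        $ips = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } |
                 Select-Object -ExpandProperty IPAddress)
        $nonPrivate = @($ips | Where-Object { -not (Test-PrivateIPv4 $_) })
        [pscustomobject]@{
            Fqdn       = $name
            IPAddress  = ($ips -join ', ')
            AllPrivate = ($ips.Count -gt 0 -and $nonPrivate.Count -eq 0)
        }
    }
}

function Test-ArcRunCommandReadiness {
    # Gate on the condition the original poster identified as the real blocker: a machine whose
    # ProvisioningState is anything other than 'Succeeded' will not run commands, and the client
    # just retries until it times out. Fail fast with the actual state instead.
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $MachineName
    )
    $machine = Get-AzConnectedMachine -ResourceGroupName $ResourceGroupName -Name $MachineName
    if ($machine.ProvisioningState -ne 'Succeeded') {
        throw "Arc machine '$MachineName' has ProvisioningState '$($machine.ProvisioningState)'; Run Command will not work until it is 'Succeeded'."
    }
    if ($machine.Status -ne 'Connected') {
        throw "Arc agent on '$MachineName' reports status '$($machine.Status)', expected 'Connected'."
    }
    # PrivateLinkScopeResourceId is the ARM property name; assumed to be surfaced as-is by the cmdlet.
    if (-not $machine.PrivateLinkScopeResourceId) {
        Write-Warning "'$MachineName' is not attached to a Private Link scope; Arc traffic will use public endpoints."
    }
    return $machine
}

$dns = Test-ArcPrivateDnsResolution -Fqdn $PrivateEndpointFqdn
$dns | Format-Table -AutoSize
if ($dns | Where-Object { -not $_.AllPrivate }) {
    throw 'One or more private endpoint FQDNs did not resolve to a private IP; fix DNS before running commands.'
}

$machine = Test-ArcRunCommandReadiness -ResourceGroupName $ResourceGroupName -MachineName $MachineName

# Only now issue the Run Command. -SourceScript and -Location are assumed Az.ConnectedMachine
# parameter names; the script body is a harmless placeholder.
New-AzConnectedMachineRunCommand -ResourceGroupName $ResourceGroupName -MachineName $MachineName `
    -RunCommandName $RunCommandName -Location $machine.Location `
    -SourceScript 'hostname; (Get-Date).ToUniversalTime()'
```

Run it from the Arc server itself, or from an admin host that sits behind the same conditional forwarders, so the DNS check reflects what the agent actually resolves. Checking ProvisioningState before calling the run-command cmdlet turns the poster's multi-minute timeout into an immediate, diagnosable error.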