Azure Disk Encryption - Failing due to SSL/TLS secure connection

Ben Woodman 106 Reputation points
2023-07-28T09:13:53.8666667+00:00

Hi All,

Our Azure Disk Encryption keeps failing due to an error saying a secure SSL/TLS connection could not be established. From my troubleshooting it seems it is our proxy that is causing it to fail, as once uninstalled it works fine.

Does anyone know of any URLs or IP ranges that must be whitelisted for it to work? I know that login.microsoftonline.com is one of them, but does anyone know of any others that must be whitelisted for it to work?

Kind regards,

Ben


Accepted answer
  1. Sumarigo-MSFT 44,416 Reputation points Microsoft Employee
    2023-08-01T08:05:36.6866667+00:00

    @Ben Woodman I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Azure Disk Encryption - Failing due to SSL/TLS secure connection

    Error: A secure SSL/TLS connection could not be established.

    Solution: The fix for this issue was to whitelist the processes below, which were getting tunnelled via our proxy:

    • healthagent.exe
    • windowsazureguestagent.exe
    • bitlockeriaasvmextension.exe

    After whitelisting, Azure Disk Encryption started working as expected.

    Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

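The solution above is a proxy-side change: the three agent processes are excluded from the proxy so their TLS sessions go straight to the Azure endpoints. The following script, added here as an illustration and not part of the original thread or of any Microsoft tooling, runs on the affected VM and compares a direct TLS handshake to each endpoint with the same connection made through the system proxy, so you can see which path fails before changing proxy rules. The Key Vault name and the `vault.azure.net` suffix are assumptions (the thread only names login.microsoftonline.com); the process names are the ones listed in the accepted answer.

```powershell
# Added example, not from the thread: compare direct vs. proxied TLS handshakes
# to the endpoints Azure Disk Encryption needs, from inside the VM.
# Assumptions: $VaultName is your own Key Vault; the vault.azure.net suffix is
# the public-cloud Key Vault DNS suffix.

$VaultName = 'contoso-ade-kv'   # assumption: replace with your Key Vault name
$Endpoints = @(
    'login.microsoftonline.com',      # Azure AD endpoint named in the question
    "$VaultName.vault.azure.net"      # Key Vault data-plane endpoint (assumed suffix)
)

function Test-DirectTls {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    # Raw TCP socket plus a TLS handshake: no proxy is involved on this path.
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Host     = $HostName
            Path     = 'direct'
            Result   = 'OK'
            Protocol = $ssl.SslProtocol
            Issuer   = $ssl.RemoteCertificate.Issuer   # who signed the cert you actually received
        }
        $ssl.Dispose()
    } catch {
        [pscustomobject]@{ Host = $HostName; Path = 'direct'; Result = "FAIL: $($_.Exception.Message)"; Protocol = $null; Issuer = $null }
    } finally {
        $client.Dispose()
    }
}

function Test-ProxiedTls {
    param([Parameter(Mandatory)][string]$HostName)
    # Same destination, but via the system proxy, i.e. the path the agent
    # processes take when they are not whitelisted on the proxy.
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $req = [System.Net.HttpWebRequest]::Create("https://$HostName/")
    $req.Proxy   = $proxy
    $req.Method  = 'HEAD'
    $req.Timeout = 10000
    try {
        $resp   = $req.GetResponse()
        $status = "OK (HTTP $([int]$resp.StatusCode))"
        $resp.Dispose()
    } catch [System.Net.WebException] {
        # Any HTTP status from the destination proves the TLS handshake completed;
        # a WebException with no Response (for example a 'secure channel' error)
        # means the handshake itself failed on the proxied path.
        if ($_.Exception.Response) { $status = "OK (HTTP $([int]$_.Exception.Response.StatusCode))" }
        else { $status = "FAIL: $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        Host   = $HostName
        Path   = 'proxy'
        Proxy  = $proxy.GetProxy("https://$HostName/").Authority
        Result = $status
    }
}

# The processes the accepted answer whitelisted on the proxy; show whether they are running.
$AgentProcesses = 'HealthAgent', 'WindowsAzureGuestAgent', 'BitLockerIaasVmExtension'
Get-Process -Name $AgentProcesses -ErrorAction SilentlyContinue |
    Select-Object Name, Id, Path | Format-Table -AutoSize

$Endpoints | ForEach-Object { Test-DirectTls  -HostName $_ } | Format-Table -AutoSize
$Endpoints | ForEach-Object { Test-ProxiedTls -HostName $_ } | Format-Table -AutoSize
```

If the direct handshake succeeds and the proxied one fails (or the `Issuer` column shows your proxy's inspection CA rather than a public CA), the proxy is terminating or blocking the TLS session, which matches the symptom in this thread. Run it in the same security context the agents use (SYSTEM, for example via a scheduled task) if proxy authentication is per-user.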

1 additional answer

  1. SUNOJ KUMAR YELURU 13,996 Reputation points MVP
    2023-07-29T15:49:00.7666667+00:00

    Hello @Ben Woodman

    When encryption is being enabled with Azure AD credentials, the target VM must allow connectivity to both Azure Active Directory endpoints and Key Vault endpoints.

    Current Azure Active Directory authentication endpoints are maintained in sections 56 and 59 of the Microsoft 365 URLs and IP address ranges.

    • Make sure the Key Vault exists in the same region and subscription as the Virtual Machine
    • Ensure that you have set key vault advanced access policies properly
    • If you are using KEK, ensure the key exists and is enabled in Key Vault
    • Check VM name, data disks, and keys follow key vault resource naming restrictions
    • Check for any typos in the Key Vault name or KEK name in your PowerShell or CLI command

    Refer to the Azure Disk Encryption troubleshooting guide.

    If the Answer is helpful, please click `Accept Answer` and **up-vote**, so that it can help others in the community looking for help on similar topics.
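The checklist in the answer above (same region and subscription, Key Vault access policy for disk encryption, KEK present and enabled, no typos in names) can be verified in one pass with the Az PowerShell module. The script below is an added example, not from the thread and not Microsoft's own tooling; the resource group, VM, vault and key names are assumptions to be replaced with your own. It reads the VM and Key Vault resources and reports each prerequisite as pass/fail.

```powershell
# Added example, not from the thread: verify the Key Vault prerequisites for
# Azure Disk Encryption with the Az module. Requires Install-Module Az and
# Connect-AzAccount beforehand. All resource names below are assumptions.

$ResourceGroup = 'rg-ade-demo'      # assumption
$VmName        = 'vm-ade-demo'      # assumption
$VaultName     = 'contoso-ade-kv'   # assumption
$KekName       = 'ade-kek'          # assumption; set to $null if you do not use a KEK

function Test-AdeKeyVaultPrereqs {
    param(
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$VmName,
        [Parameter(Mandatory)][string]$VaultName,
        [string]$KekName
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
    $kv = Get-AzKeyVault -VaultName $VaultName
    if (-not $kv) {
        throw "Key Vault '$VaultName' not found in the current subscription (check the name for typos)."
    }

    # ARM resource IDs look like /subscriptions/<id>/resourceGroups/...; index 2 is the subscription ID.
    $vmSub = ($vm.Id         -split '/')[2]
    $kvSub = ($kv.ResourceId -split '/')[2]

    $checks = [ordered]@{
        'Key Vault in same region as VM'       = ($vm.Location -eq $kv.Location)
        'Key Vault in same subscription as VM' = ($vmSub -eq $kvSub)
        'EnabledForDiskEncryption set'         = [bool]$kv.EnabledForDiskEncryption
    }

    if ($KekName) {
        # -ErrorAction SilentlyContinue so a missing or mistyped key shows as a failed check
        # instead of aborting the run.
        $kek = Get-AzKeyVaultKey -VaultName $VaultName -Name $KekName -ErrorAction SilentlyContinue
        $checks['KEK exists in Key Vault'] = ($null -ne $kek)
        $checks['KEK is enabled']          = ($null -ne $kek -and [bool]$kek.Enabled)
    }

    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Pass = $c.Value }
    }
}

Test-AdeKeyVaultPrereqs -ResourceGroup $ResourceGroup -VmName $VmName -VaultName $VaultName -KekName $KekName |
    Format-Table -AutoSize
```

`EnabledForDiskEncryption` is the "advanced access policy" the answer refers to; it is set with `Set-AzKeyVaultAccessPolicy -VaultName <name> -EnabledForDiskEncryption`. Run the check in the subscription context that contains the VM, since a vault in another subscription will simply not be found.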