Private endpoint as cloud witness for clustering supported?

Andrei Bathory 0 Reputation points
2023-09-14T19:07:44.4666667+00:00

Windows cluster in Azure, two VMs (for now).

Storage account, standard gen 2, with min TLS 1.0 (just in case) and network access cut (only to be done via PE).

Private endpoint lies in a nearby subnet of the source, auto-approved, DNS registered.

Tests:

  • tcp ping to private endpoint FQDN (xxx.privatelink.blob.core.windows.net) -P 443 --> works
  • tcp ping to storage account FQDN (xxx.core.windows.net) -P 443 --> also works


This means there is no issue with DNS resolution or network.

Now when I try to add the private endpoint as cloud witness (SA name, -->

  • An error occurred while validating access to Azure from cluster node 'localhost'. Verify the Azure storage account name, storage account type, storage account key, and network connectivity over HTTPS.

I see no resource online on how to set this up, whether it is supported, or anything in between.

Any ideas?


1 answer

Ramya Harinarthini_MSFT 5,351 Reputation points Microsoft Employee
    2023-09-20T15:58:02.4033333+00:00

    Andrei Bathory, apologies for the delay in response!

    Setting up a Windows cluster in Azure with a private endpoint as a cloud witness is a valid configuration, but it does require careful configuration and troubleshooting, especially if you encounter the error below. Here are some steps to troubleshoot and resolve the issue:

    An error occurred while validating access to Azure from cluster node 'localhost'. Verify the Azure storage account name, storage account type, storage account key, and network connectivity over HTTPS.

    Step 1: Check Azure Storage Account Configuration:

    • Verify that the Azure Storage Account (SA) you are using for the cloud witness is correctly configured.
    • Ensure that the storage account name and key you provided during the witness setup are accurate. You may want to regenerate the storage account key to make sure you are using the correct one.
    • Confirm that the storage account is in the same Azure region as your cluster or at least in a region that allows cross-region replication.
    • Make sure to provide the correct Azure service endpoint, core.windows.net, not privatelink.blob.core.windows.net.


    Step 2: Network Configuration:

    • Verify that the private endpoint you created is correctly configured, auto-approved, and DNS registered.
    • Double-check the subnet configuration of the private endpoint. It should be in the same virtual network and subnet as your cluster nodes.
    • Ensure that the private endpoint's DNS settings are correctly configured to resolve the storage account's FQDN (xxx.privatelink.blob.core.windows.net) to the private IP address of the private endpoint.
    • Ensure that there are no network security group (NSG) rules, route tables, or network policy on the private endpoint subnet.
    • Confirm that your cluster nodes have internet connectivity or access to Azure services over HTTPS. If you've restricted outbound traffic, make sure that the private endpoint is exempt from these restrictions.

    Step 3: TLS Version:

    • Azure requires TLS 1.2 for secure communication. While you mentioned TLS 1.0 for your storage account, ensure that TLS 1.2 is also enabled and supported for secure communication.
    • Also make sure to enable Secure transfer protocol.

    Source Link: https://learn.microsoft.com/en-us/windows-server/failover-clustering/deploy-cloud-witness#azure-storage-account-considerations-with-cloud-witness

    Hope this helps!
    Kindly let us know if the above helps or you need further assistance on this issue.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

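The checks in the answer above, as an added PowerShell example that is not part of the original answer or of any Microsoft documentation: it verifies from a cluster node that the storage account's public FQDN resolves to the private endpoint's private IP, that TCP 443 is reachable, that TLS 1.2 can be negotiated, then hardens the account (TLS 1.2 minimum, HTTPS only) and configures the witness with the core.windows.net suffix. The storage account name "contosowitness" and resource group "rg-cluster" are placeholders; the Az-module steps assume the Az.Storage module is installed and you are signed in with rights on the storage account.

```powershell
# Added example (not from the original post). Placeholders: replace both values.
$account = 'contosowitness'   # assumed storage account name
$rg      = 'rg-cluster'       # assumed resource group
# The cluster must use the public name; with a private endpoint it CNAMEs to the
# privatelink zone and then to a private IP, so the same FQDN stays valid.
$fqdn = "$account.blob.core.windows.net"

# 1. DNS: the public FQDN should end up at an RFC 1918 address (the private endpoint NIC).
$ip = (Resolve-DnsName -Name $fqdn -Type A | Where-Object { $_.Type -eq 'A' }).IPAddress |
      Select-Object -First 1
$isPrivate = ($ip -match '^10\.') -or
             ($ip -match '^172\.(1[6-9]|2\d|3[01])\.') -or
             ($ip -match '^192\.168\.')
"DNS: $fqdn -> $ip (private endpoint IP: $isPrivate)"

# 2. Network: TCP 443 from this node. A public IP with a closed firewall on the account
#    would pass DNS but fail here or at the witness validation step.
$tcp = Test-NetConnection -ComputerName $fqdn -Port 443
"TCP 443 reachable: $($tcp.TcpTestSucceeded)"

# 3. TLS: the cluster service uses the OS SChannel defaults; confirm TLS 1.2 negotiates
#    against the account, which is what matters once the minimum TLS version is raised.
$client = [System.Net.Sockets.TcpClient]::new($fqdn, 443)
$ssl = [System.Net.Security.SslStream]::new($client.GetStream())
$ssl.AuthenticateAsClient($fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
"Negotiated protocol: $($ssl.SslProtocol)"
$ssl.Dispose(); $client.Dispose()

# 4. Storage account hardening (Az module): do not leave TLS 1.0 enabled "just in case";
#    require TLS 1.2 and HTTPS-only transfer, which the witness traffic already satisfies.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -MinimumTlsVersion TLS1_2 -EnableHttpsTrafficOnly $true | Out-Null
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value

# 5. Configure the witness. -Endpoint is the service suffix only, never the
#    privatelink name; the cluster builds <account>.blob.<endpoint> itself.
Set-ClusterQuorum -CloudWitness -AccountName $account -AccessKey $key -Endpoint 'core.windows.net'
Get-ClusterQuorum | Format-List Cluster, QuorumResource, QuorumType
```

Run steps 1 to 3 on each cluster node, since the validation error names the node it ran on and each node needs its own working DNS path to the private endpoint.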
