Azure Serial Console stopped working with firewall enabled on storage accounts

Tapan Dewanjee 1 Reputation point
2024-03-20T14:37:41.4333333+00:00

We have had Use Serial Console set up with a custom boot diagnostics storage account with the firewall enabled for a while now, but it looks like something changed on the MS end. Right now it is not working with the firewall enabled. It works only when you allow the network. Does anyone have any information on what is causing this?

Azure Virtual Machines

2 answers

  1. Sedat SALMAN 13,160 Reputation points
    2024-03-20T14:43:58.69+00:00

    You can establish an Azure Private Link between your virtual network and the boot diagnostics storage account. This keeps traffic within the Azure network, bypassing the need for firewall exceptions while maintaining security. Setup involves some complexity.

    Or

    You can add the list of IP ranges used by the Serial Console to your allow list.

    You can find the IP list below:

    https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux


  2. kobulloc-MSFT 23,416 Reputation points Microsoft Employee
    2024-03-28T21:45:33.6233333+00:00

    Hello, @Tapan Dewanjee ! Thank you very much for following up with the open GitHub issue. I'm going to post the link as well as some comments in case anyone else finds this useful.

    I'd also like to have someone take a closer look at your resources if you are up for it. Please email the following to AzCommunity@microsoft.com and we'll get back to you promptly:

    • Subject: "Attn: kobulloc - Additional support required"
    • Email body: Your Subscription ID
    • Email body: A link to this thread so we can validate and expedite the request

    If you don't receive a response within 24 hours, please reply to the thread so we can investigate.

    If you get a moment, please accept answers as this helps increase visibility of this question for other members of the Microsoft Q&A community. Thank you for helping to improve Microsoft Q&A!



    Why has Azure Serial Console stopped working with firewall enabled on storage accounts?

    As pointed out by Tapan Dewanjee, there is an active GitHub thread tracking this issue:

    https://github.com/microsoft/azserialconsole/issues/48

    georgejdli (3/26/24) I noticed that Microsoft added a new IP address for the US regions: 20.83.222.100 (https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled). Once I added this new IP address to my Storage Account Firewall, I was able to access the serial console for my VM again.

    ondrejholas (3/11/24) Same here. It used to work before half of February 2024, then it suddenly started to behave as you described - in SA log there are accesses from private IP address, which is not contained in any of our VNETs, and with SA firewall set up in restrictive mode the serial console does not work, even if appropriate public IP addresses are allowed. We are also in North Europe datacenter.

    kraduk (2/17/24) I saw the same. It's an Azure internal infrastructure IP. If they allowed RFC 1918 in the ACL all would be good, but alas... I did try with 8.0.0.0/6, and that passed the API tests. The IP was still denied though.

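An added example, not from the thread or from Microsoft: a Python check that compares a storage account firewall rule set against the Serial Console addresses you expect to be allowed, so a newly published address (the drift georgejdli describes) shows up as missing, and RFC 1918 sources (the case kraduk and ondrejholas describe) are reported separately because an IP rule cannot cover them. The JSON shape is assumed to match the output of `az storage account show --query networkRuleSet`; the rule set and the 203.0.113.x entries are constructed.

```python
import ipaddress
import json

# Constructed sample, shaped like the networkRuleSet object (assumption).
# 203.0.113.0/24 is a documentation range, not a Serial Console address.
SAMPLE_RULE_SET = json.loads("""
{
  "defaultAction": "Deny",
  "ipRules": [
    {"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}
  ]
}
""")

# 20.83.222.100 is the address quoted in the thread; the others are constructed.
REQUIRED = ["20.83.222.100", "203.0.113.17", "10.1.2.3"]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_allow_list(rule_set, required):
    """Return (missing, private).

    missing: required public addresses not covered by any Allow IP rule.
    private: required RFC 1918 addresses, which the thread reports cannot
             be admitted through the storage account IP ACL.
    """
    if rule_set.get("defaultAction") == "Allow":
        return [], []  # firewall not restrictive, nothing is blocked
    allowed = [ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
               for r in rule_set.get("ipRules", [])
               if r.get("action", "Allow") == "Allow"]
    missing, private = [], []
    for entry in required:
        addr = ipaddress.ip_address(entry)
        if any(addr in net for net in RFC1918):
            private.append(entry)
        elif not any(addr in net for net in allowed):
            missing.append(entry)
    return missing, private


if __name__ == "__main__":
    missing, private = audit_allow_list(SAMPLE_RULE_SET, REQUIRED)
    print("add to firewall:", missing)
    print("private sources, need Private Link or similar:", private)
```
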