![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 1%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,190 questions
Hi C Slone,
Thanks for reaching out to Microsoft Q&A.
Pls have the below checked to see all of below parameters looks good.
- DSC Configuration URL Format: Ensure that the URL for the
.ps1.zipfile is correctly formatted to use the private link FQDN. It must follow the private link endpoint's FQDN and include the correct blob path. - Network Security Group (NSG) and Firewall: Double-check the NSG rules applied to the subnet and any firewall rules on the storage account. Even though you've whitelisted the subnet, NSG or firewall rules might still restrict traffic.
- VM System-Assigned Managed Identity (if applicable): If you're using a system-assigned managed identity for the VM to access the storage blob, confirm that the identity has the necessary role assignments (ex., "Storage Blob Data Reader") on the storage account.
- Private Endpoint DNS Resolution: Though you verified the private IP via
nslookup, ensure that the DNS settings on the VM point to the correct DNS server for name resolution, especially if you're using custom DNS configurations. The VM might not be resolving the private endpoint correctly in the DSC extension's context. - DSC VM Extension Logging: Examine the logs for the DSC VM Extension (found under
C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSCon the VM). There might be specific error messages pointing to the issue with retrieving the blob. - Terraform Provisioning Timing: When using Terraform to provision resources, timing issues could arise where the private link or DNS configurations are not fully available when the DSC VM Extension is triggered. Consider adding dependencies or delays to ensure that the network components are fully up before the extension runs.
Possible troubleshooting steps to try:
- Testing Access:
- Since you mentioned that you could download files from the blob using its FQDN, confirm that this access is performed under similar conditions as when DSC attempts to retrieve the files.
- Use tools like
Invoke-WebRequestorcurlwithin your VM to test access to the blob URL directly.
- Logs and Diagnostics:
- Check the logs for the DSC extension in Azure Portal for any error messages that can provide more context on why it fails to retrieve the blob.
- Enable diagnostic logging on both your VM and storage account for more detailed insights.
- Public Network Access:
- Temporarily re-enable public network access for troubleshooting purposes, as you did, to confirm whether this resolves the issue.
Alternative approaches worth trying:
- Azure Automation Account: Using an Azure Automation Account can provide a more secure and robust solution for managing configurations and accessing resources securely. This method may simplify auth and access management.
- Managed Identities: Consider leveraging managed identities for Azure resources, which can simplify authentication when accessing Azure services without needing to manage credentials.
Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.