Hi C Slone,
Thanks for reaching out to Microsoft Q&A.
Please check that all of the parameters below look good.
- DSC Configuration URL Format: Ensure that the URL for the .ps1.zip file is correctly formatted to use the private link FQDN. It must follow the private link endpoint's FQDN and include the correct blob path.
- Network Security Group (NSG) and Firewall: Double-check the NSG rules applied to the subnet and any firewall rules on the storage account. Even though you've whitelisted the subnet, NSG or firewall rules might still restrict traffic.
- VM System-Assigned Managed Identity (if applicable): If you're using a system-assigned managed identity for the VM to access the storage blob, confirm that the identity has the necessary role assignments (e.g., "Storage Blob Data Reader") on the storage account.
- Private Endpoint DNS Resolution: Though you verified the private IP via nslookup, ensure that the DNS settings on the VM point to the correct DNS server for name resolution, especially if you're using custom DNS configurations. The VM might not be resolving the private endpoint correctly in the DSC extension's context.
- DSC VM Extension Logging: Examine the logs for the DSC VM Extension (found under C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC on the VM). There might be specific error messages pointing to the issue with retrieving the blob.
- Terraform Provisioning Timing: When using Terraform to provision resources, timing issues could arise where the private link or DNS configurations are not fully available when the DSC VM Extension is triggered. Consider adding dependencies or delays to ensure that the network components are fully up before the extension runs.
Possible troubleshooting steps to try:
- Testing Access:
- Since you mentioned that you could download files from the blob using its FQDN, confirm that this access is performed under similar conditions as when DSC attempts to retrieve the files.
- Use tools like Invoke-WebRequest or curl within your VM to test access to the blob URL directly.
- Logs and Diagnostics:
- Check the logs for the DSC extension in Azure Portal for any error messages that can provide more context on why it fails to retrieve the blob.
- Enable diagnostic logging on both your VM and storage account for more detailed insights.
- Public Network Access:
- Temporarily re-enable public network access for troubleshooting purposes, as you did, to confirm whether this resolves the issue.
Alternative approaches worth trying:
- Azure Automation Account: Using an Azure Automation Account can provide a more secure and robust solution for managing configurations and accessing resources securely. This method may simplify auth and access management.
- Managed Identities: Consider leveraging managed identities for Azure resources, which can simplify authentication when accessing Azure services without needing to manage credentials.
Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.
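The DNS, network and blob-fetch checks listed in the answer above, put together as an added PowerShell script to run inside the VM (example code, not from the original post or from Microsoft). It assumes the package is fetched by plain HTTPS GET (anonymous or SAS URL, not a managed-identity token); the storage account, container and zip name are placeholders, and the log path is the one named in the answer.

```powershell
# Added example: verify the DSC extension's view of the private-endpoint blob from inside the VM.
# Placeholders (assumptions): replace <account>, <container> and MyConfig.ps1.zip with your own values.
$BlobUrl = 'https://<account>.blob.core.windows.net/<container>/MyConfig.ps1.zip'
$LogRoot = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC'   # path from the answer
$fqdn    = ([Uri]$BlobUrl).Host

# 1. DNS: the public FQDN should CNAME through the privatelink zone to a private IP.
$answers = Resolve-DnsName -Name $fqdn -ErrorAction Stop
$cname   = ($answers | Where-Object Type -eq 'CNAME').NameHost
$ip      = ($answers | Where-Object Type -eq 'A').IPAddress | Select-Object -First 1
$isPrivate = $ip -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'   # RFC 1918 ranges
"DNS: $fqdn -> $cname -> $ip (private: $isPrivate)"
if (-not $isPrivate) {
    Write-Warning "Resolves to a public IP: check the privatelink DNS zone link and the VM's DNS servers."
}

# 2. Network path: TCP 443 to the resolved name (catches NSG / storage firewall blocks).
$tcp = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue
"TCP 443 reachable: $($tcp.TcpTestSucceeded)"

# 3. HTTP: request the package the way the extension does; a 403/404 here points at the
#    storage firewall, a wrong blob path, or a missing/expired SAS rather than at DNS.
try {
    $resp = Invoke-WebRequest -Uri $BlobUrl -Method Head -UseBasicParsing -ErrorAction Stop
    "HTTP: $($resp.StatusCode), Content-Length: $($resp.Headers['Content-Length'])"
} catch {
    Write-Warning "Blob fetch failed: $($_.Exception.Message)"
}

# 4. Logs: show the last error-looking lines from the newest DSC extension log file.
Get-ChildItem -Path $LogRoot -Filter *.log -Recurse -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    ForEach-Object {
        "Newest log: $($_.FullName)"
        Select-String -Path $_.FullName -Pattern 'error|fail|403|404' | Select-Object -Last 10
    }
```

Run it in an elevated PowerShell session on the VM; if steps 1 to 3 succeed but the extension still fails, the log lines in step 4 are the next place to look.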