Solve Azure VM provisioning problems with restrictive NSGs applied.

Q. I created a Network Security Group on my subnet but now VMs will not provision correctly, why?

A. I have seen environments create super-restrictive Network Security Groups that basically block every communication except between machines within the subnet. When this happens, creating a VM takes a very long time, and if you look in detail you will see that the deployment gets stuck provisioning the extensions, as they require outbound HTTPS. Therefore, always enable an outbound HTTPS rule at minimum to allow full provisioning (this will also allow the VMs to update from the Internet). Also remember that you will need to manage and communicate with the VMs, so you will likely want to enable WS-Man and maybe even RDP from the set of IP addresses you will manage from. More detail on the problem associated with a deny-all rule for outbound traffic can be found at https://blogs.msdn.microsoft.com/mast/2016/04/27/vm-stuck-in-updating-when-nsg-rule-restricts-outbound-internet-connectivity/.
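To check an NSG for this condition before deploying, the following added example (not from the original article) evaluates outbound rules in priority order and reports which rule decides TCP 443 to the Internet. The rule names, priorities and the 10.0.1.0/24 subnet in the sample data are constructed, and as a simplifying assumption only the destination prefixes `*`, `Internet` and `0.0.0.0/0` are treated as covering Internet destinations.

```python
"""Audit an NSG rule set: is outbound HTTPS (TCP 443) to the Internet allowed?"""

def rule(name, priority, access, protocol, dest, ports):
    # Field names follow the securityRules objects in `az network nsg show` output.
    return {"name": name, "priority": priority, "direction": "Outbound",
            "access": access, "protocol": protocol,
            "destinationAddressPrefix": dest, "destinationPortRange": ports}

# Default outbound rules Azure adds to every NSG (evaluated last).
DEFAULTS = [
    rule("AllowVnetOutBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    rule("AllowInternetOutBound", 65001, "Allow", "*", "Internet", "*"),
    rule("DenyAllOutBound", 65500, "Deny", "*", "*", "*"),
]

def port_matches(spec, port):
    # Accepts "*", a single port ("443") or a range ("1000-2000").
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def covers_internet(prefix):
    # Simplification (assumption): only these prefixes count as Internet-wide.
    return prefix in ("*", "Internet", "0.0.0.0/0")

def outbound_https_decision(custom_rules):
    """Return (access, rule_name) for the first rule matching TCP 443 to the Internet."""
    for r in sorted(custom_rules + DEFAULTS, key=lambda r: r["priority"]):
        ports = r.get("destinationPortRanges") or [r["destinationPortRange"]]
        if (r["direction"] == "Outbound"
                and r["protocol"].lower() in ("*", "tcp")
                and covers_internet(r["destinationAddressPrefix"])
                and any(port_matches(p, 443) for p in ports)):
            return r["access"], r["name"]
    return "Deny", None

# Constructed sample: a subnet-only NSG of the kind described above.
LOCKED_DOWN = [
    rule("AllowSubnetOutbound", 100, "Allow", "*", "10.0.1.0/24", "*"),
    rule("DenyAllOutbound", 4096, "Deny", "*", "*", "*"),
]
# The same NSG with an outbound HTTPS rule placed ahead of the deny.
FIXED = LOCKED_DOWN + [rule("AllowHttpsOutbound", 200, "Allow", "Tcp", "Internet", "443")]

if __name__ == "__main__":
    for label, rules in (("locked down", LOCKED_DOWN), ("fixed", FIXED)):
        print(label, outbound_https_decision(rules))
```

A `Deny` result for an NSG attached to the subnet or NIC means extension provisioning will stall until an allow rule with a lower priority number is added.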
