MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Not working if Private Link scope is in use #109136

Closed Wiszanyel closed 11 months ago

Wiszanyel commented 1 year ago

After following the procedure, the servers are not getting connected. When I check the azcmagent log, I see the following:

time="2023-05-05T10:25:32+01:00" level=debug msg="Status Message received"
time="2023-05-05T10:25:32+01:00" level=debug msg="Cancelled change token"
time="2023-05-05T10:25:32+01:00" level=info msg="Exit Code: AZCM0026: Network Error"
time="2023-05-05T10:25:32+01:00" level=info msg="For troubleshooting, see https://aka.ms/arc/azcmerror"
time="2023-05-05T10:25:32+01:00" level=fatal msg="Private Link Scope resource ID must be provided as endpoint gbl.his.arc.azure.com is configured private"

I'm using Private Link Scope.

After running the azcmagent connect and passing the --private-link-scope parameter in the command, the server gets registered successfully.

Without this, the GPO is only installing the ARC Agent.



ManoharLakkoju-MSFT commented 1 year ago

@Wiszanyel Thanks for your feedback! We will investigate and update as appropriate.

SwathiDhanwada-MSFT commented 1 year ago

@Wiszanyel Thanks for your question. Kindly check your on-premises DNS server(s) to verify it is either forwarding to Azure DNS or is configured with appropriate A records in your private link zone. These lookup commands should return private IP addresses in your Azure virtual network. If they resolve public IP addresses, double check your machine or server and network's DNS configuration.

nslookup gbl.his.arc.azure.com
nslookup agentserviceapi.guestconfiguration.azure.com

If you are having trouble onboarding a machine or server, confirm that you've added the Azure Active Directory and Azure Resource Manager service tags to your local network firewall. The agent needs to communicate with these services over the internet until private endpoints are available for these services.
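
The DNS check described in the comment above, as an added PowerShell example that is not part of the thread or of Microsoft's onboarding scripts. The function names and the `-Resolver` parameter are hypothetical, "private" is assumed to mean the RFC 1918 ranges, and the sample answers are constructed so the logic runs offline.

```powershell
# Added example: classify the addresses the Arc endpoints resolve to.
# Assumption: "private" means RFC 1918 (10/8, 172.16/12, 192.168/16).
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-ArcEndpointResolution {
    param(
        # The two host names come from the nslookup commands in the thread.
        [string[]]$HostName = @('gbl.his.arc.azure.com',
                                'agentserviceapi.guestconfiguration.azure.com'),
        # Hypothetical hook: returns IPv4 strings for a name. Default is live DNS.
        [scriptblock]$Resolver = {
            param($n)
            Resolve-DnsName -Name $n -Type A -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } |
                ForEach-Object { $_.IPAddress }
        }
    )
    foreach ($name in $HostName) {
        # A failed lookup (NXDOMAIN, timeout) is reported as NoAnswer, not thrown.
        try { $addrs = @(& $Resolver $name) } catch { $addrs = @() }
        $public = @($addrs | Where-Object { -not (Test-PrivateIPv4 $_) })
        if ($addrs.Count -eq 0)      { $status = 'NoAnswer' }
        elseif ($public.Count -eq 0) { $status = 'Private' }
        else                         { $status = 'Public' }
        [pscustomobject]@{
            HostName  = $name
            Addresses = $addrs -join ', '
            Status    = $status
        }
    }
}

# Constructed sample answers (not real lookups): one private, one public.
$sample = @{
    'gbl.his.arc.azure.com'                        = @('10.1.0.4')
    'agentserviceapi.guestconfiguration.azure.com' = @('203.0.113.10')
}
Get-ArcEndpointResolution -Resolver { param($n) $sample[$n] } | Format-Table -AutoSize
```

Calling `Get-ArcEndpointResolution` with no arguments on the server being onboarded performs the live lookups; a `Public` or `NoAnswer` status points at the DNS forwarding or private link zone records mentioned in the comment.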

Wiszanyel commented 1 year ago

Hi, it is not that. I already fixed the issue by using the azcmagent connect command with the parameter --private-link-scope.

The issue here is that on the .\Deploy.ps1 script, the connection using private link scope doesn't exist.


Wiszanyel Becerra La Cruz



SwathiDhanwada-MSFT commented 1 year ago

@Wiszanyel I have reached out to product team on this issue. They are working on it. I will post here once I have an update about the fix.

danido95 commented 1 year ago

@SwathiDhanwada-MSFT: Hello, is there any news on this case, because we want to deploy the arc agent on around 100-200 servers and we need the private link scope too.

SwathiDhanwada-MSFT commented 11 months ago

@Wiszanyel @danido95 This issue has been fixed in the latest release. We will close the issue for now. If there are further questions, please revert and we will be glad to assist you.