Networking errors when enabling SQL Server by Azure Arc
When onboarding your SQL Server instance to Azure Arc, some networking prerequisites need to be met. They are documented in detail in Prerequisites – SQL Server enabled by Azure Arc | Microsoft Learn.
Some common errors when the prerequisites are not met are:
SSL Errors:
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.IO.IOException: Unable to read data from the transport connection:
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection
failed because connected host has failed to respond.. ---> System.Net.Sockets.SocketException (10060)A connection attempt failed
because the connected party did not properly respond after a period of time, or established connection failed because connected host
has failed to respond
The SSL connection could not be established, see inner exception.
---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the
remote host.. ---> System.Net.Sockets.SocketException (10054 An existing connection was forcibly closed by the remote host.
--- End of inner exception stack trace ---
at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource<System.Int32>.GetResult(Int16 token)
at System.Net.Security.SslStream.<FillHandshakeBufferAsync>g__InternalFillHandshakeBufferAsync|189_0[TIOAdapter](TIOAdapter adap, ValueTask`1 task, Int32 minSize)
SSL Error Causes:
1. Check whether the URLs listed in the prerequisites are blocked in the environment. Connectivity to the URLs listed in Troubleshoot connectivity to data processing service and telemetry endpoints – SQL Server enabled by Azure Arc | Microsoft Learn is necessary for onboarding to succeed.
2. Check whether there are any proxies or firewalls in the network path. Proxies and firewalls can perform TLS inspection, which can affect SSL/TLS connections. If a browser, curl, or openssl shows third-party software that does TLS inspection or similar, and the client does not trust the firewall certificates, it can lead to TLS/SSL issues.
Some tools to use to collect traces:
1. Test-NetConnection should succeed
Example: Test-NetConnection to test the DPS endpoint
Test-NetConnection -ComputerName san-af-yourregion-prod.azurewebsites.net -Port 443
2. Invoke-WebRequest should succeed
Example: Invoke-WebRequest -Uri https://san-af-yourregion-prod.azurewebsites.net
3. If connectivity tests fail, review your network configuration for blocked URLs, proxies, firewalls, and TLS inspection as described above. Network tracing tools can also help narrow down network configuration issues; see How to collect a network trace | Microsoft Learn.
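The checks above can be combined into one function, shown here as an added example that is not from the original post or from Microsoft: it tests TCP reachability, completes a TLS handshake, and reports who issued the certificate the client actually received. The function name Test-ArcTlsPath is hypothetical, and the host name is the post's placeholder with yourregion left for you to replace.

```powershell
# Added example, not from the original post. Test-ArcTlsPath is a hypothetical name.
function Test-ArcTlsPath {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 10000
    )
    $r = [ordered]@{
        HostName = $HostName; TcpConnected = $false; TlsHandshake = $false
        Protocol = $null; Subject = $null; Issuer = $null; ChainRoot = $null
        LocallyTrusted = $null; ChainStatus = $null; Error = $null
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        # Step 1: TCP reachability, the same thing Test-NetConnection -Port 443 checks.
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "TCP connect to ${HostName}:$Port timed out after $TimeoutMs ms"
        }
        $r.TcpConnected = $true
        # Step 2: TLS handshake. The callback accepts any certificate so an untrusted
        # certificate can still be examined; no application data is sent on this stream.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsHandshake = $true
        $r.Protocol = $ssl.SslProtocol
        # Step 3: who issued the certificate, and does this machine trust it?
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # evaluate trust only, no CRL/OCSP traffic
        $r.LocallyTrusted = $chain.Build($cert)
        $r.Subject = $cert.Subject
        $r.Issuer = $cert.Issuer
        $r.ChainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    catch {
        # Unwrap to the innermost exception, e.g. SocketException 10060 or 10054.
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        $r.Error = "$($e.GetType().Name): $($e.Message)"
    }
    finally { if ($ssl) { $ssl.Dispose() }; $client.Dispose() }
    [pscustomobject]$r
}
# Placeholder host from the post: replace "yourregion" with your Azure region.
Test-ArcTlsPath -HostName 'san-af-yourregion-prod.azurewebsites.net'
```

An Issuer or ChainRoot that names a proxy or firewall product rather than a public certificate authority points to TLS inspection in the path, and LocallyTrusted = False means this client does not trust that certificate. TcpConnected = False with a SocketException in Error corresponds to the blocked-URL case.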