The purpose of this post is to provide simple diagrams describing common issues Azure cloud users face when connecting to the Public Cloud Update Infrastructure with PAYG (Pay-As-You-Go) images and the solutions to these issues.
Instead of registering against the SUSE Customer Center like a traditional SUSE Linux Enterprise system, PAYG SLE systems are registered against the Public Cloud Update Infrastructure which is maintained by the SUSE Public Cloud Engineering team.
The Cloud Engineering team sets up access rules to secure and ease management of the Update Infrastructure servers. (Update Infrastructure is a general term which refers to both Update and Region servers. More about these later.) These rules prevent certain access patterns to the infrastructure servers: connections that originate from an IP address outside of the allowed ranges will fail.
Adding another layer of complexity to this issue, cloud users may “lock-down” their cloud instances and network with security rules or appliances in accordance with their organization’s security practices. These security mechanisms have the potential to prevent connections to the Region and Update servers if they do not account for update infrastructure access. The Update Infrastructure servers are not DNS resolvable, so adding a DNS hostname to a list of “allowed” hosts is not an option.
As a byproduct of the above-mentioned access controls, the Azure and SUSE support teams regularly receive support cases from cloud users requesting help with Update Infrastructure connectivity issues. Users often find themselves in this situation during initial deployment, which is a critical time for any user, as these connection problems may influence their decision to choose SUSE over another open-source alternative.
Before engaging Azure or SUSE support, check whether the problem is described by one of the scenarios outlined below. If so, please read the scenario carefully, review your configuration, and attempt to resolve the issue on your own. If you need further help or if the following scenarios do not describe your connection issue, please contact Azure or SUSE support.
Problem: Cloud user creates a closed network by blocking network traffic to all but a select number of endpoints, causing a connection problem to the Update Infrastructure servers.
Solution: Understand which hosts need to be accessed for SLE instance registration and software updates; create a new security rule to allow connections from the SLE instance to these specific hosts.
A Pay-As-You-Go SLE instance (client) must be able to connect to a Region (metadata) server during registration. The instance must also connect to an Update server to complete registration and when installing new SUSE software or applying patches.
The IP addresses of the Region servers configured for a SLE instance can be found in the “regionsrv” parameter which is located in the /etc/regionserverclnt.cfg file. During instance registration, the client asks a Region server where it can find the Update servers for its local region. The Region server responds to the client with a list of Update servers within or near the instance’s region. The client then attempts a connection to one of these Update servers and registers against the first server to respond. The IP address of the selected Update server is written to the client’s local /etc/hosts file as the
Any cloud user security measures must allow connections from the SLE instance to the Region and Update server for repository access and instance registration to work correctly.
Problem: Cloud instance network traffic is routed through user’s on-premise datacenter before reaching the Update Infrastructure servers. Region and Update servers do not respond to zypper or registration requests.
Cause: Azure Update Infrastructure servers reject connections from any host whose IP address is not within the specified range of Azure DC subnets published by Microsoft.
Solution: Create a UDR (User Defined Route) for traffic destined for the Update Infrastructure servers to circumvent the externally-bound route. From the perspective of the Region and Update server, a connection through a UDR should appear to come directly from the SLE instance.
If you are not sure whether your instance’s connection is using a valid IP address, you can find the egress IP of your instance’s connection to the Internet with this command:
sles-payg:~ # curl ifconfig.me
IP ranges currently in use by the Azure Cloud:
Public (Global) Cloud: https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519
China Cloud: https://www.microsoft.com/en-us/download/confirmation.aspx?id=57062
Germany Cloud: https://www.microsoft.com/en-us/download/confirmation.aspx?id=57064
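As an added example (not part of this post and not SUSE tooling), the following Python script performs the checks behind both scenarios offline: it reads the regionsrv list from a copy of /etc/regionserverclnt.cfg so you know which hosts a security rule must allow, and tests whether the egress IP reported by curl ifconfig.me falls inside the Azure ranges, which distinguishes the on-premise routing case from the closed-network case. It assumes the INI layout shown below and uses constructed sample data in place of the real file and the published range list.

```python
import configparser
import ipaddress

# Constructed stand-in for /etc/regionserverclnt.cfg; the INI layout with a
# [server] section and a comma-separated "regionsrv" value is an assumption.
# On a real instance use: SAMPLE_CFG = open("/etc/regionserverclnt.cfg").read()
SAMPLE_CFG = """
[server]
api = regionInfo
regionsrv = 192.0.2.10,192.0.2.11,198.51.100.5
"""

# Constructed stand-in for the Azure datacenter subnets; replace with the CIDRs
# from the published download for your cloud (Public, China or Germany).
SAMPLE_AZURE_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]


def region_servers(cfg_text):
    """Region (metadata) server IPs the client contacts first during registration.
    Scenario 1: any outbound security rule must allow traffic to each of these."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    raw = cfg.get("server", "regionsrv", fallback="")
    return [str(ipaddress.ip_address(h.strip())) for h in raw.split(",") if h.strip()]


def egress_in_azure(egress_ip, azure_cidrs):
    """True if the egress IP (what `curl ifconfig.me` printed) lies inside an Azure
    subnet; False means the Update Infrastructure servers will reject it."""
    ip = ipaddress.ip_address(egress_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in azure_cidrs)


def diagnose(cfg_text, egress_ip, azure_cidrs):
    """Map the observations onto the two scenarios described in the post."""
    servers = region_servers(cfg_text)
    result = {"region_servers": servers, "egress_ip": egress_ip}
    if not servers:
        result["likely_cause"] = "no regionsrv entries; client config is damaged"
    elif not egress_in_azure(egress_ip, azure_cidrs):
        result["likely_cause"] = "on-premise routing"  # scenario 2: add a UDR
    else:
        result["likely_cause"] = "closed network"  # scenario 1: allow the hosts above
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_CFG, "192.0.2.200", SAMPLE_AZURE_RANGES))
```

A "closed network" verdict only means the egress path is fine; the Update server IP written to /etc/hosts after registration must also be permitted by the security rule.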