Azure VM Agent proxy support/config
The Azure VM agent currently uses the system account proxy settings for communication to Azure infrastructure services.
I prefer not to give servers internet access, so I am requesting the ability to configure the Azure VM agent to use a specified proxy, rather than giving the system account internet access.
Also, the ability to use a PAC file would be advantageous.
More and more useful services use the VM agent for communication, so this is becoming more of an issue. To name a few:
- Azure Security Center
- Azure Recovery Services
- VM Diagnostics
You can now set a network security group which will block outbound access to the internet while still allowing access to specific Azure services. This is available through the feature known as Service Tags: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
Owen Davies commented
Is there still no update on this?
Adrian Walker commented
This still isn't even under review????
I found a great article on the VM agent (http://www.deployazure.com/compute/virtual-machines/azure-vm-agent-extensions-deep-dive-part-3/), even listing the special IP address you use (188.8.131.52), however when I go to add it as a user defined route (184.108.40.206/32), I get the error:
"Failed to add route 'DirectRouteToVMAgent' to route table 'XYZ'. Error: AddressPrefix 220.127.116.11/32 for route DirectRouteToVMAgent is not allowed because its in restricted address space."
Aaaaahhhhhhhhhhhhhhhhhhhh!!!!!! Why Microsoft, why. Every which way I turn, you throw a spanner in the works. You really do want us to move to AWS, don't you?
Paul Mooij commented
Likewise, the Microsoft Monitoring Agent supports a proxy server.
Please enhance Azure VM Agent accordingly!
Adrian Walker commented
Come on MS. This is CRITICAL. A MASSIVE failing that there is no way to configure proxies in the agent BEFORE the VM is stood up. It is a legal requirement for organisations in the UK to monitor internet traffic. I expect this extends to the US too. Therefore companies are obligated to direct all internet traffic.
If the Azure VM agent must go out to the internet to do its job, and as it is so important to automation, you need to get this sorted ASAP. It should be at the very top of your list. In fact it should have been done from the outset. It's such a massive failing, I can't understand why it hasn't been done.