Remove or Mitigate DNS Dependency for Custom Script Extension
The custom script extension appears to have a dependency on DNS in order to connect to a storage account endpoint to download the specified script. I found that if I configure a VM into a virtual network with a non-existent DNS server specified, the VM has no DNS resolution and therefore the custom scripts fail to download with "The remote name could not be resolved" errors for the storage endpoint. Granted, if one is careful to make DNS available, this could be avoided, but there are a variety of (mainly unintended) scenarios where DNS might not work in a new VM, and therefore break CSE. At the very least, some validation would help to warn or prevent deployment in detectable scenarios.
Andrew Herbert commented
This scenario can also fail if there are internet-traffic-limiting NSG rules and/or local firewall rules (for example when a VM is domain-joined, which pushes local firewall rules via Group Policy).
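An added example, not part of the original post or comment and not Microsoft's code: a PowerShell check, run inside the VM, that separates the DNS failure described in the post from the NSG or local firewall blocking described in the comment. The function name `Test-ScriptEndpoint` and the storage host name are assumptions made for illustration.

```powershell
# Added example. Test-ScriptEndpoint is a hypothetical helper name; the
# host name in the usage line is a constructed placeholder.
function Test-ScriptEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    $r = [ordered]@{ HostName = $HostName; Addresses = @(); TcpOpen = $false; Diagnosis = '' }

    # Step 1: name resolution. A failure here is the condition behind
    # "The remote name could not be resolved".
    try {
        $r.Addresses = @([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $r.Diagnosis = "DNS: cannot resolve $HostName. Check the DNS servers configured on the virtual network."
        return [pscustomobject]$r
    }

    # Step 2: outbound TCP. The name resolves, so a failure here points at
    # NSG rules or the local firewall rather than DNS.
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        $r.TcpOpen = $task.Wait($TimeoutMs) -and $client.Connected
    } catch {
        $r.TcpOpen = $false
    } finally {
        $client.Dispose()
    }

    $r.Diagnosis = if ($r.TcpOpen) {
        "OK: $HostName resolves and accepts connections on port $Port."
    } else {
        "Network: $HostName resolves but port $Port is unreachable. Check NSG and local firewall rules."
    }
    return [pscustomobject]$r
}

# Usage with a constructed storage account name:
Test-ScriptEndpoint -HostName 'examplestorageacct.blob.core.windows.net'
```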