
I have been struggling for the better part of a week to figure out how to enable snapshot debugging with an on-premises C# app service. The app is already reporting to Application Insights, and capturing failures. However, no debugging images are showing up.

  1. I have followed these instructions to add snapshot debugging:

https://learn.microsoft.com/en-us/azure/azure-monitor/snapshot-debugger/snapshot-debugger-vm#configure-snapshot-collection-for-other-net-applications

However, this has had no effect.

  2. One possible issue is that our firewall normally blocks outbound connections from our servers, and addresses/IPs have to be whitelisted. Looking over the documentation here, do I need to whitelist all of these addresses for snapshot debugging? Also, I have been told that our firewall does not allow wildcards.

https://learn.microsoft.com/en-us/azure/azure-monitor/app/ip-addresses#snapshot-debugger

  3. I have also read about a snapshot debugger uploader that is referenced in several articles, but I cannot find out where to download it, or how to configure it.

Can someone please help me figure out how to get this working? Or is there some kind of log that can tell me what’s going wrong?

  4. More information
    The app is compiled with .NET Core 7, and I am using Visual Studio 2022.

2 Answers


  1. Chosen as BEST ANSWER

    I was able to talk with someone on the Azure Snapshot team. Turns out that the firewall was indeed the issue.

    He pointed me to this article https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#service-tags-on-premises

    The article details how to get the list of IPs needed to update a firewall to allow the traffic through. He told us that we would need to allow the Storage tags for the snapshot debugger to work.

    I wrote this code to take a look at the address ranges:

    # run this if not logged in: Connect-AzAccount
    # depends upon the Az.* modules; AzureRM must NOT be installed side by side

    # Turn an IPv4 prefix length (0-32) into a dotted-decimal mask, e.g. 24 -> 255.255.255.0.
    # Computing it replaces the hand-written /16../30 lookup table, which silently dropped
    # any prefix outside that range (IPv6 prefixes included) because nothing matched.
    function ConvertTo-SubnetMask {
        param([Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength)
        # mask value = 2^32 - 2^(32 - n): the top n bits set, the rest clear
        $mask = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
        (3..0 | ForEach-Object { [math]::Floor($mask / [math]::Pow(256, $_)) % 256 }) -join '.'
    }

    $serviceTags = Get-AzNetworkServiceTag -Location eastus2
    # regional Storage tags for the US regions; "Aust" is excluded because the Australia
    # region names also satisfy the case-insensitive "US" match
    $storage = $serviceTags.Values | Where-Object { $_.Name -imatch "Storage\..*US" -and $_.Name -inotmatch "Aust" }

    $storage.Properties.AddressPrefixes | ForEach-Object {
        $prefix, $length = $_ -split '/'
        if ($prefix -match ':') {
            # IPv6 prefix: there is no dotted-decimal mask form, so pass it through unchanged
            [PSCustomObject]@{ AddrBitMask = $_; AddrSubnet = $_ }
        } else {
            [PSCustomObject]@{
                AddrBitMask = $_
                AddrSubnet  = "$prefix/$(ConvertTo-SubnetMask -PrefixLength ([int]$length))"
            }
        }
    }
    

    There were two problems with this for our scenario:

    • The list is updated daily, and could change daily. That would mean that we would have to write some script to capture the changes and automatically update our FW rules. He also said that he believes some firewall vendors are including modules to account for Azure rules.
    • Many of the addresses returned were subnet wildcards, e.g. 20.157.191.0/24. Our firewall does allow these types of wildcards, but they cause significant CPU strain. The other option would be for us to write code to calculate all of the possible IP values for that subnet, and expand the list to the exact IPs.

    Neither of these options is great for us, so we have decided to move our app services to the cloud (finally, yay) while using private links to connect back to our on-premises databases.

    TYVM to Paul @pharring for being so patient and gracious to answer all of my questions.


  2. The Snapshot Debugger connects to endpoints in the AzureMonitor Service Tag range. See https://learn.microsoft.com/azure/azure-monitor/snapshot-debugger/snapshot-debugger-troubleshoot#edit-network-proxy-or-firewall-rules

    You will need to modify the rules on your firewall to allow traffic to all IP addresses within the AzureMonitor ranges. See https://learn.microsoft.com/azure/virtual-network/service-tags-overview#service-tags-on-premises for instructions.

    In addition to AzureMonitor, you’ll also need to allow the Storage Service Tag because snapshots (memory dumps and symbols) are uploaded to blob storage.

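The procedure both answers describe (pull the AzureMonitor and Storage Service Tag ranges, turn them into firewall rules, and re-check them because the list changes daily) as an added example; this is not code from the thread or from Microsoft. It reads the Service Tag JSON that Microsoft publishes for on-premises use (the file the linked service-tags-on-premises article describes), keeps only the two tags the answers name (the region eastus2 is assumed, matching the first answer's script), and emits each IPv4 prefix as a first-last address range, which most firewalls accept as a range object without a CIDR wildcard and without expanding to individual hosts. It also compares each tag's changeNumber with the value recorded on the previous run, so a scheduled job can tell whether the rules need touching at all. The function names, `$RequiredTags` and `$SampleJson` are this example's own; `$SampleJson` is a constructed, abbreviated stand-in for the real download with the same shape but made-up change numbers and documentation-range prefixes plus the 20.157.191.0/24 example quoted in the thread.

```powershell
# Added example, not code from the original thread or from Microsoft.
# $SampleJson is constructed: same shape as the published Service Tag JSON, but the
# prefixes are RFC 5737/3849 documentation ranges plus the thread's 20.157.191.0/24,
# and the change numbers are invented.
$SampleJson = @'
{
  "changeNumber": 250,
  "cloud": "Public",
  "values": [
    { "name": "AzureMonitor", "id": "AzureMonitor",
      "properties": { "changeNumber": 42, "region": "", "systemService": "AzureMonitor",
                      "addressPrefixes": [ "198.51.100.0/25", "2001:db8::/32" ] } },
    { "name": "Storage.EastUS2", "id": "Storage.EastUS2",
      "properties": { "changeNumber": 17, "region": "eastus2", "systemService": "AzureStorage",
                      "addressPrefixes": [ "20.157.191.0/24", "203.0.113.128/25" ] } },
    { "name": "Sql.EastUS2", "id": "Sql.EastUS2",
      "properties": { "changeNumber": 9, "region": "eastus2", "systemService": "AzureSQL",
                      "addressPrefixes": [ "192.0.2.0/24" ] } }
  ]
}
'@

# Tags the Snapshot Debugger talks to, per the answers above (the region is assumed).
$RequiredTags = @('AzureMonitor', 'Storage.EastUS2')

function ConvertTo-DottedQuad {
    # 32-bit integer -> "a.b.c.d", using plain arithmetic rather than shift operators
    param([Parameter(Mandatory)][uint64]$Value)
    (3..0 | ForEach-Object { [math]::Floor($Value / [math]::Pow(256, $_)) % 256 }) -join '.'
}

function ConvertTo-IPv4Range {
    # "a.b.c.d/n" -> first and last address of the block, aligned down to the block boundary
    param([Parameter(Mandatory)][string]$Cidr)
    $prefix, $length = $Cidr -split '/'
    [uint64]$value = 0
    foreach ($octet in ($prefix -split '\.')) { $value = $value * 256 + [uint64]$octet }
    [uint64]$size  = [math]::Pow(2, 32 - [int]$length)   # number of addresses in the block
    [uint64]$first = $value - ($value % $size)
    [uint64]$last  = $first + $size - 1
    [PSCustomObject]@{
        Cidr  = $Cidr
        First = ConvertTo-DottedQuad -Value $first
        Last  = ConvertTo-DottedQuad -Value $last
        Count = $size
    }
}

function Get-SnapshotDebuggerRanges {
    param(
        [Parameter(Mandatory)][string]$ServiceTagJson,
        [hashtable]$PreviousChangeNumbers = @{}      # tag name -> changeNumber recorded last run
    )
    $doc = $ServiceTagJson | ConvertFrom-Json
    foreach ($tag in ($doc.values | Where-Object { $RequiredTags -contains $_.name })) {
        # a moved changeNumber is the signal that this tag's prefixes changed since last run
        $changed = $PreviousChangeNumbers[$tag.name] -ne $tag.properties.changeNumber
        foreach ($prefix in $tag.properties.addressPrefixes) {
            if ($prefix -match ':') {
                # IPv6: not expanded here, but surfaced unchanged so it is never silently dropped
                $range = [PSCustomObject]@{ Cidr = $prefix; First = $null; Last = $null; Count = $null }
            } else {
                $range = ConvertTo-IPv4Range -Cidr $prefix
            }
            [PSCustomObject]@{
                Tag = $tag.name; TagChanged = $changed
                Cidr = $range.Cidr; First = $range.First; Last = $range.Last; Count = $range.Count
            }
        }
    }
}

# First run: nothing recorded yet, so both tags report TagChanged = True and every
# rule needs creating. Sql.EastUS2 is filtered out because it is not in $RequiredTags.
$seen = @{}
Get-SnapshotDebuggerRanges -ServiceTagJson $SampleJson -PreviousChangeNumbers $seen | Format-Table -AutoSize

# Record what was applied; a real daily job would persist this (e.g. Export-Clixml) between runs.
foreach ($tag in ($SampleJson | ConvertFrom-Json).values) {
    if ($RequiredTags -contains $tag.name) { $seen[$tag.name] = $tag.properties.changeNumber }
}

# Second run against the same file: TagChanged is False everywhere, so the firewall is left alone.
Get-SnapshotDebuggerRanges -ServiceTagJson $SampleJson -PreviousChangeNumbers $seen |
    Format-Table Tag, Cidr, First, Last, TagChanged -AutoSize
```

Feed the real download in place of `$SampleJson` by reading the file with `Get-Content -Raw`. The same functions also work on the output of `Get-AzNetworkServiceTag -Location eastus2 | ConvertTo-Json -Depth 5`, because the cmdlet's objects carry the same fields with capitalised names and PowerShell property access is case-insensitive. The `Count` column is the practical check on the "expand to exact IPs" option the first answer mentions: a /24 is 256 entries, but a /16 is 65,536, so a firewall that cannot take a range object needs that budget before the rules are generated.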