I have been struggling for the better part of a week to figure out how to enable snapshot debugging with an on premise c# app service. The app is already reporting to application insights, and capturing failures. However, no debugging images are showing up.
- I have followed these instructions to add snapshot debugging:
However, this has had no effect.
- One possible issue is that our firewall normally blocks outbound connections from our servers, and addresses / ips have to be whitelisted. Looking over the documentation here, do I need to whitelist all of these addresses for snapshot debugging? Also, I have been told that our firewall does not allow wildcards.
https://learn.microsoft.com/en-us/azure/azure-monitor/app/ip-addresses#snapshot-debugger
- I have also read about a snapshot debugger uploader that is referenced in several articles, but I can not find out where to download it, or how to configure it.
Can someone please help me figure out how to get this working? Or is there some kind of log that can tell me what’s going wrong?
- More information
The app is compiled with .net core 7, and I am using Visual Studio 2022.
2
Answers
I was able to talk with someone on the Azure Snapshot team. Turns out that the firewall was indeed the issue.
He pointed me to this article https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#service-tags-on-premises
The article details how to get the list of ips needed to update a firewall with to allow traffic through. He told us that we would need to allow for Storage tags for the snapshot debugger to work.
I wrote this code to take a look at the address ranges:
There were two problems with this for our scenario:
Neither of these options are very great for us, so we have decided to move our app services to the cloud (finally, yay) while using private links to connect back to our on premise databases.
TYVM to Paul @pharring for being so patient and gracious to answer all of my questions.
The Snapshot Debugger connects to endpoints in the AzureMonitor Service Tag range. See https://learn.microsoft.com/azure/azure-monitor/snapshot-debugger/snapshot-debugger-troubleshoot#edit-network-proxy-or-firewall-rules
You will need to modify the rules on your firewall to allow traffic to all IP addresses within the AzureMonitor ranges. See https://learn.microsoft.com/azure/virtual-network/service-tags-overview#service-tags-on-premises for instructions.
In addition to AzureMonitor, you’ll also need to allow the Storage Service Tag because snapshots (memory dumps and symbols) are uploaded to blob storage.