New-AzGalleryApplicationVersion fails with could not establish trust relationship for the SSL/TLS secure channel #27710


Open
alvaro-vantis-pt opened this issue May 8, 2025 · 1 comment
Labels
Compute customer-reported Service Attention This issue is responsible by Azure service team.

Comments

@alvaro-vantis-pt

I am experiencing the exact same issue as described at #25676 . My blob is accessed only via private endpoints and specific subnets, and I receive the same errors whether I include "privatelink" in the blob URI or not.

In the message from @mayankdaruka-msft, there was a new feature involving a VNet integration that allows the publishing service "trusted access" to blobs in storage accounts behind a firewall/VNet. This would involve placing a managed identity on the gallery and giving the managed identity read permissions to the blob. This feature was expected to be available by the end of September 2024. As of today, May 8, 2025, I cannot find this option in any of the commands related to Gallery within the Az.Compute module, nor in the Azure Portal.

I tested allowing public access to the blob, and it worked well, but I cannot keep this active due to security concerns. What would be the solution or workaround to make this work without exposing the storage account publicly on the internet?

Thank you for your assistance.

Hi @darrens280,

The issue here is that your storage account is configured to be accessible from only certain virtual networks and/or IP addresses. Even if you are publishing from a machine in the same virtual network as the storage account, the provided SAS will not be accessible by the publishing service used to publish Gallery Applications, hence the error.

We are currently working on a VNet integration feature that allows the publishing service "trusted access" to blobs in storage accounts behind a firewall/VNet. This would involve placing a managed identity on the gallery and giving the managed identity read permissions to the blob.

This feature is currently in progress and should be available by end of September.

Originally posted by @mayankdaruka-msft in #25676
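The quoted reply above attributes the error to the storage account's network rules: when the default action is Deny, a SAS URI alone does not let the Gallery publishing service read the package. The following diagnostic is an added example, not code from the issue thread or from the Az modules; it uses the real Az.Storage cmdlet Get-AzStorageAccountNetworkRuleSet, and the resource group and account names ($rg, $sa) are placeholders you replace with your own.

```powershell
# Added example: confirm whether a storage account's network rule set is the
# reason New-AzGalleryApplicationVersion cannot fetch the package via SAS.
# $rg and $sa are placeholder values, not names from the issue.
$rg = "rg-placeholder"
$sa = "stplaceholder"

# Requires Az.Storage and an existing Connect-AzAccount session.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa

# Summarise the effective restriction in one object.
$summary = [pscustomobject]@{
    DefaultAction       = $rules.DefaultAction      # 'Deny' = only listed sources are admitted
    Bypass              = $rules.Bypass             # service exceptions, e.g. AzureServices, Logging, Metrics
    VirtualNetworkRules = @($rules.VirtualNetworkRules | ForEach-Object { $_.VirtualNetworkResourceId })
    IpRules             = @($rules.IpRules | ForEach-Object { $_.IPAddressOrRange })
}
$summary | Format-List

if ($rules.DefaultAction -eq 'Deny') {
    # Matches the condition described in the maintainer's reply: the publishing
    # service is not one of the admitted networks/IPs, so the SAS link is rejected
    # even when the publishing host itself sits inside an allowed VNet.
    Write-Host "DefaultAction is Deny: a SAS-based publish from the Gallery service is expected to fail."
    Write-Host "Keep the restriction in place and track the trusted-access / managed identity feature referenced in the thread."
} else {
    Write-Host "DefaultAction is Allow: the network rule set is not what blocks the publishing service."
}
```

Run this before opening or updating a report like the one above: the DefaultAction and rule lists give the maintainers the exact configuration that produced the error, without temporarily widening public access to the account just to test.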

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported needs-triage This is a new issue that needs to be triaged to the appropriate team. labels May 8, 2025
@isra-fel isra-fel added Compute Service Attention This issue is responsible by Azure service team. and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels May 16, 2025
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Drewm3, @TravisCragg-MSFT, @nikhilpatel909, @sandeepraichura, @hilaryw29, @GabstaMSFT, @ramankumarlive, @ushnaarshadkhan.
