Problem

An Azure application whose code talks to Storage services, AppFabric services or SQL Azure encounters an exception similar to one of the following:

"A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.10.10.10:443"

or

"A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.)"

Note: The IP address and port number could be any combination, depending on the service the application is trying to connect to.

 

Symptoms

  • You are running the Windows Azure service in the Compute Emulator environment
  • The application is talking to the Storage service, to other Azure services such as Service Bus, Access Control & Cache, or to SQL Azure
  • The firewall allows communication to the target services, and telnet commands confirm that the computer running the program can connect to the target service without any issue

   Note: If the computer is unable to reach target services outside Azure, then the communication issue must be resolved before going any further. This blog entry http://blogs.msdn.com/b/narahari/archive/2011/08/01/ip-range-for-windows-azure-platform-identifying-connectivity-issues.aspx has a section on identifying and troubleshooting such issues.

 

Cause

The issue happens if the machine running the program is behind a corporate proxy (or firewall?) that allows traffic only from authenticated users. By default, Azure/IIS configures the AppPool to run under “NetworkService”, so the proxy does not allow traffic coming from this account.

 

Resolution / Workarounds

There are a few ways to work around this issue.

  • At my corporate network, we use the Microsoft Firewall ISA client. Hence, I have used fwctool (from the ISA client install location), which ships with the ISA client, to explicitly allow traffic from w3wp. Below is the command I ran from the install location of the ISA client to resolve the issue.

fwctool enable /g /app:w3wp (This command allows w3wp traffic to go through firewall client program and ensures settings are applied globally, for all users)

Firewall Client Tool for ISA Server 2004
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12168

Note: If you are using a firewall client other than the Microsoft ISA client, you need to figure out a similar command that enables the traffic to go through the firewall client configured on your machine. If you are unable to find such a command, below are a few options you can use to resolve the issue.

  • Comment out the “<Sites>” section in the ServiceDefinition.csdef file when testing the application in the Compute Emulator. Once you are through with testing and ready to publish the application to the cloud, uncomment the <Sites> section.  (In my opinion this option is easier and quicker to resolve the issue)
  • Allow traffic from non-authenticated users at the proxy level (in most corporate networks, this request will be denied by administrators)
  • Use a direct internet connection, bypassing the proxy server, e.g. a USB internet connection stick, etc.
  • Programmatically change the Identity of the Application Pool that is created by Azure and configure it to run under Domain account. Download the sample application with code to change the Identity of AppPool here

 Note: A few of these techniques can also be used to resolve the issue for non-Azure web applications if you cannot change the AppPool identity to a domain account (which is easier in on-premises scenarios).
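
The last option above, sketched as an added example (this is not the sample application referenced in the list): a web role's OnStart switches its own AppPool to a domain account, but only when running in the Compute Emulator. It assumes the role runs elevated (<Runtime executionContext="elevated" /> in ServiceDefinition.csdef), that the site in <Sites> has the default name "Web", and that the two environment variable names, which are hypothetical, are visible to the role host process.

```csharp
// Added example. Requires references to Microsoft.Web.Administration.dll
// (%windir%\System32\inetsrv) and Microsoft.WindowsAzure.ServiceRuntime.dll.
using System;
using System.Linq;
using Microsoft.Web.Administration;
using Microsoft.WindowsAzure.ServiceRuntime;

public class WebRole : RoleEntryPoint
{
    public override bool OnStart()
    {
        // Only change the identity in the Compute Emulator; in the cloud the
        // default NetworkService identity stays in place.
        if (RoleEnvironment.IsEmulated)
        {
            // Hypothetical variable names. Reading the credentials from the
            // developer's environment keeps them out of source control and
            // out of the deployed package.
            string user = Environment.GetEnvironmentVariable("EMULATOR_APPPOOL_USER");
            string password = Environment.GetEnvironmentVariable("EMULATOR_APPPOOL_PASSWORD");
            if (!string.IsNullOrEmpty(user) && !string.IsNullOrEmpty(password))
                SetAppPoolIdentity(user, password);
        }
        return base.OnStart();
    }

    private static void SetAppPoolIdentity(string user, string password)
    {
        using (var serverManager = new ServerManager())
        {
            // Assumption: the role's IIS site is "<role instance id>_Web".
            string siteName = RoleEnvironment.CurrentRoleInstance.Id + "_Web";
            Site site = serverManager.Sites[siteName];
            if (site == null) return;   // e.g. <Sites> is commented out

            string poolName = site.Applications.First().ApplicationPoolName;
            ApplicationPool pool = serverManager.ApplicationPools[poolName];
            if (pool == null) return;

            // Run w3wp under an account the authenticating proxy accepts.
            pool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
            pool.ProcessModel.UserName = user;      // DOMAIN\account
            pool.ProcessModel.Password = password;
            serverManager.CommitChanges();          // persist to the IIS configuration
        }
    }
}
```

Use a low-privilege domain account for this: the AppPool, and therefore all application code in w3wp, runs with that account's rights on the development machine and toward the proxy.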

 

Applies to:

Azure applications running in compute emulator environment