VM stuck in "Updating" when NSG rule restricts outbound internet connectivity

An Azure VM may experience the following symptoms if you have a network security group (NSG) rule configured to deny outbound internet connectivity:

  1. When you create a new VM, the status remains on Updating.
  2. When you update a VM agent extension on an existing VM, the VM status remains on Updating.
  3. When you update a VM agent extension from Azure PowerShell, the command fails after 60 minutes with the error: Long running operation failed with status 'Failed'. ErrorCode: VMExtensionProvisioningError ErrorMessage: Multiple VM extensions failed to be provisioned on the VM. Please see the VM extension instance view for details.
  4. When you check the VM's instance view by running Get-AzureRmVM -resourcegroupname <resourcegroupname> -name <name> -status, the VMAgent section shows the message: VM Agent is unresponsive.

The VM agent requires internet connectivity to connect to Azure storage to update extension status (in a .status file in the VM's storage account) as well as to download the extensions themselves into the VM.

To restrict internet connectivity while still allowing the required VM agent connectivity, add NSG rules permitting internet connectivity to only the Azure public IP address ranges for the region where the VM resides.

See the following blog post for steps to configure an NSG to allow traffic to Azure public IP ranges:

Step-by-Step: Automate Building Outbound Network Security Groups Rules via Azure Resource Manager (ARM) and PowerShell
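
One way to add the allow rules described above, as an added example rather than code from this article or the linked blog post. It assumes an authenticated AzureRM session; the resource names and priorities are placeholders, and constructed documentation CIDRs stand in for the published ranges of the VM's region.

```powershell
# Added example; resource names, priorities and CIDRs below are placeholders/assumptions.
$rgName        = '<resourcegroupname>'
$nsgName       = '<nsgname>'     # hypothetical placeholder
$vmName        = '<name>'
$startPriority = 1000            # assumed first priority to try for the allow rules
$denyPriority  = 4000            # assumed priority of the existing deny-internet rule

# Constructed sample input (documentation ranges). Replace with the published
# Azure public IP ranges for the region where the VM resides.
$regionRanges = @('192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24')

$nsg      = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName
$outbound = @($nsg.SecurityRules | Where-Object { $_.Direction -eq 'Outbound' })
$used     = @($outbound | ForEach-Object { $_.Priority })
$names    = @($nsg.SecurityRules | ForEach-Object { $_.Name })

$priority = $startPriority
foreach ($cidr in $regionRanges) {
    $name = 'Allow-AzureRange-' + ($cidr -replace '[./]', '-')
    if ($names -contains $name) { continue }           # rule already present, skip
    while ($used -contains $priority) { $priority++ }  # avoid priority collisions
    # An allow rule only takes effect if it is evaluated before the deny rule.
    if ($priority -ge $denyPriority) {
        throw "No free priority below $denyPriority for $cidr"
    }
    Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $name `
        -Description "Allow outbound to Azure public range $cidr" `
        -Access Allow -Protocol '*' -Direction Outbound -Priority $priority `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $cidr -DestinationPortRange '*' | Out-Null
    $used += $priority
}

# Nothing is changed in Azure until the modified NSG object is written back.
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# Re-check the agent status reported in the VM's instance view.
(Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName -Status).VMAgent.Statuses |
    Select-Object DisplayStatus, Message
```

Because the script throws before writing anything back, a range list that does not fit below the deny rule leaves the NSG unchanged. A full regional range list can be long, so check the per-NSG rule limit for the subscription before running it.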

[Figure: VM status stuck on "Updating"]

[Figure: VM extensions show status "unavailable"]

[Figure: Network security group outbound security rule is configured to deny all outbound internet connectivity]