Not able to connect to https://msk8s.api.cdp.microsoft.com. Error returned: action failed after 5 attempts

Question

Not able to connect to https://msk8s.api.cdp.microsoft.com. Error returned: action failed after 5 attempts

Saravanan Subbaiah 0

I am working to install and integrate Azure Local. I received the following error message in the validation steps

Deploy the arc unfractured management component getting below error:

Exception

Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-19T14:23:16.57+00:00
Hi Saravanan Subbaiah,

The "GuestInternetConnectivityError" you're seeing during the Arc resource bridge deployment in Azure Local means that the appliance VM can't connect to the endpoint "https://msk8s.api.cdp.microsoft.com" because of network connectivity issues. The TLS handshake timeout shows the VM is unable to set up a secure internet connection.

Here are some steps you can take to troubleshoot this issue:

Confirm that URLs required by Azure Arc resource bridge, including https://msk8s.api.cdp.microsoft.com, are reachable from the appliance VM.

Check and adjust firewall and proxy settings to allow outbound HTTPS traffic without interception or blocking.

Please check that the URLs mentioned in Outbound connectivity requirements are reachable from the Appliance VM and that the firewall/proxy settings are correct.

The firewall and proxy URLs below must be whitelisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs. The Arc resource bridge includes an appliance VM that is set up on-premises. This VM can access the local infrastructure and tag on-premises resources for guest management, enabling them to be projected into Azure Resource Manager (ARM).

Verify that the DNS Servers assigned to the Appliance VM's network adapter are correct and can successfully resolve public Microsoft domain names like msk8s.api.cdp.microsoft.com

The error message refers to a TLS handshake timeout, which may suggest that the connection is blocked or delayed due to network policies. Please check that the TLS protocol is enabled and that the network path is clear of any interruptions.

Documents:

Troubleshoot Azure Arc resource bridge issues.

Azure Arc resource bridge system requirements

I hope the above helps. Please let us know if you have any further questions on this.

Thank You!
Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-21T05:55:09.8533333+00:00

Hi Saravanan Subbaiah,

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thank You!
Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-24T07:05:32.5433333+00:00

Hi Saravanan Subbaiah,

Just checking in, if you got a chance to review my earlier response, let me know if you're still blocked with the issue.

Thank You!
Saravanan Subbaiah 0 Reputation points

2025-11-24T09:32:47.9433333+00:00

Thank you @Sina Salam and @Shraddha Pandey. nslookup to msk8s.api.cdp.microsoft.com is successful. curl returns "The Remote Server returned an error : (404) Not Found.
Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-24T11:00:11.46+00:00
HI Saravanan Subbaiah,

To resolve the error connecting to msk8s.api.cdp.microsoft.com, follow these troubleshooting steps:

Validate Endpoint URL

Double-check the API endpoint in the Portal to ensure you are using the correct, supported URL for your service or cluster.

Test Network Connectivity

In PowerShell, run:

ping msk8s.api.cdp.microsoft.com

Test-NetConnection -ComputerName msk8s.api.cdp.microsoft.com -Port 443

If these fail, review your local firewall, network security group (NSG), or proxy rules to allow outbound HTTPS (port 443)

Check Resource Provisioning

Log in to the Azure Portal and verify that the targeted resource, such as Arc resource bridge, has been provisioned and is operating in a healthy state.

If resource status is not healthy or there’s a misconfiguration, delete and re-deploy or update as needed.

Review for Known Service Issues

Check Azure Service Health (in Portal) for any outages or maintenance affecting this endpoint.

Use HTTPS (not HTTP) and include required authentication tokens if the API needs them.

Make sure to specify a full REST resource path, not just the domain

Resolve issues and errors during an AKS Arc installation

Fix known issues and errors when configuring a network in AKS Arc

I hope the above helps. Please let us know if you have any further questions on this.

Thank You!
Saravanan Subbaiah 0 Reputation points

2025-11-25T06:12:47.8566667+00:00

Thanks Shraddha. Test-NetConnection has failed. I checked this already. We have investigated the FW as well and it allows traffic to msk8s.api.cdp.microsoft.com. It appears that some of the other URLs are not allowed which we are validating one by one
Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-26T15:35:20.05+00:00

Hi Saravanan Subbaiah,

Could you please confirm if you have validated all the necessary URLs??

Thank You!
Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-27T08:29:07.1233333+00:00

Hi Saravanan Subbaiah,

Just checking in, if you got a chance to review my earlier response, let me know if you're still blocked with the issue.

Thank You!
Eric R 26 Reputation points

2025-11-27T20:46:06.8066667+00:00

Hi @Saravanan Subbaiah ,

I have kind of the same issue when trying to create an Azure Arc appliance.

It seems to be a certificate error on that website. (the error in the browser is: net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)
This seems a standardisation error which Microsoft must fix.

If someone at Microsoft read this, please fix that certificate error! Thanks!

Ignore default test questions by moderators, they seem not be able to read your message well.

(if your error states a TLS handshake error, DNS is already succesfully done! Don't go doing nslookups and checks if the firewall is blocking the traffic - even the error shows that those checks won't show anything useful! Come on people...!)

2 answers

Your answer

Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-21T05:55:09.8533333+00:00

Hi Saravanan Subbaiah,

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thank You!
Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-24T07:05:32.5433333+00:00

Hi Saravanan Subbaiah,

Just checking in, if you got a chance to review my earlier response, let me know if you're still blocked with the issue.

Thank You!
Saravanan Subbaiah 0 Reputation points

2025-11-24T09:32:47.9433333+00:00

Thank you @Sina Salam and @Shraddha Pandey. nslookup to msk8s.api.cdp.microsoft.com is successful. curl returns "The Remote Server returned an error : (404) Not Found.
Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-24T11:00:11.46+00:00

HI Saravanan Subbaiah,

To resolve the error connecting to msk8s.api.cdp.microsoft.com, follow these troubleshooting steps:

Validate Endpoint URL

Double-check the API endpoint in the Portal to ensure you are using the correct, supported URL for your service or cluster.

Test Network Connectivity

In PowerShell, run:

ping msk8s.api.cdp.microsoft.com

Test-NetConnection -ComputerName msk8s.api.cdp.microsoft.com -Port 443

If these fail, review your local firewall, network security group (NSG), or proxy rules to allow outbound HTTPS (port 443)

Check Resource Provisioning

Log in to the Azure Portal and verify that the targeted resource, such as Arc resource bridge, has been provisioned and is operating in a healthy state.

If resource status is not healthy or there’s a misconfiguration, delete and re-deploy or update as needed.

Review for Known Service Issues

Check Azure Service Health (in Portal) for any outages or maintenance affecting this endpoint.

Use HTTPS (not HTTP) and include required authentication tokens if the API needs them.

Make sure to specify a full REST resource path, not just the domain

Resolve issues and errors during an AKS Arc installation

Fix known issues and errors when configuring a network in AKS Arc

I hope the above helps. Please let us know if you have any further questions on this.

Thank You!
Saravanan Subbaiah 0 Reputation points

2025-11-25T06:12:47.8566667+00:00

Thanks Shraddha. Test-NetConnection has failed. I checked this already. We have investigated the FW as well and it allows traffic to msk8s.api.cdp.microsoft.com. It appears that some of the other URLs are not allowed which we are validating one by one
Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-26T15:35:20.05+00:00

Hi Saravanan Subbaiah,

Could you please confirm if you have validated all the necessary URLs??

Thank You!
Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator

2025-11-27T08:29:07.1233333+00:00

Hi Saravanan Subbaiah,

Just checking in, if you got a chance to review my earlier response, let me know if you're still blocked with the issue.

Thank You!
Eric R 26 Reputation points

2025-11-27T20:46:06.8066667+00:00

Hi @Saravanan Subbaiah ,

I have kind of the same issue when trying to create an Azure Arc appliance.

It seems to be a certificate error on that website. (the error in the browser is: net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)
This seems a standardisation error which Microsoft must fix.

If someone at Microsoft read this, please fix that certificate error! Thanks!

Ignore default test questions by moderators, they seem not be able to read your message well.

(if your error states a TLS handshake error, DNS is already succesfully done! Don't go doing nslookups and checks if the firewall is blocking the traffic - even the error shows that those checks won't show anything useful! Come on people...!)

Answer 1

Hello Saravanan Subbaiah,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are not able to connect to https://msk8s.api.cdp.microsoft.com. Error returned: action failed after 5 attempts.

The error shows that the appliance VM cannot reach the critical endpoint https://msk8s.api.cdp.microsoft.com, resulting in a TLS handshake timeout.

The first priority is validating outbound internet reachability from the appliance VM, as this endpoint is mandatory according to Microsoft’s Arc Resource Bridge network requirements – https://aka.ms/AAla73m.

To resolve this, begin by verifying raw outbound HTTPS connectivity from inside the Appliance VM using: curl https://msk8s.api.cdp.microsoft.com -Verbose If this fails, inspect firewall rules for TLS interception, strict outbound filtering, or SSL proxy requirements. Microsoft clearly states that Arc endpoints must be reachable without HTTPS inspection, because certificate rewriting breaks the TLS handshake – https://learn.microsoft.com/azure/azure-arc/resource-bridge/troubleshoot#network-and-proxy-issues. Additionally, confirm DNS resolution using nslookup msk8s.api.cdp.microsoft.com; misconfigured DNS or reliance on internal-only resolvers commonly causes lookup delays leading to TLS timeouts.

From there, validate that the Appliance VM’s assigned DNS servers can resolve all required public Microsoft domains and that your environment permits outbound 443 traffic to Arc onboarding endpoints listed in the official requirements – https://learn.microsoft.com/azure/azure-arc/resource-bridge/system-requirements#outbound-connectivity. If your network uses a proxy, ensure the appliance’s cloud agent (azcmagent) is configured accordingly using PowerShell via CLI:

azcmagent config set proxy.url="http://<proxy>:<port>" and confirm that authentication or whitelisting is not blocking the MSI, extension, or Kubernetes bootstrapping calls.

Finally, if connectivity checks succeed but deployment continues failing, review any upstream latency, SSL interception devices, or load balancer behavior that could cause handshake delays. Because prolonged TLS timeouts almost always indicate blocked or altered outbound traffic rather than an Arc service issue. Ensuring end-to-end reachability, correct DNS, and proxy alignment resolves the majority of these failures and allows the arcappliance deploy hci step to complete successfully.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Saravanan Subbaiah 0 Reputation points

2025-11-24T11:05:37.29+00:00

Thank you @Sina Salam. nslookup to msk8s.api.cdp.microsoft.com is successful. curl returns "The Remote Server returned an error : (404) Not Found.

Answer 2

Thanks Everyone for your support. We worked with Microsoft to resolve this. Here is the summary

Symptom: Azure Local Cluster Deployment failure at MocArb step.

Cause: The Default Gateway for the Cluster and its components such as the KVA had routing issues which dint allow internet traffic back into the KVA.

Resolution: We worked on checking the network setup of the cluster and found VLAN xxx used for KVA while the Physical Node was on VLAN 0. Collected a network trace from the host during a deployment run that failed where we could see retransmits for the msk8s address and hence confirming the core switch gateway dropping the packets.

Once the routing was fixed along with other identified VLAN mismatch issues identified the deployment was successful and the cluster successfully deployed

Share via

Not able to connect to https://msk8s.api.cdp.microsoft.com. Error returned: action failed after 5 attempts

2 answers

Your answer