You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(docs+menu): purge all invented category references; wire 7-category dispatch
- README.md, docs/validation/*, docs/reference/environment-checker.md:
remove all references to cut categories (10=SSL, 11=squatter, 12=hardware,
6=infra-device, 7=Service Bus, 8=NTP-UDP); replace with grounded 7-category set
- mkdocs.yml: fix site_description (remove "hardware") + fix site_url to azurelocal.cloud
- Start-AzlBeacon.ps1: update all Invoke-ValidationEngine category arrays to 7-
category numbering; remove ipPool prompts + squatter references from Local
Identity and Network/Firewall menu paths
Zero invented-test references remain in src/ or docs/.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013AZySkzowyq4Ne2hrSRRAL
@@ -25,9 +24,8 @@ The following validators **cannot run in WinPE** and are deferred to post-OS (St
25
24
|---|---|---|
26
25
| Active Directory | Requires RSAT AD/GPO modules | Run `Invoke-AzStackHciExternalActiveDirectoryValidation` from a domain-joined staging server |
27
26
28
-
## SSL inspection behavior
29
-
30
-
The Environment Checker detects SSL deep-inspection before testing connectivity. If the TLS chain contains a private/unknown root CA, `Invoke-AzStackHciConnectivityValidation` raises an error and aborts. Beacon's Category 10 (SSL inspection detection) runs the same check independently so you know before invoking the module.
27
+
!!! warning "SSL inspection — note"
28
+
`Invoke-AzStackHciConnectivityValidation` raises an error if it detects SSL deep-inspection (private root CA in the TLS chain). If you see this failure, work with your network team to exempt Azure Local node IPs from SSL inspection before re-running.
@@ -33,20 +41,7 @@ The endpoint sweep tests all endpoints from these sources:
33
41
!!! tip "See the full list"
34
42
See [Endpoint List](../reference/endpoints.md) for every endpoint tested.
35
43
36
-
## SSL deep-inspection detection
37
-
38
-
Category 10 detects **FortiGate SSL deep inspection** (or any transparent proxy that re-signs TLS). Azure Local **cannot deploy** through an SSL inspection device because the TLS certificate chain will not match Microsoft's expected root CAs.
39
-
40
-
If Category 10 fails:
41
-
42
-
1. Work with your network team to create a firewall bypass/exemption for Azure Local node IPs
43
-
2. Verify the exemption: Beacon re-runs Category 10 and should show the correct DigiCert/Microsoft root
44
-
45
-
## Kubernetes reserved subnets
46
-
47
-
Category 11 checks that your planned IP pool does not overlap with Kubernetes-reserved ranges:
48
-
49
-
-`10.96.0.0/12` — Kubernetes service CIDR
50
-
-`10.244.0.0/16` — Pod network CIDR
44
+
## Microsoft documentation
51
45
52
-
DNS server IPs must also not fall within these ranges.
46
+
-[Azure Local firewall requirements](https://learn.microsoft.com/azure/azure-local/concepts/firewall-requirements)
0 commit comments