Merge pull request #189611 from ronhogue/ronh-2022-02-24

PRMerger3 · web-flow · commit 8042d1986fd2 · 2022-02-26T01:08:06.000+05:30
Adding Queue Storage service to pre-reqs
diff --git a/articles/hpc-cache/hpc-cache-prerequisites.md b/articles/hpc-cache/hpc-cache-prerequisites.md
@@ -1,10 +1,10 @@
 ---
 title: Azure HPC Cache prerequisites
 description: Prerequisites for using Azure HPC Cache
-author: ekpgh
+author: ronhogue
 ms.service: hpc-cache
 ms.topic: how-to
-ms.date: 01/19/2022
+ms.date: 02/24/2022
 ms.author: rohogue
 ---
 
@@ -34,10 +34,11 @@ A paid subscription is recommended.
 
 ## Network infrastructure
 
-Two network-related prerequisites should be set up before you can use your cache:
+These network-related prerequisites need to be set up before you can use your cache:
 
 * A dedicated subnet for the Azure HPC Cache instance
 * DNS support so that the cache can access storage and other resources
+* Access from the subnet to additional Microsoft Azure infrastructure services, including NTP servers and the Azure Queue Storage service.
 
 ### Cache subnet
 
@@ -49,6 +50,8 @@ The Azure HPC Cache needs a dedicated subnet with these qualities:
 
 The best practice is to create a new subnet for each cache. You can create a new virtual network and subnet as part of creating the cache.
 
+When creating this subnet, be careful that its security settings allow access to the necessary infrastructure services mentioned later in this section. You can restrict outbound internet connectivity, but make sure that there are exceptions for the items documented here.
+
 ### DNS access
 
 The cache needs DNS to access resources outside of its virtual network. Depending on which resources you're using, you might need to set up a customized DNS server and configure forwarding between that server and Azure DNS servers:
@@ -95,6 +98,55 @@ More tips for NTP access:
 
 * You can configure which NTP server your HPC Cache uses on the **Networking** page. Read [Configure additional settings](configuration.md#customize-ntp) for more information.
 
+### Azure Queue Storage access
+
+The cache must be able to securely access the [Azure Queue Storage service](../storage/queues/storage-queues-introduction.md) from inside its dedicated subnet. Azure HPC Cache uses the queues service when communicating configuration and state information.
+
+If the cache can't access the queue service, you might see a CacheConnectivityError message when creating the cache.
+
+There are two ways to provide access:
+
+* Create an Azure Storage service endpoint in your cache subnet.
+  Read [Add a virtual network subnet](../virtual-network/virtual-network-manage-subnet.md#add-a-subnet) for instructions to add the **Microsoft.Storage** service endpoint.
+
+* Individually configure access to the Azure storage queue service domain in your network security group or other firewalls.
+
+  Add rules to permit access on these ports:
+
+  * TCP port 443 for secure traffic to any host in the domain queue.core.windows.net (`*.queue.core.windows.net`).
+
+  * TCP port 80 - used for verification of the server-side certificate. This is sometimes referred to as certificate revocation list (CRL) checking and online certificate status protocol (OCSP) communications. All of *.queue.core.windows.net uses the same certificate, and thus the same CRL/OCSP servers. The hostname is stored in the server-side SSL certificate.
+
+  Refer to the security rule tips in [NTP access](#ntp-access) for more information.
+
+  This command lists the CRL and OSCP servers that need to be permitted access. These servers must be resolvable by DNS and reachable on port 80 from the cache subnet.
+
+  ```bash
+
+  openssl s_client -connect azure.queue.core.windows.net:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -text -in /dev/stdin |egrep -i crl\|ocsp|grep URI
+
+  ```
+
+  The output looks something like this, and can change if the SSL certificate updates:
+
+  ```bash
+  OCSP - URI:http://ocsp.msocsp.com
+  CRL - URI:http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20RSA%20TLS%20CA%2002.crl
+  CRL - URI:http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20RSA%20TLS%20CA%2002.crl
+  ```
+
+You can check the subnet's connectivity by using this command from a test VM inside the subnet:
+
+```bash
+openssl s_client -connect azure.queue.core.windows.net:443 -status 2>&1 < /dev/null |grep "OCSP Response Status"
+```
+
+A successful connection gives this response:
+
+```bash
+OCSP Response Status: successful (0x0)
+```
+
 ## Permissions
 
 Check these permission-related prerequisites before starting to create your cache.
