MicrosoftDocs
diff --git a/‎articles/storage-mover/media/network-prerequisites/networking-topology-lrg.png‎
95.9 KB b/‎articles/storage-mover/media/network-prerequisites/networking-topology-lrg.png‎
95.9 KB
diff --git a/‎articles/storage-mover/media/network-prerequisites/networking-topology-sml.png‎
38.4 KB b/‎articles/storage-mover/media/network-prerequisites/networking-topology-sml.png‎
38.4 KB
diff --git a/‎articles/storage-mover/media/network-prerequisites/networking-topology.png‎
-88.8 KB b/‎articles/storage-mover/media/network-prerequisites/networking-topology.png‎
-88.8 KB
diff --git a/‎articles/storage-mover/media/network-prerequisites/proxy-configuration-lrg.png‎
136 KB b/‎articles/storage-mover/media/network-prerequisites/proxy-configuration-lrg.png‎
136 KB
diff --git a/‎articles/storage-mover/media/network-prerequisites/proxy-configuration-sml.png‎
55.5 KB b/‎articles/storage-mover/media/network-prerequisites/proxy-configuration-sml.png‎
55.5 KB
diff --git a/‎articles/storage-mover/media/network-prerequisites/proxy-configuration.png‎
-89.2 KB b/‎articles/storage-mover/media/network-prerequisites/proxy-configuration.png‎
-89.2 KB
diff --git a/‎articles/storage-mover/network-prerequisites.md‎
Lines changed: 15 additions & 13 deletions b/‎articles/storage-mover/network-prerequisites.md‎
Lines changed: 15 additions & 13 deletions
diff --git a/‎articles/storage-mover/network-troubleshooting.md‎
Lines changed: 86 additions & 3 deletions b/‎articles/storage-mover/network-troubleshooting.md‎
Lines changed: 86 additions & 3 deletions
@@ -46,37 +46,39 @@ A storage mover agent supports both SMB and NFS clients. The following list of p
 
 The following table provides a summary of the required services, their endpoint types, and whether private access is supported. Because your network settings must allow the Storage Mover Agent to connect over HTTPS to the service's endpoints, the Fully Qualified Domain Name (FQDN) is also included.
 
-# [Public Cloud](#tab/public)
+<!--# [Public Cloud](#tab/public)-->
 
 | Service                    | Needed For           | Supports Private Endpoints | FQDN                                               |
 |----------------------------|----------------------|----------------------------|----------------------------------------------------|
-| **MCR**                    | Agent updates        | &#10060;                   | `mcr.microsoft.com`                                |
+| **Microsoft Artifact Registry** | Agent updates   | &#10060;                   | `mcr.microsoft.com`                                |
 | **Storage Mover Service**  | Agent heartbeats and migration job assignments    | &#10060; | `<region>.agentgateway.prd.azsm.azure.com` |
 | **Event Hubs**             | Publishing copy logs | &#10060;                   | `evhns-sm-ur-prd-<region>.servicebus.windows.net`  |
-| **Azure Arc**              | Registration         | &#9989; (via Arc Private Link Scope)  | `*.guestconfiguration.azure.com` and<br />`*.his.arc.azure.com` |
-| **Entra ID**               | Registration         | &#10060;                   | `login.microsoftonline.com` and<br />`pas.windows.net` |
+| **Azure Arc**              | Registration         | &#9989; (via Arc Private Link Scope) | `*.guestconfiguration.azure.com` and<br />`*.his.arc.azure.com` |
+| **Microsoft Entra ID**     | Registration         | &#10060;                   | `login.microsoftonline.com` and<br />`pas.windows.net` |
 | **Azure Resource Manager** | Registration         | &#10060;                   | `management.azure.com`                             |
 | **Storage Account (Flat Blob)** | Job targets     | &#9989;                    | `*.blob.core.windows.net`                          |
 | **Storage Account (HNS Blob)**  | Job targets     | &#9989;                    | `*.blob.core.windows.net` and<br />`*.dfs.core.windows.net` |
 | **Storage Account (File)** | Job targets          | &#9989;                    | `*.file.core.windows.net`                          |
 | **Key Vault**              | SMB credentials      | &#9989;                    |  `*.vault.azure.net`                               |
 
+<!--
 # [Fairfax](#tab/fairfax)
 
 | Service                    | Needed For           | Supports Private Endpoints | FQDN                                                   |
 |----------------------------|----------------------|----------------------------|--------------------------------------------------------|
-| **MCR**                    | Agent updates        | &#10060;                   | `mcr.microsoft.com`                                    |
+| **Microsoft Artifact Registry** | Agent updates   | &#10060;                   | `mcr.microsoft.com`                                    |
 | **Storage Mover Service**  | Agent heartbeats and migration job assignments | &#10060; | `<region>.agentgateway.ff.azsm.azure.us`       |
 | **Event Hubs**             | Publishing copy logs | &#10060;                   | `evhns-sm-ur-ff-<region>.servicebus.usgovcloudapi.net` |
 | **Azure Arc**              | Registration         | &#9989; (via Arc Private Link Scope) | `*.guestconfiguration.azure.com` and<br />`*.his.arc.azure.com` |
-| **Entra ID**               | Registration         | &#10060;                   | `login.microsoftonline.com` and<br />`pasff.usgovcloudapi.net` |
+| **Microsoft Entra ID**     | Registration         | &#10060;                   | `login.microsoftonline.com` and<br />`pasff.usgovcloudapi.net` |
 | **Azure Resource Manager** | Registration         | &#10060;                   | `management.usgovcloudapi.net`                         |
 | **Storage Account (Flat Blob)** | Job targets     | &#9989;                    | `*.blob.core.usgovcloudapi.net`                        |
 | **Storage Account (HNS Blob)**  | Job targets     | &#9989;                    | `*.blob.core.windows.net` and<br />`*.dfs.core.usgovcloudapi.net` |
 | **Storage Account (File)** | Job targets          | &#9989;                    | `*.file.core.usgovcloudapi.net`                        |
 | **Key Vault**              | SMB credentials      | &#9989;                    |  `*.vault.usgovcloudapi.net`                           |
 
 ---
+-->
 
 The following sections detail the required components, public endpoint dependencies, and networking considerations for deploying Storage Mover in a private network.
 
@@ -104,7 +106,7 @@ The following diagram illustrates an example of a resource topology for enabling
 > [!NOTE]
 > This configuration is one of many possible setups for a private network and doesn't encompass all components involved in network configuration, such as DNS, proxies, and virtual network peering.
 
-:::image type="content" source="media/network-prerequisites/networking-topology.png" alt-text="A diagram illustrating an example of a resource topology for enabling private connectivity to all endpoints that support it.":::
+:::image border="false" type="content" source="media/network-prerequisites/networking-topology-sml.png" alt-text="A diagram illustrating an example of a resource topology for enabling private connectivity to all endpoints that support it." lightbox="media/network-prerequisites/networking-topology-lrg.png":::
 
 <sup>1</sup> Arc Private Link Scopes provide access to three Arc services as shown in the image. The *Extensions* Arc service isn't used by the Storage Mover Agent. It appears muted in the image to avoid confusion.<br>
 <sup>2</sup> Arc Private Link Scopes and the three Arc services to which they connect can both be accessed directly over public endpoints. The Arc Private Link Scope can be configured to enable or disable public network access.<br>
@@ -116,10 +118,10 @@ Despite the emphasis on private networking, certain required Storage Mover servi
 
 The following endpoints *must* be accessible over public endpoints for the Storage Mover Agent to function correctly:
 
-- **MCR** for automated agent updates.
+- **Microsoft Artifact Registry** for automated agent updates.
 - **The Storage Mover Service** for agent heartbeats and job coordination.
-- **Event Hub** for publishing copy logs.
-- **AAD/Entra ID** for registration and identity management.
+- **Event Hubs** for publishing copy logs.
+- **Azure AD/Microsoft Entra ID** for registration and identity management.
 - **Azure Resource Manager** for registration and resource management.
 
 ## Arc-enabled server considerations
@@ -135,11 +137,11 @@ A Private Link Scope allows you to maintain private connectivity by facilitating
 
 Beyond the core components, there are networking considerations that can be configured to enhance the security and functionality of the Storage Mover Agent. However, these configurations are optional, depend on your specific network requirements, and might affect networking performance - especially if misconfigured.
 
-### Proxy Support
+### Proxy support
 
 The Storage Mover Agent supports external HTTP and HTTPS proxies. Configuration is done via the agent's shell within the **Network Configuration** section's **Update network configuration** menu. When prompted, select **Proxy** and enter the Fully Qualified Domain Name (FQDN) or IP address of the proxy. Include the port number if necessary. The following example illustrates the configuration steps:
 
-:::image type="content" source="media/network-prerequisites/proxy-configuration.png" alt-text="A screenshot showing the proxy configuration screen in the Storage Mover Agent.":::
+:::image type="content" source="media/network-prerequisites/proxy-configuration-sml.png" alt-text="A screenshot showing the proxy configuration screen in the Storage Mover Agent." lightbox="media/network-prerequisites/proxy-configuration-lrg.png":::
 
-### SSL Inspection
+### SSL inspection
 If your network performs SSL interception, the agent might fail to recognize modified certificates. Currently, adding custom certificates to the agent isn't supported. To avoid issues, add required endpoints to the allowlist to bypass SSL inspection. These endpoints are available in the [Networking overview](#networking-overview) section.
@@ -9,9 +9,9 @@ ms.date: 10/22/2025
 ms.custom: template-how-to
 ---
 
-# Troubleshooting network issues with the Azure Storage Mover Agent
+# Troubleshooting network issues with the Azure Storage Mover agent
 
-The Azure Storage Mover Agent is an important part of the Azure Storage Mover service, a powerful tool for seamlessly migrating data to Azure. The agent's functionality depends heavily on reliable network connectivity. When network issues arise, The Azure Storage Mover Agent provides a robust set of tools for diagnosing and resolving network issues. 
+The Azure Storage Mover agent is an important part of the Azure Storage Mover service, a powerful tool for seamlessly migrating data to Azure. The agent's functionality depends heavily on reliable network connectivity. When network issues arise, the Azure Storage Mover agent provides a robust set of tools for diagnosing and resolving network issues. 
 
 By following a structured approach, starting with configuration checks, progressing through connectivity tests, and applying endpoint diagnostics, administrators can ensure reliable operation and successful data migrations. For persistent or complex issues, the support bundle offers a path to deeper analysis and assistance from Microsoft Support. 
 
@@ -75,7 +75,7 @@ For general connectivity testing, select the **Test Network Connectivity** optio
 - Proxy usage
 
 > [!NOTE]
-> Note: This test doesn't include Storage Account or Key Vault endpoints used during job execution.
+> This test doesn't include Storage Account or Key Vault endpoints used during job execution.
 
 ### Verbose network checks
 
@@ -89,6 +89,89 @@ The `Test single endpoint connectivity` option allows you to test the connectivi
 - `traceroute` for path analysis
 - `curl` for HTTPS connectivity
 
+The following example provides sample output from the tool:
+
+```Output
+1) Show network configuration
+2) Update network configuration
+3) Test network connectivity
+4) Test network connectivity verbosely
+5) Test single endpoint connectivity
+6) Quit
+ 
+Choice: 5
+This option tests connectivity to one endpoint with your current network setup using tools like nslookup, traceroute, curl, etc.
+Provide an Azure endpoint (URL or FQDN) to test: https://mydemoaccount.blob.core.windows.net/demo-nfs4-file-share
+Run in verbose mode? [y/N] n
++----------------------------------------------------------+
+| Checking domain name resolution with nslookup... |
++----------------------------------------------------------+
+  Testing 'mydemoaccount.blob.core.windows.net'...
+ 
+Server:         203.50.10.50
+Address:        203.50.10.50#53
+ 
+Non-authoritative answer:
+mydemoaccount.blob.core.windows.net  canonical name = blob.regionprdstr03a.store.core.windows.net.
+Name:   blob.regionprdstr03a.store.core.windows.net
+Address: 203.60.14.164
+ 
++------------------------------------------------------------+
+|    Checking network path to endpoint with traceroute...    |
++------------------------------------------------------------+
+  Testing 'mydemoaccount.blob.core.windows.net' port 443 over TCP...
+ 
+traceroute to mydemoaccount.blob.core.windows.net (10.60.14.164), 30 hops max, 60 byte packets
+1  cgbslon66ca901-Te0-0-0-16-2620.network.microsoft.com (10.126.12.2)  0.401 ms  0.440 ms  0.507 ms
+2  musmtvsvcanrl1-Eth23-1.network.microsoft.com (10.10.80.2)  0.279 ms musmtvsvcanrl2-Eth23-1.network.microsoft.com (10.10.80.6)  0.267 ms musmtvsvcanrl1-Eth23-1.network.microsoft.com (10.10.80.2)  0.305 ms
+3  musmtvsvcanrb1-Eth25-1.network.microsoft.com (10.126.137.144)  0.303 ms musmtvsvcanrb3-Eth33-1.network.microsoft.com (10.126.137.156)  0.230 ms musmtvsvcanrb2-Eth25-1.network.microsoft.com (10.126.137.146)  0.279 ms
+4  musmtv005anrs2-ethernet31-1.clouddatahub.net (10.126.137.139)  0.274 ms  0.262 ms musmtvsvcanrs2-Eth30-1.network.microsoft.com (10.126.137.141)  0.250 ms
+5  10.161.128.7 (10.161.128.7)  0.123 ms 10.161.128.21 (10.161.128.21)  0.216 ms 10.161.128.7 (10.161.128.7)  0.218 ms
+6  musmtvsvcanrs1-Eth15-1-22.network.microsoft.com (10.161.128.4)  0.323 ms  0.337 ms  0.273 ms
+7  musmtvsvcanrb3-Eth29-1.network.microsoft.com (10.126.137.4)  0.329 ms musmtvsvcanrb4-Eth29-1.network.microsoft.com (10.126.137.6)  0.553 ms musmtvsvcanrb2-Eth29-1.network.microsoft.com (10.126.137.2)  0.306 ms
+8  musmtvsvcanrc2-Eth5-1.network.microsoft.com (10.126.137.9)  0.393 ms  0.326 ms musmtvsvcanrc1-Eth5-1.network.microsoft.com (10.126.137.1)  0.382 ms
+9  cusmtvsvcca901-Bu12.network.microsoft.com (10.37.12.118)  0.800 ms 10.37.12.120 (10.37.12.120)  0.870 ms  0.814 ms
+10  * * *
+11  * * *
+12  * * *
+13  cussclb21ca940-Hu0-0-0-0.network.microsoft.com (10.37.12.104)  2.850 ms cussclb21ca940-Hu0-0-0-1.network.microsoft.com (10.37.12.106)  2.126 ms cussclb21ca940-Hu0-0-0-0.network.microsoft.com (10.37.12.104)  2.560 ms
+14  cussclb21an7k1-Po92-11.network.microsoft.com (10.37.171.33)  0.787 ms  0.826 ms  0.814 ms
+15  10.37.171.70 (10.37.171.70)  1.077 ms  1.056 ms  1.040 ms
+16  dussclb21an7k1-Po21-11.network.microsoft.com (10.37.168.4)  1.221 ms  1.295 ms  1.212 ms
+17  dussclb21a7201-Po7.network.microsoft.com (169.220.17.1)  1.168 ms  1.351 ms  1.340 ms
+18  ae60-0.car01.region.ntwk.msn.net (203.44.15.46)  2.153 ms  1.319 ms  1.306 ms
+19  ae22-0.icr01.region.ntwk.msn.net (203.44.232.202)  1.382 ms ae24-0.icr02.region.ntwk.msn.net (203.44.232.204)  1.370 ms  1.717 ms
+20  be-120-0.ibr03.region.ntwk.msn.net (203.44.22.167)  17.054 ms * *
+21  be-2-0.ibr04.region.ntwk.msn.net (203.44.17.23)  16.926 ms * be-2-0.ibr03.region.ntwk.msn.net (203.44.17.21)  17.911 ms
+22  * be-5-0.ibr02.region.ntwk.msn.net (203.44.17.71)  116.530 ms  116.798 ms
+23  169.10.19.29 (169.10.19.29)  18.540 ms  18.096 ms *
+24  * 169.10.6.142 (169.10.6.142)  18.161 ms 169.10.11.182 (169.10.11.182)  18.559 ms
+25  169.10.11.174 (169.10.11.174)  17.550 ms 169.10.11.170 (169.10.11.170)  17.132 ms *
+26  * * *
+27  * * 192.98.222.143 (192.98.222.143)  15.860 ms
+28  * 127.106.199.121 (127.106.199.121)  16.719 ms 127.106.199.111 (127.106.199.111)  16.341 ms
+29  127.106.199.112 (127.106.199.112)  16.521 ms * 127.106.199.109 (127.106.199.109)  16.200 ms
+30  * * *
+ 
++------------------------------------------------+
+|   Checking HTTPS connectivity with curl...   |
++------------------------------------------------+
+  Testing 'https://mydemoaccount.blob.core.windows.net/sm-nfs4-file-share'...
+ 
+This only checks that the endpoint is physically reachable over the network, and does not attempt authentication or authorization;
+some 4XX or 5XX errors will be expected when testing certain Azure endpoints, even when the endpoints are reachable over the network.
+See https://learn.microsoft.com/en-us/azure/storage-mover/deployment-planning for more info about RBAC roles for Storage Mover resources.
+ 
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
+HTTP/1.1 409 Public access is not permitted on this storage account.
+Transfer-Encoding: chunked
+Server: Blob Service Version 1.0 Microsoft-HTTPAPI/2.0
+x-ms-request-id: 22cc22cc-dd33-ee44-ff55-66aa66aa66aa
+Date: Thu, 23 Oct 2025 21:37:01 GMT
+```
+
 ## Service and job status checks
 
 Within the `Service and job Status` menu, two tools are available for assessing the health of the agent's connection to the Storage Mover Service and the status of job executions. These tools, the **Service Communication Status** and **Job Summary, Details, and Copy logs**, help assess the Agent's registration status and job execution health.