Secure KMS Activation in Azure VMs: Leverage Custom Routes & Forced Tunneling

Table of Contents

Azure Virtual Machines (VMs) running Windows typically rely on Key Management Service (KMS) for activation, ensuring compliance and proper licensing within the cloud environment. However, specific network configurations, particularly when implementing forced tunneling, can disrupt this critical activation process. This article delves into the challenges posed by forced tunneling to KMS activation and provides a comprehensive solution using Azure custom routes.

Understanding Windows Activation in Azure¶

Windows operating systems deployed in Azure utilize a KMS activation model for volume licensing. This method allows Microsoft to provide a streamlined and automated way to activate numerous virtual machines without requiring individual product keys for each instance. For this system to function correctly, Azure Windows VMs must be able to communicate directly with the Azure KMS servers. These servers are hosted within Microsoft’s cloud infrastructure, and successful activation typically requires the activation request to originate from an Azure public IP address.

The seamless integration of KMS with Azure’s network ensures that VMs are activated automatically upon deployment, minimizing administrative overhead. This standard behavior is essential for maintaining the operational readiness and licensed status of your Windows Server and client OS instances within Azure. Any interruption to this communication path can lead to activation failures, displaying error messages and potentially limiting VM functionality over time.

The Challenge of Forced Tunneling¶

Forced tunneling is a networking configuration widely adopted by organizations that demand stringent security and compliance. In scenarios involving site-to-site VPN connections or Azure ExpressRoute, forced tunneling redirects all Internet-bound traffic from Azure virtual network subnets back to an on-premises network. This practice ensures that all outbound traffic from Azure VMs passes through on-premises security appliances, such as firewalls and intrusion detection systems, before reaching the public internet. It provides a centralized point for inspection, auditing, and policy enforcement, which is crucial for meeting corporate governance and regulatory requirements.

While beneficial for security, forced tunneling introduces a significant challenge for Azure KMS activation. When forced tunneling is enabled, the default routing behavior of Azure VMs changes. Instead of sending traffic destined for the Azure KMS server directly over Azure’s backbone, the activation requests are rerouted through the on-premises network. Consequently, the activation request then appears to originate from an on-premises public IP address, rather than an Azure public IP address.

Symptom: Activation Failure¶

When forced tunneling is active, Windows VMs in Azure will experience activation failures. Users might observe error messages indicating that Windows cannot be activated or that the KMS server cannot be reached. Common error codes associated with this problem include 0xC004F074, which generally signifies that the Key Management Service (KMS) host could not be reached. These errors indicate a fundamental routing issue preventing the VM from establishing a proper connection with the Azure KMS server.

The direct implication is that your Windows VMs will remain in an unlicensed state, potentially leading to reduced functionality or warnings after a grace period. This situation can impact operational stability and compliance, making it imperative to address the underlying networking conflict efficiently. The core problem is that the Azure KMS server is designed to authenticate activation requests specifically from within the Azure network infrastructure, identifying them by their Azure-native public IP origins.

Cause: Redirected Activation Traffic¶

The fundamental cause of the KMS activation failure under forced tunneling lies in the altered network path for outbound traffic. Azure Windows VMs require a direct connection to the Azure KMS server for Windows activation. A key requirement for this activation is that the activation request must appear to originate from an Azure public IP address. This design ensures that only legitimate Azure-based instances are activated, preventing misuse of the KMS service.

When forced tunneling is enabled, the default route (0.0.0.0/0) for the Azure subnet is set to point towards the Azure VPN Gateway or ExpressRoute gateway, which then forwards the traffic to the on-premises network. Therefore, any attempt by an Azure VM to contact an external service, including the Azure KMS server, is first directed to the on-premises network. From there, the request exits to the internet using the on-premises public IP address. This redirection causes the KMS server to perceive the activation request as coming from an external, non-Azure source, leading to its rejection. The KMS server does not recognize the request as legitimate, as it expects to see traffic originating from Azure’s own IP ranges.

Solution: Azure Custom Routes (User-Defined Routes - UDRs)¶

To effectively resolve the KMS activation problem in scenarios involving forced tunneling, the recommended solution is to implement Azure custom routes, also known as User-Defined Routes (UDRs). UDRs provide a powerful mechanism to override Azure’s default routing behavior, allowing administrators to define specific network paths for designated traffic flows. In this case, UDRs are used to create a direct route for activation traffic from Azure VMs to the Azure KMS server, bypassing the forced tunneling mechanism for this specific communication.

By configuring a custom route, you instruct the Azure subnet to direct traffic bound for the Azure KMS server’s IP addresses directly to the “Internet” as the next hop type. This ensures that KMS activation requests egress directly from Azure, using an Azure public IP address, fulfilling the KMS server’s requirement. All other Internet-bound traffic, not covered by the custom KMS route, will continue to adhere to the forced tunneling configuration, maintaining the desired security posture.

Identifying Azure KMS Server Endpoints¶

The first crucial step in implementing the solution is to accurately identify the IP addresses of the Azure KMS servers relevant to your Azure cloud environment. Microsoft maintains KMS servers in various Azure regions and sovereign clouds, each with its specific DNS names and IP addresses. It is imperative to include all specified IP addresses for redundancy and to ensure activation success.

The following table lists the KMS server DNS names and corresponding IP addresses for different Azure platforms:

Platform	KMS DNS	KMS IP Addresses
Azure Global	azkms.core.windows.net kms.core.windows.net	20.118.99.224, 40.83.235.53 23.102.135.246
Azure Germany	kms.core.cloudapi.de	51.4.143.248
Azure US Government	kms.core.usgovcloudapi.net azkms.core.usgovcloudapi.net	23.97.0.13 52.126.105.2
Azure China 21Vianet	azkms.core.chinacloudapi.cn kms.core.chinacloudapi.cn	159.27.28.100, 163.228.64.161 42.159.7.249

Note: For Azure Global, Azure China, and Azure US Government, it is critical to add all listed IP addresses to your custom route table. This redundancy ensures that your VMs can reach the KMS service even if one of the IP endpoints is temporarily unavailable or routing changes occur. The KMS service uses these multiple IPs to provide high availability and reliability for activation requests.

Implementing Custom Routes for Resource Manager VMs¶

The following steps detail how to configure Azure custom routes using Azure PowerShell for Resource Manager-based VMs. This process involves creating a route table, defining specific routes for the KMS server IP addresses, and then associating this route table with the subnet where your Windows VMs reside.

Prerequisites¶

Before proceeding, ensure you have the following:
* An Azure subscription with appropriate permissions to create and manage network resources (Route Tables, Virtual Networks, Subnets).
* Azure PowerShell module installed and configured on your local machine.
* The name of the Resource Group, Virtual Network, and Subnet hosting the Azure VMs experiencing activation problems.

Step-by-Step Configuration¶

1. Open Azure PowerShell and Sign In:
   Begin by launching Azure PowerShell. You need to authenticate to your Azure subscription to manage resources. Use the Connect-AzAccount cmdlet, which will prompt you to log in with your Azure credentials.

   Connect-AzAccount
   

   Ensure you select the correct subscription if you have access to multiple. You can set your subscription using Set-AzContext -SubscriptionName "YourSubscriptionName".

2. Retrieve Virtual Network Information:
   First, identify the virtual network that hosts the VMs experiencing activation issues. This step is crucial for associating the newly created route table with the correct subnet. Replace "ArmVNet-DM" with the actual names of your resource group and virtual network.

   # First, get the virtual network that hosts the VMs that have activation problems. 
   # In this example, we retrieve virtual network "ArmVNet-DM" in Resource Group "ArmVNet-DM":
   $vnet = Get-AzVirtualNetwork -ResourceGroupName "ArmVNet-DM" -Name "ArmVNet-DM"
   

   This command retrieves the details of your virtual network and stores them in the $vnet variable, which will be used in subsequent steps.

3. Create a New Route Table:
   Next, create an Azure route table. This table will contain the custom routes necessary to direct KMS traffic. Provide a meaningful name for your route table and specify the resource group and location where it should be deployed. It’s often best practice to place the route table in the same region as your virtual network.

   # Next, create a route table:
   $RouteTable = New-AzRouteTable -Name "ArmVNet-DM-KmsDirectRoute" -ResourceGroupName "ArmVNet-DM" -Location "centralus"
   

   This command initializes an empty route table. The routes will be added in the next step.

4. Configure Routes for Azure KMS Servers:
   Now, add the specific routes for the Azure KMS server IP addresses to the newly created route table. For each KMS IP address, you will create a route with an AddressPrefix set to the specific IP address followed by /32 (indicating a single host) and a NextHopType of Internet. This Internet next hop type ensures that traffic for these specific IP addresses bypasses the forced tunneling and goes directly to the public internet via Azure’s network fabric. Remember to add all relevant IP addresses for your specific Azure cloud.

   # Next, configure the route table with routes for Azure Global KMS servers:
   Add-AzRouteConfig -Name "DirectRouteToKMS" -AddressPrefix 23.102.135.246/32 -NextHopType Internet -RouteTable $RouteTable
   Add-AzRouteConfig -Name "DirectRouteToAZKMS01" -AddressPrefix 20.118.99.224/32 -NextHopType Internet -RouteTable $RouteTable
   Add-AzRouteConfig -Name "DirectRouteToAZKMS02" -AddressPrefix 40.83.235.53/32 -NextHopType Internet -RouteTable $RouteTable
   
   # If using Azure US Government, add these:
   # Add-AzRouteConfig -Name "DirectRouteToUSGovKMS01" -AddressPrefix 23.97.0.13/32 -NextHopType Internet -RouteTable $RouteTable
   # Add-AzRouteConfig -Name "DirectRouteToUSGovKMS02" -AddressPrefix 52.126.105.2/32 -NextHopType Internet -RouteTable $RouteTable
   
   # Save the changes to the route table:
   Set-AzRouteTable -RouteTable $RouteTable
   

   Each Add-AzRouteConfig command creates a highly specific route for a single IP address. The /32 CIDR ensures that these routes take precedence over broader routes, including the default route (0.0.0.0/0) enforced by forced tunneling.

5. Attach the Route Table to the Target Subnet:
   Finally, associate the configured route table with the subnet where your Windows VMs are located. This step applies the custom routing rules to all VMs within that subnet. Ensure you replace "Subnet01" with the actual name of your subnet and "10.0.0.0/24" with its correct address prefix.

   # Next, attach the route table to the subnet that hosts the VMs:
   Set-AzVirtualNetworkSubnetConfig -Name "Subnet01" -VirtualNetwork $vnet -AddressPrefix "10.0.0.0/24" -RouteTable $RouteTable
   
   # Commit the changes to the virtual network:
   Set-AzVirtualNetwork -VirtualNetwork $vnet
   

   Once these commands are executed, the custom routes will be in effect for all VMs within the specified subnet. Traffic destined for the KMS server IPs will now follow the “Internet” next hop, while all other traffic will continue to be routed via your on-premises network.

Verification and Activation¶

After configuring the custom routes, it’s essential to verify that your VMs can now reach the KMS servers and then attempt Windows activation.

1. Test Connectivity with PsPing:
   Access one of the VMs that previously had activation problems. Use a network utility like PsPing (part of Sysinternals tools, which you might need to download and install if not already present) to test connectivity to the KMS server on port 1688 (the standard KMS port).

   psping kms.core.windows.net:1688
   psping azkms.core.windows.net:1688
   

   A successful PsPing output will show Opened connection to <KMS_IP>:1688, indicating that the VM can now establish a TCP connection to the KMS server. If PsPing fails, double-check your route table configuration and ensure the correct KMS IP addresses are used. You might also want to verify that there are no local firewall rules on the VM blocking outbound traffic on port 1688.

2. Try to Activate Windows:
   Once connectivity is verified, attempt to activate Windows on your VM. You can do this through the Windows activation settings in the Control Panel or by using the slmgr command-line tool.

   slmgr /ato
   

   The slmgr /ato command attempts to activate Windows online. If successful, you will receive a message indicating that Windows has been activated successfully. If it fails, check the error message for further troubleshooting clues. You can also use slmgr /dlv to display detailed license information, which might help diagnose the issue.

   If activation still fails, consider the following:
   * Firewall: Ensure no network security groups (NSGs) on the subnet or network interfaces, or local firewalls on the VM, are blocking outbound traffic to KMS IP addresses on port 1688.
   * KMS Client Key: Verify that the correct KMS client setup key is installed on your Windows VM. You can find these keys on the Microsoft website. (slmgr /ipk <KMS_Client_Key>)
   * DNS Resolution: Ensure the VM can correctly resolve the KMS DNS names to their IP addresses.
   * Route Table Association: Confirm the route table is correctly associated with the target subnet.

Network Topology Diagram¶

To visualize the solution, consider the following simplified network topology:

```mermaid
graph TD
subgraph Azure Virtual Network
SubnetA(Azure Subnet with VMs)
RouteTable[Custom Route Table]
end

subgraph On-Premises Network
    VPN_Gateway_OnPrem(On-Premises VPN Gateway/ExpressRoute Router)
    Firewall(On-Premises Firewall)
    Internet_OnPrem(Internet Access via On-Prem)
end

subgraph Azure Infrastructure
    Azure_VPN_Gateway(Azure VPN Gateway/ExpressRoute Gateway)
    Azure_Backbone(Azure Network Backbone)
    Azure_KMS_Server(Azure KMS Server)
    Internet_Azure(Internet Access via Azure)
end

SubnetA -- Default Route (0.0.0.0/0) --> Azure_VPN_Gateway
Azure_VPN_Gateway -- Forced Tunneling --> VPN_Gateway_OnPrem
VPN_Gateway_OnPrem -- Traffic Inspection --> Firewall
Firewall -- Outbound Internet --> Internet_OnPrem

SubnetA -- Associated with --> RouteTable
RouteTable -- Custom Route (KMS IPs/32, Next Hop: Internet) --> Azure_Backbone
Azure_Backbone -- Direct Connect --> Azure_KMS_Server

Azure_KMS_Server -- Activation Traffic --> Internet_Azure
Internet_OnPrem -- Other Internet Traffic --> Internet_Azure

```

Explanation:
* The default route from SubnetA goes to Azure_VPN_Gateway, then through VPN_Gateway_OnPrem and Firewall to Internet_OnPrem. This is the forced tunneling path for most traffic.
* The Custom Route Table associated with SubnetA creates a specific override.
* Traffic destined for the Azure_KMS_Server (identified by its specific IP addresses) is directed by the custom route to Azure_Backbone with a Next Hop: Internet.
* This allows the KMS activation request to reach the Azure_KMS_Server directly through Azure’s infrastructure, ensuring it appears to originate from an Azure public IP address.

Best Practices and Considerations¶

When implementing custom routes for KMS activation, keep the following best practices and considerations in mind:

• Redundancy: Always include all listed KMS IP addresses for your Azure cloud in the custom route table. This provides redundancy and ensures activation even if one KMS endpoint is temporarily unreachable.
• Specificity: Using /32 CIDR for each KMS IP address makes the routes highly specific. This specificity is crucial as it ensures these routes take precedence over the broader default route (0.0.0.0/0) enforced by forced tunneling, without affecting other general internet traffic.
• Monitoring: Regularly monitor your Windows VM activation status. While KMS activation is typically a one-time process, occasional re-activation might be necessary, and monitoring helps catch any issues promptly.
• Azure Updates: While KMS IP addresses are generally stable, Microsoft may occasionally update them. It’s good practice to periodically review the official Microsoft documentation for any changes to KMS endpoints, especially if you encounter new activation failures.
• Documentation: Document your custom route configuration, including the KMS IP addresses used and the subnets they are applied to. This aids in troubleshooting and future maintenance.
• Alternative Activation Methods: While KMS is the standard for volume licensing in Azure, for very specific scenarios, you might consider Multiple Activation Keys (MAK). However, MAK keys require manual intervention for each VM and do not offer the same automation benefits as KMS. KMS is generally preferred for its scalability and ease of management in cloud environments.
• Network Security Groups (NSGs): Ensure that your NSG rules on the VM’s network interface or subnet allow outbound traffic on TCP port 1688 to the KMS server IP addresses. While custom routes handle the path, NSGs handle the actual permission for the traffic to flow.

Conclusion¶

Enabling forced tunneling is a powerful security measure for Azure environments, but it can inadvertently disrupt critical services like Windows KMS activation. By understanding the routing conflict and strategically implementing Azure custom routes (UDRs), you can ensure that your Azure Windows VMs remain properly activated while still adhering to your organization’s security and compliance requirements for traffic inspection. This solution provides a precise and effective way to bypass the forced tunneling for specific KMS activation traffic, maintaining the integrity and functionality of your Azure-based Windows deployments.

This approach demonstrates the flexibility and control that Azure networking offers, allowing administrators to fine-tune network behavior for optimal performance and security. Proper implementation of these steps will ensure your Windows VMs in Azure are always activated and compliant.

Do you have any experiences with KMS activation issues in forced tunneling scenarios, or have you implemented alternative solutions? Share your thoughts and questions in the comments below!