How To
Summary
Errors during `apt update` indicate network connectivity issues preventing your Ubuntu system from reaching the package repositories. This includes the official Ubuntu mirrors such as the azure archive for ubuntu and the security for ubuntu as well as third-party ones at apt for datadoghq for Datadog and packages for at fluentbit` for Fluent Bit).
Objective
Errors during `apt update` indicate network connectivity issues preventing your Ubuntu system from reaching the package repositories. This includes the official Ubuntu mirrors such as the azure archive for ubuntu and the security for ubuntu as well as third-party ones at apt for datadoghq for Datadog and packages for at fluentbit` for Fluent Bit).
The problems manifest as:
- Connection timeouts on IPv4 addresses.
- "Network is unreachable" errors specifically for IPv6 addresses, suggesting IPv6 is enabled but not properly routed or functional, causing APT to attempt (and fail) IPv6 connections first before falling back to IPv4.
Common causes in Azure environments include:
- Network Security Group rules blocking outbound traffic on ports 80 (HTTP) or 443 (HTTPS).
- Lack of outbound internet access (e.g., no public IP on the VM's NIC, no NAT Gateway on the subnet, or issues with load balancers/SNAT).
- IPv6 dual-stack misconfiguration, where the system prefers IPv6 but it isn't usable.
- Firewall or virtual appliance restrictions.
- DNS resolution failures or proxy misconfigurations
These are typical for Azure VMs in private subnets or with restricted networking. To resolve, follow these troubleshooting steps in order. Run them as root (or with `sudo`).
Environment
Azure for Ubuntu
Steps
1. Verify Basic Network Connectivity
Test if your VM has any outbound access:
```
ping 8.8.8.8 Tests IP-level connectivity (Google's DNS).
ping google.com Tests DNS resolution + connectivity.
curl -v http:// to google Tests HTTP; use -v for verbose output to see connection details.
curl -v https:// to google Tests HTTPS.
```
- If pings to IPs work but domains fail: DNS issue. Check `/etc/resolv.conf` for valid nameservers (e.g., Azure's default is 168.63.129.16). Run `nslookup to Abuntu’s Azure archive` to test resolution.
- If nothing works: Proceed to Azure-specific checks (step 4).
- If it partially works (e.g., IPv4 succeeds but IPv6 fails in verbose output): IPv6 is likely the culprit (step 3).
2. Temporarily Switch to a Different Ubuntu Mirror
This can bypass mirror-specific issues. Edit `/etc/apt/sources.list` (backup first: `cp /etc/apt/sources.list /etc/apt/sources.list.bak`):
- Replace ` Abuntu’s Azure archive` ` with only the following archive for ubuntu or a regional mirror such as the COUNTRY archive for ubuntu.
- For security repo, replace security for ubuntu site similarly if needed.
Then run apt update. If it works, the issue is specific to the Azure mirror (e.g., Azure networking rules). Revert if desired after fixing the root cause.
3. Address IPv6 Issues
Since many errors involve IPv6 "network unreachable," disable it temporarily or prefer IPv4:
- Temporary disable (reverts on reboot):
```
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv6.conf.lo.disable_ipv6=1
```
- Permanent disable:
Add to `/etc/sysctl.conf`:
```
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
```
Then apply: `sysctl -p`.
- Prefer IPv4 without disabling IPv6: Edit `/etc/gai.conf` (uncomment or add):
```
precedence ::ffff:0:0/96 100
```
This makes APT favor IPv4.
After changes, run `apt update` to test. If it succeeds, IPv6 was the problem—consider leaving it disabled if not needed.
4. Check and Fix Azure Networking Configuration
Log into the Azure Portal and review your VM's settings:
- Network Security Group (NSG): Attached to the VM's NIC or subnet. Ensure outbound rules allow traffic to "Internet" or specific IPs on ports 80/443 (priority lower than deny rules). Add a rule if missing:
- Source: Any
- Destination: Service Tag "Internet"
- Ports: 80,443
- Action: Allow
- Priority: Low (e.g., 1000)
- Public IP: Assign one to the VM's NIC if missing (under Networking > IP configurations). This enables outbound access.
- Load Balancer (if used): For internal LBs, add outbound rules or enable SNAT. For external, ensure outbound is configured.
- NAT Gateway: If the subnet is private, attach a NAT Gateway (under Virtual Network > Subnets > YourSubnet > NAT Gateway).
- Firewall/Azure Firewall: If enabled, add application rules allowing ` Abuntu’s Azure archive`, `security.ubuntu`, `apt.datadoghq`, and `packages.fluentbit` on 80/443.
- Proxy: If your environment uses one, configure APT:
Edit `/etc/apt/apt.conf.d/99proxy` with:
```
Acquire::http::Proxy "http://yourproxy:port";
Acquire::https::Proxy "https://yourproxy:port";
```
Check for environment proxies: `env | grep -i proxy`. Remove if not needed.
After changes, restart the VM networking (`systemctl restart networking`) or reboot, then retry `apt update`.
Additional Information
Additional Steps if Issues Persist
- Clean APT cache: `apt clean; rm -rf /var/lib/apt/lists/; apt update`.
- Check for repo file corruption: Verify `/etc/apt/sources.list` and files in `/etc/apt/sources.list.d/` (e.g., datadog list, fluentbit list).
- Test specific repos: Run `apt update -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/datadog.list` (replace with the problematic file).
- If on a corporate/VPN network: Disconnect temporarily to test.
- Review Azure VM logs: `journalctl -u systemd-networkd` or `dmesg | grep eth` for network clues.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
22 December 2025
UID
ibm17255694