Merge pull request #231642 from halkazwini/revert-229751-revert-227288-nw-uct

Revert "Revert "Unified connection troubleshoot""

Author: American-Dipper

articles/network-watcher/media/network-watcher-connectivity-portal/bing-test-result.png

@@ -1,34 +1,70 @@
 ---
-title: Introduction to connection troubleshoot
+title: Connection troubleshoot overview
 titleSuffix: Azure Network Watcher
-description: This page provides an overview of Azure Network Watcher connection troubleshoot capability.
+description: Learn about Azure Network Watcher connection troubleshoot capability.
 services: network-watcher
 author: halkazwini
 ms.service: network-watcher
 ms.topic: conceptual
 ms.workload: infrastructure-services
-ms.date: 11/10/2022
+ms.date: 03/01/2023
 ms.author: halkazwini
+ms.custom: template-concept, engagement-fy23
 ---
 
-# Introduction to Azure Network Watcher connection troubleshoot in Azure Network Watcher
+# Connection troubleshoot overview
 
-The connection troubleshoot feature of Network Watcher provides the capability to check a direct TCP connection from a virtual machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. Network scenarios are complex, they're implemented using network security groups, firewalls, user-defined routes, and resources provided by Azure. Complex configurations make troubleshooting connectivity issues challenging. Network Watcher helps reduce the amount of time to find and detect connectivity issues. The results returned can provide insights into whether a connectivity issue is due to a platform or a user configuration issue. Connectivity can be checked with [PowerShell](network-watcher-connectivity-powershell.md), [Azure CLI](network-watcher-connectivity-cli.md), and [REST API](network-watcher-connectivity-rest.md).
+With the increase of sophisticated and high-performance workloads in Azure, there's a critical need for increased visibility and control over the operational state of complex networks running these workloads. Such complex networks are implemented using network security groups, firewalls, user-defined routes, and resources provided by Azure. Complex configurations make troubleshooting connectivity issues challenging.
+
+The connection troubleshoot feature of Azure Network Watcher helps reduce the amount of time to diagnose and troubleshoot network connectivity issues. The results returned can provide insights about the root cause of the connectivity problem and whether it's due to a platform or user configuration issue.
+
+Connection troubleshoot reduces the Mean Time To Resolution (MTTR) by providing a comprehensive method of performing all connection major checks to detect issues pertaining to network security groups, user-defined routes, and blocked ports. It provides the following results with actionable insights where a step-by-step guide or corresponding documentation is provided for faster resolution:
+
+- Connectivity test with different destination types (VM, URI, FQDN, or IP Address)
+- Configuration issues that impact reachability
+- All possible hop by hop paths from the source to destination
+- Hop by hop latency
+- Latency (minimum, maximum, and average between source and destination)
+- Graphical topology view from source to destination
+- Number of probes failed during the connection troubleshoot check
+
+## Supported source and destination types
+
+Connection troubleshoot provides the capability to check TCP or ICMP connections from any of these Azure resources:
+
+- Virtual machines
+- Azure Bastion instances
+- Application gateways (except v1)
 
 > [!IMPORTANT]
-> Connection troubleshoot requires that the VM you troubleshoot from has the `AzureNetworkWatcherExtension` VM extension installed. For installing the extension on a Windows VM visit [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and for Linux VM visit [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json). The extension is not required on the destination endpoint.
+> Connection troubleshoot requires that the virtual machine you troubleshoot from has the `AzureNetworkWatcherExtension` extension installed. The extension is not required on the destination virtual machine.
+> - To install the extension on a Windows VM, see [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).
+> - To install the extension on a Linux VM, see [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).
+
+Connection troubleshoot can test connections to any of these destinations:
+
+- Virtual machines
+- Fully qualified domain names (FQDNs)
+- Uniform resource identifiers (URIs)
+- IP addresses
 
-## Supported source types
+## Issues detected by connection troubleshoot
 
-The following sources are supported by Network Watcher:
+Connection troubleshoot can detect the following types of issues that can impact connectivity:
 
-- Virtual Machines
-- Bastion
-- Application Gateways (except v1)
+- High VM CPU utilization
+- High VM memory utilization
+- Virtual machine (guest) firewall rules blocking traffic
+- DNS resolution failures
+- Misconfigured or missing routes
+- Network security group (NSG) rules that are blocking traffic
+- Inability to open a socket at the specified source port
+- Missing address resolution protocol entries for Azure ExpressRoute circuits
+- Servers not listening on designated destination ports
 
 ## Response
 
-The following table shows the properties returned when connection troubleshoot has finished running.
+The following table shows the properties returned after running connection troubleshoot.
 
 |**Property**  |**Description**  |
 |---------|---------|
@@ -77,11 +113,12 @@ Connection troubleshoot returns fault types about the connection. The following
 |---------|---------|
 |CPU     | High CPU utilization.       |
 |Memory     | High Memory utilization.       |
-|GuestFirewall     | Traffic is blocked due to a virtual machine firewall configuration. <br><br> Note that a TCP ping is a unique use case in which, if there's no allowed rule, the firewall itself responds to the client's TCP ping request even though the TCP ping doesn't reach the target IP address/FQDN. This event isn't logged. If there's a network rule that allows access to the target IP address/FQDN, the ping request reaches the target server and its response is relayed back to the client. This event is logged in the Network rules log.   |
+|GuestFirewall     | Traffic is blocked due to a virtual machine firewall configuration. <br><br> A TCP ping is a unique use case in which, if there's no allowed rule, the firewall itself responds to the client's TCP ping request even though the TCP ping doesn't reach the target IP address/FQDN. This event isn't logged. If there's a network rule that allows access to the target IP address/FQDN, the ping request reaches the target server and its response is relayed back to the client. This event is logged in the Network rules log.   |
 |DNSResolution     | DNS resolution failed for the destination address.        |
-|NetworkSecurityRule    | Traffic is blocked by an NSG Rule (Rule is returned)        |
+|NetworkSecurityRule    | Traffic is blocked by a network security group rule (security rule is returned)        |
 |UserDefinedRoute|Traffic is dropped due to a user defined or system route. |
 
 ### Next steps
 
-Learn how to troubleshoot connections using the [Azure portal](network-watcher-connectivity-portal.md), [PowerShell](network-watcher-connectivity-powershell.md), the [Azure CLI](network-watcher-connectivity-cli.md), or [REST API](network-watcher-connectivity-rest.md).
+- To learn how to use connection troubleshoot to test and troubleshoot connections, see [Troubleshoot connections with Azure Network Watcher using the Azure portal](network-watcher-connectivity-portal.md).
+- To learn more about Network Watcher and its other capabilities, see [What is Azure Network Watcher?](network-watcher-monitoring-overview.md).

articles/network-watcher/media/network-watcher-connectivity-portal/figure1.png

@@ -7,51 +7,144 @@ author: halkazwini
 ms.service: network-watcher
 ms.topic: how-to
 ms.workload: infrastructure-services
-ms.date: 01/04/2021
+ms.date: 03/01/2023
 ms.author: halkazwini
+ms.custom: template-how-to, engagement-fy23
 ---
 
 # Troubleshoot connections with Azure Network Watcher using the Azure portal
 
-> [!div class="op_single_selector"]
-> - [Portal](network-watcher-connectivity-portal.md)
-> - [PowerShell](network-watcher-connectivity-powershell.md)
-> - [Azure CLI](network-watcher-connectivity-cli.md)
-> - [Azure REST API](network-watcher-connectivity-rest.md)
+In this article, you learn how to use [Azure Network Watcher connection troubleshoot](network-watcher-connectivity-overview.md) to diagnose and troubleshoot connectivity issues.
 
-Learn how to use connection troubleshoot to verify whether a direct TCP connection from a virtual machine to a given endpoint can be established.
+## Prerequisites
 
-## Before you begin
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- Two virtual machines in your subscription.
 
-This article assumes you have the following resources:
+> [!IMPORTANT]
+> Connection troubleshoot requires that the virtual machine you troubleshoot from has the `AzureNetworkWatcherExtension` extension installed. The extension is not required on the destination virtual machine.
+> - To install the extension on a Windows VM, see [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).
+> - To install the extension on a Linux VM, see [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).
 
-* An instance of Network Watcher in the region you want to troubleshoot a connection.
-* Virtual machines to troubleshoot connections with.
+## Test connectivity between two connected virtual machines
 
-> [!IMPORTANT]
-> Connection troubleshoot requires that the VM you troubleshoot from has the `AzureNetworkWatcherExtension` VM extension installed. For installing the extension on a Windows VM visit [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and for Linux VM visit [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json). The extension is not required on the destination endpoint.
+In this section, you test connectivity between two connected virtual machines.
 
-## Check connectivity to a virtual machine
+1. Sign in to the [Azure portal](https://portal.azure.com).
 
-This example checks connectivity to a destination virtual machine over port 80.
+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.
 
-Navigate to your Network Watcher and click **Connection troubleshoot**. Select the virtual machine to check connectivity from. In the **Destination** section choose **Select a virtual machine** and choose the correct virtual machine and port to test.
+1. Under **Network diagnostic tools**, select **Connection troubleshoot**. Enter or select the following information:
 
-Once you click **Check**, connectivity between the virtual machines on the port specified is checked. In the example, the destination VM is unreachable, a listing of hops are shown.
+    | Setting | Value  |
+    | ------- | ------ |
+    | **Source** |  |
+    | Subscription | Select your Azure subscription. |
+    | Resource group | Select **myResourceGroup**. |
+    | Source type | Select **Virtual machine**. |
+    | Virtual machine | Select **VM1**. |
+    | **Destination** |  |
+    | Destination type | Select **Select a virtual machine**. |
+    | Resource group | Select **myResourceGroup**. |
+    | Virtual machine | Select **VM2**. |
+    | **Probe Settings** |  |
+    | Preferred IP version | Select **IPv4**. |
+    | Protocol | Select **TCP**. |
+    | Destination port | Enter *80*. |
+    | **Connection Diagnostics** |  |
+    | Diagnostics tests | Select **Select all**. |
 
-![Check connectivity results for a virtual machine][1]
+    :::image type="content" source="./media/network-watcher-connectivity-portal/test-virtual-machines-connected.png" alt-text="Screenshot of Network Watcher connection troubleshoot in Azure portal to test the connection between two connected virtual machines.":::
 
-## Check remote endpoint connectivity
+1. Select **Test connection**.
 
-To check the connectivity and latency to a remote endpoint, choose the **Specify manually** radio button in the **Destination** section, input the url and the port and click **Check**.  This is used for remote endpoints like websites and storage endpoints.
+    The test results show that the two virtual machines are communicating with no issues:
 
-![Check connectivity results for a web site][2]
+    - Network security group rules allow traffic between the two virtual machines.
+    - The two virtual machines are directly connected (VM2 is the next hop of VM1).
+    - Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
+    - 66 probes were successfully sent with average latency of 2 ms.
 
-## Next steps
+    :::image type="content" source="./media/network-watcher-connectivity-portal/virtual-machine-connected-test-result.png" alt-text="Screenshot of connection troubleshoot results after testing the connection between two connected virtual machines.":::
+
+## Troubleshoot connectivity issue between two virtual machines
+
+In this section, you test connectivity between two virtual machines that have connectivity issue.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.
+
+1. Under **Network diagnostic tools**, select **Connection troubleshoot**. Enter or select the following information:
+
+    | Setting | Value  |
+    | ------- | ------ |
+    | **Source** |  |
+    | Subscription | Select your Azure subscription. |
+    | Resource group | Select **myResourceGroup**. |
+    | Source type | Select **Virtual machine**. |
+    | Virtual machine | Select **VM1**. |
+    | **Destination** |  |
+    | Destination type | Select **Select a virtual machine**. |
+    | Resource group | Select **myResourceGroup**. |
+    | Virtual machine | Select **VM3**. |
+    | **Probe Settings** |  |
+    | Preferred IP version | Select **IPv4**. |
+    | Protocol | Select **TCP**. |
+    | Destination port | Enter *80*. |
+    | **Connection Diagnostics** |  |
+    | Diagnostics tests | Select **Select all**. |
+
+    :::image type="content" source="./media/network-watcher-connectivity-portal/test-two-virtual-machines.png" alt-text="Screenshot of Network Watcher connection troubleshoot in Azure portal to test the connection between two virtual machines.":::
+
+1. Select **Test connection**.
+
+    The test results show that the two virtual machines aren't communicating:
+
+    - The two virtual machines aren't connected (no probes were sent from VM1 to VM3).
+    - There's no route between the two virtual machines (Next hop type: None).
+    - Azure default system route is the route table used (Route table ID: System route).
+    - Network security group rules allow traffic between the two virtual machines.
 
-Learn how to automate packet captures with Virtual machine alerts by viewing [Create an alert triggered packet capture](network-watcher-alert-triggered-packet-capture.md)
+    :::image type="content" source="./media/network-watcher-connectivity-portal/virtual-machines-test-result.png" alt-text="Screenshot of connection troubleshoot results after testing the connection between two virtual machines that aren't communicating.":::
 
-Find if certain traffic is allowed in or out of your VM by visiting [Check IP flow verify](diagnose-vm-network-traffic-filtering-problem.md)
+## Test connectivity with `www.bing.com`
+
+In this section, you test connectivity between a virtual machines and `www.bing.com`.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.
+
+1. Under **Network diagnostic tools**, select **Connection troubleshoot**. Enter or select the following information:
+
+    | Setting | Value  |
+    | ------- | ------ |
+    | **Source** |  |
+    | Subscription | Select your Azure subscription. |
+    | Resource group | Select **myResourceGroup**. |
+    | Source type | Select **Virtual machine**. |
+    | Virtual machine | Select **VM1**. |
+    | **Destination** |  |
+    | Destination type | Select **Specify manually**. |
+    | Resource group | Enter *www\.bing.com*. |
+    | **Probe Settings** |  |
+    | Preferred IP version | Select **IPv4**. |
+    | Protocol | Select **TCP**. |
+    | Destination port | Enter *443*. |
+    | **Connection Diagnostics** |  |
+    | Diagnostics tests | Select **Connectivity**. |
+
+    :::image type="content" source="./media/network-watcher-connectivity-portal/test-bing.png" alt-text="Screenshot of Network Watcher connection troubleshoot in Azure portal to test the connection between a virtual machines and Microsoft Bing search engine.":::
+
+1. Select **Test connection**.
+
+    The test results show that `www.bing.com` is reachable from **VM1** virtual machine:
+
+    - Connectivity test is successful with 66 probes sent with an average latency of 3 ms.
+
+    :::image type="content" source="./media/network-watcher-connectivity-portal/bing-test-result.png" alt-text="Screenshot of connection troubleshoot results after testing the connection with Microsoft Bing search engine.":::
+
+## Next steps
 
-[1]: ./media/network-watcher-connectivity-portal/figure1.png
-[2]: ./media/network-watcher-connectivity-portal/figure2.png
+Learn how to [automate virtual machines packet captures](network-watcher-alert-triggered-packet-capture.md)