@@ -6,7 +6,7 @@ author: halkazwini
66ms.author : halkazwini
77ms.service : network-watcher
88ms.topic : how-to
9- ms.date : 03/18 /2024
9+ ms.date : 03/20 /2024
1010ms.custom : devx-track-azurecli
1111
1212# CustomerIntent: As an Azure administrator, I want to learn how to use Connection Troubleshoot to diagnose outbound connectivity issues in Azure using the Azure CLI.
@@ -42,84 +42,313 @@ In this article, you learn how to use the connection troubleshoot feature of Azu
4242
4343## Check connectivity to a virtual machine
4444
45- This example checks connectivity to a destination virtual machine over port 80 .
45+ In this section, you test the remote desktop port (RDP) connectivity from one virtual machine to another virtual machine in the same virtual network .
4646
47- ### Example
47+ Use [ az network watcher test-connectivity ] ( /cli/azure/network/watcher#az-network-watcher-test-connectivity ) to run connection troubleshoot diagnostic tests to check the connectivity to a virtual machine over port 3389:
4848
4949``` azurecli-interactive
50- az network watcher test-connectivity --resource-group ContosoRG --source-resource MultiTierApp0 --dest-resource Database0 --dest-port 80
50+ # Test connectivity between two virtual machines that are in the same resource group over port 3389.
51+ az network watcher test-connectivity --resource-group 'myResourceGroup' --source-resource 'VM1' --dest-resource 'VM2' --protocol 'TCP' --dest-port '3389'
5152```
5253
53- ### Response
54+ If the virtual machines aren't in the same resource group, then use their resource IDs instead of the names:
5455
55- The following response is from the previous example. In this response, the ` ConnectionStatus ` is ** Unreachable** . You can see that all the probes sent failed. The connectivity failed at the virtual appliance due to a user-configured ` NetworkSecurityRule ` named ** UserRule_Port80** , configured to block incoming traffic on port 80. This information can be used to research connection issues.
56+ ``` azurecli-interactive
57+ # Test connectivity between two virtual machines that are in two different resource groups over port 3389.
58+ az network watcher test-connectivity --source-resource '/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup1/providers/Microsoft.Compute/virtualMachines/VM1' --dest-resource '/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup2/providers/Microsoft.Compute/virtualMachines/VM2' --protocol 'TCP' --dest-port '3389'
59+ ```
5660
57- ``` json
58- {
59- "avgLatencyInMs" : null ,
60- "connectionStatus" : " Unreachable"
61- "hops" : [
61+ - If the two virtual machines are communicating with no issues, you see the following results:
62+
63+ ``` json
6264 {
63- "address" : " 10.1.1.4"
64- "id" : " bb01d336-d881-4808-9fbc-72f091974d68"
65- "issues" : [],
66- "nextHopIds" : [
67- " f8b074e9-9980-496b-a35e-619f9bcbf648"
65+ "avgLatencyInMs" : 2 ,
66+ "connectionStatus" : " Reachable"
67+ "hops" : [
68+ {
69+ "address" : " 10.0.0.4"
70+ "id" : " 00000000-0000-0000-0000-000000000000"
71+ "issues" : [],
72+ "links" : [
73+ {
74+ "context" : {},
75+ "issues" : [],
76+ "linkType" : " VirtualNetwork"
77+ "nextHopId" : " 11111111-1111-1111-1111-111111111111"
78+ "resourceId" : " "
79+ "roundTripTimeAvg" : 3 ,
80+ "roundTripTimeMax" : 3 ,
81+ "roundTripTimeMin" : 3
82+ }
83+ ],
84+ "nextHopIds" : [
85+ " 11111111-1111-1111-1111-111111111111"
86+ ],
87+ "previousHopIds" : [],
88+ "previousLinks" : [],
89+ "resourceId" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1"
90+ "type" : " Source"
91+ },
92+ {
93+ "address" : " 10.0.0.5"
94+ "id" : " 11111111-1111-1111-1111-111111111111"
95+ "issues" : [],
96+ "links" : [],
97+ "nextHopIds" : [],
98+ "previousHopIds" : [
99+ " 00000000-0000-0000-0000-000000000000"
100+ ],
101+ "previousLinks" : [
102+ {
103+ "context" : {},
104+ "issues" : [],
105+ "linkType" : " VirtualNetwork"
106+ "nextHopId" : " 00000000-0000-0000-0000-000000000000"
107+ "resourceId" : " "
108+ }
109+ ],
110+ "resourceId" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2"
111+ "type" : " VirtualMachine"
112+ }
68113 ],
69- "resourceId" : "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/ap
70- pNic0/ipConfigurations/ipconfig1",
71- "type" : " Source"
72- },
114+ "maxLatencyInMs" : 8 ,
115+ "minLatencyInMs" : 1 ,
116+ "probesFailed" : 0 ,
117+ "probesSent" : 66
118+ }
119+ ```
120+
121+ - Connection status is **Reachable** (destination virtual machine is reachable over port 3389).
122+ - 66 probes were successfully sent to the destination virtual machine.
123+ - There are two hopes in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
124+
125+ - If the destination virtual machine has a network security group that's denying incoming RDP connections, you see the following results:
126+
127+ ```json
73128 {
74- "address" : " 10.1.2.4"
75- "id" : " f8b074e9-9980-496b-a35e-619f9bcbf648"
76- "issues" : [],
77- "nextHopIds" : [
78- " 8a5857f3-6ab8-4b11-b9bf-a046d66b8696"
129+ "connectionStatus" : " Unreachable"
130+ "hops" : [
131+ {
132+ "address" : " 10.0.0.4"
133+ "id" : " 00000000-0000-0000-0000-000000000000"
134+ "issues" : [],
135+ "links" : [
136+ {
137+ "context" : {},
138+ "issues" : [],
139+ "linkType" : " VirtualNetwork"
140+ "nextHopId" : " 11111111-1111-1111-1111-111111111111"
141+ "resourceId" : " "
142+ }
143+ ],
144+ "nextHopIds" : [
145+ " 11111111-1111-1111-1111-111111111111"
146+ ],
147+ "previousHopIds" : [],
148+ "previousLinks" : [],
149+ "resourceId" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1"
150+ "type" : " Source"
151+ },
152+ {
153+ "address" : " 10.0.0.5"
154+ "id" : " 11111111-1111-1111-1111-111111111111"
155+ "issues" : [
156+ {
157+ "context" : [
158+ {
159+ "key" : " RuleName"
160+ "value" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM2-nsg/SecurityRules/Deny3389Inbound"
161+ }
162+ ],
163+ "origin" : " Inbound"
164+ "severity" : " Error"
165+ "type" : " NetworkSecurityRule"
166+ },
167+ {
168+ "context" : [],
169+ "origin" : " Local"
170+ "severity" : " Error"
171+ "type" : " NoListenerOnDestination"
172+ }
173+ ],
174+ "links" : [],
175+ "nextHopIds" : [],
176+ "previousHopIds" : [
177+ " 00000000-0000-0000-0000-000000000000"
178+ ],
179+ "previousLinks" : [
180+ {
181+ "context" : {},
182+ "issues" : [],
183+ "linkType" : " VirtualNetwork"
184+ "nextHopId" : " 00000000-0000-0000-0000-000000000000"
185+ "resourceId" : " "
186+ }
187+ ],
188+ "resourceId" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2"
189+ "type" : " VirtualMachine"
190+ }
79191 ],
80- "resourceId" : "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/fw
81- Nic/ipConfigurations/ipconfig1",
82- "type" : " VirtualAppliance"
83- },
192+ "probesFailed" : 30 ,
193+ "probesSent" : 30
194+ }
195+ ```
196+
197+ - Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
198+ - 30 probes were sent and failed to reach the destination virtual machine.
199+ - There are two hopes in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
200+ - Inbound connectivity to the destination virtual machine is denied by the security rule `Deny3389Inbound` in the network security group `VM2-nsg`.
201+
202+ - If the source virtual machine has a network security group that's denying RDP connections to the destination, you see the following results:
203+
204+ ```json
84205 {
85- "address" : " 10.1.3.4"
86- "id" : " 8a5857f3-6ab8-4b11-b9bf-a046d66b8696"
87- "issues" : [
206+ "connectionStatus" : " Unreachable"
207+ "hops" : [
88208 {
89- "context" : [
209+ "address" : " 10.0.0.4"
210+ "id" : " 00000000-0000-0000-0000-000000000000"
211+ "issues" : [
90212 {
91- "key" : " RuleName"
92- "value" : " UserRule_Port80"
213+ "context" : [
214+ {
215+ "key" : " RuleName"
216+ "value" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM1-nsg/SecurityRules/Deny3389Outbound"
217+ }
218+ ],
219+ "origin" : " Outbound"
220+ "severity" : " Error"
221+ "type" : " NetworkSecurityRule"
93222 }
94223 ],
95- "origin" : " Outbound"
96- "severity" : " Error"
97- "type" : " NetworkSecurityRule"
224+ "links" : [
225+ {
226+ "context" : {},
227+ "issues" : [],
228+ "linkType" : " VirtualNetwork"
229+ "nextHopId" : " 11111111-1111-1111-1111-111111111111"
230+ "resourceId" : " "
231+ }
232+ ],
233+ "nextHopIds" : [
234+ " 11111111-1111-1111-1111-111111111111"
235+ ],
236+ "previousHopIds" : [],
237+ "previousLinks" : [],
238+ "resourceId" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1"
239+ "type" : " Source"
240+ },
241+ {
242+ "address" : " 10.0.0.5"
243+ "id" : " 11111111-1111-1111-1111-111111111111"
244+ "issues" : [
245+ {
246+ "context" : [],
247+ "origin" : " Local"
248+ "severity" : " Error"
249+ "type" : " NoListenerOnDestination"
250+ }
251+ ],
252+ "links" : [],
253+ "nextHopIds" : [],
254+ "previousHopIds" : [
255+ " 00000000-0000-0000-0000-000000000000"
256+ ],
257+ "previousLinks" : [
258+ {
259+ "context" : {},
260+ "issues" : [],
261+ "linkType" : " VirtualNetwork"
262+ "nextHopId" : " 00000000-0000-0000-0000-000000000000"
263+ "resourceId" : " "
264+ }
265+ ],
266+ "resourceId" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2"
267+ "type" : " VirtualMachine"
98268 }
99269 ],
100- "nextHopIds" : [
101- " 6ce2f7a2-ceb4-4145-80e8-5d9f661655d6"
102- ],
103- "resourceId" : "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/au
104- Nic/ipConfigurations/ipconfig1",
105- "type" : " VirtualAppliance"
106- },
270+ "probesFailed" : 30 ,
271+ "probesSent" : 30
272+ }
273+ ```
274+
275+ - Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
276+ - 30 probes were sent and failed to reach the destination virtual machine.
277+ - There are two hopes in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
278+ - Outbound connectivity from the source virtual machine is denied by the security rule `Deny3389Outbound` in the network security group `VM1-nsg`.
279+
280+ - If the operating system on the destination virtual machine doesn't accept incoming connections on port 3389, you see the following results:
281+
282+ ```json
107283 {
108- "address" : " 10.1.4.4"
109- "id" : " 6ce2f7a2-ceb4-4145-80e8-5d9f661655d6"
110- "issues" : [],
111- "nextHopIds" : [],
112- "resourceId" : "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/db
113- Nic0/ipConfigurations/ipconfig1",
114- "type" : " VnetLocal"
284+ "connectionStatus" : " Unreachable"
285+ "hops" : [
286+ {
287+ "address" : " 10.0.0.4"
288+ "id" : " 00000000-0000-0000-0000-000000000000"
289+ "issues" : [],
290+ "links" : [
291+ {
292+ "context" : {},
293+ "issues" : [],
294+ "linkType" : " VirtualNetwork"
295+ "nextHopId" : " 11111111-1111-1111-1111-111111111111"
296+ "resourceId" : " "
297+ }
298+ ],
299+ "nextHopIds" : [
300+ " 11111111-1111-1111-1111-111111111111"
301+ ],
302+ "previousHopIds" : [],
303+ "previousLinks" : [],
304+ "resourceId" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1"
305+ "type" : " Source"
306+ },
307+ {
308+ "address" : " 10.0.0.5"
309+ "id" : " 11111111-1111-1111-1111-111111111111"
310+ "issues" : [
311+ {
312+ "context" : [],
313+ "origin" : " Local"
314+ "severity" : " Error"
315+ "type" : " NoListenerOnDestination"
316+ },
317+ {
318+ "context" : [],
319+ "origin" : " Local"
320+ "severity" : " Error"
321+ "type" : " GuestFirewall"
322+ }
323+ ],
324+ "links" : [],
325+ "nextHopIds" : [],
326+ "previousHopIds" : [
327+ " 00000000-0000-0000-0000-000000000000"
328+ ],
329+ "previousLinks" : [
330+ {
331+ "context" : {},
332+ "issues" : [],
333+ "linkType" : " VirtualNetwork"
334+ "nextHopId" : " 00000000-0000-0000-0000-000000000000"
335+ "resourceId" : " "
336+ }
337+ ],
338+ "resourceId" : " /subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2"
339+ "type" : " VirtualMachine"
340+ }
341+ ],
342+ "probesFailed" : 30 ,
343+ "probesSent" : 30
115344 }
116- ],
117- "maxLatencyInMs" : null ,
118- "minLatencyInMs" : null ,
119- "probesFailed" : 100 ,
120- "probesSent" : 100
121- }
122- ```
345+ ```
346+
347+ - Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
348+ - 30 probes were sent and failed to reach the destination virtual machine.
349+ - There are two hopes in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
350+ - Port 3389 isn't reachable on the destination virtual machine. The output has `NoListenerOnDestination` and `GuestFirewall` errors on the destination virtual machine.
351+
123352
124353## Validate routing issues
125354
0 commit comments