
Commit 981e64c

Merge pull request #232522 from asudbring/prvlink-review
Review of Private Endpoint troubleshoot article
2 parents ceb9e3b + c928744 commit 981e64c

File tree

1 file changed

+57
-37
lines changed

@@ -1,14 +1,11 @@
11
---
22
title: Troubleshoot Azure Private Endpoint connectivity problems
33
description: Step-by-step guidance to diagnose private endpoint connectivity
4-
services: private-endpoint
5-
author: rdhillon
6-
manager: narayan
4+
author: asudbring
75
ms.service: private-link
86
ms.topic: troubleshooting
9-
ms.workload: infrastructure-services
10-
ms.date: 01/31/2020
11-
ms.author: rdhillon
7+
ms.date: 03/28/2023
8+
ms.author: allensu
129
ms.custom: ignite-2022
1310
---
1411

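Review bot: the front matter now carries `ms.date: 03/28/2023` and the new owner (`author: asudbring`, `ms.author: allensu`), but the unchanged line `ms.custom: ignite-2022` is left in place; if that value is a stale event tag rather than a build flag the page still needs, drop it in the same review pass so the metadata does not claim an Ignite 2022 context on a 2023 article. Removing `services`, `manager` and `ms.workload` is consistent with the fields that remain (`ms.service`, `ms.topic`), so no objection there.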
@@ -21,112 +18,135 @@ Azure Private Endpoint is a network interface that connects you privately and se
2118
Here are the connectivity scenarios that are available with Private Endpoint:
2219

2320
- Virtual network from the same region
21+
2422
- Regionally peered virtual networks
23+
2524
- Globally peered virtual networks
25+
2626
- Customer on-premises over VPN or Azure ExpressRoute circuits
2727

2828
## Diagnose connectivity problems
2929

3030
Review these steps to make sure all the usual configurations are as expected to resolve connectivity problems with your private endpoint setup.
3131

32-
1. Review Private Endpoint configuration by browsing the resource.
32+
1. Review private endpoint configuration by browsing the resource.
3333

3434
a. Go to [Private Link Center](https://portal.azure.com/#blade/Microsoft_Azure_Network/PrivateLinkCenterBlade/overview).
35-
36-
![Private Link Center](./media/private-endpoint-tsg/private-link-center.png)
35+
36+
:::image type="content" source="./media/private-endpoint-tsg/private-link-center.png" alt-text="Screenshot of Private Link Center.":::
3737

3838
b. On the left pane, select **Private endpoints**.
3939

40-
![Private endpoints](./media/private-endpoint-tsg/private-endpoints.png)
40+
:::image type="content" source="./media/private-endpoint-tsg/private-endpoints.png" alt-text="Screenshot of private endpoints.":::
4141

4242
c. Filter and select the private endpoint that you want to diagnose.
4343

4444
d. Review the virtual network and DNS information.
45+
4546
- Validate that the connection state is **Approved**.
47+
4648
- Make sure the VM has connectivity to the virtual network that hosts the private endpoints.
49+
4750
- Check that the FQDN information (copy) and Private IP address are assigned.
48-
49-
![Virtual network and DNS configuration](./media/private-endpoint-tsg/vnet-dns-configuration.png)
51+
52+
:::image type="content" source="./media/private-endpoint-tsg/vnet-dns-configuration.png" alt-text="Screenshot of virtual network and DNS configuration.":::
5053

5154
1. Use [Azure Monitor](../azure-monitor/overview.md) to see if data is flowing.
5255

5356
a. On the private endpoint resource, select **Metrics**.
57+
5458
- Select **Bytes In** or **Bytes Out**.
59+
5560
- See if data is flowing when you attempt to connect to the private endpoint. Expect a delay of approximately 10 minutes.
5661

57-
![Verify private endpoint telemetry](./media/private-endpoint-tsg/private-endpoint-monitor.png)
62+
:::image type="content" source="./media/private-endpoint-tsg/private-endpoint-monitor.png" alt-text="Screenshot of verify private endpoint monitor.":::
5863

5964
1. Use **VM Connection troubleshoot** from Azure Network Watcher.
6065

6166
a. Select the client VM.
6267

6368
b. Select **Connection troubleshoot**, and then select the **Outbound connections** tab.
6469

65-
![Network Watcher - Test outbound connections](./media/private-endpoint-tsg/network-watcher-outbound-connection.png)
70+
:::image type="content" source="./media/private-endpoint-tsg/network-watcher-outbound-connection.png" alt-text="Screenshot of Network Watcher - Test outbound connections.":::
6671

6772
c. Select **Use Network Watcher for detailed connection tracing**.
6873

69-
![Network Watcher - Connection troubleshoot](./media/private-endpoint-tsg/network-watcher-connection-troubleshoot.png)
74+
:::image type="content" source="./media/private-endpoint-tsg/network-watcher-connection-troubleshoot.png" alt-text="Screenshot of Network Watcher - Connection troubleshoot.":::
7075

7176
d. Select **Test by FQDN**.
77+
7278
- Paste the FQDN from the private endpoint resource.
79+
7380
- Provide a port. Typically, use 443 for Azure Storage or Azure Cosmos DB and 1336 for SQL.
7481

7582
e. Select **Test**, and validate the test results.
76-
77-
![Network Watcher - Test results](./media/private-endpoint-tsg/network-watcher-test-results.png)
78-
83+
84+
:::image type="content" source="./media/private-endpoint-tsg/network-watcher-test-results.png" alt-text="Screenshot of Network Watcher - Test results.":::
7985

8086
1. DNS resolution from the test results must have the same private IP address assigned to the private endpoint.
8187

8288
a. If the DNS settings are incorrect, follow these steps:
89+
8390
- If you use a private zone:
91+
8492
- Make sure that the client VM virtual network is associated with the private zone.
93+
8594
- Check to see that the private DNS zone record exists. If it doesn't exist, create it.
95+
8696
- If you use custom DNS:
97+
8798
- Review your custom DNS settings, and validate that the DNS configuration is correct.
8899
For guidance, see [Private endpoint overview: DNS configuration](./private-endpoint-overview.md#dns-configuration).
89100

90101
b. If connectivity is failing because of network security groups (NSGs) or user-defined routes:
91102
- Review the NSG outbound rules, and create the appropriate outbound rules to allow traffic.
92-
93-
![NSG outbound rules](./media/private-endpoint-tsg/nsg-outbound-rules.png)
94103

95-
1. Source Virtual Machine should have the route to Private Endpoint IP next hop as InterfaceEndpoints in the NIC Effective Routes.
104+
:::image type="content" source="./media/private-endpoint-tsg/nsg-outbound-rules.png" alt-text="Screenshot of NSG outbound rules.":::
105+
106+
1. Source virtual machine should have the route to private endpoint IP next hop as InterfaceEndpoints in the network interface effective routes.
107+
108+
a. If you aren't able to see the private endpoint route in the source VM, check if
96109

97-
a. If you aren't able to see the Private Endpoint Route in the Source VM, check if
98-
- The Source VM and the Private Endpoint are part of the same VNET. If yes, then you need to engage support.
99-
- The Source VM and the Private Endpoint are part of different VNETs that are directly peered with each other. If yes, then you need to engage support.
100-
- The Source VM and the Private Endpoint are part of different VNETs that aren't directly peered with each other, then check for the IP connectivity between the VNETs.
110+
- The source VM and the private endpoint are part of the same virtual network. If yes, then you need to engage support.
111+
112+
- The source VM and the private endpoint are part of different virtual networks that are directly peered with each other. If yes, then you need to engage support.
113+
114+
- The source VM and the private endpoint are part of different virtual networks that aren't directly peered with each other, then check for the IP connectivity between the virtual networks.
101115

102116
1. If the connection has validated results, the connectivity problem might be related to other aspects like secrets, tokens, and passwords at the application layer.
117+
103118
- In this case, review the configuration of the private link resource associated with the private endpoint. For more information, see the [Azure Private Link troubleshooting guide](troubleshoot-private-link-connectivity.md)
104119

105120
1. It's always good to narrow down before raising the support ticket.
106121

107-
a. If the Source is on-premises, connecting to Private Endpoint in Azure having issues, then try to connect
108-
- To another Virtual Machine from on-premises and check if you have IP connectivity to the Virtual Network from on-premises.
109-
- From a Virtual Machine in the Virtual Network to the Private Endpoint.
122+
a. If the source is on-premises, connecting to private endpoint in Azure having issues, then:
123+
124+
- Try to connect to another virtual machine from on-premises. Check if you have IP connectivity to the virtual network from on-premises.
125+
126+
- Try to connect from a virtual machine in the virtual network to the private endpoint.
110127

111-
b. If the Source is Azure and Private Endpoint is in different Virtual Network, then try to connect
112-
- To the Private Endpoint from a different Source. By doing this, you can isolate any Virtual Machine specific issues.
113-
- To any Virtual Machine, which is part of the same Virtual Network of that of Private Endpoint.
128+
b. If the source is Azure and private endpoint is in different virtual network, then:
114129

115-
1. If the Private Endpoint is linked to a [Private Link Service](./troubleshoot-private-link-connectivity.md), which is linked to a Load Balancer, check if the backend pool is reporting healthy. Fixing the Load Balancer health will fix the issue with connecting to the Private Endpoint.
130+
- Try to connect to the private endpoint from a different source. By connecting from a different source, you can isolate any virtual machine specific issues.
131+
132+
- Try to connect to any virtual machine, which is part of the same virtual network of the private endpoint.
133+
134+
1. If the private endpoint is linked to a [Private Link Service](./troubleshoot-private-link-connectivity.md), which is linked to a load balancer, check if the backend pool is reporting healthy. Fixing the load balancer health fixes the issue with connecting to the private endpoint.
116135

117136
- You can see a visual diagram or a [resource view](../network-watcher/network-insights-overview.md#resource-view) of the related resources, metrics, and insights by going to:
137+
118138
- Azure Monitor
139+
119140
- Networks
120-
- Private endpoints
121-
- Resource view
122141

123-
![Monitor-Networks](https://user-images.githubusercontent.com/20302679/134994620-0660b9e2-e2a3-4233-8953-d3e49b93e2f2.png)
142+
- Private endpoints
124143

125-
![DependencyView](https://user-images.githubusercontent.com/20302679/134994637-fb8b4a1a-81d5-4723-b1c3-d7bdc72162f3.png)
144+
- Resource view
126145

127-
9. Contact the [Azure Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) team if your problem is still unresolved and a connectivity problem still exists.
146+
Contact the [Azure Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) team if your problem is still unresolved and a connectivity problem still exists.
128147

129148
## Next steps
130149

131150
* [Create a private endpoint on the updated subnet (Azure portal)](./create-private-endpoint-portal.md)
151+
132152
* [Azure Private Link troubleshooting guide](troubleshoot-private-link-connectivity.md)
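Review bot: the unchanged line `- Provide a port. Typically, use 443 for Azure Storage or Azure Cosmos DB and 1336 for SQL.` gives the wrong port for Azure SQL, which listens on TCP 1433; the review pass rewords the surrounding lines (`77+`, `79+`) but leaves this one alone, so a reader who follows it will get a failed Network Watcher test and conclude the private endpoint is broken when only the port is wrong. Fix it to `1433` here. Two smaller points: the closing step was changed from `9. Contact the [Azure Support]...` to an unnumbered paragraph, so it no longer renders as the final item of the numbered procedure; keep it as `1. Contact the [Azure Support]...` (the list already relies on `1.` auto-numbering for every item) or make the break deliberate with its own heading. And step `b. If connectivity is failing because of network security groups (NSGs) or user-defined routes:` names user-defined routes but only tells the reader to review NSG outbound rules; the route check is the effective-routes step that follows (`next hop as InterfaceEndpoints in the network interface effective routes`), so add a sentence pointing to it so the UDR half of the heading is not left without a check.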
