articles/virtual-network/diagnose-network-traffic-filter-problem.md
19 additions & 11 deletions
@@ -1,13 +1,10 @@
1
1
---
2
2
title: Diagnose a virtual machine network traffic filter problem
3
3
description: Learn how to diagnose a virtual machine network traffic filter problem by viewing the effective security rules for a virtual machine.
4
-
services: virtual-network
5
4
author: asudbring
6
-
7
-
ms.assetid: a54feccf-0123-4e49-a743-eb8d0bdd1ebc
8
5
ms.service: azure-virtual-network
9
6
ms.topic: troubleshooting
10
-
ms.date: 05/29/2018
7
+
ms.date: 03/26/2025
11
8
ms.author: allensu
12
9
ms.custom: devx-track-azurecli
13
10
ms.devlang: azurecli
@@ -28,19 +25,30 @@ The steps that follow assume you have an existing VM to view the effective secur
28
25
## Diagnose using Azure portal
29
26
30
27
1. Log into the Azure [portal](https://portal.azure.com) with an Azure account that has the [necessary permissions](virtual-network-network-interface.md#permissions).
31
-
2. At the top of the Azure portal, enter the name of the VM in the search box. When the name of the VM appears in the search results, select it.
32
-
3. Under **SETTINGS**, select **Networking**, as shown in the following picture:
33
28
34
-

29
+
1. At the top of the Azure portal, enter the name of the VM in the search box. When the name of the VM appears in the search results, select it.
30
+
31
+
1. Expand **Networking** in the left pane. Select **Network settings**. The following figures show the network security group settings for the VM's network interface.
32
+
33
+
:::image type="content" source="./media/diagnose-network-traffic-filter-problem/view-security-rules.png" alt-text="Screenshot of security rules for NSG nsg-subnet." lightbox="./media/diagnose-network-traffic-filter-problem/view-security-rules.png":::
34
+
35
+
:::image type="content" source="./media/diagnose-network-traffic-filter-problem/view-security-rules2.png" alt-text="Screenshot of security rules for NSG nsg-nic." lightbox="./media/diagnose-network-traffic-filter-problem/view-security-rules.png":::
36
+
35
37
36
-
The rules you see listed in the previous picture are for a network interface named **myVMVMNic**. You see that there are **INBOUND PORT RULES** for the network interface from two different network security groups:
38
+
The rules you see listed in the previous figures are for a network interface named **vm-1445**. You see that there are **Inbound port rules** for the network interface from two different network security groups:
37
39
38
-
-**mySubnetNSG**: Associated to the subnet that the network interface is in.
39
-
-**myVMNSG**: Associated to the network interface in the VM named **myVMVMNic**.
40
+
-**nsg-subnet**: Associated to the subnet that the network interface is in.
41
+
-**nsg-nic**: Associated to the network interface in the VM named **vm-1445**.
40
42
41
43
The rule named **DenyAllInBound** is what's preventing inbound communication to the VM over port 80, from the internet, as described in the [scenario](#scenario). The rule lists *0.0.0.0/0* for **SOURCE**, which includes the internet. No other rule with a higher priority (lower number) allows port 80 inbound. To allow port 80 inbound to the VM from the internet, see [Resolve a problem](#resolve-a-problem). To learn more about security rules and how Azure applies them, see [Network security groups](./network-security-groups-overview.md).
42
44
43
-
At the bottom of the picture, you also see **OUTBOUND PORT RULES**. Under that are the outbound port rules for the network interface. Though the picture only shows four inbound rules for each NSG, your NSGs may have many more than four rules. In the picture, you see **VirtualNetwork** under **SOURCE** and **DESTINATION** and **AzureLoadBalancer** under **SOURCE**. **VirtualNetwork** and **AzureLoadBalancer** are [service tags](./network-security-groups-overview.md#service-tags). Service tags represent a group of IP address prefixes to help minimize complexity for security rule creation.
45
+
At the bottom of the picture, you also see **Outbound port rules**. The outbound port rules for the network interface are listed. Though the picture only shows four inbound rules for each NSG, your NSGs may have many more than four rules. In the picture, you see **VirtualNetwork** under **Source** and **Destination** and **AzureLoadBalancer** under **SOURCE**. **VirtualNetwork** and **AzureLoadBalancer** are [service tags](./network-security-groups-overview.md#service-tags). Service tags represent a group of IP address prefixes to help minimize complexity for security rule creation.
46
+
47
+
1. To view the effective security rules, select the interface in the network settings of the virtual machine.
48
+
49
+
50
+
51
+
44
52
45
53
4. Ensure that the VM is in the running state, and then select **Effective security rules**, as shown in the previous picture, to see the effective security rules, shown in the following picture:
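Review bot: In the second added `:::image` line (the **nsg-nic** screenshot), `source` points to `view-security-rules2.png` but `lightbox` still points to `view-security-rules.png`, so expanding the figure would open the **nsg-subnet** screenshot instead; set `lightbox` to `./media/diagnose-network-traffic-filter-problem/view-security-rules2.png`. Two smaller consistency points in the same hunk: the rewritten outbound-rules paragraph changes **SOURCE** and **DESTINATION** to **Source** and **Destination** but leaves "**AzureLoadBalancer** under **SOURCE**" in uppercase and still says "the picture" where the paragraph above now says "the previous figures"; and the new steps are numbered `1.` while the unchanged step that follows still begins `4.` and refers to "the previous picture", so the numbering and figure references should be made uniform.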