add Test connectivity to a website section

Author: halkazwini

articles/network-watcher/connection-troubleshoot-cli.md

@@ -40,18 +40,18 @@ In this article, you learn how to use the connection troubleshoot feature of Azu
 > - To install the extension on a Linux virtual machine, see [Network Watcher agent VM extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json).
 > - To update an already installed extension, see [Update Network Watcher agent VM extension to the latest version](../virtual-machines/extensions/network-watcher-update.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json).
 
-## Check connectivity to a virtual machine
+## Test connectivity to a virtual machine
 
 In this section, you test the remote desktop port (RDP) connectivity from one virtual machine to another virtual machine in the same virtual network.
 
-Use [az network watcher test-connectivity](/cli/azure/network/watcher#az-network-watcher-test-connectivity) to run connection troubleshoot diagnostic tests to check the connectivity to a virtual machine over port 3389:
+Use [az network watcher test-connectivity](/cli/azure/network/watcher#az-network-watcher-test-connectivity) to run connection troubleshoot diagnostic tests to test the connectivity to a virtual machine over port 3389:
 
 ```azurecli-interactive
 # Test connectivity between two virtual machines that are in the same resource group over port 3389.
 az network watcher test-connectivity --resource-group 'myResourceGroup' --source-resource 'VM1' --dest-resource 'VM2' --protocol 'TCP' --dest-port '3389'
 ```
 
-If the virtual machines aren't in the same resource group, then use their resource IDs instead of the names:
+If the virtual machines aren't in the same resource group, use their resource IDs instead of their names:
 
 ```azurecli-interactive
 # Test connectivity between two virtual machines that are in two different resource groups over port 3389.
@@ -118,6 +118,7 @@ az network watcher test-connectivity --source-resource '/subscriptions/abcdef01-
     }
     ```
 
+
     - Connection status is **Reachable** (destination virtual machine is reachable over port 3389).
     - 66 probes were successfully sent to the destination virtual machine.
     - There are two hopes in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
@@ -194,11 +195,14 @@ az network watcher test-connectivity --source-resource '/subscriptions/abcdef01-
     }
     ```
 
+
     - Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
     - 30 probes were sent and failed to reach the destination virtual machine.
     - There are two hopes in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
     - Inbound connectivity to the destination virtual machine is denied by the security rule `Deny3389Inbound` in the network security group `VM2-nsg`.
 
+    **Solution**: Update the network security group on the destination virtual machine to allow inbound RDP traffic.
+
 - If the source virtual machine has a network security group that's denying RDP connections to the destination, you see the following results:
 
     ```json
@@ -272,11 +276,14 @@ az network watcher test-connectivity --source-resource '/subscriptions/abcdef01-
     }
     ```
 
+
     - Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
     - 30 probes were sent and failed to reach the destination virtual machine.
     - There are two hopes in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
     - Outbound connectivity from the source virtual machine is denied by the security rule `Deny3389Outbound` in the network security group `VM1-nsg`.
 
+    **Solution**: Update the network security group on the source virtual machine to allow outbound RDP traffic.
+
 - If the operating system on the destination virtual machine doesn't accept incoming connections on port 3389, you see the following results:
 
     ```json
@@ -349,6 +356,153 @@ az network watcher test-connectivity --source-resource '/subscriptions/abcdef01-
     - There are two hopes in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
     - Port 3389 isn't reachable on the destination virtual machine. The output has `NoListenerOnDestination` and `GuestFirewall` errors on the destination virtual machine. 
 
+    **Solution**: Configure the operating system on the destination virtual machine to accept inbound RDP traffic.
+
+## Test connectivity to a website
+
+In this section, you test connectivity between a virtual machine and a website.
+
+Use [az network watcher test-connectivity](/cli/azure/network/watcher#az-network-watcher-test-connectivity) to run connection troubleshoot to test the connectivity to `www.bing.com`:
+
+```azurecli-interactive
+# Test connectivity between two virtual machines that are in the same resource group over port 3389.
+az network watcher test-connectivity --resource-group 'myResourceGroup' --source-resource 'VM1' --dest-address 'www.bing.com' --protocol 'TCP' --dest-port '443'
+```
+
+- If `www.bing.com` is reachable from the source virtual machine, you see the following results:
+
+    ```json
+    {
+      "avgLatencyInMs": 9,
+      "connectionStatus": "Reachable",
+      "hops": [
+        {
+          "address": "10.0.0.4",
+          "id": "00000000-0000-0000-0000-000000000000",
+          "issues": [],
+          "links": [
+            {
+              "context": {},
+              "issues": [],
+              "linkType": "Internet",
+              "nextHopId": "11111111-1111-1111-1111-111111111111",
+              "resourceId": "",
+              "roundTripTimeAvg": 9,
+              "roundTripTimeMax": 9,
+              "roundTripTimeMin": 9
+            }
+          ],
+          "nextHopIds": [
+            "11111111-1111-1111-1111-111111111111"
+          ],
+          "previousHopIds": [],
+          "previousLinks": [],
+          "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",
+          "type": "Source"
+        },
+        {
+          "address": "104.117.244.81",
+          "id": "11111111-1111-1111-1111-111111111111",
+          "issues": [],
+          "links": [],
+          "nextHopIds": [],
+          "previousHopIds": [
+            "00000000-0000-0000-0000-000000000000"
+          ],
+          "previousLinks": [
+            {
+              "context": {},
+              "issues": [],
+              "linkType": "Internet",
+              "nextHopId": "00000000-0000-0000-0000-000000000000",
+              "resourceId": ""
+            }
+          ],
+          "type": "Internet"
+        }
+      ],
+      "maxLatencyInMs": 13,
+      "minLatencyInMs": 7,
+      "probesFailed": 0,
+      "probesSent": 66
+    }
+    ```
+
+
+    - 66 probes were successfully sent to `www.bing.com` with average latency of 9 ms.
+    - Next hop type is `Internet`.
+
+- If `www.bing.com` is unreachable from the source virtual machine due to a security rule, you see the following results:
+
+    ```json
+    {
+      "connectionStatus": "Unreachable",
+      "hops": [
+        {
+          "address": "10.0.0.4",
+          "id": "425bc206-b4d8-4c4e-8ea6-5175211cb858",
+          "issues": [
+            {
+              "context": [
+                {
+                  "key": "RuleName",
+                  "value": "/subscriptions/793c74bb-7f49-419b-a8a0-f3c66c48050b/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM1-nsg/SecurityRules/DenyInternetOutbound"
+                }
+              ],
+              "origin": "Outbound",
+              "severity": "Error",
+              "type": "NetworkSecurityRule"
+            }
+          ],
+          "links": [
+            {
+              "context": {},
+              "issues": [],
+              "linkType": "Internet",
+              "nextHopId": "5a5adacb-80f3-4e00-ae0e-927ece6e3c61",
+              "resourceId": ""
+            }
+          ],
+          "nextHopIds": [
+            "5a5adacb-80f3-4e00-ae0e-927ece6e3c61"
+          ],
+          "previousHopIds": [],
+          "previousLinks": [],
+          "resourceId": "/subscriptions/793c74bb-7f49-419b-a8a0-f3c66c48050b/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",
+          "type": "Source"
+        },
+        {
+          "address": "23.198.7.184",
+          "id": "5a5adacb-80f3-4e00-ae0e-927ece6e3c61",
+          "issues": [],
+          "links": [],
+          "nextHopIds": [],
+          "previousHopIds": [
+            "425bc206-b4d8-4c4e-8ea6-5175211cb858"
+          ],
+          "previousLinks": [
+            {
+              "context": {},
+              "issues": [],
+              "linkType": "Internet",
+              "nextHopId": "425bc206-b4d8-4c4e-8ea6-5175211cb858",
+              "resourceId": ""
+            }
+          ],
+          "type": "Internet"
+        }
+      ],
+      "probesFailed": 30,
+      "probesSent": 30
+    }
+    ```
+    
+
+    - 30 probes were sent and failed to reach `www.bing.com`.
+    - Outbound connectivity from the source virtual machine is denied by the security rule `DenyInternetOutbound` in the network security group `VM1-nsg`.
+    - Next hop type is `Internet`.
+
+    **Solution**: Update the network security group on the source virtual machine to allow outbound traffic to `www.bing.com`.
 
 ## Validate routing issues