:::image type="content" source="./media/private-endpoint-tsg/private-endpoints.png" alt-text="Screenshot of private endpoints.":::
41
41
42
42
c. Filter and select the private endpoint that you want to diagnose.
43
43
44
44
d. Review the virtual network and DNS information.
45
+
45
46
- Validate that the connection state is **Approved**.
47
+
46
48
- Make sure the VM has connectivity to the virtual network that hosts the private endpoints.
49
+
47
50
- Check that the FQDN information (copy) and Private IP address are assigned.
48
-
49
-

51
+
52
+
:::image type="content" source="./media/private-endpoint-tsg/vnet-dns-configuration.png" alt-text="Screenshot of virtual network and DNS configuration.":::
50
53
51
54
1. Use [Azure Monitor](../azure-monitor/overview.md) to see if data is flowing.
52
55
53
56
a. On the private endpoint resource, select **Metrics**.
57
+
54
58
- Select **Bytes In** or **Bytes Out**.
59
+
55
60
- See if data is flowing when you attempt to connect to the private endpoint. Expect a delay of approximately 10 minutes.
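Review bot: The new bullet "Check that the FQDN information (copy) and Private IP address are assigned" under step d leaves "(copy)" unexplained; say what the reader should copy and why, for example "Copy the FQDN; you paste it into the Network Watcher Test by FQDN field in a later step", since the later instruction "Paste the FQDN from the private endpoint resource" depends on it. Also, "Make sure the VM has connectivity to the virtual network that hosts the private endpoints" is a network-path check rather than something visible on the virtual network and DNS blade this step describes, so it reads out of place under "Review the virtual network and DNS information"; consider moving it next to the Network Watcher connection test, where it can actually be verified.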
:::image type="content" source="./media/private-endpoint-tsg/network-watcher-connection-troubleshoot.png" alt-text="Screenshot of Network Watcher - Connection troubleshoot.":::
70
75
71
76
d. Select **Test by FQDN**.
77
+
72
78
- Paste the FQDN from the private endpoint resource.
79
+
73
80
- Provide a port. Typically, use 443 for Azure Storage or Azure Cosmos DB and 1336 for SQL.
74
81
75
82
e. Select **Test**, and validate the test results.
76
-
77
-

78
-
83
+
84
+
:::image type="content" source="./media/private-endpoint-tsg/network-watcher-test-results.png" alt-text="Screenshot of Network Watcher - Test results.":::
79
85
80
86
1. DNS resolution from the test results must have the same private IP address assigned to the private endpoint.
81
87
82
88
a. If the DNS settings are incorrect, follow these steps:
89
+
83
90
- If you use a private zone:
91
+
84
92
- Make sure that the client VM virtual network is associated with the private zone.
93
+
85
94
- Check to see that the private DNS zone record exists. If it doesn't exist, create it.
95
+
86
96
- If you use custom DNS:
97
+
87
98
- Review your custom DNS settings, and validate that the DNS configuration is correct.
88
99
For guidance, see [Private endpoint overview: DNS configuration](./private-endpoint-overview.md#dns-configuration).
89
100
90
101
b. If connectivity is failing because of network security groups (NSGs) or user-defined routes:
91
102
- Review the NSG outbound rules, and create the appropriate outbound rules to allow traffic.
1. Source Virtual Machine should have the route to Private Endpoint IP next hop as InterfaceEndpoints in the NIC Effective Routes.
104
+
:::image type="content" source="./media/private-endpoint-tsg/nsg-outbound-rules.png" alt-text="Screenshot of NSG outbound rules.":::
105
+
106
+
1. Source virtual machine should have the route to private endpoint IP next hop as InterfaceEndpoints in the network interface effective routes.
107
+
108
+
a. If you aren't able to see the private endpoint route in the source VM, check if
96
109
97
-
a. If you aren't able to see the Private Endpoint Route in the Source VM, check if
98
-
- The Source VM and the Private Endpoint are part of the same VNET. If yes, then you need to engage support.
99
-
- The Source VM and the Private Endpoint are part of different VNETs that are directly peered with each other. If yes, then you need to engage support.
100
-
- The Source VM and the Private Endpoint are part of different VNETs that aren't directly peered with each other, then check for the IP connectivity between the VNETs.
110
+
- The source VM and the private endpoint are part of the same virtual network. If yes, then you need to engage support.
111
+
112
+
- The source VM and the private endpoint are part of different virtual networks that are directly peered with each other. If yes, then you need to engage support.
113
+
114
+
- The source VM and the private endpoint are part of different virtual networks that aren't directly peered with each other, then check for the IP connectivity between the virtual networks.
101
115
102
116
1. If the connection has validated results, the connectivity problem might be related to other aspects like secrets, tokens, and passwords at the application layer.
117
+
103
118
- In this case, review the configuration of the private link resource associated with the private endpoint. For more information, see the [Azure Private Link troubleshooting guide](troubleshoot-private-link-connectivity.md)
104
119
105
120
1. It's always good to narrow down before raising the support ticket.
106
121
107
-
a. If the Source is on-premises, connecting to Private Endpoint in Azure having issues, then try to connect
108
-
- To another Virtual Machine from on-premises and check if you have IP connectivity to the Virtual Network from on-premises.
109
-
- From a Virtual Machine in the Virtual Network to the Private Endpoint.
122
+
a. If the source is on-premises, connecting to private endpoint in Azure having issues, then:
123
+
124
+
- Try to connect to another virtual machine from on-premises. Check if you have IP connectivity to the virtual network from on-premises.
125
+
126
+
- Try to connect from a virtual machine in the virtual network to the private endpoint.
110
127
111
-
b. If the Source is Azure and Private Endpoint is in different Virtual Network, then try to connect
112
-
- To the Private Endpoint from a different Source. By doing this, you can isolate any Virtual Machine specific issues.
113
-
- To any Virtual Machine, which is part of the same Virtual Network of that of Private Endpoint.
128
+
b. If the source is Azure and private endpoint is in different virtual network, then:
114
129
115
-
1. If the Private Endpoint is linked to a [Private Link Service](./troubleshoot-private-link-connectivity.md), which is linked to a Load Balancer, check if the backend pool is reporting healthy. Fixing the Load Balancer health will fix the issue with connecting to the Private Endpoint.
130
+
- Try to connect to the private endpoint from a different source. By connecting from a different source, you can isolate any virtual machine specific issues.
131
+
132
+
- Try to connect to any virtual machine, which is part of the same virtual network of the private endpoint.
133
+
134
+
1. If the private endpoint is linked to a [Private Link Service](./troubleshoot-private-link-connectivity.md), which is linked to a load balancer, check if the backend pool is reporting healthy. Fixing the load balancer health fixes the issue with connecting to the private endpoint.
116
135
117
136
- You can see a visual diagram or a [resource view](../network-watcher/network-insights-overview.md#resource-view) of the related resources, metrics, and insights by going to:
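Review bot: The port guidance "Provide a port. Typically, use 443 for Azure Storage or Azure Cosmos DB and 1336 for SQL" is wrong for SQL: the default TCP port for Azure SQL Database and SQL Server is 1433, and a Network Watcher test against 1336 will report failure even when the private endpoint is healthy. Change it to "1433 for SQL"; the line is unchanged context here, but the "Test by FQDN" step being rewritten in this hunk relies on it. Two smaller points in the same hunk: the NSG bullet "Review the NSG outbound rules, and create the appropriate outbound rules to allow traffic" should say whose NSG is meant (the one on the source VM's subnet or NIC), and the heading "If connectivity is failing because of network security groups (NSGs) or user-defined routes" promises a UDR check that the bullets never give, so either add a bullet that points at the effective-routes check that follows or drop "or user-defined routes" from the heading.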
9.Contact the [Azure Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) team if your problem is still unresolved and a connectivity problem still exists.
146
+
Contact the [Azure Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) team if your problem is still unresolved and a connectivity problem still exists.
128
147
129
148
## Next steps
130
149
131
150
*[Create a private endpoint on the updated subnet (Azure portal)](./create-private-endpoint-portal.md)
151
+
132
152
*[Azure Private Link troubleshooting guide](troubleshoot-private-link-connectivity.md)
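Review bot: In the "Next steps" block, "*[Create a private endpoint on the updated subnet (Azure portal)]" and "*[Azure Private Link troubleshooting guide]" have no space after the asterisk, so Markdown does not render them as list items (an asterisk directly followed by text is an emphasis marker); write "* [..]" or "- [..]" to match the bullet style used elsewhere in the file. Also, the rewritten "Contact the Azure Support team..." line drops the old "9." prefix entirely; since the other steps in this procedure use "1." and rely on auto-numbering, give this line a "1. " prefix as well so it stays part of the numbered list instead of becoming a detached paragraph.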