description: Learn about Azure Network Watcher connection troubleshoot capability.
4
+
description: This page provides an overview of Azure Network Watcher connection troubleshoot capability.
5
5
services: network-watcher
6
6
author: halkazwini
7
7
ms.service: network-watcher
8
8
ms.topic: conceptual
9
9
ms.workload: infrastructure-services
10
-
ms.date: 03/01/2023
10
+
ms.date: 11/10/2022
11
11
ms.author: halkazwini
12
-
ms.custom: template-concept, engagement-fy23
13
12
---
14
13
15
-
# Connection troubleshoot overview
14
+
# Introduction to Azure Network Watcher connection troubleshoot in Azure Network Watcher
16
15
17
-
With the increase of sophisticated and high-performance workloads in Azure, there's a critical need for increased visibility and control over the operational state of complex networks running these workloads. Such complex networks are implemented using network security groups, firewalls, user-defined routes, and resources provided by Azure. Complex configurations make troubleshooting connectivity issues challenging.
18
-
19
-
The connection troubleshoot feature of Azure Network Watcher helps reduce the amount of time to diagnose and troubleshoot network connectivity issues. The results returned can provide insights about the root cause of the connectivity problem and whether it's due to a platform or user configuration issue.
20
-
21
-
Connection troubleshoot reduces the Mean Time To Resolution (MTTR) by providing a comprehensive method of performing all connection major checks to detect issues pertaining to network security groups, user-defined routes, and blocked ports. It provides the following results with actionable insights where a step-by-step guide or corresponding documentation is provided for faster resolution:
22
-
23
-
- Connectivity test with different destination types (VM, URI, FQDN, or IP Address)
24
-
- Configuration issues that impact reachability
25
-
- All possible hop by hop paths from the source to destination
26
-
- Hop by hop latency
27
-
- Latency (minimum, maximum, and average between source and destination)
28
-
- Graphical topology view from source to destination
29
-
- Number of probes failed during the connection troubleshoot check
30
-
31
-
## Supported source and destination types
32
-
33
-
Connection troubleshoot provides the capability to check TCP or ICMP connections from any of these Azure resources:
34
-
35
-
- Virtual machines
36
-
- Azure Bastion instances
37
-
- Application gateways (except v1)
16
+
The connection troubleshoot feature of Network Watcher provides the capability to check a direct TCP connection from a virtual machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. Network scenarios are complex, they're implemented using network security groups, firewalls, user-defined routes, and resources provided by Azure. Complex configurations make troubleshooting connectivity issues challenging. Network Watcher helps reduce the amount of time to find and detect connectivity issues. The results returned can provide insights into whether a connectivity issue is due to a platform or a user configuration issue. Connectivity can be checked with [PowerShell](network-watcher-connectivity-powershell.md), [Azure CLI](network-watcher-connectivity-cli.md), and [REST API](network-watcher-connectivity-rest.md).
38
17
39
18
> [!IMPORTANT]
40
-
> Connection troubleshoot requires that the virtual machine you troubleshoot from has the `AzureNetworkWatcherExtension` extension installed. The extension is not required on the destination virtual machine.
41
-
> - To install the extension on a Windows VM, see [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).
42
-
> - To install the extension on a Linux VM, see [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).
43
-
44
-
Connection troubleshoot can test connections to any of these destinations:
45
-
46
-
- Virtual machines
47
-
- Fully qualified domain names (FQDNs)
48
-
- Uniform resource identifiers (URIs)
49
-
- IP addresses
19
+
> Connection troubleshoot requires that the VM you troubleshoot from has the `AzureNetworkWatcherExtension` VM extension installed. For installing the extension on a Windows VM visit [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and for Linux VM visit [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json). The extension is not required on the destination endpoint.
50
20
51
-
## Issues detected by connection troubleshoot
21
+
## Supported source types
52
22
53
-
Connection troubleshoot can detect the following types of issues that can impact connectivity:
23
+
The following sources are supported by Network Watcher:
- Network security group (NSG) rules that are blocking traffic
61
-
- Inability to open a socket at the specified source port
62
-
- Missing address resolution protocol entries for Azure ExpressRoute circuits
63
-
- Servers not listening on designated destination ports
25
+
- Virtual Machines
26
+
- Bastion
27
+
- Application Gateways (except v1)
64
28
65
29
## Response
66
30
67
-
The following table shows the properties returned after running connection troubleshoot.
31
+
The following table shows the properties returned when connection troubleshoot has finished running.
68
32
69
33
|**Property**|**Description**|
70
34
|---------|---------|
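Review bot: The added introduction at new line 16 says the feature checks "a direct TCP connection from a virtual machine", but the added "Supported source types" list at new lines 25-27 also names Bastion and Application Gateways (except v1) as sources, so the page now contradicts itself about what can be a source. Align the intro with the list. The removed text also covered ICMP and listed the issue types the tool detects (NSG rules blocking traffic, a source port that cannot be opened, missing ARP entries for ExpressRoute, servers not listening); none of that has a replacement on the added side, so confirm the loss is intended. Smaller points: the new H1 at line 14 repeats the product name ("Introduction to Azure Network Watcher connection troubleshoot in Azure Network Watcher"), the sentence "Network scenarios are complex, they're implemented using ..." is a comma splice, and `ms.date` moves backwards from 03/01/2023 to 11/10/2022, which should be explained in the commit message if this is a deliberate revert.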
@@ -113,12 +77,11 @@ Connection troubleshoot returns fault types about the connection. The following
113
77
|---------|---------|
114
78
|CPU | High CPU utilization. |
115
79
|Memory | High Memory utilization. |
116
-
|GuestFirewall | Traffic is blocked due to a virtual machine firewall configuration. <br><br> A TCP ping is a unique use case in which, if there's no allowed rule, the firewall itself responds to the client's TCP ping request even though the TCP ping doesn't reach the target IP address/FQDN. This event isn't logged. If there's a network rule that allows access to the target IP address/FQDN, the ping request reaches the target server and its response is relayed back to the client. This event is logged in the Network rules log. |
80
+
|GuestFirewall | Traffic is blocked due to a virtual machine firewall configuration. <br><br> Note that a TCP ping is a unique use case in which, if there's no allowed rule, the firewall itself responds to the client's TCP ping request even though the TCP ping doesn't reach the target IP address/FQDN. This event isn't logged. If there's a network rule that allows access to the target IP address/FQDN, the ping request reaches the target server and its response is relayed back to the client. This event is logged in the Network rules log. |
117
81
|DNSResolution | DNS resolution failed for the destination address. |
118
-
|NetworkSecurityRule | Traffic is blocked by a network security group rule (security rule is returned) |
82
+
|NetworkSecurityRule | Traffic is blocked by an NSG Rule (Rule is returned) |
119
83
|UserDefinedRoute|Traffic is dropped due to a user defined or system route. |
120
84
121
85
### Next steps
122
86
123
-
- To learn how to use connection troubleshoot to test and troubleshoot connections, see [Troubleshoot connections with Azure Network Watcher using the Azure portal](network-watcher-connectivity-portal.md).
124
-
- To learn more about Network Watcher and its other capabilities, see [What is Azure Network Watcher?](network-watcher-monitoring-overview.md).
87
+
Learn how to troubleshoot connections using the [Azure portal](network-watcher-connectivity-portal.md), [PowerShell](network-watcher-connectivity-powershell.md), the [Azure CLI](network-watcher-connectivity-cli.md), or [REST API](network-watcher-connectivity-rest.md).
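Review bot: In the fault-type table, the NetworkSecurityRule row at new line 82 now reads "blocked by an NSG Rule (Rule is returned)", yet the added lines shown in this commit never expand "NSG", and "Rule" no longer says which rule comes back. Keep the removed wording, "blocked by a network security group rule (security rule is returned)". In the GuestFirewall row at new line 80 the only change is the filler "Note that", which can be dropped. That row also carries the one caveat a reader needs when interpreting results: with no allow rule, the firewall answers the TCP ping itself, the probe never reaches the target, and nothing is logged. It would help to give that its own sentence or note stating that a successful TCP probe alone does not confirm the target was reached, rather than leaving it inside a table cell.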
# Troubleshoot connections with Azure Network Watcher using the Azure portal
16
15
17
-
In this article, you learn how to use [Azure Network Watcher connection troubleshoot](network-watcher-connectivity-overview.md) to diagnose and troubleshoot connectivity issues.
Learn how to use connection troubleshoot to verify whether a direct TCP connection from a virtual machine to a given endpoint can be established.
20
23
21
-
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
22
-
- Two virtual machines in your subscription.
24
+
## Before you begin
23
25
24
-
> [!IMPORTANT]
25
-
> Connection troubleshoot requires that the virtual machine you troubleshoot from has the `AzureNetworkWatcherExtension` extension installed. The extension is not required on the destination virtual machine.
26
-
> - To install the extension on a Windows VM, see [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).
27
-
> - To install the extension on a Linux VM, see [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).
28
-
29
-
## Test connectivity between two connected virtual machines
30
-
31
-
In this section, you test connectivity between two connected virtual machines.
32
-
33
-
1. Sign in to the [Azure portal](https://portal.azure.com).
34
-
35
-
1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.
36
-
37
-
1. Under **Network diagnostic tools**, select **Connection troubleshoot**. Enter or select the following information:
38
-
39
-
| Setting | Value |
40
-
| ------- | ------ |
41
-
|**Source**||
42
-
| Subscription | Select your Azure subscription. |
43
-
| Resource group | Select **myResourceGroup**. |
44
-
| Source type | Select **Virtual machine**. |
45
-
| Virtual machine | Select **VM1**. |
46
-
|**Destination**||
47
-
| Destination type | Select **Select a virtual machine**. |
48
-
| Resource group | Select **myResourceGroup**. |
49
-
| Virtual machine | Select **VM2**. |
50
-
|**Probe Settings**||
51
-
| Preferred IP version | Select **IPv4**. |
52
-
| Protocol | Select **TCP**. |
53
-
| Destination port | Enter *80*. |
54
-
|**Connection Diagnostics**||
55
-
| Diagnostics tests | Select **Select all**. |
56
-
57
-
:::image type="content" source="./media/network-watcher-connectivity-portal/test-virtual-machines-connected.png" alt-text="Screenshot of Network Watcher connection troubleshoot in Azure portal to test the connection between two connected virtual machines.":::
58
-
59
-
1. Select **Test connection**.
60
-
61
-
The test results show that the two virtual machines are communicating with no issues:
62
-
63
-
- Network security group rules allow traffic between the two virtual machines.
64
-
- The two virtual machines are directly connected (VM2 is the next hop of VM1).
65
-
- Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
66
-
- 66 probes were successfully sent with average latency of 2 ms.
67
-
68
-
:::image type="content" source="./media/network-watcher-connectivity-portal/virtual-machine-connected-test-result.png" alt-text="Screenshot of connection troubleshoot results after testing the connection between two connected virtual machines.":::
69
-
70
-
## Troubleshoot connectivity issue between two virtual machines
26
+
This article assumes you have the following resources:
71
27
72
-
In this section, you test connectivity between two virtual machines that have connectivity issue.
28
+
* An instance of Network Watcher in the region you want to troubleshoot a connection.
29
+
* Virtual machines to troubleshoot connections with.
73
30
74
-
1. Sign in to the [Azure portal](https://portal.azure.com).
75
-
76
-
1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.
77
-
78
-
1. Under **Network diagnostic tools**, select **Connection troubleshoot**. Enter or select the following information:
79
-
80
-
| Setting | Value |
81
-
| ------- | ------ |
82
-
|**Source**||
83
-
| Subscription | Select your Azure subscription. |
84
-
| Resource group | Select **myResourceGroup**. |
85
-
| Source type | Select **Virtual machine**. |
86
-
| Virtual machine | Select **VM1**. |
87
-
|**Destination**||
88
-
| Destination type | Select **Select a virtual machine**. |
89
-
| Resource group | Select **myResourceGroup**. |
90
-
| Virtual machine | Select **VM3**. |
91
-
|**Probe Settings**||
92
-
| Preferred IP version | Select **IPv4**. |
93
-
| Protocol | Select **TCP**. |
94
-
| Destination port | Enter *80*. |
95
-
|**Connection Diagnostics**||
96
-
| Diagnostics tests | Select **Select all**. |
97
-
98
-
:::image type="content" source="./media/network-watcher-connectivity-portal/test-two-virtual-machines.png" alt-text="Screenshot of Network Watcher connection troubleshoot in Azure portal to test the connection between two virtual machines.":::
99
-
100
-
1. Select **Test connection**.
101
-
102
-
The test results show that the two virtual machines aren't communicating:
103
-
104
-
- The two virtual machines aren't connected (no probes were sent from VM1 to VM3).
105
-
- There's no route between the two virtual machines (Next hop type: None).
106
-
- Azure default system route is the route table used (Route table ID: System route).
107
-
- Network security group rules allow traffic between the two virtual machines.
108
-
109
-
:::image type="content" source="./media/network-watcher-connectivity-portal/virtual-machines-test-result.png" alt-text="Screenshot of connection troubleshoot results after testing the connection between two virtual machines that aren't communicating.":::
110
-
111
-
## Test connectivity with `www.bing.com`
31
+
> [!IMPORTANT]
32
+
> Connection troubleshoot requires that the VM you troubleshoot from has the `AzureNetworkWatcherExtension` VM extension installed. For installing the extension on a Windows VM visit [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and for Linux VM visit [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json). The extension is not required on the destination endpoint.
112
33
113
-
In this section, you test connectivity between a virtual machines and `www.bing.com`.
34
+
## Check connectivity to a virtual machine
114
35
115
-
1. Sign in to the [Azure portal](https://portal.azure.com).
36
+
This example checks connectivity to a destination virtual machine over port 80.
116
37
117
-
1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.
38
+
Navigate to your Network Watcher and click **Connection troubleshoot**. Select the virtual machine to check connectivity from. In the **Destination** section choose **Select a virtual machine** and choose the correct virtual machine and port to test.
118
39
119
-
1. Under **Network diagnostic tools**, select **Connection troubleshoot**. Enter or select the following information:
40
+
Once you click **Check**, connectivity between the virtual machines on the port specified is checked. In the example, the destination VM is unreachable, a listing of hops are shown.
120
41
121
-
| Setting | Value |
122
-
| ------- | ------ |
123
-
|**Source**||
124
-
| Subscription | Select your Azure subscription. |
125
-
| Resource group | Select **myResourceGroup**. |
126
-
| Source type | Select **Virtual machine**. |
127
-
| Virtual machine | Select **VM1**. |
128
-
|**Destination**||
129
-
| Destination type | Select **Specify manually**. |
130
-
| Resource group | Enter *www.bing.com*.|
131
-
|**Probe Settings**||
132
-
| Preferred IP version | Select **IPv4**. |
133
-
| Protocol | Select **TCP**. |
134
-
| Destination port | Enter *443*. |
135
-
|**Connection Diagnostics**||
136
-
| Diagnostics tests | Select **Connectivity**. |
42
+
![Check connectivity results for a virtual machine][1]
137
43
138
-
:::image type="content" source="./media/network-watcher-connectivity-portal/test-bing.png" alt-text="Screenshot of Network Watcher connection troubleshoot in Azure portal to test the connection between a virtual machines and Microsoft Bing search engine.":::
44
+
## Check remote endpoint connectivity
139
45
140
-
1. Select **Test connection**.
46
+
To check the connectivity and latency to a remote endpoint, choose the **Specify manually** radio button in the **Destination** section, input the url and the port and click **Check**. This is used for remote endpoints like websites and storage endpoints.
141
47
142
-
The test results show that `www.bing.com` is reachable from **VM1** virtual machine:
48
+
![Check connectivity results for a web site][2]
143
49
144
-
- Connectivity test is successful with 66 probes sent with an average latency of 3 ms.
50
+
## Next steps
145
51
146
-
:::image type="content" source="./media/network-watcher-connectivity-portal/bing-test-result.png" alt-text="Screenshot of connection troubleshoot results after testing the connection with Microsoft Bing search engine.":::
52
+
Learn how to automate packet captures with Virtual machine alerts by viewing [Create an alert triggered packet capture](network-watcher-alert-triggered-packet-capture.md)
147
53
148
-
## Next steps
54
+
Find if certain traffic is allowed in or out of your VM by visiting [Check IP flow verify](diagnose-vm-network-traffic-filtering-problem.md)
149
55
150
-
Learn how to [automate virtual machines packet captures](network-watcher-alert-triggered-packet-capture.md)
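Review bot: The added image lines at new lines 42 and 48 use reference-style links (`![Check connectivity results for a virtual machine][1]` and `![Check connectivity results for a web site][2]`), but no `[1]:` or `[2]:` definitions appear among the lines shown here, so both images will render as broken text unless the definitions exist elsewhere in the file. Please confirm they do, or restore them with this change. The added side also drops the prerequisites, the full settings tables and the worked failure case (no probes sent, "Next hop type: None"), leaving only a prose summary in which the button is called **Check** while the removed steps called it **Test connection**; verify which label matches the current portal. Wording at new line 40 needs a fix ("the destination VM is unreachable, a listing of hops are shown" is a comma splice with a number disagreement), "url" at new line 46 should be "URL", and the two "Next steps" sentences at new lines 52 and 54 are missing their final periods.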