You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: includes/app-service-web-vnet-troubleshooting.md
+17-17Lines changed: 17 additions & 17 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,7 +9,7 @@ ms.author: ccompy
9
9
While the feature is easy to set up, that doesn't mean that your experience will be problem free. Should you encounter problems accessing your desired endpoint there are some utilities you can use to test connectivity from the app console. There are two consoles that you can use. One is the Kudu console and the other is the console in the Azure portal. To reach the Kudu console from your app, go to Tools -> Kudu. You can also reach the Kudo console at [sitename].scm.azurewebsites.net. Once the website loads, go to the Debug console tab. To get to the Azure portal hosted console then from your app go to Tools -> Console.
10
10
11
11
#### Tools
12
-
The tools **ping**, **nslookup**, and **tracert** won’t work through the console due to security constraints. To fill the void, two separate tools added. In order to test DNS functionality, we added a tool named nameresolver.exe. The syntax is:
12
+
The tools **ping**, **nslookup**, and **tracert** won't work through the console due to security constraints. To fill the void, two separate tools added. In order to test DNS functionality, we added a tool named nameresolver.exe. The syntax is:
13
13
14
14
nameresolver.exe hostname [optional: DNS Server]
15
15
@@ -30,44 +30,44 @@ There are a number of things that can prevent your app from reaching a specific
30
30
If those items don't answer your problems, look first for things like:
31
31
32
32
**regional VNet Integration**
33
-
* is your destination a non-RFC1918 address and you do not have WEBSITE_VNET_ROUTE_ALL set to 1
34
-
* is there an NSG blocking egress from your integration subnet
33
+
* is your destination a non-RFC1918 address and you do not have WEBSITE_VNET_ROUTE_ALL set to 1?
34
+
* is there an NSG blocking egress from your integration subnet?
35
35
* if going across ExpressRoute or a VPN, is your on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your VNet but not on-premises, check your routes.
36
36
* do you have enough permissions to set delegation on the integration subnet? During regional VNet Integration configuration, your integration subnet will be delegated to Microsoft.Web. The VNet Integration UI will delegate the subnet to Microsoft.Web automatically. If your account does not have sufficient networking permissions to set delegation, you will need someone who can set attributes on your integration subnet to delegate the subnet. To manually delegate the integration subnet, go to the Azure Virtual Network subnet UI and set delegation for Microsoft.Web.
37
37
38
38
**gateway required VNet Integration**
39
39
* is the point-to-site address range in the RFC 1918 ranges (10.0.0.0-10.255.255.255 / 172.16.0.0-172.31.255.255 / 192.168.0.0-192.168.255.255)?
40
40
* Does the Gateway show as being up in the portal? If your gateway is down, then bring it back up.
41
41
* Do certificates show as being in sync or do you suspect that the network configuration was changed? If your certificates are out of sync or you suspect that there has been a change made to your VNet configuration that wasn't synced with your ASPs, then hit "Sync Network".
42
-
*if going across a VPN, is the on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your VNet but not on-premises, check your routes.
43
-
*are you trying to use a coexistence gateway that supports both point to site and ExpressRoute? Coexistence gateways are not supported with VNet Integration
42
+
*If going across a VPN, is the on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your VNet but not on-premises, check your routes.
43
+
*Are you trying to use a coexistence gateway that supports both point to site and ExpressRoute? Coexistence gateways are not supported with VNet Integration.
44
44
45
45
Debugging networking issues is a challenge because there you cannot see what is blocking access to a specific host:port combination. Some of the causes include:
46
46
47
-
*you have a firewall up on your host preventing access to the application port from your point to site IP range. Crossing subnets often requires Public access.
48
-
*your target host is down
49
-
*your application is down
50
-
*you had the wrong IP or hostname
51
-
*your application is listening on a different port than what you expected. You can match your process ID with the listening port by using "netstat -aon" on the endpoint host.
52
-
*your network security groups are configured in such a manner that they prevent access to your application host and port from your point to site IP range
47
+
*You have a firewall up on your host preventing access to the application port from your point to site IP range. Crossing subnets often requires Public access.
48
+
*Your target host is down.
49
+
*Your application is down.
50
+
*You had the wrong IP or hostname.
51
+
*Your application is listening on a different port than what you expected. You can match your process ID with the listening port by using "netstat -aon" on the endpoint host.
52
+
*Your network security groups are configured in such a manner that they prevent access to your application host and port from your point to site IP range.
53
53
54
54
Remember that you don't know what address your app will actually use. It could be any address in the integration subnet or point-to-site address range, so you need to allow access from the entire address range.
55
55
56
56
Additional debug steps include:
57
57
58
-
*connect to a VM in your VNet and attempt to reach your resource host:port from there. To test for TCP access, use the PowerShell command **test-netconnection**. The syntax is:
58
+
*Connect to a VM in your VNet and attempt to reach your resource host:port from there. To test for TCP access, use the PowerShell command **test-netconnection**. The syntax is:
59
59
60
60
test-netconnection hostname [optional: -Port]
61
61
62
-
*bring up an application on a VM and test access to that host and port from the console from your app using **tcpping**
62
+
*Bring up an application on a VM and test access to that host and port from the console from your app using **tcpping**
63
63
64
64
#### On-premises resources ####
65
65
66
66
If your app cannot reach a resource on-premises, then check if you can reach the resource from your VNet. Use the **test-netconnection** PowerShell command to check for TCP access. If your VM can't reach your on-premises resource, your VPN or ExpressRoute connection may not be configured properly.
67
67
68
68
If your VNet hosted VM can reach your on-premises system but your app can't, then the cause is likely one of the following reasons:
69
69
70
-
*your routes are not configured with your subnet or point to site address ranges in your on-premises gateway
71
-
*your network security groups are blocking access for your Point-to-Site IP range
72
-
*your on-premises firewalls are blocking traffic from your Point-to-Site IP range
73
-
*you are trying to reach a non-RFC 1918 address using the regional VNet Integration feature
70
+
*Your routes are not configured with your subnet or point to site address ranges in your on-premises gateway.
71
+
*Your network security groups are blocking access for your Point-to-Site IP range.
72
+
*Your on-premises firewalls are blocking traffic from your Point-to-Site IP range.
73
+
*You are trying to reach a non-RFC 1918 address using the regional VNet Integration feature.
0 commit comments