Troubleshoot outbound connections - Azure portal - Azure Network Watcher (2024)

Table of Contents
In this article Prerequisites Test connectivity to a virtual machine Test connectivity to a web address Test connectivity to an IP address Next step
  • Article

In this article, you learn how to use the connection troubleshoot feature of Azure Network Watcher to diagnose and troubleshoot connectivity issues. For more information about connection troubleshoot, see Connection troubleshoot overview.

Prerequisites

  • An Azure account with an active subscription. Create an account for free.

  • Network Watcher enabled in the region of the virtual machine (VM) you want to troubleshoot. By default, Azure enables Network Watcher in a region when you create a virtual network in it. For more information, see Enable or disable Azure Network Watcher.

  • A virtual machine with Network Watcher agent VM extension installed on it and has the following outbound TCP connectivity:

    • to 169.254.169.254 over port 80
    • to 168.63.129.16 over port 8037

  • A second virtual machine with inbound TCP connectivity from 168.63.129.16 over the port being tested (for Port scanner diagnostic test).

Note

When you use connection troubleshoot, Azure portal automatically installs the Network Watcher agent VM extension on the source virtual machine if it's not already installed.

  • To install the extension on a Windows virtual machine, see Network Watcher agent VM extension for Windows.
  • To install the extension on a Linux virtual machine, see Network Watcher agent VM extension for Linux.
  • To update an already installed extension, see Update Network Watcher agent VM extension to the latest version.

Test connectivity to a virtual machine

In this section, you test the remote desktop port (RDP) connectivity from one virtual machine to another virtual machine in the same virtual network.

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

    See Also
    Azure Monitor vs Azure Advisor: Key Differences & SimilaritiesConfigure apps - Azure App ServiceAdd Azure Monitor | Online Help Site24x7How to Create a Custom Azure IAM Role | Skeddly Help Center

  3. Under Network diagnostic tools, select Connection troubleshoot. Enter or select the following values:

    SettingValue
    Source
    Source typeSelect Virtual machine.
    Virtual machineSelect the virtual machine that you want to troubleshoot the connection from.
    Destination
    Destination typeSelect Select a virtual machine.
    Virtual machineSelect the destination virtual machine.
    Probe Settings
    Preferred IP versionSelect IPv4. The other available options are: Both and IPv6.
    ProtocolSelect TCP. The other available option is: ICMP.
    Destination portEnter 3389. Port 3389 is the default port for RDP.
    Source portLeave blank or enter a source port number that you want to test.
    Connection Diagnostic
    Diagnostics testsSelect Connectivity, NSG diagnostic, Next hop, and Port scanner.

  4. Select Run diagnostic tests.

    • If the two virtual machines are communicating with no issues, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (3)

      • 66 probes were successfully sent to the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Inbound connectivity to the destination virtual machine is allowed. Select See details to see the security rules that are allowing the inbound communication to the destination virtual machine.
      • Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
      • Port 3389 is reachable on the destination virtual machine.

    • If the destination virtual machine has a network security group that's denying incoming RDP connections, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (4)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Inbound connectivity to the destination virtual machine is denied. Select See details to see the security rule that is denying the inbound communication to the destination virtual machine.
      • Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
      • Port 3389 is unreachable on the destination virtual machine because of the security rule that is denying inbound communication to the destination port.

      Solution: Update the network security group on the destination virtual machine to allow inbound RDP traffic.

    • If the source virtual machine has a network security group that's denying RDP connections to the destination, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (5)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is denied. Select See details to see security rule that is denying the outbound communication from the source virtual machine.
      • Inbound connectivity to the destination virtual machine is allowed. Select See details to see the security rules that are allowing the inbound communication to the destination virtual machine.
      • Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
      • Port 3389 is reachable on the destination virtual machine.

      Solution: Update the network security group on the source virtual machine to allow outbound RDP traffic.

    • If the operating system on the destination virtual machine doesn't accept incoming connections on port 3389, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (6)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Inbound connectivity to the destination virtual machine is allowed. Select See details to see the security rules that are allowing the inbound communication to the destination virtual machine.
      • Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
      • Port 3389 isn't reachable on the destination virtual machine (port 3389 on the operating system isn't accepting incoming RDP connections).

      Solution: Configure the operating system on the destination virtual machine to accept inbound RDP traffic.

      See Also
      Enable VM insights by using Azure Policy - Azure Monitor

  5. Select Export to CSV to download the test results in csv format.

Test connectivity to a web address

In this section, you test the connectivity between a virtual machine and a web address.

  1. On the Connection troubleshoot page. Enter or select the following information:

    SettingValue
    Source
    Source typeSelect Virtual machine.
    Virtual machineSelect the virtual machine that you want to troubleshoot the connection from.
    Destination
    Destination typeSelect Specify manually.
    URI, FQDN, or IP addressEnter the web address that you want to test the connectivity to. In this example, www.bing.com is used.
    Probe Settings
    Preferred IP versionSelect Both. The other available options are: IPv4 and IPv6.
    ProtocolSelect TCP. The other available option is: ICMP.
    Destination portEnter 443. Port 443 for HTTPS.
    Source portLeave blank or enter a source port number that you want to test.
    Connection Diagnostic
    Diagnostics testsSelect Connectivity.

  2. Select Run diagnostic tests.

    • If www.bing.com is reachable from the source virtual machine, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (8)

      66 probes were successfully sent to www.bing.com. Select See details to see the next hop details.

    • If www.bing.com is unreachable from the source virtual machine due to a security rule, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (9)

      30 probes were sent and failed to reach www.bing.com. Select See details to see the next hop details and the cause of the error.

      Solution: Update the network security group on the source virtual machine to allow outbound traffic to www.bing.com.

  3. Select Export to CSV to download the test results in csv format.

Test connectivity to an IP address

In this section, you test the connectivity between a virtual machine and an IP address of another virtual machine.

  1. On the Connection troubleshoot page. Enter or select the following information:

    SettingValue
    Source
    Source typeSelect Virtual machine.
    Virtual machineSelect the virtual machine that you want to troubleshoot the connection from.
    Destination
    Destination typeSelect Specify manually.
    URI, FQDN, or IP addressEnter the IP address that you want to test the connectivity to. In this example, 10.10.10.10 is used.
    Probe Settings
    Preferred IP versionSelect IPv4. The other available options are: Both and IPv6.
    ProtocolSelect TCP. The other available option is: ICMP.
    Destination portEnter 3389.
    Source portLeave blank or enter a source port number that you want to test.
    Connection Diagnostic
    Diagnostics testsSelect Connectivity, NSG diagnostic, and Next hop.

  2. Select Run diagnostic tests.

    • If the IP address is reachable, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (11)

      • 66 probes were successfully sent with average latency of 4 ms. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Azure default system route is used to route traffic to the IP address, which is in the same virtual network or a peered virtual network. (Route table ID: System route and Next hop type: Virtual Network).

    • If the IP address is unreachable because the destination virtual machine isn't running, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (12)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Azure default system route is used to route traffic to the IP address, which is in the same virtual network or a peered virtual network. (Route table ID: System route and Next hop type: Virtual Network).

      Solution: Start the destination virtual machine.

    • If there's no route to the IP address in the routing table of the source virtual machine (for example, the IP address isn't in the address space of the VM's virtual network or its peered virtual networks), you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (13)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is denied. Select See details to see security rule that is denying the outbound communication from the source virtual machine.
      • Next hop type is None because there isn't a route to the IP address.

      Solution: Associate a route table with a correct route to the subnet of the source virtual machine.

  3. Select Export to CSV to download the test results in csv format.

Next step

Manage packet captures

Troubleshoot outbound connections - Azure portal - Azure Network Watcher (2024)
Top Articles
Food and drink in Sweden | Where to eat in Sweden
Money in Sweden | Frommer's
Katie Pavlich Bikini Photos
Gamevault Agent
Hocus Pocus Showtimes Near Harkins Theatres Yuma Palms 14
Free Atm For Emerald Card Near Me
Craigslist Mexico Cancun
Hendersonville (Tennessee) – Travel guide at Wikivoyage
Doby's Funeral Home Obituaries
Vardis Olive Garden (Georgioupolis, Kreta) ✈️ inkl. Flug buchen
Select Truck Greensboro
How To Cut Eelgrass Grounded
Craigslist In Flagstaff
Shasta County Most Wanted 2022
Energy Healing Conference Utah
Testberichte zu E-Bikes & Fahrrädern von PROPHETE.
Aaa Saugus Ma Appointment
Geometry Review Quiz 5 Answer Key
Walgreens Alma School And Dynamite
Bible Gateway passage: Revelation 3 - New Living Translation
Home
Shadbase Get Out Of Jail
Gina Wilson Angle Addition Postulate
Celina Powell Lil Meech Video: A Controversial Encounter Shakes Social Media - Video Reddit Trend
Walmart Pharmacy Near Me Open
Dmv In Anoka
A Christmas Horse - Alison Senxation
Ou Football Brainiacs
Access a Shared Resource | Computing for Arts + Sciences
Umn Biology
Obituaries, 2001 | El Paso County, TXGenWeb
Cvs Sport Physicals
Mercedes W204 Belt Diagram
Rogold Extension
'Conan Exiles' 3.0 Guide: How To Unlock Spells And Sorcery
Colin Donnell Lpsg
Teenbeautyfitness
Weekly Math Review Q4 3
Facebook Marketplace Marrero La
Nobodyhome.tv Reddit
Topos De Bolos Engraçados
Gregory (Five Nights at Freddy's)
Grand Valley State University Library Hours
Holzer Athena Portal
Hampton In And Suites Near Me
Stoughton Commuter Rail Schedule
Bedbathandbeyond Flemington Nj
Free Carnival-themed Google Slides & PowerPoint templates
Otter Bustr
Used Curio Cabinets For Sale Near Me
San Pedro Sula To Miami Google Flights
Selly Medaline
Latest Posts
Here's How Long You'll Want to Study for the CCNA
Money and payment
Article information

Author: Kelle Weber

Last Updated:

Views: 6248

Rating: 4.2 / 5 (53 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Kelle Weber

Birthday: 2000-08-05

Address: 6796 Juan Square, Markfort, MN 58988

Phone: +8215934114615

Job: Hospitality Director

Hobby: tabletop games, Foreign language learning, Leather crafting, Horseback riding, Swimming, Knapping, Handball

Introduction: My name is Kelle Weber, I am a magnificent, enchanting, fair, joyous, light, determined, joyous person who loves writing and wants to share my knowledge and understanding with you.