Troubleshoot outbound connections - Azure portal - Azure Network Watcher (2024)

  • Article

In this article, you learn how to use the connection troubleshoot feature of Azure Network Watcher to diagnose and troubleshoot connectivity issues. For more information about connection troubleshoot, see Connection troubleshoot overview.

Prerequisites

  • An Azure account with an active subscription. Create an account for free.

  • Network Watcher enabled in the region of the virtual machine (VM) you want to troubleshoot. By default, Azure enables Network Watcher in a region when you create a virtual network in it. For more information, see Enable or disable Azure Network Watcher.

  • A virtual machine with Network Watcher agent VM extension installed on it and has the following outbound TCP connectivity:

    • to 169.254.169.254 over port 80
    • to 168.63.129.16 over port 8037
  • A second virtual machine with inbound TCP connectivity from 168.63.129.16 over the port being tested (for Port scanner diagnostic test).

Note

When you use connection troubleshoot, Azure portal automatically installs the Network Watcher agent VM extension on the source virtual machine if it's not already installed.

  • To install the extension on a Windows virtual machine, see Network Watcher agent VM extension for Windows.
  • To install the extension on a Linux virtual machine, see Network Watcher agent VM extension for Linux.
  • To update an already installed extension, see Update Network Watcher agent VM extension to the latest version.

Test connectivity to a virtual machine

In this section, you test the remote desktop port (RDP) connectivity from one virtual machine to another virtual machine in the same virtual network.

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  3. Under Network diagnostic tools, select Connection troubleshoot. Enter or select the following values:

    SettingValue
    Source
    Source typeSelect Virtual machine.
    Virtual machineSelect the virtual machine that you want to troubleshoot the connection from.
    Destination
    Destination typeSelect Select a virtual machine.
    Virtual machineSelect the destination virtual machine.
    Probe Settings
    Preferred IP versionSelect IPv4. The other available options are: Both and IPv6.
    ProtocolSelect TCP. The other available option is: ICMP.
    Destination portEnter 3389. Port 3389 is the default port for RDP.
    Source portLeave blank or enter a source port number that you want to test.
    Connection Diagnostic
    Diagnostics testsSelect Connectivity, NSG diagnostic, Next hop, and Port scanner.

  4. Select Run diagnostic tests.

    • If the two virtual machines are communicating with no issues, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (3)

      • 66 probes were successfully sent to the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Inbound connectivity to the destination virtual machine is allowed. Select See details to see the security rules that are allowing the inbound communication to the destination virtual machine.
      • Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
      • Port 3389 is reachable on the destination virtual machine.
    • If the destination virtual machine has a network security group that's denying incoming RDP connections, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (4)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Inbound connectivity to the destination virtual machine is denied. Select See details to see the security rule that is denying the inbound communication to the destination virtual machine.
      • Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
      • Port 3389 is unreachable on the destination virtual machine because of the security rule that is denying inbound communication to the destination port.

      Solution: Update the network security group on the destination virtual machine to allow inbound RDP traffic.

    • If the source virtual machine has a network security group that's denying RDP connections to the destination, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (5)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is denied. Select See details to see security rule that is denying the outbound communication from the source virtual machine.
      • Inbound connectivity to the destination virtual machine is allowed. Select See details to see the security rules that are allowing the inbound communication to the destination virtual machine.
      • Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
      • Port 3389 is reachable on the destination virtual machine.

      Solution: Update the network security group on the source virtual machine to allow outbound RDP traffic.

    • If the operating system on the destination virtual machine doesn't accept incoming connections on port 3389, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (6)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Inbound connectivity to the destination virtual machine is allowed. Select See details to see the security rules that are allowing the inbound communication to the destination virtual machine.
      • Azure default system route is used to route traffic between the two virtual machines (Route table ID: System route).
      • Port 3389 isn't reachable on the destination virtual machine (port 3389 on the operating system isn't accepting incoming RDP connections).

      Solution: Configure the operating system on the destination virtual machine to accept inbound RDP traffic.

  5. Select Export to CSV to download the test results in csv format.

Test connectivity to a web address

In this section, you test the connectivity between a virtual machine and a web address.

  1. On the Connection troubleshoot page. Enter or select the following information:

    SettingValue
    Source
    Source typeSelect Virtual machine.
    Virtual machineSelect the virtual machine that you want to troubleshoot the connection from.
    Destination
    Destination typeSelect Specify manually.
    URI, FQDN, or IP addressEnter the web address that you want to test the connectivity to. In this example, www.bing.com is used.
    Probe Settings
    Preferred IP versionSelect Both. The other available options are: IPv4 and IPv6.
    ProtocolSelect TCP. The other available option is: ICMP.
    Destination portEnter 443. Port 443 for HTTPS.
    Source portLeave blank or enter a source port number that you want to test.
    Connection Diagnostic
    Diagnostics testsSelect Connectivity.

  2. Select Run diagnostic tests.

    • If www.bing.com is reachable from the source virtual machine, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (8)

      66 probes were successfully sent to www.bing.com. Select See details to see the next hop details.

    • If www.bing.com is unreachable from the source virtual machine due to a security rule, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (9)

      30 probes were sent and failed to reach www.bing.com. Select See details to see the next hop details and the cause of the error.

      Solution: Update the network security group on the source virtual machine to allow outbound traffic to www.bing.com.

  3. Select Export to CSV to download the test results in csv format.

Test connectivity to an IP address

In this section, you test the connectivity between a virtual machine and an IP address of another virtual machine.

  1. On the Connection troubleshoot page. Enter or select the following information:

    SettingValue
    Source
    Source typeSelect Virtual machine.
    Virtual machineSelect the virtual machine that you want to troubleshoot the connection from.
    Destination
    Destination typeSelect Specify manually.
    URI, FQDN, or IP addressEnter the IP address that you want to test the connectivity to. In this example, 10.10.10.10 is used.
    Probe Settings
    Preferred IP versionSelect IPv4. The other available options are: Both and IPv6.
    ProtocolSelect TCP. The other available option is: ICMP.
    Destination portEnter 3389.
    Source portLeave blank or enter a source port number that you want to test.
    Connection Diagnostic
    Diagnostics testsSelect Connectivity, NSG diagnostic, and Next hop.

  2. Select Run diagnostic tests.

    • If the IP address is reachable, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (11)

      • 66 probes were successfully sent with average latency of 4 ms. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Azure default system route is used to route traffic to the IP address, which is in the same virtual network or a peered virtual network. (Route table ID: System route and Next hop type: Virtual Network).
    • If the IP address is unreachable because the destination virtual machine isn't running, you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (12)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is allowed. Select See details to see the security rules that are allowing the outbound communication from the source virtual machine.
      • Azure default system route is used to route traffic to the IP address, which is in the same virtual network or a peered virtual network. (Route table ID: System route and Next hop type: Virtual Network).

      Solution: Start the destination virtual machine.

    • If there's no route to the IP address in the routing table of the source virtual machine (for example, the IP address isn't in the address space of the VM's virtual network or its peered virtual networks), you see the following results:

      Troubleshoot outbound connections - Azure portal - Azure Network Watcher (13)

      • 30 probes were sent and failed to reach the destination virtual machine. Select See details to see the next hop details.
      • Outbound connectivity from the source virtual machine is denied. Select See details to see security rule that is denying the outbound communication from the source virtual machine.
      • Next hop type is None because there isn't a route to the IP address.

      Solution: Associate a route table with a correct route to the subnet of the source virtual machine.

  3. Select Export to CSV to download the test results in csv format.

Next step

Manage packet captures

Troubleshoot outbound connections - Azure portal - Azure Network Watcher (2024)
Top Articles
The Rule of 33%: Designing Your Life and Business for Success
Complete Guide to Document Verification | Inscribe
Fernald Gun And Knife Show
Tlc Africa Deaths 2021
Overton Funeral Home Waterloo Iowa
Palm Coast Permits Online
Summit County Juvenile Court
Corpse Bride Soap2Day
MADRID BALANZA, MªJ., y VIZCAÍNO SÁNCHEZ, J., 2008, "Collares de época bizantina procedentes de la necrópolis oriental de Carthago Spartaria", Verdolay, nº10, p.173-196.
Transformers Movie Wiki
อพาร์ทเมนต์ 2 ห้องนอนในเกาะโคเปนเฮเกน
Marion County Wv Tax Maps
9044906381
Google Flights Missoula
Elemental Showtimes Near Cinemark Flint West 14
Joann Ally Employee Portal
/Www.usps.com/International/Passports.htm
Ruse For Crashing Family Reunions Crossword
How your diet could help combat climate change in 2019 | CNN
Robeson County Mugshots 2022
Myhr North Memorial
Encore Atlanta Cheer Competition
Chase Bank Pensacola Fl
Rs3 Ushabti
Criterion Dryer Review
Carroway Funeral Home Obituaries Lufkin
Craigslist Brandon Vt
The Clapping Song Lyrics by Belle Stars
897 W Valley Blvd
Dl.high Stakes Sweeps Download
Noaa Marine Forecast Florida By Zone
The Legacy 3: The Tree of Might – Walkthrough
Skip The Games Ventura
Edict Of Force Poe
How to play Yahoo Fantasy Football | Yahoo Help - SLN24152
Mixer grinder buying guide: Everything you need to know before choosing between a traditional and bullet mixer grinder
Rs3 Bis Perks
Search All of Craigslist: A Comprehensive Guide - First Republic Craigslist
Atlanta Musicians Craigslist
Kerry Cassidy Portal
Saybyebugs At Walmart
Htb Forums
Aurora Il Back Pages
Gym Assistant Manager Salary
Mbfs Com Login
How Big Is 776 000 Acres On A Map
Wpne Tv Schedule
sin city jili
Zom 100 Mbti
Secondary Math 2 Module 3 Answers
Land of Samurai: One Piece’s Wano Kuni Arc Explained
Latest Posts
Article information

Author: Kelle Weber

Last Updated:

Views: 6248

Rating: 4.2 / 5 (53 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Kelle Weber

Birthday: 2000-08-05

Address: 6796 Juan Square, Markfort, MN 58988

Phone: +8215934114615

Job: Hospitality Director

Hobby: tabletop games, Foreign language learning, Leather crafting, Horseback riding, Swimming, Knapping, Handball

Introduction: My name is Kelle Weber, I am a magnificent, enchanting, fair, joyous, light, determined, joyous person who loves writing and wants to share my knowledge and understanding with you.