| title | description | services | documentationcenter | author | manager | editor | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Check connectivity with Azure Network Watcher - PowerShell | Microsoft Docs |
This page explains how to test connectivity with Network Watcher using PowerShell |
network-watcher |
na |
jimdial |
timlt |
network-watcher |
na |
article |
na |
infrastructure-services |
07/11/2017 |
jdial |
[!div class="op_single_selector"]
Learn how to use connectivity to verify if a direct TCP connection from a virtual machine to a given endpoint can be established.
This article assumes you have the following resources:
-
An instance of Network Watcher in the region you want to check connectivity.
-
Virtual machines to check connectivity with.
[!INCLUDE network-watcher-preview]
Important
Connectivity check requires a virtual machine extension AzureNetworkWatcherExtension. For installing the extension on a Windows VM visit Azure Network Watcher Agent virtual machine extension for Windows and for Linux VM visit Azure Network Watcher Agent virtual machine extension for Linux.
Connectivity is currently in public preview, to use this feature it needs to be registered. To do this, run the following PowerShell sample:
Register-AzureRmProviderFeature -FeatureName AllowNetworkWatcherConnectivityCheck -ProviderNamespace Microsoft.Network
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.NetworkTo verify the registration was successful, run the following Powershell sample:
Get-AzureRmProviderFeature -FeatureName AllowNetworkWatcherConnectivityCheck -ProviderNamespace Microsoft.NetworkIf the feature was properly registered, the output should match the following:
FeatureName ProviderName RegistrationState
----------- ------------ -----------------
AllowNetworkWatcherConnectivityCheck Microsoft.Network Registered
This example checks connectivity to a destination virtual machine over port 80. This example requires that you have Network Watcher enabled in the region containing the source VM.
$rgName = "ContosoRG"
$sourceVMName = "MultiTierApp0"
$destVMName = "Database0"
$RG = Get-AzureRMResourceGroup -Name $rgName
$VM1 = Get-AzureRMVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $sourceVMName
$VM2 = Get-AzureRMVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $destVMName
$nw = Get-AzurermResource | Where {$_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq $VM1.Location}
$networkWatcher = Get-AzureRmNetworkWatcher -Name $nw.Name -ResourceGroupName $nw.ResourceGroupName
Test-AzureRmNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM1.Id -DestinationId $VM2.Id -DestinationPort 80The following response is from the previous example. In this response, the ConnectionStatus is Unreachable. You can see that all the probes sent failed. The connectivity failed at the virtual appliance due to a user-configured NetworkSecurityRule named UserRule_Port80, configured to block incoming traffic on port 80. This information can be used to research connection issues.
ConnectionStatus : Unreachable
AvgLatencyInMs :
MinLatencyInMs :
MaxLatencyInMs :
ProbesSent : 100
ProbesFailed : 100
Hops : [
{
"Type": "Source",
"Id": "c5222ea0-3213-4f85-a642-cee63217c2f3",
"Address": "10.1.1.4",
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGrou
ps/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurat
ions/ipconfig1",
"NextHopIds": [
"9283a9f0-cc5e-4239-8f5e-ae0f3c19fbaa"
],
"Issues": []
},
{
"Type": "VirtualAppliance",
"Id": "9283a9f0-cc5e-4239-8f5e-ae0f3c19fbaa",
"Address": "10.1.2.4",
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGrou
ps/ContosoRG/providers/Microsoft.Network/networkInterfaces/fwNic/ipConfiguratio
ns/ipconfig1",
"NextHopIds": [
"0f1500cd-c512-4d43-b431-7267e4e67017"
],
"Issues": []
},
{
"Type": "VirtualAppliance",
"Id": "0f1500cd-c512-4d43-b431-7267e4e67017",
"Address": "10.1.3.4",
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGrou
ps/ContosoRG/providers/Microsoft.Network/networkInterfaces/auNic/ipConfiguratio
ns/ipconfig1",
"NextHopIds": [
"a88940f8-5fbe-40da-8d99-1dee89240f64"
],
"Issues": [
{
"Origin": "Outbound",
"Severity": "Error",
"Type": "NetworkSecurityRule",
"Context": [
{
"key": "RuleName",
"value": "UserRule_Port80"
}
]
}
]
},
{
"Type": "VnetLocal",
"Id": "a88940f8-5fbe-40da-8d99-1dee89240f64",
"Address": "10.1.4.4",
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGrou
ps/ContosoRG/providers/Microsoft.Network/networkInterfaces/dbNic0/ipConfigurati
ons/ipconfig1",
"NextHopIds": [],
"Issues": []
}
]
The example checks connectivity between a virtual machine and a remote endpoint. This example requires that you have Network Watcher enabled in the region containing the source VM.
$rgName = "ContosoRG"
$sourceVMName = "MultiTierApp0"
$RG = Get-AzureRMResourceGroup -Name $rgName
$VM1 = Get-AzureRMVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $sourceVMName
$nw = Get-AzurermResource | Where {$_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq $VM1.Location }
$networkWatcher = Get-AzureRmNetworkWatcher -Name $nw.Name -ResourceGroupName $nw.ResourceGroupName
Test-AzureRmNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM1.Id -DestinationAddress 13.107.21.200 -DestinationPort 80In the following example, the ConnectionStatus is shown as Unreachable. In the Hops details, you can see under Issues that the traffic was blocked due to a UserDefinedRoute.
ConnectionStatus : Unreachable
AvgLatencyInMs :
MinLatencyInMs :
MaxLatencyInMs :
ProbesSent : 100
ProbesFailed : 100
Hops : [
{
"Type": "Source",
"Id": "b4f7bceb-07a3-44ca-8bae-adec6628225f",
"Address": "10.1.1.4",
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
"NextHopIds": [
"3fee8adf-692f-4523-b742-f6fdf6da6584"
],
"Issues": [
{
"Origin": "Outbound",
"Severity": "Error",
"Type": "UserDefinedRoute",
"Context": [
{
"key": "RouteType",
"value": "User"
}
]
}
]
},
{
"Type": "Destination",
"Id": "3fee8adf-692f-4523-b742-f6fdf6da6584",
"Address": "13.107.21.200",
"ResourceId": "Unknown",
"NextHopIds": [],
"Issues": []
}
]
The following example checks the connectivity to a website. This example requires that you have Network Watcher enabled in the region containing the source VM.
$rgName = "ContosoRG"
$sourceVMName = "MultiTierApp0"
$RG = Get-AzureRMResourceGroup -Name $rgName
$VM1 = Get-AzureRMVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $sourceVMName
$nw = Get-AzurermResource | Where {$_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq $VM1.Location }
$networkWatcher = Get-AzureRmNetworkWatcher -Name $nw.Name -ResourceGroupName $nw.ResourceGroupName
Test-AzureRmNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM1.Id -DestinationAddress http://bing.com/In the following response, you can see the ConnectionStatus shows as Reachable. When a connection is successful, latency values are provided.
ConnectionStatus : Reachable
AvgLatencyInMs : 1
MinLatencyInMs : 0
MaxLatencyInMs : 7
ProbesSent : 100
ProbesFailed : 0
Hops : [
{
"Type": "Source",
"Id": "1f0e3415-27b0-4bf7-a59d-3e19fb854e3e",
"Address": "10.1.1.4",
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
"NextHopIds": [
"f99f2bd1-42e8-4bbf-85b6-5d21d00c84e0"
],
"Issues": []
},
{
"Type": "Internet",
"Id": "f99f2bd1-42e8-4bbf-85b6-5d21d00c84e0",
"Address": "204.79.197.200",
"ResourceId": "Internet",
"NextHopIds": [],
"Issues": []
}
]
The following example tests the connectivity from a virtual machine to a blog storage account. This example requires that you have Network Watcher enabled in the region containing the source VM.
$rgName = "ContosoRG"
$sourceVMName = "MultiTierApp0"
$RG = Get-AzureRMResourceGroup -Name $rgName
$VM1 = Get-AzureRMVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $sourceVMName
$nw = Get-AzurermResource | Where {$_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq $VM1.Location }
$networkWatcher = Get-AzureRmNetworkWatcher -Name $nw.Name -ResourceGroupName $nw.ResourceGroupName
Test-AzureRmNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM1.Id -DestinationAddress https://contosostorageexample.blob.core.windows.net/ The following json is the example response from running the previous cmdlet. As the destination is reachable, the ConnectionStatus property shows as Reachable. You are provided the details regarding the number of hops required to reach the storage blob and latency.
ConnectionStatus : Reachable
AvgLatencyInMs : 1
MinLatencyInMs : 0
MaxLatencyInMs : 8
ProbesSent : 100
ProbesFailed : 0
Hops : [
{
"Type": "Source",
"Id": "9e7f61d9-fb45-41db-83e2-c815a919b8ed",
"Address": "10.1.1.4",
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
"NextHopIds": [
"1e6d4b3c-7964-4afd-b959-aaa746ee0f15"
],
"Issues": []
},
{
"Type": "Internet",
"Id": "1e6d4b3c-7964-4afd-b959-aaa746ee0f15",
"Address": "13.71.200.248",
"ResourceId": "Internet",
"NextHopIds": [],
"Issues": []
}
]
Find if certain traffic is allowed in or out of your VM by visiting Check IP flow verify
If traffic is being blocked and it should not be, see Manage Network Security Groups to track down the network security group and security rules that are defined.