Tutorial: Monitor network communication between two virtual machines using the Azure portal
This tutorial covers Connection Monitor (classic). Try the new and improved Connection Monitor to experience enhanced connectivity monitoring.
Starting 1 July 2021, you will not be able to add new connection monitors in Connection Monitor (classic) but you can continue to use existing connection monitors created prior to 1 July 2021. To minimize service disruption to your current workloads, migrate from Connection Monitor (classic) to the new Connection Monitor in Azure Network Watcher before 29 February 2024.
Successful communication between a virtual machine (VM) and an endpoint such as another VM, can be critical for your organization. Sometimes, configuration changes break communication. In this tutorial, you learn how to:
- Create two VMs
- Monitor communication between VMs with the Connection Monitor capability of Network Watcher
- Generate alerts on Connection Monitor metrics
- Diagnose a communication problem between two VMs, and learn how you can resolve it
If you don't have an Azure subscription, create a free account before you begin.
- An Azure subscription
Sign in to Azure
Sign in to the Azure portal.
Create two VMs.
Create the first VM
In the search box at the top of the portal, enter virtual machine. Select Virtual machines.
In Virtual machines, select + Create then + Azure virtual machine.
Enter or select the following information in Create a virtual machine.
Setting Value Project details Subscription Select your subscription. Resource group Select Create new. Enter myResourceGroup in Name. Select OK. Instance details Virtual machine name Enter myVM1. Region Select (US) East US. Availability options Select No infrastructure redundancy required. Security type Leave the default of Standard. Image Select Windows Server 2019 Datacenter - Gen2. Azure Spot instance Leave the default. Size Select a size. Administrator account Username Enter a username. Password Enter a password. Confirm password Confirm password. Inbound port rules Public inbound ports Leave the default of Allow selected ports. Select inbound ports Leave the default of RDP (3389).
Select Advanced tab, then select Select an extension to install.
Enter Network Watcher Agent for Windows in the search box. Select Network Watcher Agent for Windows and then select Next.
In Configure Network Watcher Agent for Windows Extension page, select Create.
In Create a virtual machine page, select Review + create and then Create to start VM deployment.
Create the second VM
Complete the steps in Create the first VM again, with the following changes:
|Resource group||Select myResourceGroup.|
|Virtual machine name||Enter myVM2.|
|Image||Select Ubuntu Server 18.04 LTS - Gen2.|
|Public inbound ports||Select Allow selected ports.|
|Select inbound ports||Select SSH (22).|
|Extensions||Select Network Watcher Agent for Linux.|
The VM takes a few minutes to deploy. Wait for the VM to finish deploying before continuing with the remaining steps.
Create a connection monitor
Create a connection monitor to monitor communication over TCP port 22 from myVm1 to myVm2.
In the search box at the top of the portal, enter network watcher. Select Network Watcher.
Under Monitoring, select Connection monitor (classic).
Select + Add.
Enter or select the information for the connection you want to monitor, and then select Add. In the example shown in the following picture, the connection monitored is from the myVm1 VM to the myVm2 VM over port 22:
Setting Value Name myVm1-myVm2(22) Source Virtual machine myVm1 Destination Select a virtual machine Virtual machine myVm2 Port 22
View a connection monitor
Complete steps 1-3 in Create a connection monitor to view connection monitoring. You see a list of existing connection monitors, as shown in the following picture:
Select the monitor with the name myVm1-myVm2(22), as shown in the previous picture, to see details for the monitor, as shown in the following picture:
Note the following information:
Item Value Details Status Reachable Lets you know whether the endpoint is reachable or not. AVG. ROUND-TRIP Lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the connection every 60 seconds, so you can monitor latency over time. Hops Connection monitor lets you know the hops between the two endpoints. In this example, the connection is between two VMs in the same virtual network, so there's only one hop, to the 10.0.0.5 IP address. If any existing system or custom routes, route traffic between the VMs through a VPN gateway, or network virtual appliance, for example, additional hops are listed. STATUS The green check marks for each endpoint let you know that each endpoint is healthy.
Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. A generated alert can automatically run one or more actions, such as to notify someone or start another process. When setting an alert rule, the resource that you target determines the list of available metrics that you can use to generate alerts.
In Azure portal, select the Monitor service, and then select Alerts > New alert rule.
Select Select target, and then select the resources that you want to target. Select the Subscription, and set the Resource type to filter down to the Connection Monitor that you want to use.
Once you've selected a resource to target, select Add criteria. The Network Watcher has metrics on which you can create alerts. Set Available signals to the metrics ProbesFailedPercent and AverageRoundtripMs:
Fill out the alert details like alert rule name, description, and severity. You can also add an action group to the alert to automate and customize the alert response.
View a problem
By default, Azure allows communication over all ports between VMs in the same virtual network. Over time, you, or someone in your organization, might override Azure's default rules, inadvertently causing a communication failure. Complete the following steps to create a communication problem and then view the connection monitor again:
In the search box at the top of the portal, enter myResourceGroup. When the myResourceGroup resource group appears in the search results, select it.
Select the myVm2-nsg network security group.
Select Inbound security rules, and then select Add, as shown in the following picture:
The default rule that allows communication between all VMs in a virtual network is the rule named AllowVnetInBound. Create a rule with a higher priority (lower number) than the AllowVnetInBound rule that denies inbound communication over port 22. Select, or enter, the following information, accept the remaining defaults, and then select + Add:
Setting Value Destination port ranges 22 Action Deny Priority 100 Name DenySshInbound
Since connection monitor probes at 60-second intervals, wait a few minutes, and then on the left side of the portal, select Network Watcher, then Connection monitor, and then select the myVm1-myVm2(22) monitor again. The results are different now, as shown in the following picture:
You can see that there's a red exclamation icon in the status column for the myvm2529 network interface.
To learn why the status has changed, select 10.0.0.5, in the previous picture. Connection monitor informs you that the reason for the communication failure is: Traffic blocked due to the following network security group rule: UserRule_DenySshInbound.
If you didn't know that someone had implemented the security rule you created in step 4, you'd learn from connection monitor that the rule is causing the communication problem. You could then change, override, or remove the rule, to restore communication between the VMs.
Clean up resources
When no longer needed, delete the resource group and all of the resources it contains:
- Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
- Select Delete resource group.
- Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.
In this tutorial, you learned how to monitor a connection between two VMs. You learned that a network security group rule prevented communication to a VM. To learn about all of the different responses connection monitor can return, see response types. You can also monitor a connection between a VM, a fully qualified domain name, a uniform resource identifier, or an IP address.
At some point, you may find that resources in a virtual network are unable to communicate with resources in other networks connected by an Azure virtual network gateway. Advance to the next tutorial to learn how to diagnose a problem with a virtual network gateway.
Submit and view feedback for