Introduction to connection troubleshoot in Azure Network Watcher

The connection troubleshoot feature of Network Watcher provides the capability to check a direct TCP connection from a virtual machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. Network scenarios are complex, they're implemented using network security groups, firewalls, user-defined routes, and resources provided by Azure. Complex configurations make troubleshooting connectivity issues challenging. Network Watcher helps reduce the amount of time to find and detect connectivity issues. The results returned can provide insights into whether a connectivity issue is due to a platform or a user configuration issue. Connectivity can be checked with PowerShell, Azure CLI, and REST API.


Connection troubleshoot requires that the VM you troubleshoot from has the AzureNetworkWatcherExtension VM extension installed. For installing the extension on a Windows VM visit Azure Network Watcher Agent virtual machine extension for Windows and for Linux VM visit Azure Network Watcher Agent virtual machine extension for Linux. The extension is not required on the destination endpoint.

Supported source types

The following sources are supported by Network Watcher:

  • Virtual Machines
  • Bastion
  • Application Gateways (except v1)


The following table shows the properties returned when connection troubleshoot has finished running.

Property Description
ConnectionStatus The status of the connectivity check. Possible results are Reachable and Unreachable.
AvgLatencyInMs Average latency during the connectivity check, in milliseconds. (Only shown if check status is reachable)
MinLatencyInMs Minimum latency during the connectivity check, in milliseconds. (Only shown if check status is reachable)
MaxLatencyInMs Maximum latency during the connectivity check, in milliseconds. (Only shown if check status is reachable)
ProbesSent Number of probes sent during the check. Max value is 100.
ProbesFailed Number of probes that failed during the check. Max value is 100.
Hops Hop by hop path from source to destination.
Hops[].Type Type of resource. Possible values are Source, VirtualAppliance, VnetLocal, and Internet.
Hops[].Id Unique identifier of the hop.
Hops[].Address IP address of the hop.
Hops[].ResourceId ResourceID of the hop if the hop is an Azure resource. If it's an internet resource, ResourceID is Internet.
Hops[].NextHopIds The unique identifier of the next hop taken.
Hops[].Issues A collection of issues that were encountered during the check at that hop. If there were no issues, the value is blank.
Hops[].Issues[].Origin At the current hop, where issue occurred. Possible values are:
Inbound - Issue is on the link from the previous hop to the current hop
Outbound - Issue is on the link from the current hop to the next hop
Local - Issue is on the current hop.
Hops[].Issues[].Severity The severity of the issue detected. Possible values are Error and Warning.
Hops[].Issues[].Type The type of issue found. Possible values are:
Hops[].Issues[].Context Details regarding the issue found.
Hops[].Issues[].Context[].key Key of the key value pair returned.
Hops[].Issues[].Context[].value Value of the key value pair returned.

The following is an example of an issue found on a hop.

"Issues": [
        "Origin": "Outbound",
        "Severity": "Error",
        "Type": "NetworkSecurityRule",
        "Context": [
                "key": "RuleName",
                "value": "UserRule_Port80"

Fault types

Connection troubleshoot returns fault types about the connection. The following table provides a list of the current fault types returned.

Type Description
CPU High CPU utilization.
Memory High Memory utilization.
GuestFirewall Traffic is blocked due to a virtual machine firewall configuration.

Note that a TCP ping is a unique use case in which, if there's no allowed rule, the firewall itself responds to the client's TCP ping request even though the TCP ping doesn't reach the target IP address/FQDN. This event isn't logged. If there's a network rule that allows access to the target IP address/FQDN, the ping request reaches the target server and its response is relayed back to the client. This event is logged in the Network rules log.
DNSResolution DNS resolution failed for the destination address.
NetworkSecurityRule Traffic is blocked by an NSG Rule (Rule is returned)
UserDefinedRoute Traffic is dropped due to a user defined or system route.

Next steps

Learn how to troubleshoot connections using the Azure portal, PowerShell, the Azure CLI, or REST API.