Troubleshoot virtual network gateway and connections with Azure Network Watcher using Azure CLI
Network Watcher provides many capabilities for understanding your network resources in Azure. One of these capabilities is resource troubleshooting, which can be called through the portal, PowerShell, the CLI, or the REST API. When called, Network Watcher inspects the health of a Virtual Network Gateway or a Connection and returns its findings.
To perform the steps in this article, you need to install the Azure CLI for Windows, Linux, or macOS.
Before you begin
This scenario assumes you have already followed the steps in Create a Network Watcher to create a Network Watcher.
For a list of supported gateway types, see Supported Gateway types.
Overview
Resource troubleshooting provides the ability to troubleshoot issues that arise with Virtual Network Gateways and Connections. When a request is made to resource troubleshooting, logs are queried and inspected. When inspection is complete, the results are returned. Resource troubleshooting requests are long-running requests, which could take multiple minutes to return a result. The logs from troubleshooting are stored in a container on a storage account that you specify.
Retrieve a Virtual Network Gateway Connection
In this example, resource troubleshooting is run on a Connection. You can also pass it a Virtual Network Gateway. The following command lists the VPN connections in a resource group.
az network vpn-connection list --resource-group resourceGroupName
Once you have the name of the connection, you can run this command to get its resource Id:
az network vpn-connection show --resource-group resourceGroupName --name connectionName
Create a storage account
Resource troubleshooting returns data about the health of the resource. It also saves logs to a storage account to be reviewed. In this step, we create a storage account. If you already have a storage account, you can use it instead.
Create the storage account
az storage account create --name storageAccountName --location westcentralus --resource-group resourceGroupName --sku Standard_LRS
Get the storage account keys
az storage account keys list --resource-group resourceGroupName --account-name storageAccountName
Create the container
az storage container create --account-name storageAccountName --account-key {storageAccountKey} --name logs
Run Network Watcher resource troubleshooting
You troubleshoot resources with the az network watcher troubleshooting start command. We pass the command the resource group, the name of the Network Watcher, the Id of the connection, the Id of the storage account, and the path to the blob to store the troubleshoot results in.
az network watcher troubleshooting start --resource-group resourceGroupName --resource resourceName --resource-type {vnetGateway/vpnConnection} --storage-account storageAccountName --storage-path https://{storageAccountName}.blob.core.windows.net/{containerName}
Once you run the command, Network Watcher reviews the resource to verify its health. It returns the results to the shell and stores logs of the results in the storage account specified.
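The steps above chained into one script, as an added example that is not part of the original article. It assumes a POSIX shell with the Azure CLI already logged in; the function names and the default container name logs are illustrative. The storage key is handed to the CLI through the AZURE_STORAGE_KEY environment variable instead of --account-key, so it stays out of the command line.

```bash
#!/usr/bin/env bash
# Added example (not from the article): run the article's steps end to end.
# Function names and the default container name "logs" are assumptions.

# Build the container URL that --storage-path expects.
storage_path() {
  printf 'https://%s.blob.core.windows.net/%s' "$1" "$2"
}

# Usage: troubleshoot_connection <resourceGroup> <connectionName> <storageAccount> [container]
troubleshoot_connection() {
  local rg="$1"
  local conn="$2"
  local sa="$3"
  local container="${4:-logs}"
  local conn_id key

  # Confirm the connection exists and capture its resource ID.
  conn_id=$(az network vpn-connection show --resource-group "$rg" \
    --name "$conn" --query id --output tsv) || return 1
  [ -n "$conn_id" ] || { echo "connection '$conn' not found in '$rg'" >&2; return 1; }
  echo "troubleshooting $conn_id" >&2

  # Fetch the first account key without echoing it.
  key=$(az storage account keys list --resource-group "$rg" \
    --account-name "$sa" --query '[0].value' --output tsv) || return 1
  [ -n "$key" ] || { echo "no key returned for '$sa'" >&2; return 1; }

  # Create the log container; the key travels in the environment, not in argv.
  AZURE_STORAGE_KEY="$key" az storage container create \
    --account-name "$sa" --name "$container" --output none || return 1

  # Long-running call: may take several minutes before the JSON result prints.
  az network watcher troubleshooting start --resource-group "$rg" \
    --resource "$conn" --resource-type vpnConnection \
    --storage-account "$sa" \
    --storage-path "$(storage_path "$sa" "$container")" \
    --output json
}
```

Call it as troubleshoot_connection resourceGroupName connectionName storageAccountName after sourcing the file; the JSON result goes to standard output and progress messages to standard error.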
Understanding the results
The action text provides general guidance on how to resolve the issue. If an action can be taken for the issue, a link is provided with additional guidance. In the case where there is no additional guidance, the response provides the URL to open a support case. For more information about the properties of the response and what is included, visit Network Watcher Troubleshoot overview.
For instructions on downloading files from Azure storage accounts, refer to Get started with Azure Blob storage using .NET. Another tool that can be used is Storage Explorer. For more information, see Storage Explorer.
Azure CLI troubleshooting
The Azure CLI can run in several shell environments, but with slight format variations. If you have unexpected results with Azure CLI commands, see How to use the Azure CLI successfully.
Next steps
If settings have been changed that stop VPN connectivity, see Manage Network Security Groups to track down the network security group and security rules that may be in question.