Troubleshoot outbound connections using PowerShell
In this article, you learn how to use the connection troubleshoot feature of Azure Network Watcher to diagnose and troubleshoot connectivity issues. For more information about connection troubleshoot, see Connection troubleshoot overview.
Prerequisites
An Azure account with an active subscription. Create an account for free.
Network Watcher enabled in the region of the virtual machine (VM) you want to troubleshoot. By default, Azure enables Network Watcher in a region when you create a virtual network in it. For more information, see Enable or disable Azure Network Watcher.
A virtual machine with Network Watcher agent VM extension installed on it and has the following outbound TCP connectivity:
- to 169.254.169.254 over port 80
- to 168.63.129.16 over port 8037
A second virtual machine with inbound TCP connectivity from 168.63.129.16 over the port being tested (for Port scanner diagnostic test).
Azure Cloud Shell or Azure PowerShell.
The steps in this article run the Azure PowerShell cmdlets interactively in Azure Cloud Shell. To run the commands in the Cloud Shell, select Open Cloud Shell at the upper-right corner of a code block. Select Copy to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.
You can also install Azure PowerShell locally to run the cmdlets. This article requires the Az PowerShell module. For more information, see How to install Azure PowerShell. To find the installed version, run
Get-InstalledModule -Name Az. If you run PowerShell locally, sign in to Azure using the Connect-AzAccount cmdlet.
Note
- To install the extension on a Windows virtual machine, see Network Watcher agent VM extension for Windows.
- To install the extension on a Linux virtual machine, see Network Watcher agent VM extension for Linux.
- To update an already installed extension, see Update Network Watcher agent VM extension to the latest version.
Check connectivity to a virtual machine
This example checks a connection to a destination virtual machine over port 80. This example requires that you have Network Watcher enabled in the region containing the source VM.
Example
$rgName = "ContosoRG"
$sourceVMName = "MultiTierApp0"
$destVMName = "Database0"
$RG = Get-AzResourceGroup -Name $rgName
$VM1 = Get-AzVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $sourceVMName
$VM2 = Get-AzVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $destVMName
$networkWatcher = Get-AzNetworkWatcher | Where-Object -Property Location -EQ -Value $VM1.Location
Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM1.Id -DestinationId $VM2.Id -DestinationPort 80
Response
The following response is from the previous example. In this response, the ConnectionStatus is Unreachable. You can see that all the probes sent failed. The connectivity failed at the virtual appliance due to a user-configured NetworkSecurityRule named UserRule_Port80, configured to block incoming traffic on port 80. This information can be used to research connection issues.
ConnectionStatus : Unreachable
AvgLatencyInMs :
MinLatencyInMs :
MaxLatencyInMs :
ProbesSent : 100
ProbesFailed : 100
Hops : [
{
"Type": "Source",
"Id": "c5222ea0-3213-4f85-a642-cee63217c2f3",
"Address": "10.1.1.4",
"ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou
ps/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurat
ions/ipconfig1",
"NextHopIds": [
"9283a9f0-cc5e-4239-8f5e-ae0f3c19fbaa"
],
"Issues": []
},
{
"Type": "VirtualAppliance",
"Id": "9283a9f0-cc5e-4239-8f5e-ae0f3c19fbaa",
"Address": "10.1.2.4",
"ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou
ps/ContosoRG/providers/Microsoft.Network/networkInterfaces/fwNic/ipConfiguratio
ns/ipconfig1",
"NextHopIds": [
"0f1500cd-c512-4d43-b431-7267e4e67017"
],
"Issues": []
},
{
"Type": "VirtualAppliance",
"Id": "0f1500cd-c512-4d43-b431-7267e4e67017",
"Address": "10.1.3.4",
"ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou
ps/ContosoRG/providers/Microsoft.Network/networkInterfaces/auNic/ipConfiguratio
ns/ipconfig1",
"NextHopIds": [
"a88940f8-5fbe-40da-8d99-1dee89240f64"
],
"Issues": [
{
"Origin": "Outbound",
"Severity": "Error",
"Type": "NetworkSecurityRule",
"Context": [
{
"key": "RuleName",
"value": "UserRule_Port80"
}
]
}
]
},
{
"Type": "VnetLocal",
"Id": "a88940f8-5fbe-40da-8d99-1dee89240f64",
"Address": "10.1.4.4",
"ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou
ps/ContosoRG/providers/Microsoft.Network/networkInterfaces/dbNic0/ipConfigurati
ons/ipconfig1",
"NextHopIds": [],
"Issues": []
}
]
Validate routing issues
This example checks connectivity between a virtual machine and a remote endpoint. This example requires that you have Network Watcher enabled in the region containing the source VM.
Example
$rgName = "ContosoRG"
$sourceVMName = "MultiTierApp0"
$RG = Get-AzResourceGroup -Name $rgName
$VM1 = Get-AzVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $sourceVMName
$networkWatcher = Get-AzNetworkWatcher | Where-Object -Property Location -EQ -Value $VM1.Location
Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM1.Id -DestinationAddress 13.107.21.200 -DestinationPort 80
Response
In the following example, the ConnectionStatus is shown as Unreachable. In the Hops details, you can see under Issues that the traffic was blocked due to a UserDefinedRoute.
ConnectionStatus : Unreachable
AvgLatencyInMs :
MinLatencyInMs :
MaxLatencyInMs :
ProbesSent : 100
ProbesFailed : 100
Hops : [
{
"Type": "Source",
"Id": "b4f7bceb-07a3-44ca-8bae-adec6628225f",
"Address": "10.1.1.4",
"ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
"NextHopIds": [
"3fee8adf-692f-4523-b742-f6fdf6da6584"
],
"Issues": [
{
"Origin": "Outbound",
"Severity": "Error",
"Type": "UserDefinedRoute",
"Context": [
{
"key": "RouteType",
"value": "User"
}
]
}
]
},
{
"Type": "Destination",
"Id": "3fee8adf-692f-4523-b742-f6fdf6da6584",
"Address": "13.107.21.200",
"ResourceId": "Unknown",
"NextHopIds": [],
"Issues": []
}
]
Check website latency
The following example checks connectivity to a website. This example requires that you have Network Watcher enabled in the region containing the source VM.
Example
$rgName = "ContosoRG"
$sourceVMName = "MultiTierApp0"
$RG = Get-AzResourceGroup -Name $rgName
$VM1 = Get-AzVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $sourceVMName
$networkWatcher = Get-AzNetworkWatcher | Where-Object -Property Location -EQ -Value $VM1.Location
Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM1.Id -DestinationAddress https://bing.com/
Response
In the following response, you can see the ConnectionStatus shows as Reachable. When a connection is successful, latency values are provided.
ConnectionStatus : Reachable
AvgLatencyInMs : 1
MinLatencyInMs : 0
MaxLatencyInMs : 7
ProbesSent : 100
ProbesFailed : 0
Hops : [
{
"Type": "Source",
"Id": "1f0e3415-27b0-4bf7-a59d-3e19fb854e3e",
"Address": "10.1.1.4",
"ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
"NextHopIds": [
"f99f2bd1-42e8-4bbf-85b6-5d21d00c84e0"
],
"Issues": []
},
{
"Type": "Internet",
"Id": "f99f2bd1-42e8-4bbf-85b6-5d21d00c84e0",
"Address": "204.79.197.200",
"ResourceId": "Internet",
"NextHopIds": [],
"Issues": []
}
]
Check connectivity to a storage endpoint
The following example checks connectivity from a virtual machine to a blog storage account. This example requires that you have Network Watcher enabled in the region containing the source VM.
Example
$rgName = "ContosoRG"
$sourceVMName = "MultiTierApp0"
$RG = Get-AzResourceGroup -Name $rgName
$VM1 = Get-AzVM -ResourceGroupName $rgName | Where-Object -Property Name -EQ $sourceVMName
$networkWatcher = Get-AzNetworkWatcher | Where-Object -Property Location -EQ -Value $VM1.Location
Test-AzNetworkWatcherConnectivity -NetworkWatcher $networkWatcher -SourceId $VM1.Id -DestinationAddress https://contosostorageexample.blob.core.windows.net/
Response
The following json is the example response from running the previous cmdlet. As the destination is reachable, the ConnectionStatus property shows as Reachable. You're provided the details regarding the number of hops required to reach the storage blob and latency.
ConnectionStatus : Reachable
AvgLatencyInMs : 1
MinLatencyInMs : 0
MaxLatencyInMs : 8
ProbesSent : 100
ProbesFailed : 0
Hops : [
{
"Type": "Source",
"Id": "9e7f61d9-fb45-41db-83e2-c815a919b8ed",
"Address": "10.1.1.4",
"ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
"NextHopIds": [
"1e6d4b3c-7964-4afd-b959-aaa746ee0f15"
],
"Issues": []
},
{
"Type": "Internet",
"Id": "1e6d4b3c-7964-4afd-b959-aaa746ee0f15",
"Address": "13.71.200.248",
"ResourceId": "Internet",
"NextHopIds": [],
"Issues": []
}
]