This is a troubleshooting guideline for Azure networking, I will keep this guideline updated.
Performing a network troubleshooting is a very complex job, especially when on-premise environment and different data centres are involved.
Azure Network Watcher
Microsoft Azure provides Azure Network Watcher, it is a complete solution to assist you with network troubleshooting, monitoring and more.
We also need to use other tools as support like Wireshark, Microsoft Message Analyzer and CapAnalysis for packets analysis and it runs in Linux only but very powerful and open source.
First of all we need to enable the Azure Network Watcher (ANW) and in order to do that we need to search for Network Watcher and select the same region where our VM or resources we want to troubleshoot are located.
|The important point is that the ANW need to be enabled in all the same regions that our resources we want to troubleshoot are located.
The ANW will create a resource group for you for each region
You will see the ANW partially enabled
Network Security Group rules
To check the NSG associated to our VM we need to select the ANW and select Security group viewer and you will be able to select the RG you want, the VM inside the RG and the network interface.
Here we can check the effective rules applied for inbound and outbound, we can also check for the subnet, the network interfaces and the default rules.
We can download the excel spreadsheet to do statistics and reporting and send the rules to the IT admins and have a call with them.
Network Security Group access
We know the rules now but we like to test these ports and check if we have some not unsecured or vulnerable ports opened or if we have the ports we need properly setup.
In order to do that we need to select IP flow verify, select our NSG, VM as before and we can start checking our ports, for example we can start checking or RDP connectivity like below
We can see that it is enabled and we can see the rule
In the other case we see if the port it is denied and the rule as well
This is very useful to understand how the network is composed, select Network Topology, the subscription, NSG and VN and you will have all the topology, you can also download the SVG file.
Below I created an NLB with a couple of VM to create a bit more complex scenario.
Check the connectivity
This is the most important check because we test the connectivity between our server and network with others and external VM and networks.
Think about the classic scenario where we have performances issues and we need to understand if the reason is the network or CPU or other, this is a saving life feature.
We can have connectivity issues for a lot of different reasons and sometime the cause of our performances problem could be the CPU, Disk, the storage, using ANW we can easily check the network performances.
In order to do that we need to install the Network Watcher Agent NWA in both the machines, to install the NWA in an Azure VM we need to select the VM, select extensions
And select the NWA for Windows
Select the Connectivity Check in ANW and set the source and destination machine
ANW will check the connectivity and issues, for example in this case I see found an issue in the NLB.
NWA MSDN documentation here