Troubleshooting Connectivity in Azure

This lesson focuses on diagnosing connectivity issues using:

• Azure Network Watcher Azure Virtual Network
• Network Watcher is Azure’s built-in networking troubleshooting toolkit.

1️⃣ What Is Azure Network Watcher?#

Network Watcher is:

• A regional Azure service
• Automatically enabled when a VNet is deployed
• Used to diagnose network and connectivity problems
• 📌 Key concept: One Network Watcher instance per region.

If you deploy VNets in:

• East US → 1 Network Watcher in East US
• West Europe → 1 Network Watcher in West Europe

It is auto-created in a resource group like:

• NetworkWatcherRG

2️⃣ Why Network Watcher Is Important#

In Azure, connectivity can break due to:

• NSG rules
• Route tables (UDRs)
• BGP propagation
• Peering issues
• VPN failures
• Closed ports
• Incorrect next hop
• DNS resolution failures
• Network Watcher helps isolate the issue quickly.
• Think of it as a networking Swiss Army knife.

3️⃣ Major Network Watcher Tools Explained#

Below are the core tools and when to use them:

🔎 1. IP Flow Verify#

Tests whether traffic is allowed or denied based on:

• Source IP
• Source Port
• Destination IP
• Destination Port
• Protocol (TCP/UDP)

It evaluates:

• NSG rules
• Effective security rules
• Use when: You suspect NSG blocking traffic.

Docs:

🔎 2. NSG Diagnostics#

Shows:

• Which NSG rule allowed/denied traffic
• Evaluation order
• Final decision
• Helpful when: You have multiple NSGs (NIC + subnet).

Docs:

🔎 3. Next Hop#

Equivalent to:

• Traceroute in Azure.

Shows:

• Next hop type
• Route source (System / UDR / BGP)

Whether traffic goes:

• Internet
• VNet peering
• Virtual appliance
• VPN gateway
• Useful for: Route debugging.

Docs:

🔎 4. Connection Troubleshoot (Most Powerful Tool)#

Combines multiple tests:

• Connectivity
• NSG diagnostics
• Next hop
• Port scan

Source options:

• VM
• Application Gateway
• Bastion

Destination options:

• VM
• IP
• FQDN
• URI

Protocol:

• TCP
• ICMP
• When run: Deploys Network Watcher VM extension automatically.

Docs:

🔎 5. VPN Troubleshoot#

Used for:

• Site-to-site VPN issues
• Gateway connection debugging

Docs:

🔎 6. Packet Capture#

Captures traffic as:

• PCAP file

Requires:

• Storage account
• VM extension
• Similar to: Wireshark in cloud.

Docs:

🔎 7. Topology View#

Provides:

• Visual network map
• Subnets
• NSGs
• Peerings
• NICs
• Public IPs
• Great for quick architecture review.

Docs:

4️⃣ Demonstration Summary#

Scenario:

• Two VNets
• Peered together
• Web VM in VNet1
• DB VM in VNet2
• Testing SSH connectivity (Port 22)

Steps:

• 1️⃣ Selected source VM 2️⃣ Selected destination VM 3️⃣ Ran Connection Troubleshoot 4️⃣ Reviewed results

Results Showed:

• ✔ Connectivity successful ✔ Outbound NSG allowed ✔ Next hop via VNet peering ✔ Port 22 reachable ✔ Using system route

Network Watcher clearly indicated:

• Traffic flowed across peering successfully.

5️⃣ How Connection Troubleshoot Works Internally#

When run:

• Azure deploys Network Watcher extension on VM
• Performs active probe
• Returns structured diagnostic results

It checks:

• DNS resolution
• Route table lookup
• NSG rules
• Effective security rules
• Next hop
• Port availability
• This saves massive troubleshooting time.

6️⃣ Understanding the Output#

Connection Troubleshoot returns:

If failure occurs:

• It tells you exactly which layer failed.

7️⃣ Real-World Troubleshooting Workflow#

When connection fails:

• Step 1 → Connection Troubleshoot Step 2 → Check NSG rules Step 3 → Check Effective routes Step 4 → Check UDRs Step 5 → Check Peering Step 6 → Check VPN / Gateway Step 7 → Use Packet Capture
• This structured method reduces guesswork.

8️⃣ Common Failure Causes Identified by Network Watcher#

❌ NSG blocking inbound port ❌ UDR overriding system route ❌ Peering not configured properly ❌ VPN tunnel down ❌ Port closed on VM ❌ Incorrect next hop (blackhole route) ❌ No service running on destination

9️⃣ Route Interpretation in Results#

Next hop types may include:

• Internet
• VNet Peering
• Virtual Appliance
• VNet Gateway
• None (blackhole)

Route source:

• System
• User Defined Route (UDR)
• BGP

Important exam concept:

• User-defined routes override system routes.

🔟 Network Watcher Architecture Concepts#

✔ Regional service ✔ Auto-enabled with first VNet ✔ Extension deployed for active testing ✔ Does not incur heavy cost unless packet capture used

11️⃣ Exam Tips (AZ-104 / AZ-700)#

🚩 Network Watcher is global → False (regional) 🚩 Automatically deployed when VNet created → True 🚩 Connection Troubleshoot checks NSGs and routes → True 🚩 Packet capture requires storage account → True 🚩 Next hop identifies route source → True

12️⃣ Best Practices#

✔ Use Connection Troubleshoot first ✔ Use Topology for architecture validation ✔ Check effective routes before modifying NSGs ✔ Use packet capture only when deeper inspection needed ✔ Enable flow logs for ongoing monitoring

13️⃣ Advanced Insight#

Network Watcher helps validate:

• Zero Trust networking
• Hub-spoke routing
• NVA routing
• Hybrid connectivity
• BGP route propagation
• Firewall insertion architectures

It becomes essential in:

• Enterprise-scale Azure networking.

14️⃣ Conceptual Summary#

Network Watcher gives you visibility into:

• Traffic path
• Security evaluation
• Route decisions
• Service availability

Instead of guessing:

• It gives deterministic answers.

If you'd like next:

• 🔥 20 troubleshooting scenario questions
• 📊 NSG vs UDR vs Firewall debugging guide
• 🧠 AZ-104 networking rapid revision sheet
• 🏗 Enterprise troubleshooting flowchart
• Tell me your certification target and I’ll tailor it.