Azure Documentation

Troubleshooting Azure VM Connectivity

Connectivity issues can prevent your Azure Virtual Machines (VMs) from communicating with other resources, either within Azure or from external networks. This guide outlines common scenarios and steps to diagnose and resolve them.

Common Connectivity Problems

  • VM cannot be reached from the internet.
  • VM cannot reach other VMs in the same virtual network.
  • VM cannot reach resources outside the virtual network (e.g., on-premises).
  • Application hosted on the VM is unreachable.

Diagnostic Steps

1. Network Security Groups (NSGs)

NSGs act as a distributed firewall, controlling inbound and outbound traffic to and from Azure resources. Incorrectly configured NSGs are a primary cause of connectivity issues.

  • Check Inbound Rules: Ensure there's an inbound rule allowing traffic on the required port (e.g., RDP port 3389 for Windows, SSH port 22 for Linux) from your source IP address or range.
  • Check Outbound Rules: Verify that outbound rules permit the VM to connect to its destination (e.g., internet, other Azure services).
  • Priority: Lower-numbered priority rules are processed first. An explicit deny rule with a lower priority can override an allow rule.

Action: Navigate to the VM's Network Interface, then to its associated NSG. Review and modify rules as needed. Use the "Effective Security Rules" view to see the combined effect of all NSGs applied to the VM.

2. Azure Firewall and UDRs

If you are using Azure Firewall or User-Defined Routes (UDRs) to route traffic through a network virtual appliance (NVA) or Azure Firewall, these also need to be checked.

  • Firewall Rules: Ensure Azure Firewall rules allow the traffic.
  • Route Tables: Verify UDRs correctly route traffic to the next hop (e.g., Azure Firewall, NVA).

Action: Examine your Azure Firewall policies and associated Route Tables.

3. Network Virtual Appliances (NVAs)

If an NVA (like a third-party firewall or router) is deployed in your network, ensure it is healthy and configured to allow the traffic.

Action: Log in to your NVA and check its configuration and traffic logs.

4. Public IP Addresses

For external connectivity to a VM, ensure the VM's Network Interface has a Public IP Address associated with it. For inbound access to VMs behind a Load Balancer or Application Gateway, ensure those services have Public IPs and are configured correctly.

Action: Check the VM's Network Interface and the configuration of any public-facing load balancing services.

5. DNS Resolution

Problems resolving hostnames can prevent connections. Ensure your VMs are using correct DNS servers.

  • Azure-provided DNS: Default DNS servers for Azure VNets are typically reliable.
  • Custom DNS: If using custom DNS servers, verify they are reachable and configured correctly.

Action: From the VM, try pinging an IP address and then a hostname to differentiate between network path issues and DNS issues. Use nslookup or dig.

6. VM Status and Operating System

Sometimes, connectivity issues stem from the VM itself.

  • VM State: Ensure the VM is running.
  • OS Firewall: Check the firewall within the VM's operating system (e.g., Windows Firewall, iptables on Linux) to ensure it's not blocking traffic.
  • Network Services: Verify that essential networking services are running within the OS.

Action: Connect to the VM via console or serial console if network access is unavailable. Check OS logs.

Tip: Use the "Connection Troubleshoot" blade in the Azure portal for a quick diagnostic. It can check NSGs, UDRs, and other network configurations.

7. Azure Network Watcher

Azure Network Watcher provides tools to monitor and diagnose network performance and health.

  • IP Flow Verify: Checks if traffic is allowed or denied by NSGs.
  • Next Hop: Determines the next hop for traffic originating from a VM, helping to diagnose routing issues.
  • Connection Troubleshoot: Tests connectivity between two endpoints.
  • Packet Capture: Captures network traffic for deeper analysis.

Action: Enable Network Watcher for your region and utilize its tools for comprehensive diagnostics.

Troubleshooting Scenarios

Scenario: VM cannot be reached from the internet
  1. Verify the VM has a Public IP Address.
  2. Check the NSG attached to the VM's NIC for inbound rules allowing traffic on the required port from 'Any' or your specific IP.
  3. If using Azure Firewall or NVAs, check their rules and routing.
  4. Ensure the OS firewall on the VM allows the traffic.
Scenario: VM cannot reach other VMs in the same VNet
  1. Check NSGs associated with both source and destination VMs for inbound/outbound rules.
  2. Verify UDRs are not misdirecting traffic.
  3. Ensure VMs are in the same or peered VNets.
  4. Check OS firewalls.

By systematically following these steps, you can effectively diagnose and resolve most Azure VM connectivity issues.