Introduction to IP Flow Verification
Azure Network Watcher provides a set of tools to monitor, diagnose, and troubleshoot network health for Azure deployments. IP Flow Verification (labeled "IP flow verify" in the portal, CLI and SDK) is a Network Watcher feature that checks whether a given flow to or from a virtual machine (VM) would be allowed or denied by the security rules applied to that VM, and reports the name of the rule that made the decision. It is the quickest way to answer the question "is an NSG rule dropping this traffic, and if so, which one?"
When to Use IP Flow Verification
- When applications are not accessible from your Azure VM.
- When your Azure VM cannot access specific applications or services.
- When you suspect network security group (NSG) rules are blocking legitimate traffic.
- For general network connectivity troubleshooting within your Azure environment.
How IP Flow Verification Works
IP Flow Verification does not send a test packet. You describe a packet by its 5-tuple (source IP and port, destination IP and port, protocol) and its direction relative to the VM, and the service evaluates that description against the security rules that would apply to the packet in the Azure data path:
- Network Security Groups (NSGs) applied to the VM's network interface and to its subnet. Both are evaluated; a deny in either one denies the flow. For inbound traffic the subnet NSG is evaluated first, then the NIC NSG; for outbound traffic the order is reversed.
- Azure Virtual Network Manager security admin rules, if any apply to the VM.
It does not evaluate User Defined Routes (UDRs), Azure Firewall or other network virtual appliances, or the firewall inside the guest operating system. An "Allowed" verdict therefore means only that the security rules permit the flow; use Connection Troubleshoot or Packet Capture to check routing, appliances and whether the service is actually listening.
The tool reports whether the traffic is allowed or denied and, in both cases, the name of the rule that decided the verdict (for example a default rule such as DenyAllInBound, or a custom rule you created).
Steps to Use IP Flow Verification
- Navigate to Network Watcher: In the Azure portal, search for "Network Watcher" and select it.
- Select IP Flow Verification: Within Network Watcher, choose "IP Flow Verification" from the menu.
- Configure the Test:
- Subscription and Resource Group: Select the subscription and resource group that contain your VM.
- Virtual Machine: Choose the target virtual machine; if it has several network interfaces, choose the NIC to test. The VM must be running for the check to succeed.
- Direction: Select 'Inbound' if you are troubleshooting traffic coming *to* the VM, or 'Outbound' for traffic going *from* the VM.
- Protocol: Choose TCP or UDP. IP Flow Verification does not evaluate ICMP, so a ping failure has to be diagnosed with a TCP or UDP flow to the same host or with Connection Troubleshoot.
- Source IP Address: For inbound, the specific address the traffic comes from (a wildcard is not accepted; pick a representative client address). For outbound, the VM's NIC private IP address.
- Source Port: Enter the source port, or '*' for any. Client-side ports are ephemeral, so '*' is the usual choice for inbound tests.
- Destination IP Address: For inbound, the VM's NIC private IP address, not its public IP: NSG rules are evaluated after the public address has been translated to the private one, so a public IP here does not represent what the rules see. For outbound, the address of the remote endpoint.
- Destination Port: Enter the destination port as a specific number. This is the value most NSG rules match on.
- Run the Verification: Click the "Check" button to start the IP flow verification process.
- Analyze the Results: The result shows "Allowed" or "Denied" together with the Network Security Group and the rule name that produced the verdict. For a denial this tells you directly which rule to change; for an allow it confirms which rule (often a default rule such as AllowVnetInBound or AllowInternetOutBound) is permitting the flow.
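The same check can be driven from code, which is useful when you want to verify a batch of flows or run the check from a pipeline. The following is an added example and not code from the original page or from Microsoft. It uses the azure-mgmt-network (track 2) client, whose `network_watchers.begin_verify_ip_flow` operation takes a `VerificationIPFlowParameters` model; the Network Watcher resource group and name below (`NetworkWatcherRG`, `NetworkWatcher_eastus`) are the defaults Azure creates and are assumptions, as are the VM resource ID and addresses. The helper `ip_flow_parameters` exists mainly to map the page's source/destination wording onto the API's local/remote fields, which is where most scripted calls go wrong: "local" is always the VM side of the flow.

```python
"""Run IP flow verify programmatically (added example, not the page's or Microsoft's code).

Requires: pip install azure-identity azure-mgmt-network
"""
import os
from typing import Dict


def ip_flow_parameters(vm_resource_id: str, direction: str, protocol: str,
                       source_ip: str, source_port: str,
                       destination_ip: str, destination_port: str) -> Dict[str, str]:
    """Translate the page's source/destination fields into the API's local/remote fields.

    The API always describes the flow from the VM's point of view: 'local' is the VM's
    NIC private address, so for Inbound it is the destination and for Outbound the source.
    """
    if direction not in ("Inbound", "Outbound"):
        raise ValueError("direction must be 'Inbound' or 'Outbound'")
    if protocol not in ("TCP", "UDP"):
        raise ValueError("IP flow verify evaluates TCP and UDP only")
    if direction == "Inbound":
        local_ip, local_port = destination_ip, destination_port
        remote_ip, remote_port = source_ip, source_port
    else:
        local_ip, local_port = source_ip, source_port
        remote_ip, remote_port = destination_ip, destination_port
    # The service needs a concrete address on both sides; '*' is only accepted for a port.
    if "*" in (local_ip, remote_ip):
        raise ValueError("IP addresses must be concrete; use '*' only for a port")
    return {
        "target_resource_id": vm_resource_id,
        "direction": direction,
        "protocol": protocol,
        "local_ip_address": local_ip,
        "local_port": local_port,        # ports are strings in the API model
        "remote_ip_address": remote_ip,
        "remote_port": remote_port,
    }


def run_ip_flow_verify(subscription_id: str, watcher_rg: str, watcher_name: str,
                       params: Dict[str, str]) -> Dict[str, str]:
    """Submit the check to Network Watcher and return the verdict and deciding rule."""
    # Imports live here so the module (and its tests) work without the SDK installed.
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.network import NetworkManagementClient
    from azure.mgmt.network.models import VerificationIPFlowParameters

    client = NetworkManagementClient(DefaultAzureCredential(), subscription_id)
    poller = client.network_watchers.begin_verify_ip_flow(
        watcher_rg, watcher_name, VerificationIPFlowParameters(**params))
    result = poller.result()
    return {"access": result.access, "ruleName": result.rule_name}


if __name__ == "__main__":
    # Assumed identifiers for the page's scenario; replace with your own.
    sub = os.environ.get("AZURE_SUBSCRIPTION_ID")
    vm_id = (f"/subscriptions/{sub}/resourceGroups/myRG/providers/"
             "Microsoft.Compute/virtualMachines/myWebAppVM")
    params = ip_flow_parameters(vm_id, "Inbound", "TCP",
                                source_ip="203.0.113.10", source_port="*",
                                destination_ip="10.0.0.4", destination_port="80")
    print(params)
    if sub:
        print(run_ip_flow_verify(sub, "NetworkWatcherRG", "NetworkWatcher_eastus", params))
```

Run it with `AZURE_SUBSCRIPTION_ID` set and a signed-in identity (`az login` is enough for `DefaultAzureCredential`); the identity needs Network Contributor or an equivalent read permission on the VM and the Network Watcher. Without the variable the script only prints the parameter mapping, which is handy for checking that local and remote ended up on the right side before spending an API call.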
Interpreting the Results
Allowed Flow
If IP Flow Verification reports "Allowed," the NSG rules on the NIC and subnet (and any Virtual Network Manager admin rules) permit the flow for the given source, destination, protocol and port, and the result names the rule that allowed it. It says nothing about routing, Azure Firewall or other appliances, the guest OS firewall, or whether anything is listening on the port; if the connection still fails, move on to Connection Troubleshoot or a packet capture.
Denied Flow
When the flow is "Denied," you will see details about the specific rule responsible:
- Network Security Group: The name of the NSG containing the blocking rule.
- Rule: The name of the security rule that denied the traffic, reported as a path such as defaultSecurityRules/DenyAllInBound for a built-in rule or securityRules/&lt;name&gt; for one you created.
This information is crucial for quickly identifying and rectifying misconfigurations in your NSGs. You can then navigate to the identified NSG in the Azure portal and modify or remove the blocking rule, or add an exception if necessary.
Example: Troubleshooting Inbound Web Access
Let's say a web server running on an Azure VM is not accessible from the internet. You suspect an NSG is blocking inbound traffic.
Configuration (addresses are illustrative):
- VM: myWebAppVM
- Direction: Inbound
- Protocol: TCP
- Source IP Address: 203.0.113.10 (a representative internet client; the tool needs a concrete address, not '*')
- Source Port: *
- Destination IP Address: the VM's NIC private IP, for example 10.0.0.4 (not the public IP: NSG rules are evaluated against the private address)
- Destination Port: 80 (HTTP)
Expected Result (Denied):
If the result shows "Denied" with a rule such as defaultSecurityRules/DenyAllInBound, no custom rule matched and the built-in catch-all denied the packet. You need an inbound security rule, with a priority lower than 65500 (custom rules use 100 to 4096), that allows TCP traffic on port 80 from the appropriate source (the 'Internet' service tag or specific IP ranges). Remember that the VM may sit behind two NSGs, one on the subnet and one on the NIC; if the denying NSG is the subnet's, the rule must be added there, and a rule on only one of the two is not enough.
Example NSG Rule (to be added):
- Name: AllowHTTPInbound
- Priority: 300
- Direction: Inbound
- Source: Internet (service tag), or the specific client ranges you expect; avoid Any unless the server really must accept traffic from every network the VM can reach
- Source Port: *
- Destination: Any
- Destination Port: 80
- Protocol: TCP
- Action: Allow
Advanced Troubleshooting with Network Watcher
Beyond IP Flow Verification, Network Watcher offers other valuable tools such as:
- Connection Troubleshoot: Tests TCP connectivity to a specific endpoint.
- Connection Monitor: Monitors network health and performance between network endpoints.
- Packet Capture: Captures network traffic for deeper analysis.
- Topology: Visualizes your Azure network architecture.
Combining these tools provides a powerful suite for diagnosing and resolving complex network issues.