Troubleshooting Azure Virtual Networks

This document provides guidance and common solutions for troubleshooting issues related to Azure Virtual Networks (VNets).

Common Issues and Solutions

Connectivity Problems

Ensuring seamless connectivity between resources within your VNet, and between your VNet and on-premises networks, is crucial. Here are some common challenges:

Scenario: Virtual Machines cannot communicate with each other

• Check Network Security Groups (NSGs): Ensure NSGs associated with the VMs' subnets or NICs allow traffic on the required ports and protocols.
• Check Firewall Rules: Verify that any host-based firewalls (e.g., Windows Firewall, iptables) on the VMs are not blocking communication.
• Verify Subnet Configuration: Ensure VMs are in the same or correctly peered VNets and have valid IP addresses within their respective subnets.
• Route Tables: Confirm that route tables associated with the subnets are not forcing traffic to an incorrect destination.

Scenario: On-premises resources cannot connect to Azure resources

• VPN/ExpressRoute Status: Verify the health and connectivity of your VPN gateway or ExpressRoute circuit. Check for active connections and data transfer.
• BGP Routing: If using BGP, ensure routes are being advertised and received correctly between your on-premises network and Azure.
• NSGs and Firewalls: Just like with inter-VM communication, NSGs and Azure Firewall rules need to permit traffic from on-premises IP ranges.
• IP Address Conflicts: Ensure there are no overlapping IP address spaces between your on-premises network and your Azure VNet.

Scenario: Azure resources cannot connect to on-premises resources

• Return Routes: Confirm that your on-premises network is advertising the correct routes back to Azure for the VNet address space.
• Network Address Translation (NAT): If NAT is involved, ensure it's configured correctly for bidirectional communication.
• Gateway Health: Check the health and configuration of your Azure VPN Gateway or ExpressRoute connection.

DNS Resolution Issues

Proper DNS resolution is vital for name-based communication within and outside your VNet.

• Azure-provided DNS: By default, VNets use Azure-provided DNS. Ensure your VMs are configured to use DHCP to obtain DNS settings.
• Custom DNS Servers: If you've configured custom DNS servers, verify their accessibility from within the VNet and that they are correctly configured to resolve Azure resource names (e.g., using conditional forwarders to .azure.internal).
• DNS Zone Records: If you're using Azure DNS private zones, ensure they are linked to your VNet and that the necessary A or CNAME records exist.

Performance Bottlenecks

Slow network performance can impact application responsiveness.

• Bandwidth Limits: Be aware of the network bandwidth limits for your VM SKUs and VNet peering/gateway configurations.
• Network Latency: High latency can occur due to geographical distance. Consider deploying resources closer to your users or on-premises network.
• Throughput: Ensure your network components (VM NICs, VPN gateways) are sized appropriately for your throughput requirements.

Troubleshooting Tools

Azure Network Watcher

Network Watcher is a suite of tools for monitoring, diagnosing, and viewing network performance for Azure environments.

• IP Flow Verify: Determines if traffic is allowed or denied to or from a virtual machine based on NSG rules.
• Connection Troubleshoot: Checks if a virtual machine can connect to a specified endpoint.
• Next Hop: Identifies the next hop for network traffic from a virtual machine to a destination.
• Packet Capture: Captures network traffic to and from a virtual machine.
• VNet Flow Logs: Captures information about the IP traffic flowing to and from network interfaces in your VNet.

Azure CLI and PowerShell

Command-line tools offer powerful ways to inspect and configure your network resources.

# Example using Azure CLI to check NSG rules
az network nsg rule list --resource-group <your-rg> --nsg-name <your-nsg> --query "[?name=='<rule-name>']"

# Example using Azure PowerShell to check VPN Gateway connection
Get-AzVpnGatewayConnection -ResourceGroupName <your-rg> -Name <connection-name>
            

Best Practices for Prevention

• Plan Your IP Addressing: Carefully plan your VNet and subnet address spaces to avoid overlaps and accommodate future growth.
• Implement a Clear NSG Strategy: Define granular NSG rules based on the principle of least privilege.
• Regularly Monitor Network Health: Utilize Azure Monitor and Network Watcher for proactive monitoring.
• Document Your Network Topology: Maintain up-to-date documentation of your VNets, subnets, peering, and gateways.