Document Details
Connection Troubleshoot Manage
❌
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
⚠️
windows_first
⚠️
missing_linux_example
Summary:
The documentation demonstrates a Windows bias primarily by focusing on RDP (port 3389) as the default connectivity scenario throughout all examples, which is specific to Windows virtual machines. There are no equivalent examples for Linux-based protocols (such as SSH on port 22), and all troubleshooting scenarios and solutions reference RDP and Windows patterns. While the documentation does mention Linux in the context of installing the Network Watcher agent, all connectivity tests and diagnostic flows are centered around Windows use cases, with no Linux-specific examples or parity.
Recommendations:
- Include Linux-centric connectivity scenarios, such as testing SSH (port 22) between virtual machines, alongside or instead of RDP examples.
- Provide troubleshooting examples and solutions relevant to Linux VMs (e.g., checking SSH daemon status, Linux firewall rules).
- Balance the documentation by alternating or combining Windows and Linux examples in each section, making it clear that both platforms are supported.
- Explicitly mention that the procedures apply to both Windows and Linux VMs, and clarify any platform-specific differences where relevant.
- Add sample outputs and error cases for Linux scenarios, such as failed SSH connections due to iptables or firewalld rules.
Create pull request
Scan History
| Date | Scan ID | Status | Bias Status |
|---|---|---|---|
| 2025-08-17 00:01 | #83 | in_progress | ✅ Clean |
| 2025-07-13 21:37 | #48 | completed | ✅ Clean |
| 2025-07-12 23:44 | #41 | in_progress | ❌ Biased |
| 2025-07-09 13:09 | #3 | cancelled | ✅ Clean |
| 2025-07-08 04:23 | #2 | cancelled | ❌ Biased |
Flagged Code Snippets
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Inbound connectivity to the destination virtual machine is denied by the security rule `Deny3389Inbound` in the network security group `VM2-nsg`.
**Solution**: Update the network security group on the destination virtual machine to allow inbound RDP traffic.
- If the source virtual machine has a network security group that's denying RDP connections to the destination, you see the following results:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Outbound connectivity from the source virtual machine is denied by the security rule `Deny3389Outbound` in the network security group `VM1-nsg`.
**Solution**: Update the network security group on the source virtual machine to allow outbound RDP traffic.
- If the operating system on the destination virtual machine doesn't accept incoming connections on port 3389, you see the following results:
- Connection status is **Unreachable** (`www.bing.com` isn't reachable from **VM1**).
- 30 probes were sent and failed to reach `www.bing.com`.
- Outbound connectivity from the source virtual machine is denied by the security rule `DenyInternetOutbound` in the network security group `VM1-nsg`.
- Next hop type is `Internet`.
**Solution**: Update the network security group on the source virtual machine to allow outbound traffic to `www.bing.com`.
---
## Test connectivity to an IP address
In this section, you test the connectivity between a virtual machine and an IP address of another virtual machine.
# [**Portal**](#tab/portal)
1. On the **Connection troubleshoot** page. Enter or select the following information:
| Setting | Value |
| ------- | ------ |
| **Source** | |
| Source type | Select **Virtual machine**. |
| Virtual machine | Select the virtual machine that you want to troubleshoot the connection from. |
| **Destination** | |
| Destination type | Select **Specify manually**. |
| URI, FQDN, or IP address | Enter the IP address that you want to test the connectivity to. In this example, `10.10.10.10` is used. |
| **Probe Settings** | |
| Preferred IP version | Select **IPv4**. The other available options are: **Both** and **IPv6**. |
| Protocol | Select **TCP**. The other available option is: **ICMP**. |
| Destination port | Enter **3389**. |
| Source port | Leave blank or enter a source port number that you want to test. |
| **Connection Diagnostic** | |
| Diagnostics tests | Select **Connectivity**, **NSG diagnostic**, and **Next hop**. |
:::image type="content" source="./media/connection-troubleshoot-manage/test-connectivity-ip.png" alt-text="Screenshot that shows connection troubleshoot in the Azure portal to test the connection between a virtual machine and an IP address." lightbox="./media/connection-troubleshoot-manage/test-connectivity-ip.png":::
1. Select **Run diagnostic tests**.
- If the IP address is reachable, you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/ip-reachable.png" alt-text="Screenshot that shows connection troubleshoot results after testing the connection to a reachable IP address." lightbox="./media/connection-troubleshoot-manage/ip-reachable.png":::
- 66 probes were successfully sent with average latency of 4 ms. Select **See details** to see the next hop details.
- Outbound connectivity from the source virtual machine is allowed. Select **See details** to see the security rules that are allowing the outbound communication from the source virtual machine.
- Azure default system route is used to route traffic to the IP address, which is in the same virtual network or a peered virtual network. (Route table ID: System route and Next hop type: Virtual Network).
- If the IP address is unreachable because the destination virtual machine isn't running, you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/ip-unreachable-vm-stopped.png" alt-text="Screenshot that shows connection troubleshoot results after testing the connection to an IP address of a stopped virtual machine." lightbox="./media/connection-troubleshoot-manage/ip-unreachable-vm-stopped.png":::
- 30 probes were sent and failed to reach the destination virtual machine. Select **See details** to see the next hop details.
- Outbound connectivity from the source virtual machine is allowed. Select **See details** to see the security rules that are allowing the outbound communication from the source virtual machine.
- Azure default system route is used to route traffic to the IP address, which is in the same virtual network or a peered virtual network. (Route table ID: System route and Next hop type: Virtual Network).
**Solution**: Start the destination virtual machine.
- If there's no route to the IP address in the routing table of the source virtual machine (for example, the IP address isn't in the address space of the VM's virtual network or its peered virtual networks), you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/ip-unreachable-route-table.png" alt-text="Screenshot that shows connection troubleshoot results after testing the connection to unreachable IP address with no route in the routing table." lightbox="./media/connection-troubleshoot-manage/ip-unreachable-route-table.png":::
- 30 probes were sent and failed to reach the destination virtual machine. Select **See details** to see the next hop details.
- Outbound connectivity from the source virtual machine is denied. Select **See details** to see security rule that is denying the outbound communication from the source virtual machine.
- Next hop type is *None* because there isn't a route to the IP address.
**Solution**: Associate a route table with a correct route to the subnet of the source virtual machine.
1. Select **Export to CSV** to download the test results in csv format.
# [**PowerShell**](#tab/powershell)
Use [Test-AzNetworkWatcherConnectivity](/powershell/module/az.network/test-aznetworkwatcherconnectivity) cmdlet to run connection troubleshoot to test RDP connectivity to `10.10.10.10`:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Port 3389 isn't reachable on the destination virtual machine (the output has `NoListenerOnDestination` and `GuestFirewall` errors on the destination virtual machine).
**Solution**: Configure the operating system on the destination virtual machine to accept inbound RDP traffic.
# [**Azure CLI**](#tab/cli)
Use [az network watcher test-connectivity](/cli/azure/network/watcher#az-network-watcher-test-connectivity) command to run connection troubleshoot diagnostic tests to test the connectivity to a virtual machine over port 3389:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Outbound connectivity from the source virtual machine is denied by the security rule `Deny3389Outbound` in the network security group `VM1-nsg`.
**Solution**: Update the network security group on the source virtual machine to allow outbound RDP traffic.
- If the operating system on the destination virtual machine doesn't accept incoming connections on port 3389, you see the following results:
- Connection status is **Reachable** (destination virtual machine is reachable over port 3389).
- 66 probes were successfully sent to the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- If the destination virtual machine has a network security group that's denying incoming RDP connections, you see the following results:
- Connection status is **Reachable** (destination virtual machine is reachable over port 3389).
- 66 probes were successfully sent to the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- If the destination virtual machine has a network security group that's denying incoming RDP connections, you see the following results:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Inbound connectivity to the destination virtual machine is denied by the security rule `Deny3389Inbound` in the network security group `VM2-nsg`.
**Solution**: Update the network security group on the destination virtual machine to allow inbound RDP traffic.
- If the source virtual machine has a network security group that's denying RDP connections to the destination, you see the following results:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Port 3389 isn't reachable on the destination virtual machine (the output has `NoListenerOnDestination` and `GuestFirewall` errors on the destination virtual machine).
**Solution**: Configure the operating system on the destination virtual machine to accept inbound RDP traffic.
---
## Test connectivity to a web address
In this section, you test the connectivity between a virtual machine and a web address.
# [**Portal**](#tab/portal)
1. On the **Connection troubleshoot** page. Enter or select the following information:
| Setting | Value |
| ------- | ------ |
| **Source** | |
| Source type | Select **Virtual machine**. |
| Virtual machine | Select the virtual machine that you want to troubleshoot the connection from. |
| **Destination** | |
| Destination type | Select **Specify manually**. |
| URI, FQDN, or IP address | Enter the web address that you want to test the connectivity to. In this example, `www.bing.com` is used. |
| **Probe Settings** | |
| Preferred IP version | Select **Both**. The other available options are: **IPv4** and **IPv6**. |
| Protocol | Select **TCP**. The other available option is: **ICMP**. |
| Destination port | Enter **443**. Port 443 for HTTPS. |
| Source port | Leave blank or enter a source port number that you want to test. |
| **Connection Diagnostic** | |
| Diagnostics tests | Select **Connectivity**. |
:::image type="content" source="./media/connection-troubleshoot-manage/test-connectivity-bing.png" alt-text="Screenshot that shows connection troubleshoot in the Azure portal to test the connection between a virtual machine and Microsoft Bing website." lightbox="./media/connection-troubleshoot-manage/test-connectivity-bing.png":::
1. Select **Run diagnostic tests**.
- If `www.bing.com` is reachable from the source virtual machine, you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/test-connectivity-bing-reachable.png" alt-text="Screenshot that shows connection troubleshoot results after testing the connection with Microsoft Bing website." lightbox="./media/connection-troubleshoot-manage/test-connectivity-bing-reachable.png":::
66 probes were successfully sent to `www.bing.com`. Select **See details** to see the next hop details.
- If `www.bing.com` is unreachable from the source virtual machine due to a security rule, you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/test-connectivity-bing-unreachable.png" alt-text="Screenshot that shows connection troubleshoot results after unsuccessfully testing the connection with Microsoft Bing website." lightbox="./media/connection-troubleshoot-manage/test-connectivity-bing-unreachable.png":::
30 probes were sent and failed to reach `www.bing.com`. Select **See details** to see the next hop details and the cause of the error.
**Solution**: Update the network security group on the source virtual machine to allow outbound traffic to `www.bing.com`.
1. Select **Export to CSV** to download the test results in csv format.
# [**PowerShell**](#tab/powershell)
Use [Test-AzNetworkWatcherConnectivity](/powershell/module/az.network/test-aznetworkwatcherconnectivity) cmdlet to run connection troubleshoot to test the connectivity to `www.bing.com`:
- Connection status is **Reachable** (`10.10.10.10` is reachable over port 3389).
- 66 probes were successfully sent to `10.10.10.10` with average latency of 2 ms.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- If the IP address is unreachable because the destination virtual machine isn't running, you see the following results:
- Connection status is **Unreachable** (`10.10.10.10` is unreachable over port 3389).
- 30 probes were sent and failed to reach `10.10.10.10`.
- No route in the routing table of the source virtual machine to `10.10.10.10` (the output has `RouteMissing` error on the source virtual machine).
- Next hop type is *None* because there's no route to `10.10.10.10`.
- Outbound connectivity from the source virtual machine is denied by the security rule `DefaultRule_DenyAllOutBound` in the network security group `VM1-nsg`.
**Solution**: Associate a route table with a correct route to the subnet of the source virtual machine.
# [**Azure CLI**](#tab/cli)
Use [az network watcher test-connectivity](/cli/azure/network/watcher#az-network-watcher-test-connectivity) command to run connection troubleshoot to test RDP connectivity to `10.10.10.10`: