About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- windows_first
- missing_linux_example
Summary:
The documentation consistently uses Windows-centric examples, particularly by focusing on RDP (port 3389) connectivity, which is specific to Windows environments. There are no equivalent Linux scenarios (such as SSH on port 22) provided. The troubleshooting steps and sample outputs are all based on RDP, and solutions reference enabling RDP or related Windows firewall/security group rules. While the documentation does mention Linux in the context of installing the Network Watcher agent, it does not provide Linux-specific connectivity tests or troubleshooting examples.
Recommendations:
- Include Linux-centric connectivity scenarios, such as testing SSH (port 22) between virtual machines, alongside or instead of RDP examples.
- For each troubleshooting example, provide parallel steps and outputs for both RDP (Windows) and SSH (Linux) to ensure parity.
- In solution sections, mention updating firewall rules for SSH on Linux (e.g., opening port 22) as well as RDP for Windows.
- Where operating system configuration is referenced, provide guidance for both Windows (enabling RDP) and Linux (enabling SSH, checking sshd status, etc.).
- Ensure that screenshots and sample outputs reflect both Windows and Linux use cases where applicable.
Flagged Code Snippets
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Outbound connectivity from the source virtual machine is denied by the security rule `Deny3389Outbound` in the network security group `VM1-nsg`.
**Solution**: Update the network security group on the source virtual machine to allow outbound RDP traffic.
- If the operating system on the destination virtual machine doesn't accept incoming connections on port 3389, you see the following results:
- Connection status is **Unreachable** (`www.bing.com` isn't reachable from **VM1**).
- 30 probes were sent and failed to reach `www.bing.com`.
- Outbound connectivity from the source virtual machine is denied by the security rule `DenyInternetOutbound` in the network security group `VM1-nsg`.
- Next hop type is `Internet`.
**Solution**: Update the network security group on the source virtual machine to allow outbound traffic to `www.bing.com`.
---
## Test connectivity to an IP address
In this section, you test the connectivity between a virtual machine and an IP address of another virtual machine.
# [**Portal**](#tab/portal)
1. On the **Connection troubleshoot** page, enter or select the following information:
| Setting | Value |
| ------- | ------ |
| **Source** | |
| Source type | Select **Virtual machine**. |
| Virtual machine | Select the virtual machine that you want to troubleshoot the connection from. |
| **Destination** | |
| Destination type | Select **Specify manually**. |
| URI, FQDN, or IP address | Enter the IP address that you want to test the connectivity to. In this example, `10.10.10.10` is used. |
| **Probe Settings** | |
| Preferred IP version | Select **IPv4**. The other available options are: **Both** and **IPv6**. |
| Protocol | Select **TCP**. The other available option is: **ICMP**. |
| Destination port | Enter **3389**. |
| Source port | Leave blank or enter a source port number that you want to test. |
| **Connection Diagnostic** | |
| Diagnostics tests | Select **Connectivity**, **NSG diagnostic**, and **Next hop**. |
:::image type="content" source="./media/connection-troubleshoot-manage/test-connectivity-ip.png" alt-text="Screenshot that shows connection troubleshoot in the Azure portal to test the connection between a virtual machine and an IP address." lightbox="./media/connection-troubleshoot-manage/test-connectivity-ip.png":::
1. Select **Run diagnostic tests**.
- If the IP address is reachable, you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/ip-reachable.png" alt-text="Screenshot that shows connection troubleshoot results after testing the connection to a reachable IP address." lightbox="./media/connection-troubleshoot-manage/ip-reachable.png":::
- 66 probes were successfully sent with average latency of 4 ms. Select **See details** to see the next hop details.
- Outbound connectivity from the source virtual machine is allowed. Select **See details** to see the security rules that are allowing the outbound communication from the source virtual machine.
- Azure default system route is used to route traffic to the IP address, which is in the same virtual network or a peered virtual network. (Route table ID: System route and Next hop type: Virtual Network).
- If the IP address is unreachable because the destination virtual machine isn't running, you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/ip-unreachable-vm-stopped.png" alt-text="Screenshot that shows connection troubleshoot results after testing the connection to an IP address of a stopped virtual machine." lightbox="./media/connection-troubleshoot-manage/ip-unreachable-vm-stopped.png":::
- 30 probes were sent and failed to reach the destination virtual machine. Select **See details** to see the next hop details.
- Outbound connectivity from the source virtual machine is allowed. Select **See details** to see the security rules that are allowing the outbound communication from the source virtual machine.
- Azure default system route is used to route traffic to the IP address, which is in the same virtual network or a peered virtual network. (Route table ID: System route and Next hop type: Virtual Network).
**Solution**: Start the destination virtual machine.
- If there's no route to the IP address in the routing table of the source virtual machine (for example, the IP address isn't in the address space of the VM's virtual network or its peered virtual networks), you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/ip-unreachable-route-table.png" alt-text="Screenshot that shows connection troubleshoot results after testing the connection to unreachable IP address with no route in the routing table." lightbox="./media/connection-troubleshoot-manage/ip-unreachable-route-table.png":::
- 30 probes were sent and failed to reach the destination virtual machine. Select **See details** to see the next hop details.
- Outbound connectivity from the source virtual machine is denied. Select **See details** to see the security rule that is denying the outbound communication from the source virtual machine.
- Next hop type is *None* because there isn't a route to the IP address.
**Solution**: Associate a route table with a correct route to the subnet of the source virtual machine.
1. Select **Export to CSV** to download the test results in CSV format.
# [**PowerShell**](#tab/powershell)
Use the [Test-AzNetworkWatcherConnectivity](/powershell/module/az.network/test-aznetworkwatcherconnectivity) cmdlet to run connection troubleshoot to test RDP connectivity to `10.10.10.10`:
- Connection status is **Reachable** (destination virtual machine is reachable over port 3389).
- 66 probes were successfully sent to the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- If the destination virtual machine has a network security group that's denying incoming RDP connections, you see the following results:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Inbound connectivity to the destination virtual machine is denied by the security rule `Deny3389Inbound` in the network security group `VM2-nsg`.
**Solution**: Update the network security group on the destination virtual machine to allow inbound RDP traffic.
- If the source virtual machine has a network security group that's denying RDP connections to the destination, you see the following results:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Port 3389 isn't reachable on the destination virtual machine (the output has `NoListenerOnDestination` and `GuestFirewall` errors on the destination virtual machine).
**Solution**: Configure the operating system on the destination virtual machine to accept inbound RDP traffic.
# [**Azure CLI**](#tab/cli)
Use the [az network watcher test-connectivity](/cli/azure/network/watcher#az-network-watcher-test-connectivity) command to run connection troubleshoot diagnostic tests to test the connectivity to a virtual machine over port 3389:
- Connection status is **Reachable** (destination virtual machine is reachable over port 3389).
- 66 probes were successfully sent to the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- If the destination virtual machine has a network security group that's denying incoming RDP connections, you see the following results:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Inbound connectivity to the destination virtual machine is denied by the security rule `Deny3389Inbound` in the network security group `VM2-nsg`.
**Solution**: Update the network security group on the destination virtual machine to allow inbound RDP traffic.
- If the source virtual machine has a network security group that's denying RDP connections to the destination, you see the following results:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Outbound connectivity from the source virtual machine is denied by the security rule `Deny3389Outbound` in the network security group `VM1-nsg`.
**Solution**: Update the network security group on the source virtual machine to allow outbound RDP traffic.
- If the operating system on the destination virtual machine doesn't accept incoming connections on port 3389, you see the following results:
- Connection status is **Unreachable** (destination virtual machine is unreachable over port 3389).
- 30 probes were sent and failed to reach the destination virtual machine.
- There are two hops in the path between the two virtual machines (no appliances or other resources in the path between the two VMs).
- Port 3389 isn't reachable on the destination virtual machine (the output has `NoListenerOnDestination` and `GuestFirewall` errors on the destination virtual machine).
**Solution**: Configure the operating system on the destination virtual machine to accept inbound RDP traffic.
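
The outcomes above pair each error in the test output with a fix. As an added example (not part of the Azure documentation), this Python script triages a saved test result the same way; the JSON field layout and the `VirtualMachine` hop type are assumptions on constructed sample data, while the rule and error names are the ones this page mentions.

```python
# Constructed sample; the JSON field layout is an assumption, not captured output.
SAMPLE_NSG_DENY = {
    "connectionStatus": "Unreachable", "probesSent": 30, "probesFailed": 30,
    "hops": [
        {"type": "Source", "issues": [{
            "origin": "Outbound", "type": "NetworkSecurityRule",
            "context": [{"key": "RuleName", "value": "Deny3389Outbound"}]}]},
        {"type": "VirtualMachine", "issues": []},
    ],
}

GUEST_OS = ("Configure the operating system on the destination virtual machine "
            "to accept inbound traffic on the tested port.")
FIXES = {
    "NoListenerOnDestination": GUEST_OS,
    "GuestFirewall": GUEST_OS,
    "RouteMissing": "Associate a route table with a correct route to the "
                    "subnet of the source virtual machine.",
}

def fix_for(hop_type, issue):
    """Map one reported issue to the Solution text this page gives for it."""
    kind = issue.get("type")
    if kind == "NetworkSecurityRule":
        # Assumes the two-hop path described on this page (source, destination).
        side = "source" if hop_type == "Source" else "destination"
        direction = (issue.get("origin") or "").lower() or "the blocked"
        return (f"Update the network security group on the {side} "
                f"virtual machine to allow {direction} traffic.")
    return FIXES.get(kind, f"Unrecognized issue type {kind!r}; review the raw output.")

def triage(result):
    """Return (hop type, issue type, NSG rule or None, fix) tuples, one per distinct fix."""
    if result.get("connectionStatus") == "Reachable":
        return []
    findings, seen = [], set()
    for hop in result.get("hops", []):
        for issue in hop.get("issues", []):
            ctx = {c.get("key"): c.get("value") for c in issue.get("context", [])}
            fix = fix_for(hop.get("type"), issue)
            if fix not in seen:
                seen.add(fix)
                findings.append((hop.get("type"), issue.get("type"), ctx.get("RuleName"), fix))
    if not findings:
        # Probes failed but no hop reported an issue: the stopped-VM case above.
        findings.append((None, None, None,
                         "Check that the destination virtual machine is running."))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_NSG_DENY):
        print(finding)
```

Reporting the rule name next to the fix shows which NSG rule to review, so the change can be scoped to that rule instead of opening the port more broadly.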
---
## Test connectivity to a web address
In this section, you test the connectivity between a virtual machine and a web address.
# [**Portal**](#tab/portal)
1. On the **Connection troubleshoot** page, enter or select the following information:
| Setting | Value |
| ------- | ------ |
| **Source** | |
| Source type | Select **Virtual machine**. |
| Virtual machine | Select the virtual machine that you want to troubleshoot the connection from. |
| **Destination** | |
| Destination type | Select **Specify manually**. |
| URI, FQDN, or IP address | Enter the web address that you want to test the connectivity to. In this example, `www.bing.com` is used. |
| **Probe Settings** | |
| Preferred IP version | Select **Both**. The other available options are: **IPv4** and **IPv6**. |
| Protocol | Select **TCP**. The other available option is: **ICMP**. |
| Destination port | Enter **443** (the HTTPS port). |
| Source port | Leave blank or enter a source port number that you want to test. |
| **Connection Diagnostic** | |
| Diagnostics tests | Select **Connectivity**. |
:::image type="content" source="./media/connection-troubleshoot-manage/test-connectivity-bing.png" alt-text="Screenshot that shows connection troubleshoot in the Azure portal to test the connection between a virtual machine and Microsoft Bing website." lightbox="./media/connection-troubleshoot-manage/test-connectivity-bing.png":::
1. Select **Run diagnostic tests**.
- If `www.bing.com` is reachable from the source virtual machine, you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/test-connectivity-bing-reachable.png" alt-text="Screenshot that shows connection troubleshoot results after testing the connection with Microsoft Bing website." lightbox="./media/connection-troubleshoot-manage/test-connectivity-bing-reachable.png":::
66 probes were successfully sent to `www.bing.com`. Select **See details** to see the next hop details.
- If `www.bing.com` is unreachable from the source virtual machine due to a security rule, you see the following results:
:::image type="content" source="./media/connection-troubleshoot-manage/test-connectivity-bing-unreachable.png" alt-text="Screenshot that shows connection troubleshoot results after unsuccessfully testing the connection with Microsoft Bing website." lightbox="./media/connection-troubleshoot-manage/test-connectivity-bing-unreachable.png":::
30 probes were sent and failed to reach `www.bing.com`. Select **See details** to see the next hop details and the cause of the error.
**Solution**: Update the network security group on the source virtual machine to allow outbound traffic to `www.bing.com`.
1. Select **Export to CSV** to download the test results in CSV format.
# [**PowerShell**](#tab/powershell)
Use the [Test-AzNetworkWatcherConnectivity](/powershell/module/az.network/test-aznetworkwatcherconnectivity) cmdlet to run connection troubleshoot to test the connectivity to `www.bing.com`:
- Connection status is **Unreachable** (`10.10.10.10` is unreachable over port 3389).
- 30 probes were sent and failed to reach `10.10.10.10`.
- No route in the routing table of the source virtual machine to `10.10.10.10` (the output has `RouteMissing` error on the source virtual machine).
- Next hop type is *None* because there's no route to `10.10.10.10`.
- Outbound connectivity from the source virtual machine is denied by the security rule `DefaultRule_DenyAllOutBound` in the network security group `VM1-nsg`.
**Solution**: Associate a route table with a correct route to the subnet of the source virtual machine.
# [**Azure CLI**](#tab/cli)
Use the [az network watcher test-connectivity](/cli/azure/network/watcher#az-network-watcher-test-connectivity) command to run connection troubleshoot to test RDP connectivity to `10.10.10.10`: