Tutorial: Monitor network communication between two virtual machines using the Azure portal

Successful communication between a virtual machine (VM) and an endpoint, such as another VM, can be critical for your organization. Sometimes, configuration changes are introduced that break communication. In this tutorial, you learn how to:

  • Create two VMs
  • Monitor communication between VMs with the connection monitor capability of Network Watcher
  • Generate alerts on Connection Monitor metrics
  • Diagnose a communication problem between two VMs, and learn how you can resolve it

If you don't have an Azure subscription, create a trial account before you begin.

Sign in to Azure

Sign in to the Azure portal.

Create VMs

Create two VMs.

Create the first VM

  1. Select + Create a resource in the upper-left corner of the Azure portal.

  2. Select Compute, and then select an operating system. In this tutorial, Windows Server 2016 Datacenter is used.

  3. Enter or select the following information, accept the defaults for the remaining settings, and then select OK:

    Setting        | Value
    Name           | myVm1
    User name      | Enter a user name of your choosing.
    Password       | Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    Subscription   | Select your subscription.
    Resource group | Select Create new and enter myResourceGroup.
    Location       | Select China East.

  4. Select a size for the VM, and then select Select.

  5. Under Settings, select Extensions. Select Add extension, and then select Network Watcher Agent for Windows, as shown in the following picture:

    (Picture: Network Watcher Agent extension)

  6. Under Network Watcher Agent for Windows, select Create; under Install extension, select OK; and then under Extensions, select OK.

  7. Accept the defaults for the remaining Settings and select OK.

  8. Under Create of the Summary, select Create to start the VM deployment.

Create the second VM

Complete the steps in Create the first VM again, with the following changes:

    Step | Setting             | Value
    1    |                     | Select a version of Ubuntu Server
    3    | Name                | myVm2
    3    | Authentication type | Paste your SSH public key, or select Password and enter a password.
    3    | Resource group      | Select Use existing and select myResourceGroup.
    6    | Extensions          | Network Agent for Linux

The VM takes a few minutes to deploy. Wait for the VM to finish deploying before continuing with the remaining steps.

Create a connection monitor

Create a connection monitor to monitor communication over TCP port 22 from myVm1 to myVm2.

  1. On the left side of the portal, select All services.

  2. Start typing network watcher in the Filter box. When Network Watcher appears in the search results, select it.

  3. Under MONITORING, select Connection monitor.

  4. Select + Add.

  5. Enter or select the information for the connection you want to monitor, and then select Add. In the example shown in the following picture, the connection monitored is from the myVm1 VM to the myVm2 VM over port 22:

    Setting         | Value
    Name            | myVm1-myVm2(22)
    Source          |
    Virtual machine | myVm1
    Destination     |
                    | Select a virtual machine
    Virtual machine | myVm2
    Port            | 22

    (Picture: Add connection monitor)

View a connection monitor

  1. Complete steps 1-3 in Create a connection monitor to view connection monitoring. You see a list of existing connection monitors, as shown in the following picture:

    (Picture: Connection monitors)

  2. Select the monitor named myVm1-myVm2(22), as shown in the previous picture, to see details for the monitor, as shown in the following picture:

    (Picture: Monitor details)

    Note the following information:

    Item            | Value     | Details
    Status          | Reachable | Lets you know whether the endpoint is reachable or not.
    AVG. ROUND-TRIP |           | Lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the connection every 60 seconds, so you can monitor latency over time.
    Hops            |           | Connection monitor lets you know the hops between the two endpoints. In this example, the connection is between two VMs in the same virtual network, so there is only one hop, to the 10.0.0.5 IP address. If any existing system or custom routes send traffic between the VMs through, for example, a VPN gateway or a network virtual appliance, additional hops are listed.
    STATUS          |           | The green check marks for each endpoint let you know that each endpoint is healthy.

Generate alerts

Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. A generated alert can automatically run one or more actions, such as notifying someone or starting another process. When setting an alert rule, the resource that you target determines the list of available metrics that you can use to generate alerts.

  1. In the Azure portal, select the Monitor service, and then select Alerts > New alert rule.

  2. Click Select target, and then select the resources that you want to target. Select the Subscription, and set Resource type to filter down to the Connection Monitor that you want to use.

    (Picture: Alert screen with target selected)

  3. Once you have selected a resource to target, select Add criteria. Network Watcher has metrics on which you can create alerts. Set Available signals to the metrics ProbesFailedPercent and AverageRoundtripMs:

    (Picture: Alert page with signal selected)

  4. Fill out the alert details, such as the alert rule name, description, and severity. You can also add an action group to the alert to automate and customize the alert response.
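To make the two signals concrete, the following added example (not Microsoft's code or part of this tutorial) computes ProbesFailedPercent and AverageRoundtripMs from a series of 60-second probe results and evaluates alert thresholds over an aggregation window. The probe samples, the window length, and the thresholds are all constructed for the example; the names and semantics of the two metrics follow the tutorial.

```python
"""Connection Monitor style metrics from 60-second probe samples.

Added example, not Microsoft's code: computes ProbesFailedPercent and
AverageRoundtripMs (the two metrics the tutorial's alert rule targets)
over an aggregation window and evaluates alert thresholds against them.
All probe data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROBE_INTERVAL_S = 60  # connection monitor probes the connection every 60 seconds


@dataclass(frozen=True)
class Probe:
    t: int                   # seconds since the monitor started
    rtt_ms: Optional[float]  # None means the probe got no reply (failed)


def probes_failed_percent(samples: List[Probe]) -> float:
    """Percentage of probes in the window that failed (0-100)."""
    if not samples:
        return 0.0
    failed = sum(1 for p in samples if p.rtt_ms is None)
    return 100.0 * failed / len(samples)


def average_roundtrip_ms(samples: List[Probe]) -> Optional[float]:
    """Mean RTT over the successful probes only; None if none succeeded."""
    ok = [p.rtt_ms for p in samples if p.rtt_ms is not None]
    return sum(ok) / len(ok) if ok else None


def window(samples: List[Probe], start_s: int, length_s: int) -> List[Probe]:
    """Probes with start_s <= t < start_s + length_s (one aggregation window)."""
    return [p for p in samples if start_s <= p.t < start_s + length_s]


def evaluate_alert(samples: List[Probe], start_s: int, length_s: int,
                   failed_pct_threshold: float,
                   rtt_threshold_ms: float) -> Tuple[bool, List[str]]:
    """Return (fired, reasons) for one window; either metric can trigger."""
    w = window(samples, start_s, length_s)
    reasons: List[str] = []
    failed = probes_failed_percent(w)
    if failed > failed_pct_threshold:
        reasons.append(f"ProbesFailedPercent {failed:.1f} > {failed_pct_threshold}")
    rtt = average_roundtrip_ms(w)
    if rtt is not None and rtt > rtt_threshold_ms:
        reasons.append(f"AverageRoundtripMs {rtt:.1f} > {rtt_threshold_ms}")
    return bool(reasons), reasons


# Constructed sample: ten healthy probes, then a deny rule takes effect at
# t=600 and every later probe to port 22 gets no reply.
_HEALTHY_RTTS = [1.2, 1.4, 1.1, 1.3, 1.5, 1.2, 1.4, 1.3, 1.1, 1.5]
SAMPLES: List[Probe] = (
    [Probe(i * PROBE_INTERVAL_S, rtt) for i, rtt in enumerate(_HEALTHY_RTTS)]
    + [Probe(600 + i * PROBE_INTERVAL_S, None) for i in range(10)]
)

if __name__ == "__main__":
    for start in (0, 600):
        fired, reasons = evaluate_alert(SAMPLES, start, 600, 20.0, 100.0)
        print(f"window {start}-{start + 600}s: fired={fired} {reasons}")
```

Note that AverageRoundtripMs is computed over successful probes only, so a window in which every probe fails has no round-trip value at all; an alert on latency alone would stay silent during a complete outage, which is why the tutorial pairs it with ProbesFailedPercent.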

View a problem

By default, Azure allows communication over all ports between VMs in the same virtual network. Over time, you, or someone in your organization, might override Azure's default rules, inadvertently causing a communication failure. Complete the following steps to create a communication problem and then view the connection monitor again:

  1. In the search box at the top of the portal, enter myResourceGroup. When the myResourceGroup resource group appears in the search results, select it.

  2. Select the myVm2-nsg network security group.

  3. Select Inbound security rules, and then select Add, as shown in the following picture:

    (Picture: Inbound security rules)

  4. The default rule that allows communication between all VMs in a virtual network is the rule named AllowVnetInBound. Create a rule with a higher priority (a lower number) than the AllowVnetInBound rule that denies inbound communication over port 22. Select or enter the following information, accept the remaining defaults, and then select Add:

    Setting                 | Value
    Destination port ranges | 22
    Action                  | Deny
    Priority                | 100
    Name                    | DenySshInbound

  5. Since connection monitor probes at 60-second intervals, wait a few minutes, and then on the left side of the portal select Network Watcher, then Connection monitor, and then select the myVm1-myVm2(22) monitor again. The results are different now, as shown in the following picture:

    (Picture: Monitor details with error)

    You can see that there's a red exclamation icon in the status column for the myvm2529 network interface.

  6. To learn why the status has changed, select 10.0.0.5 in the previous picture. Connection monitor informs you that the reason for the communication failure is: Traffic blocked due to the following network security group rule: UserRule_DenySshInbound.

    If you didn't know that someone had implemented the security rule you created in step 4, you'd learn from connection monitor that the rule is causing the communication problem. You could then change, override, or remove the rule to restore communication between the VMs.
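The reason a Deny rule at priority 100 wins over the default AllowVnetInBound rule is that Azure evaluates NSG rules in ascending priority order and stops at the first match. The following added example (not Azure's code or part of this tutorial) simulates that evaluation for the rules in this section, including the validation Azure applies to custom rule priorities (100 to 4096) and the UserRule_/DefaultRule_ naming seen in the connection monitor message above. The VNet prefix 10.0.0.0/16 and the source address 10.0.0.4 for myVm1 are constructed assumptions; 10.0.0.5 for myVm2 comes from the tutorial.

```python
"""Simulate how Azure evaluates network security group (NSG) inbound rules.

Added example, not Azure's code: rules are evaluated lowest priority
number first and the first matching rule decides, which is why a Deny
rule at priority 100 overrides the default AllowVnetInBound rule at
priority 65000. VNET_PREFIX and the 10.0.0.4 source address are
constructed assumptions; 10.0.0.5 (myVm2) follows the tutorial.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

VNET_PREFIX = "10.0.0.0/16"  # constructed: what the VirtualNetwork tag resolves to here


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*" (the portal's "Any")
    source: str      # CIDR, "*" (Any) or the "VirtualNetwork" service tag
    dest_ports: str  # "22", "22-23", "22,3389" or "*"
    is_default: bool = False  # True for the rules Azure creates in every NSG


def _source_matches(spec: str, src_ip: str) -> bool:
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        spec = VNET_PREFIX
    return ip_address(src_ip) in ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def first_match(rules: List[Rule], direction: str, protocol: str,
                src_ip: str, dst_port: int) -> Optional[Rule]:
    """The rule Azure would apply: the lowest priority number that matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if _source_matches(r.source, src_ip) and _port_matches(r.dest_ports, dst_port):
            return r
    return None


def explain(rules: List[Rule], protocol: str, src_ip: str, dst_port: int) -> str:
    """Message in the spirit of what connection monitor reports for a probe."""
    r = first_match(rules, "Inbound", protocol, src_ip, dst_port)
    if r is None:
        return "Traffic blocked: no matching network security group rule"
    name = ("DefaultRule_" if r.is_default else "UserRule_") + r.name
    if r.access == "Deny":
        return f"Traffic blocked due to the following network security group rule: {name}"
    return f"Traffic allowed by network security group rule: {name}"


def add_custom_rule(rules: List[Rule], rule: Rule) -> List[Rule]:
    """Apply the checks Azure enforces on user rules before adding one."""
    if not 100 <= rule.priority <= 4096:
        raise ValueError("custom rule priority must be between 100 and 4096")
    if any(r.priority == rule.priority and r.direction == rule.direction for r in rules):
        raise ValueError("priority already in use in this direction")
    return rules + [rule]


# Azure's default inbound rules (the AzureLoadBalancer default rule is omitted).
DEFAULT_INBOUND: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", True),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", True),
]
# The rule added in step 4; source and protocol keep the portal defaults (Any).
DENY_SSH = Rule("DenySshInbound", 100, "Inbound", "Deny", "*", "*", "22")

if __name__ == "__main__":
    print("before:", explain(DEFAULT_INBOUND, "Tcp", "10.0.0.4", 22))
    after = add_custom_rule(DEFAULT_INBOUND, DENY_SSH)
    print("after: ", explain(after, "Tcp", "10.0.0.4", 22))
    print("port 80:", explain(after, "Tcp", "10.0.0.4", 80))
```

Running the block shows the same transition the tutorial walks through in the portal: before the custom rule, a TCP/22 probe from 10.0.0.4 is allowed by DefaultRule_AllowVnetInBound; after it, the probe is blocked by UserRule_DenySshInbound, while port 80 traffic is still allowed because the deny rule matches only destination port 22.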

Clean up resources

When no longer needed, delete the resource group and all of the resources it contains:

  1. Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
  2. Select Delete resource group.
  3. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you learned how to monitor a connection between two VMs. You learned that a network security group rule prevented communication to a VM. To learn about all of the different responses connection monitor can return, see response types. You can also monitor a connection between a VM, a fully qualified domain name, a uniform resource identifier, or an IP address.

At some point, you may find that resources in a virtual network are unable to communicate with resources in other networks connected by an Azure virtual network gateway. Advance to the next tutorial to learn how to diagnose a problem with a virtual network gateway.