Diagnose a virtual machine network routing problem - Azure PowerShell

In this article, you deploy a virtual machine (VM), and then check communications to an IP address and URL. You determine the cause of a communication failure and how you can resolve it.

If you don't have an Azure subscription, create a trial account before you begin.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell Az module. To find the installed version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount -EnvironmentName AzureChinaCloud to create a connection with Azure.

Create a VM

Before you can create a VM, you must create a resource group to contain the VM. Create a resource group with New-AzResourceGroup. The following example creates a resource group named myResourceGroup in the China East 2 location.

New-AzResourceGroup -Name myResourceGroup -Location 'China East 2'

Create the VM with New-AzVM. When running this step, you are prompted for credentials. The values that you enter are configured as the user name and password for the VM.

# The VM must be in the same region as the network watcher used later (China East 2)
$VM = New-AzVM `
    -ResourceGroupName "myResourceGroup" `
    -Name "myVm" `
    -Location "China East 2"

The VM takes a few minutes to create. Don't continue with the remaining steps until the VM is created and PowerShell returns output.

Test network communication

To test network communication with Network Watcher, you must first enable a network watcher in the region that the VM you want to test is in, and then use Network Watcher's next hop capability to test communication.

Enable network watcher

If you already have a network watcher enabled in the China East 2 region, use Get-AzNetworkWatcher to retrieve the network watcher. The following example retrieves an existing network watcher named NetworkWatcher_chinaeast that is in the NetworkWatcherRG resource group:

$networkWatcher = Get-AzNetworkWatcher `
  -Name NetworkWatcher_chinaeast `
  -ResourceGroupName NetworkWatcherRG

If you don't already have a network watcher enabled in the China East 2 region, use New-AzNetworkWatcher to create a network watcher in the China East 2 region:

$networkWatcher = New-AzNetworkWatcher `
  -Name "NetworkWatcher_chinaeast" `
  -ResourceGroupName "NetworkWatcherRG" `
  -Location "China East 2"

Use next hop

Azure automatically creates routes to default destinations. You may create custom routes that override the default routes. Sometimes, custom routes can cause communication to fail. To test routing from a VM, use the Get-AzNetworkWatcherNextHop command to determine the next routing hop when traffic is destined for a specific address.

Test outbound communication from the VM to one of the IP addresses for www.bing.com:

Get-AzNetworkWatcherNextHop `
  -NetworkWatcher $networkWatcher `
  -TargetVirtualMachineId $VM.Id `
  -SourceIPAddress 192.168.1.4 `
  -DestinationIPAddress 13.107.21.200

After a few seconds, the output informs you that the NextHopType is Internet, and that the RouteTableId is System Route. This result lets you know that there is a valid route to the destination.

Test outbound communication from the VM to 172.31.0.100:

Get-AzNetworkWatcherNextHop `
  -NetworkWatcher $networkWatcher `
  -TargetVirtualMachineId $VM.Id `
  -SourceIPAddress 192.168.1.4 `
  -DestinationIPAddress 172.31.0.100

The output returned informs you that the NextHopType is None, and that the RouteTableId is also System Route. This result lets you know that, while there is a valid system route to the destination, there is no next hop to route the traffic to the destination.

View details of a route

To analyze routing further, review the effective routes for the network interface with the Get-AzEffectiveRouteTable command:

Get-AzEffectiveRouteTable `
  -NetworkInterfaceName myVm `
  -ResourceGroupName myResourceGroup |
  Format-Table

Output that includes the following text is returned:

Name State  Source  AddressPrefix           NextHopType NextHopIpAddress
---- -----  ------  -------------           ----------- ----------------
     Active Default {192.168.0.0/16}        VnetLocal   {}              
     Active Default {0.0.0.0/0}             Internet    {}              
     Active Default {10.0.0.0/8}            None        {}              
     Active Default {100.64.0.0/10}         None        {}              
     Active Default {172.16.0.0/12}         None        {}              

As you can see in the previous output, the route with the AddressPrefix of 0.0.0.0/0 sends all traffic that is not destined for an address covered by another route's prefix to a next hop of Internet. As you can also see in the output, though there is a default route to the 172.16.0.0/12 prefix, which includes the 172.31.0.100 address, its NextHopType is None. Azure creates a default route to 172.16.0.0/12, but doesn't specify a next hop type until there is a reason to. If, for example, you added the 172.16.0.0/12 address range to the address space of the virtual network, Azure would change the NextHopType of that route to Virtual network. A next hop check would then show Virtual network as the NextHopType.
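The reason 172.31.0.100 lands on the 172.16.0.0/12 route rather than on 0.0.0.0/0 is longest-prefix matching: the most specific prefix that contains the destination wins, even when that route's next hop is None. The following is an added example, not code from the Azure documentation or the Az module; it reproduces that selection offline against a route list constructed to mirror the effective routes shown above (Find-EffectiveRoute, Test-Destination and the helper functions are hypothetical names), so you can see which route each destination matches before running a live next hop check.

```powershell
# Constructed sample mirroring the Get-AzEffectiveRouteTable output on this page.
# (The real cmdlet returns AddressPrefix as a list; a single string is used here.)
$effectiveRoutes = @(
    [pscustomobject]@{ Source = 'Default'; AddressPrefix = '192.168.0.0/16'; NextHopType = 'VnetLocal' }
    [pscustomobject]@{ Source = 'Default'; AddressPrefix = '0.0.0.0/0';      NextHopType = 'Internet'  }
    [pscustomobject]@{ Source = 'Default'; AddressPrefix = '10.0.0.0/8';     NextHopType = 'None'      }
    [pscustomobject]@{ Source = 'Default'; AddressPrefix = '100.64.0.0/10';  NextHopType = 'None'      }
    [pscustomobject]@{ Source = 'Default'; AddressPrefix = '172.16.0.0/12';  NextHopType = 'None'      }
)

# Convert a dotted IPv4 address to an integer so prefixes can be compared with masks.
function ConvertTo-AddressNumber {
    param([string]$Address)
    $value = [int64]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $value = ($value * 256) + $octet
    }
    return $value
}

# Build the network mask for a prefix length (0..32) as an int64.
# A decimal literal is used because 0xFFFFFFFF would parse as -1 in PowerShell.
function Get-PrefixMask {
    param([int]$PrefixLength)
    $allOnes = [int64]4294967295
    return ($allOnes -shl (32 - $PrefixLength)) -band $allOnes
}

# Longest-prefix match: return the most specific route whose prefix contains $Destination.
function Find-EffectiveRoute {
    param([object[]]$Routes, [string]$Destination)
    $dest = ConvertTo-AddressNumber $Destination
    $best = $null
    $bestLength = -1
    foreach ($route in $Routes) {
        $network, $length = $route.AddressPrefix -split '/'
        $length = [int]$length
        $mask = Get-PrefixMask $length
        $sameNetwork = ((ConvertTo-AddressNumber $network) -band $mask) -eq ($dest -band $mask)
        if ($sameNetwork -and $length -gt $bestLength) {
            $best = $route
            $bestLength = $length
        }
    }
    return $best
}

# Summarise the verdict the way a next hop check would: a matched route whose
# NextHopType is None means Azure has nowhere to forward the packet.
function Test-Destination {
    param([object[]]$Routes, [string]$Destination)
    $route = Find-EffectiveRoute -Routes $Routes -Destination $Destination
    [pscustomobject]@{
        Destination   = $Destination
        MatchedPrefix = $route.AddressPrefix
        NextHopType   = $route.NextHopType
        Reachable     = ($route.NextHopType -ne 'None')
    }
}

# 13.107.21.200 falls through to 0.0.0.0/0 (Internet); 172.31.0.100 matches the
# more specific 172.16.0.0/12 route, whose next hop is None.
'13.107.21.200', '172.31.0.100' | ForEach-Object {
    Test-Destination -Routes $effectiveRoutes -Destination $_
} | Format-Table
```

To run the same logic against a live interface, replace the constructed `$effectiveRoutes` with the objects returned by Get-AzEffectiveRouteTable and take the first element of each route's AddressPrefix list; the matching logic is unchanged. Adding the 172.16.0.0/12 range to the virtual network address space would, as the text above describes, change that route's NextHopType away from None, and Test-Destination would then report the address as reachable.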

Clean up resources

When no longer needed, you can use Remove-AzResourceGroup to remove the resource group and all of the resources it contains:

Remove-AzResourceGroup -Name myResourceGroup -Force

Next steps

In this article, you created a VM and diagnosed network routing from the VM. You learned that Azure creates several default routes, and you tested routing to two different destinations.

For outbound VM connections, you can also determine the latency and the allowed and denied network traffic between the VM and an endpoint using Network Watcher's connection troubleshoot capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL, over time using the Network Watcher connection monitor capability. To learn how, see Monitor a network connection.