Troubleshoot connections with Azure Network Watcher using the Azure CLI

Learn how to use connection troubleshoot to verify whether a direct TCP connection from a virtual machine to a given endpoint can be established.

Before you begin

This article assumes you have the following resources:

  • An instance of Network Watcher in the region where you want to troubleshoot a connection.
  • Virtual machines to troubleshoot connections with.

Important

Connection troubleshoot requires that the VM you troubleshoot from has the AzureNetworkWatcherExtension VM extension installed. To install the extension on a Windows VM, see Azure Network Watcher Agent virtual machine extension for Windows; for a Linux VM, see Azure Network Watcher Agent virtual machine extension for Linux. The extension is not required on the destination endpoint.

Check connectivity to a virtual machine

This example checks connectivity to a destination virtual machine over port 80.

Example

az network watcher test-connectivity --resource-group ContosoRG --source-resource MultiTierApp0 --dest-resource Database0 --dest-port 80

Response

The following response is from the previous example. In this response, the connectionStatus is Unreachable. You can see that all the probes sent failed. The connectivity failed at the virtual appliance due to a user-configured NetworkSecurityRule named UserRule_Port80, configured to block incoming traffic on port 80. This information can be used to research connection issues.

{
  "avgLatencyInMs": null,
  "connectionStatus": "Unreachable",
  "hops": [
    {
      "address": "10.1.1.4",
      "id": "bb01d336-d881-4808-9fbc-72f091974d68",
      "issues": [],
      "nextHopIds": [
        "f8b074e9-9980-496b-a35e-619f9bcbf648"
      ],
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
      "type": "Source"
    },
    {
      "address": "10.1.2.4",
      "id": "f8b074e9-9980-496b-a35e-619f9bcbf648",
      "issues": [],
      "nextHopIds": [
        "8a5857f3-6ab8-4b11-b9bf-a046d66b8696"
      ],
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/fwNic/ipConfigurations/ipconfig1",
      "type": "VirtualAppliance"
    },
    {
      "address": "10.1.3.4",
      "id": "8a5857f3-6ab8-4b11-b9bf-a046d66b8696",
      "issues": [
        {
          "context": [
            {
              "key": "RuleName",
              "value": "UserRule_Port80"
            }
          ],
          "origin": "Outbound",
          "severity": "Error",
          "type": "NetworkSecurityRule"
        }
      ],
      "nextHopIds": [
        "6ce2f7a2-ceb4-4145-80e8-5d9f661655d6"
      ],
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/auNic/ipConfigurations/ipconfig1",
      "type": "VirtualAppliance"
    },
    {
      "address": "10.1.4.4",
      "id": "6ce2f7a2-ceb4-4145-80e8-5d9f661655d6",
      "issues": [],
      "nextHopIds": [],
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/dbNic0/ipConfigurations/ipconfig1",
      "type": "VnetLocal"
    }
  ],
  "maxLatencyInMs": null,
  "minLatencyInMs": null,
  "probesFailed": 100,
  "probesSent": 100
}

Validate routing issues

This example checks connectivity between a virtual machine and a remote endpoint.

Example

az network watcher test-connectivity --resource-group ContosoRG --source-resource MultiTierApp0 --dest-address 13.107.21.200 --dest-port 80

Response

In the following example, the connectionStatus is shown as Unreachable. In the hops details, you can see under issues that the traffic was blocked due to a UserDefinedRoute.

{
  "avgLatencyInMs": null,
  "connectionStatus": "Unreachable",
  "hops": [
    {
      "address": "10.1.1.4",
      "id": "f2cb1868-2049-4839-b8ed-57a480d06f95",
      "issues": [
        {
          "context": [
            {
              "key": "RouteType",
              "value": "User"
            }
          ],
          "origin": "Outbound",
          "severity": "Error",
          "type": "UserDefinedRoute"
        }
      ],
      "nextHopIds": [
        "da4022db-0ab0-48c4-a507-dd4c03561ca5"
      ],
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
      "type": "Source"
    },
    {
      "address": "13.107.21.200",
      "id": "da4022db-0ab0-48c4-a507-dd4c03561ca5",
      "issues": [],
      "nextHopIds": [],
      "resourceId": "Unknown",
      "type": "Destination"
    }
  ],
  "maxLatencyInMs": null,
  "minLatencyInMs": null,
  "probesFailed": 100,
  "probesSent": 100
}
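
The two Unreachable responses above both put the cause in a hop's issues list. The following is an added example, not part of the original article: it walks the hops from the Source hop through nextHopIds and returns each issue with its context, for an NSG rule or a user-defined route alike. The function names are assumptions, and the sample is the first response above, trimmed, with hop ids shortened.

```python
import json

# Constructed sample: the first response on this page, trimmed (resourceId
# omitted, hop ids shortened to h1..h4).
SAMPLE = json.loads("""
{"connectionStatus": "Unreachable", "probesSent": 100, "probesFailed": 100,
 "hops": [
  {"id": "h1", "address": "10.1.1.4", "type": "Source",
   "issues": [], "nextHopIds": ["h2"]},
  {"id": "h2", "address": "10.1.2.4", "type": "VirtualAppliance",
   "issues": [], "nextHopIds": ["h3"]},
  {"id": "h3", "address": "10.1.3.4", "type": "VirtualAppliance",
   "issues": [{"type": "NetworkSecurityRule", "origin": "Outbound",
               "severity": "Error",
               "context": [{"key": "RuleName", "value": "UserRule_Port80"}]}],
   "nextHopIds": ["h4"]},
  {"id": "h4", "address": "10.1.4.4", "type": "VnetLocal",
   "issues": [], "nextHopIds": []}]}
""")

def walk_hops(result):
    """Yield hops in path order: start at the Source hop, follow nextHopIds."""
    by_id = {h["id"]: h for h in result["hops"]}
    queue = [h["id"] for h in result["hops"] if h["type"] == "Source"]
    seen = set()
    while queue:
        hop_id = queue.pop(0)
        if hop_id in seen or hop_id not in by_id:
            continue  # skip loops and ids that point at no listed hop
        seen.add(hop_id)
        yield by_id[hop_id]
        queue.extend(by_id[hop_id].get("nextHopIds", []))

def blocking_issues(result):
    """Return every reported issue in path order, with context as a dict."""
    return [{"address": hop["address"], "hop_type": hop["type"],
             "issue_type": issue["type"], "origin": issue["origin"],
             "severity": issue["severity"],
             "context": {c["key"]: c["value"] for c in issue.get("context", [])}}
            for hop in walk_hops(result) for issue in hop.get("issues", [])]

def summarize(result):
    """One line per issue, or the probe counts when no hop reports one."""
    lines = [f'{i["severity"]}: {i["issue_type"]} ({i["origin"]}) at '
             f'{i["address"]} [{i["hop_type"]}] {i["context"]}'
             for i in blocking_issues(result)]
    sent, failed = result["probesSent"], result["probesFailed"]
    return lines or [f'{result["connectionStatus"]}: {failed}/{sent} probes failed']

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

To use it on live output, load the JSON printed by az network watcher test-connectivity with json.load and pass the result to summarize.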

Check website latency

The following example checks the connectivity to a website.

Example

az network watcher test-connectivity --resource-group ContosoRG --source-resource MultiTierApp0 --dest-address https://bing.com --dest-port 80

Response

In the following response, you can see the connectionStatus shows as Reachable. When a connection is successful, latency values are provided.

{
  "avgLatencyInMs": 2,
  "connectionStatus": "Reachable",
  "hops": [
    {
      "address": "10.1.1.4",
      "id": "639c2d19-e163-4dfd-8737-5018dd1168ae",
      "issues": [],
      "nextHopIds": [
        "fd43a6e7-c758-4f48-90aa-8db99105a4a3"
      ],
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
      "type": "Source"
    },
    {
      "address": "204.79.197.200",
      "id": "fd43a6e7-c758-4f48-90aa-8db99105a4a3",
      "issues": [],
      "nextHopIds": [],
      "resourceId": "Internet",
      "type": "Internet"
    }
  ],
  "maxLatencyInMs": 7,
  "minLatencyInMs": 0,
  "probesFailed": 0,
  "probesSent": 100
}

Check connectivity to a storage endpoint

The following example checks the connectivity from a virtual machine to a blob storage account.

Example

az network watcher test-connectivity --resource-group ContosoRG --source-resource MultiTierApp0 --dest-address https://contosoexamplesa.blob.core.chinacloudapi.cn/

Response

The following JSON is the example response from running the previous command. As the check is successful, the connectionStatus property shows as Reachable. The response gives details about the number of hops required to reach the storage blob and the latency.

{
  "avgLatencyInMs": 1,
  "connectionStatus": "Reachable",
  "hops": [
    {
      "address": "10.1.1.4",
      "id": "5136acff-bf26-4c93-9966-4edb7dd40353",
      "issues": [],
      "nextHopIds": [
        "f8d958b7-3636-4d63-9441-602c1eb2fd56"
      ],
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
      "type": "Source"
    },
    {
      "address": "1.2.3.4",
      "id": "f8d958b7-3636-4d63-9441-602c1eb2fd56",
      "issues": [],
      "nextHopIds": [],
      "resourceId": "Internet",
      "type": "Internet"
    }
  ],
  "maxLatencyInMs": 7,
  "minLatencyInMs": 0,
  "probesFailed": 0,
  "probesSent": 100
}

Next steps

Learn how to automate packet captures with virtual machine alerts by viewing Create an alert triggered packet capture.

Find out whether certain traffic is allowed in or out of your VM by visiting Check IP flow verify.