Troubleshoot connections with Azure Network Watcher using the Azure REST API

Learn how to use connection troubleshoot to verify whether a direct TCP connection from a virtual machine to a given endpoint can be established.

Before you begin

This article assumes you have the following resources:

  • An instance of Network Watcher in the region where you want to troubleshoot a connection.
  • Virtual machines to troubleshoot connections with.

Important

Connection troubleshoot requires that the VM you troubleshoot from has the AzureNetworkWatcherExtension VM extension installed. To install the extension on a Windows VM, see Azure Network Watcher Agent virtual machine extension for Windows; for a Linux VM, see Azure Network Watcher Agent virtual machine extension for Linux. The extension is not required on the destination endpoint.

Log in with ARMClient

Log in to armclient with your Azure credentials.

$env:ARMCLIENT_ENV="MOONCAKE"
armclient login

Retrieve a virtual machine

Run the following script to return a virtual machine. This information is needed to run the connectivity check.

The following code needs values for the following variables:

  • subscriptionId - The subscription ID to use.
  • resourceGroupName - The name of a resource group that contains virtual machines.

$subscriptionId = '<subscription id>'
$resourceGroupName = '<resource group name>'

armclient get "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Compute/virtualMachines?api-version=2015-05-01-preview"

The ID of the virtual machine in the following output is used in the next example:

...
,
      "type": "Microsoft.Compute/virtualMachines",
      "location": "chinaeast",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Compute/virtualMachines/ContosoVM",
      "name": "ContosoVM"
    }
  ]
}

Check connectivity to a virtual machine

This example checks connectivity to a destination virtual machine over port 80.

Example

$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_chinaeast"
$sourceResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/MultiTierApp0"
$destinationResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/Database0"
$destinationPort = "80"
$requestBody = @"
{
  'source': {
    'resourceId': '${sourceResourceId}',
    'port': 0
  },
  'destination': {
    'resourceId': '${destinationResourceId}',
    'port': ${destinationPort}
  }
}
"@

$response = armclient post "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/connectivityCheck?api-version=2017-03-01" $requestBody

Since this operation is long running, the URI for the result is returned in the response header as shown in the following response:

Important Values

  • Location - This property contains the URI where the results are available when the operation is complete.

HTTP/1.1 202 Accepted
Pragma: no-cache
Retry-After: 10
x-ms-request-id: f09b55fe-1d3a-4df7-817f-bceb8d2a94c8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-cache
Location: https://management.chinacloudapi.cn/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/chinaeast/operationResults/f09b55fe-1d3a-4df7-817f-bceb8d2a94c8?api-version=2017-03-01
Server: Microsoft-HTTPAPI/2.0; Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-writes: 1199
x-ms-correlation-request-id: 367a91aa-7142-436a-867d-d3a36f80bc54
x-ms-routing-request-id: chinanorth2:20170602T202117Z:367a91aa-7142-436a-867d-d3a36f80bc54
Date: Fri, 02 Jun 2017 20:21:16 GMT

null
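The following added example (not part of the original article) extracts the Location and Retry-After values from a 202 response like the one above and refuses to follow a Location that is not HTTPS on the expected management endpoint, so the authenticated follow-up request is never sent elsewhere. It assumes the raw response headers are available as text; the function name Get-OperationResultTarget, the 10-second fallback and the example.invalid URL are hypothetical.

```powershell
# Added example: parse the 202 Accepted headers of a long-running connectivityCheck call.
function Get-OperationResultTarget {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [string]$ExpectedHost = 'management.chinacloudapi.cn'
    )
    if ($RawHeaders -notmatch '(?m)^HTTP/\S+\s+202\b') {
        throw 'Expected a 202 Accepted response for a long-running operation.'
    }
    if ($RawHeaders -notmatch '(?m)^Location:\s*(\S+)\s*$') {
        throw 'No Location header in the response.'
    }
    $uri = [uri]$Matches[1]
    # Only poll over HTTPS and only on the endpoint the request was sent to.
    if ($uri.Scheme -ne 'https' -or $uri.Host -ne $ExpectedHost) {
        throw "Refusing to poll unexpected Location: $uri"
    }
    $retry = 10   # assumed fallback when Retry-After is absent
    if ($RawHeaders -match '(?m)^Retry-After:\s*(\d+)\s*$') { $retry = [int]$Matches[1] }
    [pscustomobject]@{ Uri = $uri.AbsoluteUri; RetryAfterSeconds = $retry }
}

# Header lines copied from the response shown in this section.
$accepted = @'
HTTP/1.1 202 Accepted
Retry-After: 10
Location: https://management.chinacloudapi.cn/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/chinaeast/operationResults/f09b55fe-1d3a-4df7-817f-bceb8d2a94c8?api-version=2017-03-01
'@

# Constructed negative case: same shape, Location on a different host.
$unexpected = @'
HTTP/1.1 202 Accepted
Retry-After: 10
Location: https://example.invalid/operationResults/constructed?api-version=2017-03-01
'@

$target = Get-OperationResultTarget -RawHeaders $accepted
$target | Format-List

try { Get-OperationResultTarget -RawHeaders $unexpected }
catch { Write-Warning $_.Exception.Message }

# Next step once the wait has elapsed:
#   Start-Sleep -Seconds $target.RetryAfterSeconds
#   armclient get $target.Uri
```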

Response

The following response is from the previous example. In this response, the connectionStatus is Unreachable. You can see that all of the probes that were sent failed. The connectivity failed at the virtual appliance due to a user-configured NetworkSecurityRule named UserRule_Port80, configured to block incoming traffic on port 80. This information can be used to research connection issues.

{
  "hops": [
    {
      "type": "Source",
      "id": "0cb75c91-7ebf-4df8-8424-15594d6fb51c",
      "address": "10.1.1.4",
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
      "nextHopIds": [
        "06dee00a-9c4a-4fb1-b2ea-fa0a539ca684"
      ],
      "issues": []
    },
    {
      "type": "VirtualAppliance",
      "id": "06dee00a-9c4a-4fb1-b2ea-fa0a539ca684",
      "address": "10.1.2.4",
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/fwNic/ipConfigurations/ipconfig1",
      "nextHopIds": [
        "75e0cfa5-f9d2-48d8-b705-2c7016f81570"
      ],
      "issues": []
    },
    {
      "type": "VirtualAppliance",
      "id": "75e0cfa5-f9d2-48d8-b705-2c7016f81570",
      "address": "10.1.3.4",
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/auNic/ipConfigurations/ipconfig1",
      "nextHopIds": [
        "86caf6aa-33b0-48a1-b4da-f3c9ce785072"
      ],
      "issues": [
        {
          "origin": "Outbound",
          "severity": "Error",
          "type": "NetworkSecurityRule",
          "context": [
            {
              "key": "RuleName",
              "value": "UserRule_Port80"
            }
          ]
        }
      ]
    },
    {
      "type": "VnetLocal",
      "id": "86caf6aa-33b0-48a1-b4da-f3c9ce785072",
      "address": "10.1.4.4",
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/dbNic0/ipConfigurations/ipconfig1",
      "nextHopIds": [],
      "issues": []
    }
  ],
  "connectionStatus": "Unreachable",
  "probesSent": 100,
  "probesFailed": 100
}

Validate routing issues

The example checks connectivity between a virtual machine and a remote endpoint.

Example

$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_chinaeast"
$sourceResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/MultiTierApp0"
$destinationResourceId = "13.107.21.200"
$destinationPort = "80"
$requestBody = @"
{
  'source': {
    'resourceId': '${sourceResourceId}',
    'port': 0
  },
  'destination': {
    'address': '${destinationResourceId}',
    'port': ${destinationPort}
  }
}
"@

$response = armclient post "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/connectivityCheck?api-version=2017-03-01" $requestBody

Since this operation is long running, the URI for the result is returned in the response header as shown in the following response:

Important Values

  • Location - This property contains the URI where the results are available when the operation is complete.

HTTP/1.1 202 Accepted
Pragma: no-cache
Retry-After: 10
x-ms-request-id: 15eeeb69-fcef-41db-bc4a-e2adcf2658e0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-cache
Location: https://management.chinacloudapi.cn/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/chinaeast/operationResults/15eeeb69-fcef-41db-bc4a-e2adcf2658e0?api-version=2017-03-01
Server: Microsoft-HTTPAPI/2.0; Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-writes: 1199
x-ms-correlation-request-id: 4370b798-cd8b-4d3e-ba28-22232bc81dc5
x-ms-routing-request-id: chinanorth:20170602T202606Z:4370b798-cd8b-4d3e-ba28-22232bc81dc5
Date: Fri, 02 Jun 2017 20:26:05 GMT

null

Response

In the following example, the connectionStatus is shown as Unreachable. In the hops details, you can see under issues that the traffic was blocked due to a UserDefinedRoute.

{
  "hops": [
    {
      "type": "Source",
      "id": "5528055a-b393-4751-97bc-353d8c0aaeff",
      "address": "10.1.1.4",
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
      "nextHopIds": [
        "66eefa79-5bfe-48b2-b6ca-eec8247457a3"
      ],
      "issues": [
        {
          "origin": "Outbound",
          "severity": "Error",
          "type": "UserDefinedRoute",
          "context": [
            {
              "key": "RouteType",
              "value": "User"
            }
          ]
        }
      ]
    },
    {
      "type": "Destination",
      "id": "66eefa79-5bfe-48b2-b6ca-eec8247457a3",
      "address": "13.107.21.200",
      "resourceId": "Unknown",
      "nextHopIds": [],
      "issues": []
    }
  ],
  "connectionStatus": "Unreachable",
  "probesSent": 100,
  "probesFailed": 100
}
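The two Unreachable responses above both place the cause in the issues array of one hop. The following added example (not part of the original article) walks the hops from the Source through nextHopIds and lists every hop that reports an issue, with its position on the path. The function name Get-ConnectivityBlockers and the short hop IDs are hypothetical; the sample JSON is constructed from the response shape shown on this page.

```powershell
# Added example. Constructed sample, trimmed from the response shape shown on this page.
$sampleResult = @'
{ "hops": [
  { "type": "Source", "id": "hop-a", "address": "10.1.1.4", "nextHopIds": ["hop-b"], "issues": [] },
  { "type": "VirtualAppliance", "id": "hop-b", "address": "10.1.3.4", "nextHopIds": ["hop-c"],
    "issues": [ { "origin": "Outbound", "severity": "Error", "type": "NetworkSecurityRule",
                  "context": [ { "key": "RuleName", "value": "UserRule_Port80" } ] } ] },
  { "type": "VnetLocal", "id": "hop-c", "address": "10.1.4.4", "nextHopIds": [], "issues": [] } ],
  "connectionStatus": "Unreachable", "probesSent": 100, "probesFailed": 100 }
'@

function Get-ConnectivityBlockers {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ResultJson)

    $result = $ResultJson | ConvertFrom-Json
    # Index hops by id so the path can be followed through nextHopIds.
    $byId = @{}
    foreach ($hop in $result.hops) { $byId[$hop.id] = $hop }

    $current = $result.hops | Where-Object { $_.type -eq 'Source' } | Select-Object -First 1
    $seen = @{}   # guards against a loop in nextHopIds
    $index = 0
    while ($current -and -not $seen.ContainsKey($current.id)) {
        $seen[$current.id] = $true
        foreach ($issue in $current.issues) {
            [pscustomobject]@{
                Status    = $result.connectionStatus
                HopIndex  = $index
                HopType   = $current.type
                Address   = $current.address
                IssueType = $issue.type
                Origin    = $issue.origin
                Severity  = $issue.severity
                Context   = ($issue.context | ForEach-Object { "$($_.key)=$($_.value)" }) -join ', '
            }
        }
        # Simplification: follow only the first next hop of each hop.
        $next = $current.nextHopIds | Select-Object -First 1
        $current = if ($next) { $byId[$next] } else { $null }
        $index++
    }
}

Get-ConnectivityBlockers -ResultJson $sampleResult | Format-Table -AutoSize
```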

Check website latency

The following example checks the connectivity to a website.

Example

$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_chinaeast"
$sourceResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/MultiTierApp0"
$destinationResourceId = "https://bing.com"
$destinationPort = "0"
$requestBody = @"
{
  'source': {
    'resourceId': '${sourceResourceId}',
    'port': 0
  },
  'destination': {
    'address': '${destinationResourceId}',
    'port': ${destinationPort}
  }
}
"@

$response = armclient post "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/connectivityCheck?api-version=2017-03-01" $requestBody

Since this operation is long running, the URI for the result is returned in the response header as shown in the following response:

Important Values

  • Location - This property contains the URI where the results are available when the operation is complete.

HTTP/1.1 202 Accepted
Pragma: no-cache
Retry-After: 10
x-ms-request-id: e49b12c7-c232-472c-b6d2-6c257ce80fa5
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-cache
Location: https://management.chinacloudapi.cn/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/chinaeast/operationResults/e49b12c7-c232-472c-b6d2-6c257ce80fa5?api-version=2017-03-01
Server: Microsoft-HTTPAPI/2.0; Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-writes: 1199
x-ms-correlation-request-id: c3d9744f-5683-427d-bdd1-636b68ab01b6
x-ms-routing-request-id: chinanorth:20170602T203101Z:c3d9744f-5683-427d-bdd1-636b68ab01b6
Date: Fri, 02 Jun 2017 20:31:00 GMT

null

Response

In the following response, you can see the connectionStatus shows as Reachable. When a connection is successful, latency values are provided.

{
  "hops": [
    {
      "type": "Source",
      "id": "6adc0fe1-e384-4220-b1b1-f0d181220072",
      "address": "10.1.1.4",
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
      "nextHopIds": [
        "b50b7076-9ff2-4782-b40e-0b89cf758f74"
      ],
      "issues": []
    },
    {
      "type": "Internet",
      "id": "b50b7076-9ff2-4782-b40e-0b89cf758f74",
      "address": "204.79.197.200",
      "resourceId": "Internet",
      "nextHopIds": [],
      "issues": []
    }
  ],
  "connectionStatus": "Reachable",
  "avgLatencyInMs": 1,
  "minLatencyInMs": 0,
  "maxLatencyInMs": 7,
  "probesSent": 100,
  "probesFailed": 0
}

Check connectivity to a storage endpoint

The following example checks the connectivity from a virtual machine to a blob storage account.

Example

$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_chinaeast"
$sourceResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/MultiTierApp0"
$destinationResourceId = "https://build2017nwdiag360.blob.core.chinacloudapi.cn/"
$destinationPort = "0"
$requestBody = @"
{
  'source': {
    'resourceId': '${sourceResourceId}',
    'port': 0
  },
  'destination': {
    'address': '${destinationResourceId}',
    'port': ${destinationPort}
  }
}
"@

$response = armclient post "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/connectivityCheck?api-version=2017-03-01" $requestBody

Since this operation is long running, the URI for the result is returned in the response header as shown in the following response:

Important Values

  • Location - This property contains the URI where the results are available when the operation is complete.

HTTP/1.1 202 Accepted
Pragma: no-cache
Retry-After: 10
x-ms-request-id: c4ed3806-61ea-4a6b-abc1-9d6f2afc79c2
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-cache
Location: https://management.chinacloudapi.cn/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network/locations/chinaeast/operationResults/c4ed3806-61ea-4a6b-abc1-9d6f2afc79c2?api-version=2017-03-01
Server: Microsoft-HTTPAPI/2.0; Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-writes: 1199
x-ms-correlation-request-id: 93bf5af0-fef5-4b7a-bb9e-9976ba5cdb95
x-ms-routing-request-id: chinanorth2:20170602T200504Z:93bf5af0-fef5-4b7a-bb9e-9976ba5cdb95
Date: Fri, 02 Jun 2017 20:05:03 GMT

null

Response

The following example is the response from running the previous API call. As the check is successful, the connectionStatus property shows as Reachable. The response provides details about the number of hops required to reach the storage blob and the latency.

{
  "hops": [
    {
      "type": "Source",
      "id": "6adc0fe1-e384-4220-b1b1-f0d181220072",
      "address": "10.1.1.4",
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",
      "nextHopIds": [
        "b50b7076-9ff2-4782-b40e-0b89cf758f74"
      ],
      "issues": []
    },
    {
      "type": "Internet",
      "id": "b50b7076-9ff2-4782-b40e-0b89cf758f74",
      "address": "13.71.200.248",
      "resourceId": "Internet",
      "nextHopIds": [],
      "issues": []
    }
  ],
  "connectionStatus": "Reachable",
  "avgLatencyInMs": 1,
  "minLatencyInMs": 0,
  "maxLatencyInMs": 7,
  "probesSent": 100,
  "probesFailed": 0
}

Next steps

Learn how to automate packet captures with virtual machine alerts by viewing Create an alert triggered packet capture.

Find out whether certain traffic is allowed in or out of your VM by visiting Check IP flow verify.