Troubleshoot application connectivity issues on virtual machines in Azure

There are various reasons why you might be unable to start or connect to an application running on an Azure virtual machine (VM). Reasons include the application not running or not listening on the expected ports, the listening port being blocked, or networking rules not correctly passing traffic to the application. This article describes a methodical approach to find and correct the problem.

If you are having issues connecting to your VM using RDP or SSH, see one of the following articles first:

If you need more help at any point in this article, you can contact the Azure experts on Azure support. Alternatively, you can file an Azure support incident. Go to the Azure support site and submit your request.

Quick-start troubleshooting steps

If you have problems connecting to an application, try the following general troubleshooting steps. After each step, try connecting to your application again:

For more information, see Troubleshooting Endpoint Connectivity (RDP/SSH/HTTP, etc. failures).

Detailed troubleshooting overview

There are four main areas to troubleshoot when you cannot access an application that is running on an Azure virtual machine.

Figure: troubleshooting an application that cannot be started

  1. The application running on the Azure virtual machine.
    • Is the application itself running correctly?
  2. The Azure virtual machine.
    • Is the VM itself running correctly and responding to requests?
  3. Azure network endpoints.
    • Cloud service endpoints for virtual machines in the Classic deployment model.
    • Network Security Groups and inbound NAT rules for virtual machines in the Resource Manager deployment model.
    • Can traffic flow from users to the VM/application on the expected ports?
  4. Your Internet edge device.
    • Are firewall rules in place preventing traffic from flowing correctly?

For client computers that are accessing the application over a site-to-site VPN or ExpressRoute connection, the main areas that can cause problems are the application and the Azure virtual machine.

To determine the source of the problem and its correction, follow these steps.

Step 1: Access application from target VM

Try to access the application with the appropriate client program from the VM on which it is running. Use the local host name, the local IP address, or the loopback address (127.0.0.1).

Figure: starting the application directly from the VM

For example, if the application is a web server, open a browser on the VM and try to access a web page hosted on the VM.

If you can access the application, go to Step 2.

If you cannot access the application, verify the following settings:

  • The application is running on the target virtual machine.
  • The application is listening on the expected TCP and UDP ports.

On both Windows and Linux-based virtual machines, use the netstat -a command to show the active listening ports. Examine the output for the expected ports on which your application should be listening. Restart the application or configure it to use the expected ports as needed and try to access the application locally again.
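Added example (not part of the original article): a Python sketch that applies the netstat check above to saved output and also reports the bind address, because an application bound only to the loopback address passes Step 1 but cannot be reached from another VM in Step 2. It assumes numeric output (`netstat -an`); the sample rows and the function names are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample (not from a real VM): Linux-style rows, then Windows-style.
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.4:49712         203.0.113.10:443       ESTABLISHED
  UDP    [::1]:1900             *:*
"""
LOCAL = re.compile(r"^(.*):(\d+)$")  # "<address>:<numeric port>"

def scope(addr):
    """Classify a bind address as 'all', 'loopback' or 'specific'."""
    addr = addr.strip("[]")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # "*" wildcard, or a host name because -n was omitted
        return "all" if addr == "*" else "specific"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all"
    return "loopback" if ip.is_loopback else "specific"

def listeners(netstat_text):
    """Map (proto, port) -> set of bind scopes for listening sockets."""
    found = {}
    for line in netstat_text.splitlines():
        tok = line.split()
        proto = tok[0].lower()[:3] if tok else ""
        if proto not in ("tcp", "udp"):
            continue  # headers, unix sockets, blank lines
        if proto == "tcp" and tok[-1] not in ("LISTEN", "LISTENING"):
            continue  # skip established or closing TCP connections
        match = next((m for m in map(LOCAL.match, tok[1:]) if m), None)
        if match:  # the first "<addr>:<port>" column is the local address
            found.setdefault((proto, int(match.group(2))), set()).add(scope(match.group(1)))
    return found

def check(netstat_text, expected):
    """Verdict per expected (proto, port) pair."""
    found = listeners(netstat_text)
    verdicts = {}
    for key in expected:
        scopes = found.get(key)
        verdicts[key] = ("not listening" if not scopes else
                         "loopback only" if scopes == {"loopback"} else "listening")
    return verdicts
```

A "loopback only" verdict means the application has to be reconfigured to bind to the VM's IP address or to all interfaces before the later steps can succeed.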

Step 2: Access application from another VM in the same virtual network

Try to access the application from a different VM in the same virtual network, using the VM's host name or its Azure-assigned public, private, or provider IP address. For virtual machines created using the classic deployment model, do not use the public IP address of the cloud service.

Figure: starting the application from a different VM

For example, if the application is a web server, try to access a web page from a browser on a different VM in the same virtual network.

If you can access the application, go to Step 3.

If you cannot access the application, verify the following settings:

On a Windows-based virtual machine, use Windows Firewall with Advanced Security to determine whether the firewall rules exclude your application's inbound and outbound traffic.

Step 3: Access application from outside the virtual network

Try to access the application from a computer outside the virtual network of the VM on which the application is running. Use a different network than your original client computer.

Figure: starting the application from a computer outside the virtual network

For example, if the application is a web server, try to access the web page from a browser running on a computer that is not in the virtual network.

If you cannot access the application, verify the following settings:

  • For VMs created using the classic deployment model:

    • Verify that the endpoint configuration for the VM is allowing the incoming traffic, especially the protocol (TCP or UDP) and the public and private port numbers.
    • Verify that access control lists (ACLs) on the endpoint are not preventing incoming traffic from the Internet.
    • For more information, see How to Set Up Endpoints to a Virtual Machine.
  • For VMs created using the Resource Manager deployment model:

    • Verify that the inbound NAT rule configuration for the VM is allowing the incoming traffic, especially the protocol (TCP or UDP) and the public and private port numbers.
    • Verify that Network Security Groups are allowing the inbound request and outbound response traffic.
    • For more information, see What is a network security group?

If the virtual machine or endpoint is a member of a load-balanced set:

  • Verify that the probe protocol (TCP or UDP) and port number are correct.
  • If the probe protocol and port are different from the load-balanced set protocol and port:
    • Verify that the application is listening on the probe protocol (TCP or UDP) and port number (use netstat -a on the target VM).
    • Verify that the host firewall on the target VM is allowing the inbound probe request and outbound probe response traffic.

If you can access the application, ensure that your Internet edge device is allowing:

  • The outbound application request traffic from your client computer to the Azure virtual machine.
  • The inbound application response traffic from the Azure virtual machine.

Step 4: If you cannot access the application, use IP Verify to check the settings.

For more information, see Azure network monitoring overview.

Additional resources

Troubleshoot Remote Desktop connections to a Windows-based Azure Virtual Machine

Troubleshoot Secure Shell (SSH) connections to a Linux-based Azure virtual machine
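Added example (not part of the original article, and not Azure's own code): a simplified Python model of how Network Security Group rules decide an inbound flow, which is the question behind the NSG check in Step 3 and the settings check in Step 4. Rules are evaluated in priority order, lowest number first, and the first match decides. The rule set, names and addresses are constructed; the model ignores destination address, source port and service tags, and omits the default rules other than DenyAllInBound.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix or "*"
    dest_port: str  # "80", "8000-8100" or "*"
    access: str     # "Allow" or "Deny"

# Constructed inbound rule set for illustration. DenyAllInBound mirrors the
# default rule that Azure places at priority 65500.
RULES = [
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
    Rule("allow-web-from-office", 200, "Tcp", "198.51.100.0/24", "80", "Allow"),
    Rule("block-legacy-range", 100, "*", "198.51.100.128/25", "*", "Deny"),
    Rule("allow-app-ports", 300, "Tcp", "*", "8000-8100", "Allow"),
]

def port_matches(spec, port):
    """True if port falls in a single port, a low-high range, or '*'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def source_matches(spec, ip):
    """True if ip is inside the CIDR prefix, or the prefix is '*'."""
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def verify_inbound(rules, protocol, source_ip, dest_port):
    """Return (access, rule name) of the first matching rule by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and source_matches(rule.source, source_ip)
                and port_matches(rule.dest_port, dest_port)):
            return rule.access, rule.name
    return "Deny", None  # nothing matched; treat as denied
```

The returned rule name shows which rule to change: a broad Deny with a low priority number overrides a more specific Allow that comes after it.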