Configure and manage virtual networks in Azure
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
Troubleshooting network connectivity is an important skill for Azure Administrators. You must know how to identify why a resource (such as a VM, App Service, database, or on-premises server) cannot reach another resource. To pass the AZ-104 exam, you must understand the common connectivity issues, how Azure networking components work, and which tools to use to diagnose problems.
This section covers:
- Key concepts of Azure network connectivity
- Common causes of connectivity failures
- Step-by-step troubleshooting approach
- Azure tools used for diagnosing network issues
- Troubleshooting VMs, VNets, NSGs, firewalls, and hybrid connections
- Troubleshooting DNS issues
- Troubleshooting routing issues
- Troubleshooting service endpoints and private endpoints
1. Understanding Azure Network Connectivity Fundamentals
To troubleshoot network issues, you need to understand the core components involved:
1.1 Virtual Networks (VNets) and Subnets
VNets act as private networks inside Azure. Each VNet is divided into subnets.
Connectivity issues often occur when:
- VNets are not peered
- Subnets are not correctly configured
- Overlapping IP address ranges exist
1.2 Network Security Groups (NSGs)
NSGs filter traffic using allow/deny rules.
Connectivity fails when:
- Incorrect NSG rules block traffic
- Default “Deny All” rule blocks communication
- NSG is attached to the wrong subnet or NIC
1.3 Route Tables (UDRs)
Azure uses system routing automatically.
User Defined Routes can override system routes.
Connectivity issues occur when:
- A UDR sends traffic to the wrong next hop
- A next hop (like a firewall) is unavailable
1.4 Azure Firewall or NVA (Network Virtual Appliance)
If all outbound/inbound traffic must pass through a firewall, incorrect rules or routing can break communication.
1.5 DNS
DNS is needed to convert hostnames to IP addresses.
Trouble symptoms:
- Resource reachable by IP but not by hostname
- Private link misconfiguration
- Custom DNS servers unreachable
2. Common Connectivity Issues in Azure
Azure network failures usually fall into predictable categories:
2.1 NSG Blocks Traffic
Most common issue.
If a VM cannot be reached via RDP (3389) or SSH (22), NSG rules are often blocking.
2.2 Incorrect Routing
Traffic may be routed:
- To a dead firewall
- To a wrong next hop
- To an on-premises gateway that isn’t working
- To a blackhole route caused by BGP
2.3 VNet Peering Not Working
Issues include:
- Peering not established
- “Use Remote Gateways” not configured
- Overlapping address ranges
2.4 DNS Resolution Fails
- VM cannot resolve internal names
- Private endpoint resolves to a private IP when a service expects a public IP
- Wrong custom DNS settings
2.5 Firewall/NVA Issues
- Missing NAT rules
- Missing application rules
- Disabled or overloaded firewall
2.6 Hybrid Connection Issues
On-premises to Azure connectivity fails due to:
- VPN Gateway failure
- Wrong shared key
- Incorrect local network gateway IP ranges
- ExpressRoute routing issues
3. Systematic Troubleshooting Workflow (Important for the Exam)
Microsoft expects you to follow a layer-by-layer troubleshooting approach.
Step 1: Check VM/Resource Status
- VM running?
- NIC attached correctly?
- IP assigned?
- OS firewall enabled?
Step 2: Validate NSG Rules
Check:
- Inbound rules
- Outbound rules
- Destination IPs and ports
- Subnet-level NSG
- NIC-level NSG
Use Effective Security Rules in Azure Portal.
Step 3: Check Routing
Use:
- Effective Routes on the VM NIC
- Ensure default route (0.0.0.0/0) goes to correct next hop
- Verify no conflicting UDRs
- Check BGP routes (if VPN/ExpressRoute is used)
Step 4: Check VNet Peering
Verify:
- Peering is connected
- No overlapping IP ranges
- “Allow forwarded traffic” enabled when needed
- “Use remote gateways” correctly configured
Step 5: Check Firewalls / NVA
- Rule exists for the port/traffic
- NAT rules are correct
- Appliance is reachable
- UDR next hop points correctly
Step 6: Check DNS
- Hostname resolves?
- Correct DNS servers assigned?
- Private endpoints not causing unexpected resolution?
Use PowerShell or CLI inside VM:
nslookup <hostname>
Step 7: Check On-Premises Connectivity (if hybrid)
- VPN Gateway status
- Tunnel active?
- Correct shared key?
- Correct BGP routes?
4. Tools for Troubleshooting Azure Network Connectivity
Azure provides several built-in tools.
4.1 Network Watcher
(a) IP Flow Verify
Checks if traffic is allowed or denied by NSGs.
Example:
- VM cannot be accessed on RDP → IP Flow Verify shows NSG is blocking port 3389.
(b) Connection Troubleshoot
Tests connectivity between:
- VM ↔ VM
- VM ↔ Internet
- VM ↔ On-premises
Shows if connection is successful and where it is failing.
(c) Next Hop
Tells you which route a packet will use.
Used for UDR troubleshooting.
(d) Effective Security Rules
Shows final NSG rules applied after combining:
- Subnet NSG
- NIC NSG
(e) Topology
Visual map of your network to quickly identify misconfigurations.
4.2 Packet Capture
Captures network packets from a VM NIC for deep inspection.
Useful when:
- VM application port not responding
- Unexpected outbound connections
- Traffic not reaching VM
4.3 Azure Monitor Logs (Log Analytics)
If NSG flow logs are enabled, you can analyze:
- Allowed traffic
- Denied traffic
- Traffic patterns
5. Troubleshooting Common Scenarios for AZ-104 Exam
5.1 VM Cannot Connect to Internet
Check:
- UDR incorrectly sends 0.0.0.0/0 to an offline firewall
- NSG denies outbound traffic
- Azure Firewall rule missing
- No public IP
5.2 Cannot RDP/SSH to VM
Check in order:
- VM running
- NSG inbound rules
- Public IP exists
- Azure Firewall/NVA rules
- Windows Firewall/Linux iptables
- Routing not sending traffic to a wrong device
5.3 VNet Peering Not Working
Check:
- Peering status = “Connected”
- Network ranges do not overlap
- “Allow traffic between VNets” enabled
- No UDR blocking communication
5.4 DNS Resolution Issues
Check:
- Custom DNS servers reachable
- Azure DNS enabled if needed
- Private endpoint name resolution behavior
- Conditional forwarding rules
5.5 Hybrid Connectivity Fails (On-Prem to Azure)
Check:
- VPN gateway status
- Shared key correct
- Local network gateway prefix correct
- BGP routes correct
- On-prem firewall not blocking traffic
6. Troubleshooting Private Endpoints & Service Endpoints
6.1 Private Endpoint Issues
A private endpoint maps a service to a private IP.
Problems occur when:
- DNS resolves to wrong IP
- Firewall blocks traffic
- Network policies not disabled on the private endpoint subnet
- Missing RBAC permissions to approve connections
6.2 Service Endpoint Issues
Service Endpoints allow Azure resources to connect over the backbone network.
Troubleshooting:
- Correct subnet selected?
- Resource firewall configured to allow subnet?
- No conflicting UDR forcing traffic through a firewall?
7. Best Practices for the Exam
To succeed in the exam:
✔ Understand how NSGs, UDRs, peering, and firewalls affect traffic
✔ Know how to use Network Watcher tools
✔ Understand private endpoints vs service endpoints
✔ Memorize common troubleshooting steps
✔ Be able to identify bad routing or DNS issues
✔ Recognize when traffic is blocked by NSG rules
✔ Know how hybrid connectivity failures occur
Final Summary
Troubleshooting network connectivity in Azure involves evaluating:
- NSG rules
- Routing and UDRs
- VNet peering
- Firewalls / NVAs
- DNS configuration
- Resource status
- Hybrid network components
Using Azure’s built-in tools — especially Network Watcher — allows you to quickly identify where traffic is blocked and what must be fixed.
Mastering these troubleshooting skills is essential for passing the AZ-104 exam and for real-world Azure administration.
