使用 Azure CLI 排查出站连接问题
本文介绍如何使用 Azure 网络观察程序的排查连接问题功能来诊断和排查连接问题。 有关连接故障排除的详细信息,请参阅连接故障排除概述。
先决条件
具有活动订阅的 Azure 帐户。 创建试用版订阅。
在要排除故障的虚拟机 (VM) 区域中启用的网络观察程序。 默认情况下,在区域中创建虚拟网络时,Azure 会在该区域中启用网络观察程序。 有关详细信息,请参阅启用或禁用 Azure 网络观察程序。
已安装网络观察程序代理 VM 扩展具有以下出站 TCP 连接的虚拟机:
- 到 169.254.169.254(通过端口 80)
- 到 168.63.129.16(通过端口 8037)
通过所测试端口从 168.63.129.16 进行入站 TCP 连接的第二台虚拟机(针对端口扫描程序诊断测试)。
Azure CLI。
可以在本地安装 Azure CLI 以运行命令。 如果在本地运行 Azure CLI,请使用 az login 命令登录到 Azure。
注意
- 要在 Windows 虚拟机上安装扩展,请参阅适用于 Windows 的网络观察程序代理 VM 扩展。
- 要在 Linux 虚拟机上安装扩展,请参阅适用于 Linux 的网络观察程序代理 VM 扩展。
- 要更新已安装的扩展,请参阅将网络观察程序扩展更新到最新版本。
测试与虚拟机的连接
在本部分中,将测试从一台虚拟机到同一虚拟网络中的另一台虚拟机的远程桌面端口 (RDP) 连接。
使用 az network watcher test-connectivity 运行排查连接问题诊断测试,以测试通过端口 3389 与虚拟机的连接:
# Test connectivity between two virtual machines that are in the same resource group over port 3389.
az network watcher test-connectivity --resource-group 'myResourceGroup' --source-resource 'VM1' --dest-resource 'VM2' --protocol 'TCP' --dest-port '3389'
如果虚拟机不在同一资源组中,请使用其资源 ID 而不是名称:
# Test connectivity between two virtual machines that are in two different resource groups over port 3389.
az network watcher test-connectivity --source-resource '/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup1/providers/Microsoft.Compute/virtualMachines/VM1' --dest-resource '/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup2/providers/Microsoft.Compute/virtualMachines/VM2' --protocol 'TCP' --dest-port '3389'
如果这两台虚拟机正在通信,没有问题,则会看到以下结果:
{ "avgLatencyInMs": 2, "connectionStatus": "Reachable", "hops": [ { "address": "10.0.0.4", "id": "00000000-0000-0000-0000-000000000000", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "11111111-1111-1111-1111-111111111111", "resourceId": "", "roundTripTimeAvg": 2, "roundTripTimeMax": 2, "roundTripTimeMin": 2 } ], "nextHopIds": [ "11111111-1111-1111-1111-111111111111" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.0.0.5", "id": "11111111-1111-1111-1111-111111111111", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "00000000-0000-0000-0000-000000000000" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "00000000-0000-0000-0000-000000000000", "resourceId": "" } ], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2", "type": "VirtualMachine" } ], "maxLatencyInMs": 8, "minLatencyInMs": 1, "probesFailed": 0, "probesSent": 66 }- 连接状态为“可访问”(可通过端口 3389 访问目标虚拟机)。
- 已成功将 66 个探测发送到目标虚拟机。
- 两个虚拟机之间的路径有两种跃点(两个 VM 之间的路径中没有设备或其他资源)。
如果目标虚拟机具有拒绝传入 RDP 连接的网络安全组,则会看到以下结果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "00000000-0000-0000-0000-000000000000", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "11111111-1111-1111-1111-111111111111", "resourceId": "" } ], "nextHopIds": [ "11111111-1111-1111-1111-111111111111" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.0.0.5", "id": "11111111-1111-1111-1111-111111111111", "issues": [ { "context": [ { "key": "RuleName", "value": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM2-nsg/SecurityRules/Deny3389Inbound" } ], "origin": "Inbound", "severity": "Error", "type": "NetworkSecurityRule" }, { "context": [], "origin": "Local", "severity": "Error", "type": "NoListenerOnDestination" } ], "links": [], "nextHopIds": [], "previousHopIds": [ "00000000-0000-0000-0000-000000000000" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "00000000-0000-0000-0000-000000000000", "resourceId": "" } ], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2", "type": "VirtualMachine" } ], "probesFailed": 30, "probesSent": 30 }- 连接状态为“不可访问”(不可通过端口 3389 访问目标虚拟机)。
- 已发送 30 个探测,未能到达目标虚拟机。
- 两个虚拟机之间的路径有两种跃点(两个 VM 之间的路径中没有设备或其他资源)。
- 网络安全组
VM2-nsg中的安全规则Deny3389Inbound拒绝与目标虚拟机的入站连接。
解决方案:更新目标虚拟机上的网络安全组以允许入站 RDP 流量。
如果源虚拟机具有拒绝到目标的 RDP 连接的网络安全组,则会看到以下结果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "00000000-0000-0000-0000-000000000000", "issues": [ { "context": [ { "key": "RuleName", "value": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM1-nsg/SecurityRules/Deny3389Outbound" } ], "origin": "Outbound", "severity": "Error", "type": "NetworkSecurityRule" } ], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "11111111-1111-1111-1111-111111111111", "resourceId": "" } ], "nextHopIds": [ "11111111-1111-1111-1111-111111111111" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.0.0.5", "id": "11111111-1111-1111-1111-111111111111", "issues": [ { "context": [], "origin": "Local", "severity": "Error", "type": "NoListenerOnDestination" } ], "links": [], "nextHopIds": [], "previousHopIds": [ "00000000-0000-0000-0000-000000000000" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "00000000-0000-0000-0000-000000000000", "resourceId": "" } ], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2", "type": "VirtualMachine" } ], "probesFailed": 30, "probesSent": 30 }- 连接状态为“不可访问”(不可通过端口 3389 访问目标虚拟机)。
- 已发送 30 个探测,未能到达目标虚拟机。
- 两个虚拟机之间的路径有两种跃点(两个 VM 之间的路径中没有设备或其他资源)。
- 网络安全组
VM1-nsg中的安全规则Deny3389Outbound拒绝来自源虚拟机的出站连接。
解决方案:更新源虚拟机上的网络安全组以允许出站 RDP 流量。
如果目标虚拟机上的操作系统不接受端口 3389 上的传入连接,则会看到以下结果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "00000000-0000-0000-0000-000000000000", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "11111111-1111-1111-1111-111111111111", "resourceId": "" } ], "nextHopIds": [ "11111111-1111-1111-1111-111111111111" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.0.0.5", "id": "11111111-1111-1111-1111-111111111111", "issues": [ { "context": [], "origin": "Local", "severity": "Error", "type": "NoListenerOnDestination" }, { "context": [], "origin": "Local", "severity": "Error", "type": "GuestFirewall" } ], "links": [], "nextHopIds": [], "previousHopIds": [ "00000000-0000-0000-0000-000000000000" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "00000000-0000-0000-0000-000000000000", "resourceId": "" } ], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2", "type": "VirtualMachine" } ], "probesFailed": 30, "probesSent": 30 }- 连接状态为“不可访问”(不可通过端口 3389 访问目标虚拟机)。
- 已发送 30 个探测,未能到达目标虚拟机。
- 两个虚拟机之间的路径有两种跃点(两个 VM 之间的路径中没有设备或其他资源)。
- 无法在目标虚拟机上访问端口 3389(目标虚拟机上的输出具有
NoListenerOnDestination和GuestFirewall错误)。
解决方案:将目标虚拟机上的操作系统配置为接受入站 RDP 流量。
测试与网站的连接
本部分将测试虚拟机与网站之间的连接。
使用 az network watcher test-connectivity 运行排查连接问题,以测试与 www.bing.com 的连接:
# Test connectivity from a virtual machine to www.bing.com.
az network watcher test-connectivity --resource-group 'myResourceGroup' --source-resource 'VM1' --dest-address 'www.bing.com' --protocol 'TCP' --dest-port '443'
如果可从源虚拟机访问
www.bing.com,则会看到以下结果:{ "avgLatencyInMs": 9, "connectionStatus": "Reachable", "hops": [ { "address": "10.0.0.4", "id": "00000000-0000-0000-0000-000000000000", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "Internet", "nextHopId": "11111111-1111-1111-1111-111111111111", "resourceId": "", "roundTripTimeAvg": 9, "roundTripTimeMax": 9, "roundTripTimeMin": 9 } ], "nextHopIds": [ "11111111-1111-1111-1111-111111111111" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "104.117.244.81", "id": "11111111-1111-1111-1111-111111111111", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "00000000-0000-0000-0000-000000000000" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "Internet", "nextHopId": "00000000-0000-0000-0000-000000000000", "resourceId": "" } ], "type": "Internet" } ], "maxLatencyInMs": 13, "minLatencyInMs": 7, "probesFailed": 0, "probesSent": 66 }- 连接状态为“可访问”(可从 VM1 访问
www.bing.com)。 - 已向
www.bing.com成功发送 66 个探测,平均延迟为 9 毫秒。 - 下一个跃点类型为
Internet。
- 连接状态为“可访问”(可从 VM1 访问
如果由于安全规则而无法从源虚拟机访问
www.bing.com,则会看到以下结果:{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "00000000-0000-0000-0000-000000000000", "issues": [ { "context": [ { "key": "RuleName", "value": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM1-nsg/SecurityRules/DenyInternetOutbound" } ], "origin": "Outbound", "severity": "Error", "type": "NetworkSecurityRule" } ], "links": [ { "context": {}, "issues": [], "linkType": "Internet", "nextHopId": "11111111-1111-1111-1111-111111111111", "resourceId": "" } ], "nextHopIds": [ "11111111-1111-1111-1111-111111111111" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "23.198.7.184", "id": "11111111-1111-1111-1111-111111111111", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "00000000-0000-0000-0000-000000000000" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "Internet", "nextHopId": "00000000-0000-0000-0000-000000000000", "resourceId": "" } ], "type": "Internet" } ], "probesFailed": 30, "probesSent": 30 }- 连接状态为“不可访问”(不可从 VM1 访问
www.bing.com)。 - 已发送 30 个探测,未能到达
www.bing.com。 - 网络安全组
VM1-nsg中的安全规则DenyInternetOutbound拒绝来自源虚拟机的出站连接。 - 下一个跃点类型为
Internet。
解决方案:更新源虚拟机上的网络安全组以允许到
www.bing.com的出站流量。- 连接状态为“不可访问”(不可从 VM1 访问
测试与 IP 地址的连接
本部分将测试虚拟机与另一台虚拟机的 IP 地址之间的连接。
使用 az network watcher test-connectivity 运行排查连接问题,以测试 RDP 与 10.10.10.10 的连接:
# Test connectivity from a virtual machine to 10.10.10.10 over port 3389.
az network watcher test-connectivity --resource-group 'myResourceGroup' --source-resource 'VM1' --dest-address '10.10.10.10' --protocol 'TCP' --dest-port 3389
如果 IP 地址可访问,则会看到以下结果:
{ "avgLatencyInMs": 2, "connectionStatus": "Reachable", "hops": [ { "address": "10.0.0.4", "id": "00000000-0000-0000-0000-000000000000", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "11111111-1111-1111-1111-111111111111", "resourceId": "", "roundTripTimeAvg": 2, "roundTripTimeMax": 2, "roundTripTimeMin": 2 } ], "nextHopIds": [ "11111111-1111-1111-1111-111111111111" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.10.10.10", "id": "11111111-1111-1111-1111-111111111111", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "00000000-0000-0000-0000-000000000000" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "00000000-0000-0000-0000-000000000000", "resourceId": "" } ], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/vm2375/ipConfigurations/ipconfig1", "type": "VirtualNetwork" } ], "maxLatencyInMs": 7, "minLatencyInMs": 1, "probesFailed": 0, "probesSent": 66 }- 连接状态为“可访问”(可通过端口 3389 访问
10.10.10.10)。 - 已向
10.10.10.10成功发送 66 个探测,平均延迟为 2 毫秒。 - 两个虚拟机之间的路径有两种跃点(两个 VM 之间的路径中没有设备或其他资源)。
- 连接状态为“可访问”(可通过端口 3389 访问
如果 IP 地址由于目标虚拟机未运行而无法访问,则会看到以下结果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "00000000-0000-0000-0000-000000000000", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "11111111-1111-1111-1111-111111111111", "resourceId": "" } ], "nextHopIds": [ "11111111-1111-1111-1111-111111111111" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.10.10.10", "id": "11111111-1111-1111-1111-111111111111", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "00000000-0000-0000-0000-000000000000" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "00000000-0000-0000-0000-000000000000", "resourceId": "" } ], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/vm2375/ipConfigurations/ipconfig1", "type": "VirtualNetwork" } ], "probesFailed": 30, "probesSent": 30 }- 连接状态为“不可访问”(不可通过端口 3389 访问
10.10.10.10)。 - 已发送 30 个探测,未能到达
10.10.10.10。 - 源虚拟机中无任何问题。
10.10.10.10无任何问题。
解决方案:启动目标虚拟机。
- 连接状态为“不可访问”(不可通过端口 3389 访问
如果源虚拟机的路由表中没有 IP 地址的路由(例如,IP 地址不在 VM 虚拟网络或其对等互连虚拟网络的地址空间中),则会看到以下结果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "00000000-0000-0000-0000-000000000000", "issues": [ { "context": [], "origin": "Local", "severity": "Error", "type": "RouteMissing" }, { "context": [ { "key": "ErrorMessage", "value": "NextHop Type None, NextHop IP " } ], "origin": "Outbound", "severity": "Error", "type": "UserDefinedRoute" }, { "context": [ { "key": "RuleName", "value": "DefaultRule_DenyAllOutBound" } ], "origin": "Outbound", "severity": "Error", "type": "NetworkSecurityRule" } ], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "11111111-1111-1111-1111-111111111111", "resourceId": "" } ], "nextHopIds": [ "11111111-1111-1111-1111-111111111111" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.10.10.10", "id": "11111111-1111-1111-1111-111111111111", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "00000000-0000-0000-0000-000000000000" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "00000000-0000-0000-0000-000000000000", "resourceId": "" } ], "type": "Destination" } ], "probesFailed": 30, "probesSent": 30 }- 连接状态为“不可访问”(不可通过端口 3389 访问
10.10.10.10)。 - 已发送 30 个探测,未能到达
10.10.10.10。 - 源虚拟机的路由表中没有到
10.10.10.10的路由(源虚拟机上的输出具有RouteMissing错误)。 - 下一跃点类型为“无”,因为没有到
10.10.10.10的路由。 - 网络安全组
VM1-nsg中的安全规则DefaultRule_DenyAllOutBound拒绝来自源虚拟机的出站连接。
解决方案:将路由表与源虚拟机子网的正确路由相关联。
- 连接状态为“不可访问”(不可通过端口 3389 访问