使用 Azure CLI 對輸出連線進行疑難解答
在本文中,您將瞭解如何使用 Azure 網路監看員 的連線疑難解答功能來診斷和疑難解答連線問題。 如需瞭解連線疑難解答的詳細資訊,請參閱連線疑難排解概觀。
必要條件
具有有效訂用帳戶的 Azure 帳戶。 免費建立帳戶。
網路監看員 在您要進行疑難解答的虛擬機 (VM) 區域中啟用。 根據預設,當您在區域中建立虛擬網路時,Azure 會在區域中啟用 網路監看員。 如需詳細資訊,請參閱啟用或停用 Azure 網路監看員。
已安裝 網路監看員 代理程式 VM 擴充功能的虛擬機,且具有下列輸出 TCP 連線:
- 至連接埠 80 上的 169.254.169.254
- 至連接埠 8037 上的 168.63.129.16
第二部虛擬機,具有來自 168.63.129.16 之埠的輸入 TCP 連線能力(適用於埠掃描器診斷測試)。
Azure Cloud Shell 或 Azure CLI。
本文中的步驟會在 Azure Cloud Shell 中以互動方式執行 Azure CLI 命令。 若要在 Cloud Shell 中執行命令,請選取程式碼區塊右上角的 [開啟 Cloud Shell]。 選取 [複製] 以複製程式碼,並將它貼到 Cloud Shell 中以執行。 您也可以從 Azure 入口網站內執行 Cloud Shell。
您也可以在本機安裝 Azure CLI 以執行命令。 如果您在本機執行 Azure CLI,請使用 az login 命令登入 Azure。
注意
- 若要在 Windows 虛擬機上安裝擴充功能,請參閱適用於 Windows 的代理程式 VM 擴充功能 網路監看員。
- 若要在Linux虛擬機上安裝擴充功能,請參閱 網路監看員Linux的代理程式 VM 擴充功能。
- 若要更新已安裝的擴充功能,請參閱將 網路監看員 代理程式 VM 擴充功能更新為最新版本。
測試虛擬機的連線能力
在本節中,您會測試從一部虛擬機到相同虛擬網路中另一部虛擬機的遠端桌面埠 (RDP) 連線能力。
使用 az network watcher test-connectivity 執行診斷測試的連線疑難解答,以測試透過埠 3389 連線至虛擬機的連線:
# Test connectivity between two virtual machines that are in the same resource group over port 3389.
az network watcher test-connectivity --resource-group 'myResourceGroup' --source-resource 'VM1' --dest-resource 'VM2' --protocol 'TCP' --dest-port '3389'
如果虛擬機器不在相同的資源群組中,請使用其資源識別碼,而不是其名稱:
# Test connectivity between two virtual machines that are in two different resource groups over port 3389.
az network watcher test-connectivity --source-resource '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup1/providers/Microsoft.Compute/virtualMachines/VM1' --dest-resource '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup2/providers/Microsoft.Compute/virtualMachines/VM2' --protocol 'TCP' --dest-port '3389'
如果兩部虛擬機通訊時沒有任何問題,您會看到下列結果:
{ "avgLatencyInMs": 2, "connectionStatus": "Reachable", "hops": [ { "address": "10.0.0.4", "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc", "resourceId": "", "roundTripTimeAvg": 2, "roundTripTimeMax": 2, "roundTripTimeMin": 2 } ], "nextHopIds": [ "bbbbbbbb-1111-2222-3333-cccccccccccc" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.0.0.5", "id": "bbbbbbbb-1111-2222-3333-cccccccccccc", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "resourceId": "" } ], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2", "type": "VirtualMachine" } ], "maxLatencyInMs": 8, "minLatencyInMs": 1, "probesFailed": 0, "probesSent": 66 }
- 線上狀態為 [可 連線] (目的地虛擬機可透過埠 3389 連線)。
- 已成功將66個探查傳送至目的地虛擬機。
- 兩部虛擬機之間的路徑中有兩個躍點(兩部 VM 之間路徑中沒有設備或其他資源)。
如果目的地虛擬機具有拒絕連入 RDP 連線的網路安全組,您會看到下列結果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc", "resourceId": "" } ], "nextHopIds": [ "bbbbbbbb-1111-2222-3333-cccccccccccc" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.0.0.5", "id": "bbbbbbbb-1111-2222-3333-cccccccccccc", "issues": [ { "context": [ { "key": "RuleName", "value": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM2-nsg/SecurityRules/Deny3389Inbound" } ], "origin": "Inbound", "severity": "Error", "type": "NetworkSecurityRule" }, { "context": [], "origin": "Local", "severity": "Error", "type": "NoListenerOnDestination" } ], "links": [], "nextHopIds": [], "previousHopIds": [ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "resourceId": "" } ], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2", "type": "VirtualMachine" } ], "probesFailed": 30, "probesSent": 30 }
- 線上狀態為 [無法 連線] (目的地虛擬機無法透過埠 3389 連線)。
- 已傳送 30 個探查,且無法連線到目的地虛擬機。
- 兩部虛擬機之間的路徑中有兩個躍點(兩部 VM 之間路徑中沒有設備或其他資源)。
- 網路安全組中
VM2-nsg
的安全性規則Deny3389Inbound
會拒絕對目的地虛擬機的輸入連線。
解決方案:更新目的地虛擬機上的網路安全組,以允許輸入 RDP 流量。
如果來源虛擬機具有拒絕目的地 RDP 連線的網路安全組,您會看到下列結果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "issues": [ { "context": [ { "key": "RuleName", "value": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM1-nsg/SecurityRules/Deny3389Outbound" } ], "origin": "Outbound", "severity": "Error", "type": "NetworkSecurityRule" } ], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc", "resourceId": "" } ], "nextHopIds": [ "bbbbbbbb-1111-2222-3333-cccccccccccc" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.0.0.5", "id": "bbbbbbbb-1111-2222-3333-cccccccccccc", "issues": [ { "context": [], "origin": "Local", "severity": "Error", "type": "NoListenerOnDestination" } ], "links": [], "nextHopIds": [], "previousHopIds": [ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "resourceId": "" } ], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2", "type": "VirtualMachine" } ], "probesFailed": 30, "probesSent": 30 }
- 線上狀態為 [無法 連線] (目的地虛擬機無法透過埠 3389 連線)。
- 已傳送 30 個探查,且無法連線到目的地虛擬機。
- 兩部虛擬機之間的路徑中有兩個躍點(兩部 VM 之間路徑中沒有設備或其他資源)。
- 來自來源虛擬機的輸出連線遭到網路安全組中
VM1-nsg
的安全性規則Deny3389Outbound
拒絕。
解決方案:更新來源虛擬機上的網路安全組,以允許輸出 RDP 流量。
如果目的地虛擬機上的操作系統不接受埠 3389 上的連入連線,您會看到下列結果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc", "resourceId": "" } ], "nextHopIds": [ "bbbbbbbb-1111-2222-3333-cccccccccccc" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.0.0.5", "id": "bbbbbbbb-1111-2222-3333-cccccccccccc", "issues": [ { "context": [], "origin": "Local", "severity": "Error", "type": "NoListenerOnDestination" }, { "context": [], "origin": "Local", "severity": "Error", "type": "GuestFirewall" } ], "links": [], "nextHopIds": [], "previousHopIds": [ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "resourceId": "" } ], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2", "type": "VirtualMachine" } ], "probesFailed": 30, "probesSent": 30 }
- 線上狀態為 [無法 連線] (目的地虛擬機無法透過埠 3389 連線)。
- 已傳送 30 個探查,且無法連線到目的地虛擬機。
- 兩部虛擬機之間的路徑中有兩個躍點(兩部 VM 之間路徑中沒有設備或其他資源)。
- 目的地虛擬機無法連線到埠 3389(輸出在目的地虛擬機上有
NoListenerOnDestination
和GuestFirewall
錯誤)。
解決方案:設定目的地虛擬機上的操作系統以接受輸入 RDP 流量。
測試網站的連線能力
在本節中,您會測試虛擬機與網站之間的連線能力。
使用 az network watcher test-connectivity 執行連線疑難解答,以測試 對 www.bing.com
的連線能力:
# Test connectivity from a virtual machine to www.bing.com.
az network watcher test-connectivity --resource-group 'myResourceGroup' --source-resource 'VM1' --dest-address 'www.bing.com' --protocol 'TCP' --dest-port '443'
如果
www.bing.com
可從來源虛擬機連線,您會看到下列結果:{ "avgLatencyInMs": 9, "connectionStatus": "Reachable", "hops": [ { "address": "10.0.0.4", "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "Internet", "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc", "resourceId": "", "roundTripTimeAvg": 9, "roundTripTimeMax": 9, "roundTripTimeMin": 9 } ], "nextHopIds": [ "bbbbbbbb-1111-2222-3333-cccccccccccc" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "104.117.244.81", "id": "bbbbbbbb-1111-2222-3333-cccccccccccc", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "Internet", "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "resourceId": "" } ], "type": "Internet" } ], "maxLatencyInMs": 13, "minLatencyInMs": 7, "probesFailed": 0, "probesSent": 66 }
- 線上狀態為 [可 連線] (
www.bing.com
可從 VM1 連線)。 - 成功傳送 66 個探查,
www.bing.com
平均延遲為 9 毫秒。 - 下一個躍點類型為
Internet
。
- 線上狀態為 [可 連線] (
如果
www.bing.com
因為安全性規則而無法從來源虛擬機連線,您會看到下列結果:{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "issues": [ { "context": [ { "key": "RuleName", "value": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM1-nsg/SecurityRules/DenyInternetOutbound" } ], "origin": "Outbound", "severity": "Error", "type": "NetworkSecurityRule" } ], "links": [ { "context": {}, "issues": [], "linkType": "Internet", "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc", "resourceId": "" } ], "nextHopIds": [ "bbbbbbbb-1111-2222-3333-cccccccccccc" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "23.198.7.184", "id": "bbbbbbbb-1111-2222-3333-cccccccccccc", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "Internet", "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "resourceId": "" } ], "type": "Internet" } ], "probesFailed": 30, "probesSent": 30 }
- 線上狀態為 [無法 連線] (
www.bing.com
無法從 VM1 連線)。 - 已傳送 30 個探查,且無法連線
www.bing.com
。 - 來自來源虛擬機的輸出連線遭到網路安全組中
VM1-nsg
的安全性規則DenyInternetOutbound
拒絕。 - 下一個躍點類型為
Internet
。
解決方案:更新來源虛擬機上的網路安全組,以允許對的
www.bing.com
輸出流量。- 線上狀態為 [無法 連線] (
測試IP位址的連線能力
在本節中,您會測試虛擬機與另一部虛擬機 IP 位址之間的連線。
使用 az network watcher test-connectivity 執行連線疑難解答,以測試 RDP 連線能力:10.10.10.10
# Test connectivity from a virtual machine to 10.10.10.10 over port 3389.
az network watcher test-connectivity --resource-group 'myResourceGroup' --source-resource 'VM1' --dest-address '10.10.10.10' --protocol 'TCP' --dest-port 3389
如果IP位址可連線,您會看到下列結果:
{ "avgLatencyInMs": 2, "connectionStatus": "Reachable", "hops": [ { "address": "10.0.0.4", "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc", "resourceId": "", "roundTripTimeAvg": 2, "roundTripTimeMax": 2, "roundTripTimeMin": 2 } ], "nextHopIds": [ "bbbbbbbb-1111-2222-3333-cccccccccccc" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.10.10.10", "id": "bbbbbbbb-1111-2222-3333-cccccccccccc", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "resourceId": "" } ], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/vm2375/ipConfigurations/ipconfig1", "type": "VirtualNetwork" } ], "maxLatencyInMs": 7, "minLatencyInMs": 1, "probesFailed": 0, "probesSent": 66 }
- 線上狀態為 [可 連線] (
10.10.10.10
可透過埠 3389 連線)。 - 成功傳送 66 個探查,
10.10.10.10
平均延遲為 2 毫秒。 - 兩部虛擬機之間的路徑中有兩個躍點(兩部 VM 之間路徑中沒有設備或其他資源)。
- 線上狀態為 [可 連線] (
如果IP位址無法連線,因為目的地虛擬機未執行,您會看到下列結果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "issues": [], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc", "resourceId": "" } ], "nextHopIds": [ "bbbbbbbb-1111-2222-3333-cccccccccccc" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.10.10.10", "id": "bbbbbbbb-1111-2222-3333-cccccccccccc", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "resourceId": "" } ], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/vm2375/ipConfigurations/ipconfig1", "type": "VirtualNetwork" } ], "probesFailed": 30, "probesSent": 30 }
- 線上狀態為 [無法 連線] (
10.10.10.10
無法透過埠 3389 連線)。 - 已傳送 30 個探查,且無法連線
10.10.10.10
。 - 來源虛擬機中沒有任何問題。
- 沒有任何問題
10.10.10.10
。
解決方案:啟動目的地虛擬機。
- 線上狀態為 [無法 連線] (
如果來源虛擬機的路由表中沒有IP位址的路由(例如,IP 位址不在 VM 虛擬網路或其對等互連虛擬網路的位址空間中),您會看到下列結果:
{ "connectionStatus": "Unreachable", "hops": [ { "address": "10.0.0.4", "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "issues": [ { "context": [], "origin": "Local", "severity": "Error", "type": "RouteMissing" }, { "context": [ { "key": "ErrorMessage", "value": "NextHop Type None, NextHop IP " } ], "origin": "Outbound", "severity": "Error", "type": "UserDefinedRoute" }, { "context": [ { "key": "RuleName", "value": "DefaultRule_DenyAllOutBound" } ], "origin": "Outbound", "severity": "Error", "type": "NetworkSecurityRule" } ], "links": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc", "resourceId": "" } ], "nextHopIds": [ "bbbbbbbb-1111-2222-3333-cccccccccccc" ], "previousHopIds": [], "previousLinks": [], "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1", "type": "Source" }, { "address": "10.10.10.10", "id": "bbbbbbbb-1111-2222-3333-cccccccccccc", "issues": [], "links": [], "nextHopIds": [], "previousHopIds": [ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" ], "previousLinks": [ { "context": {}, "issues": [], "linkType": "VirtualNetwork", "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb", "resourceId": "" } ], "type": "Destination" } ], "probesFailed": 30, "probesSent": 30 }
- 線上狀態為 [無法 連線] (
10.10.10.10
無法透過埠 3389 連線)。 - 已傳送 30 個探查,且無法連線
10.10.10.10
。 - 來源虛擬機路由表中沒有路由至
10.10.10.10
(來源虛擬機的輸出發生RouteMissing
錯誤)。 - 下一個躍點類型為 None ,因為沒有通往
10.10.10.10
的路由。 - 來自來源虛擬機的輸出連線遭到網路安全組中
VM1-nsg
的安全性規則DefaultRule_DenyAllOutBound
拒絕。
解決方案:將路由表與來源虛擬機子網的正確路由產生關聯。
- 線上狀態為 [無法 連線] (