Troubleshooting network connectivity within the context of the Azure Administrator Associate (AZ-104) exam focuses on diagnosing communication interruptions between Azure resources, on-premises networks, and the internet. The primary suite of tools used for this purpose is **Azure Network Watcher**…Troubleshooting network connectivity within the context of the Azure Administrator Associate (AZ-104) exam focuses on diagnosing communication interruptions between Azure resources, on-premises networks, and the internet. The primary suite of tools used for this purpose is **Azure Network Watcher**, which is enabled on a per-region basis.
When detailed diagnosis is required, administrators should start with **IP Flow Verify**. This tool checks if a packet is allowed or denied to/from a specific Virtual Machine based on the effective Network Security Group (NSG) rules. It quickly identifies if a firewall rule is the root cause of a blockage.
If security rules are configured correctly, the issue may be routing. The **Next Hop** tool helps determine where traffic destined for a specific IP is being sent (e.g., Internet, Virtual Network, Virtual Appliance, or None). This is essential for troubleshooting misconfigured User Defined Routes (UDRs) that might be blackholing traffic.
For a holistic view, **Connection Troubleshoot** tests the connectivity between a source VM and a destination (another VM, FQDN, or IP). It validates the path, checks for latency, and identifies the reachable status hop-by-hop. Specific to hybrid connectivity, **VPN Troubleshoot** gathers health diagnostics for Virtual Network Gateways and connections.
Administrators must also consider **NSG Flow Logs** and **Traffic Analytics** for historical data on traffic patterns, which aid in spotting intermittent issues. finally, outside of Azure-specific tools, one must verify **OS-level firewalls** (like Windows Firewall or iptables) and **VNet DNS settings**, as these are common points of failure that Azure infrastructure tools might report as successful connections despite the application failing.
Troubleshoot Network Connectivity for Azure Administrator (AZ-104)
Why is this important? In a distributed cloud environment like Azure, network connectivity issues are inevitable. Whether it is a broken VPN tunnel, a misconfigured firewall rule, or an incorrect routing path, an Azure Administrator must diagnose the root cause quickly to minimize downtime. For the AZ-104 exam, this topic is critical because Microsoft prioritizes accurate diagnostic skills over simple configuration. You must demonstrate not only that you can build a network, but that you can fix it when packets stop flowing.
What is it? Troubleshooting network connectivity in Azure revolves principally around Azure Network Watcher, a regional service that provides a suite of tools to monitor, diagnose, and view metrics of your Azure virtual networks. Unlike standard monitoring which checks the health of the service, these tools analyze the actual traffic flow.
How it works: Key Tools & Components To successfully troubleshoot, you must understand which specific tool within Network Watcher applies to a specific problem:
1. IP Flow Verify This tool checks if a packet is allowed or denied to or from a virtual machine. It looks at the 5-tuple information (Source IP, Source Port, Destination IP, Destination Port, and Protocol) and evaluates the Network Security Groups (NSGs) applied to the subnet and the network interface. It tells you which rule is blocking traffic.
2. Next Hop This tool helps identify routing issues. If traffic isn't getting to its destination, Next Hop tells you where the packet goes next (e.g., Internet, Virtual Appliance, Virtual Network Gateway, or None). This is essential for debugging User Defined Routes (UDRs).
3. Connection Troubleshoot / Connection Monitor This checks the TCP or ICMP connectivity between a source VM and a destination (another VM, an FQDN, an IP). It tests the reachability and latency. If the connection fails, it often provides the reason (e.g., CPU high, Port closed).
4. Packet Capture This allows you to create capture sessions on specific VMs to record network traffic. The resulting `.cap` files can be analyzed in tools like Wireshark. This is used for deep-level debugging of dropped packets or data corruption.
5. VPN Troubleshoot Specific diagnostics for Virtual Network Gateways and connections to diagnose why a site-to-site or point-to-site VPN is failing.
How to Answer Questions on the Exam Exam questions in this domain are almost exclusively scenario-based. The question will describe a symptom, and you must select the correct tool to diagnose it.
Scenario 1: Firewall/Blocking Issues If the scenario states that 'User A cannot reach VM B' or 'Traffic on port 80 is timing out,' the issue is likely a security rule. You should look for IP Flow Verify or Effective Security Rules.
Scenario 2: Routing/Pathing Issues If the scenario mentions 'Traffic is directed to the internet instead of the firewall' or 'Traffic is dropped because of a missing route,' the answer is almost always Next Hop.
Scenario 3: Intermittent or Packet Level Issues If the scenario involves application errors, fragmented packets, or intermittent data loss, the answer is Packet Capture.
Exam Tips: Answering Questions on Troubleshoot network connectivity
1. Verify vs. Next Hop: Memorize this distinction: Use IP Flow Verify for NSG/Firewall problems. Use Next Hop for Ruling/UDR problems.
2. Hierarchy of Rules: Remember that 'Effective Security Rules' shows the result of combining NSGs at the Subnet level and the NIC level. The exam may give you a scenario where a rule is open on the Subnet but closed on the NIC; traffic will be blocked.
3. Network Watcher Activation: Network Watcher is a regional service. You cannot use these tools if Network Watcher is not enabled in the region where your VNet resides.
4. VPN Diagnosis: If a question asks how to view the health of a site-to-site VPN connection or why the shared key is invalid, look for VPN Troubleshoot, not Connection Monitor.
5. System Routes vs. Custom Routes: In 'Next Hop' questions, remember that User Defined Routes (UDRs) override System Default routes. If traffic is going to 'None', it means the packet is being dropped because there is no valid path.