VPN troubleshoot
For the VPN troubleshoot demonstration, we are going to use the VPN connection that we created in the previous chapter.
You can diagnose the VPN connection by taking the following steps:
- From the Network Watcher blade, select VPN troubleshoot from under Network diagnostics tools.
- In the VPN troubleshoot blade, you can filter your VPN gateway choice by selecting the subscription, resource group, and location:

Figure 18.23 – VPN troubleshoot
- You can start the troubleshooting diagnostic by selecting the checkbox next to your corresponding gateway. You also need to select or create a storage account for storing the diagnostic information. After selecting the checkbox, you can start the troubleshooting process by clicking Start troubleshooting in the top menu, as shown in the following screenshot:

Figure 18.24 – VPN troubleshoot, Start troubleshooting
- This will start the troubleshooting process, and, in my case, the VPN connections seem healthy:

Figure 18.25 – VPN troubleshoot, troubleshooting
Should you have an issue, you can click on the Action tab to see the recommendations:

Figure 18.26 – VPN troubleshoot, Action
You can manage external networking using Azure Network Watcher as well. We will cover this in the upcoming section.
Troubleshooting external networking
Azure Network Watcher offers three features to monitor and troubleshoot external networking. The features are IP flow verify, Effective security rules, and Connection troubleshoot, which are going to be covered in the next sections.
IP flow verify
With IP flow verify, you can detect whether a packet is allowed or denied to or from a network interface of a VM. Included in the information are the protocol, the local and remote IP addresses, the direction, and the local and remote ports. When a packet is denied, the name of the routing rule that denies the packet is returned. You can use this to diagnose connectivity issues from or in the on-premises environment and to and from the internet. You can basically choose any source or IP address to verify the connectivity.
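To make the verdict concrete, the following added example (not from this book and not Azure's own code) models how a flow described by direction, protocol, and local and remote address and port is checked against prioritized rules, returning the access decision and the name of the rule that matched. The rule names, the addresses, and the simplified evaluation (first match by priority, source ports treated as wildcards) are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    priority: int    # lower number is evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "TCP", "UDP" or "*"
    source: str      # CIDR prefix or "*"
    dest: str        # CIDR prefix or "*"
    dest_ports: str  # "*", "443" or a range such as "8000-8100"

# Constructed sample rule set for a VM NIC in 10.0.0.0/24 (assumption, not real data).
RULES = [
    Rule("Allow-HTTPS-In", 100, "Inbound", "Allow", "TCP", "*", "10.0.0.0/24", "443"),
    Rule("Allow-RDP-From-OnPrem", 150, "Inbound", "Allow", "TCP", "192.168.0.0/16", "10.0.0.0/24", "3389"),
    Rule("Deny-RDP-From-Any", 200, "Inbound", "Deny", "TCP", "*", "10.0.0.0/24", "3389"),
    Rule("Allow-Web-Out", 300, "Outbound", "Allow", "TCP", "10.0.0.0/24", "*", "443"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

def _ip_matches(prefix, ip):
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def ip_flow_verify(rules, direction, protocol, local, remote):
    """Return (access, rule_name) for one flow; local and remote are (ip, port)."""
    # The VM NIC is the "local" end: inbound traffic has the remote end as source.
    src, dst = (remote, local) if direction == "Inbound" else (local, remote)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == direction
                and rule.protocol in ("*", protocol)
                and _ip_matches(rule.source, src[0])
                and _ip_matches(rule.dest, dst[0])
                and _port_matches(rule.dest_ports, dst[1])):
            return rule.access, rule.name
    return "Deny", None  # no rule matched in this simplified model

if __name__ == "__main__":
    flows = [
        ("Inbound", "TCP", ("10.0.0.4", 3389), ("192.168.1.10", 50000)),  # on-premises RDP
        ("Inbound", "TCP", ("10.0.0.4", 3389), ("203.0.113.7", 50000)),   # internet RDP
        ("Outbound", "TCP", ("10.0.0.4", 50000), ("203.0.113.7", 443)),
    ]
    for flow in flows:
        print(flow, "->", ip_flow_verify(RULES, *flow))
```

The same RDP flow is allowed from the on-premises range and denied from an internet address, and in the denied case the returned rule name tells you which rule to review.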
To run IP flow verify, you need to enable an instance of Network Watcher in the region where you plan to run the tool. This is similar to the demonstration covered in the Enabling Network Watcher section that appeared earlier in this chapter, where we enabled Network Watcher for a particular region.