Troubleshooting Azure Virtual Machine Connectivity Issues

on

 

Troubleshooting Azure Virtual Machine Connectivity Issues – A Step-by-Step Guide for Azure Administrators









Introduction

As an Azure Administrator, ensuring that virtual machines (VMs) remain accessible and functional is a top priority. However, network connectivity issues can crop up unexpectedly, causing downtime and impacting productivity.

In this blog, we’ll walk through a real-world troubleshooting scenario where an Azure Virtual Machine suddenly became unreachable over Remote Desktop Protocol (RDP) and how we resolved the issue step-by-step.



Scenario

A Windows Server 2016/2019/2022 VM hosted in Azure suddenly became inaccessible over RDP.
Pinging the VM’s public IP returned a timeout, and the application hosted inside the VM was also unavailable.


Key symptoms:

  • RDP connection failed with:
    "Remote Desktop can’t connect to the remote computer..."

  • ping returned Request Timed Out

  • Application endpoint was unreachable

  • Azure portal showed the VM was still running



Root Cause Analysis

Connectivity issues like this in Azure can stem from:

  1. NSG (Network Security Group) rules blocking inbound traffic

  2. Firewall misconfiguration inside the VM

  3. Public IP or DNS issues

  4. VM NIC misconfiguration

  5. Service outage in Azure region (rare but possible)




Step-by-Step Troubleshooting & Solution




Step 1 – Check VM Status in Azure Portal

  • Go to Azure Portal → Virtual Machines

  • Confirm the VM status is Running

  • If it’s Stopped (Deallocated), start it

✅ Our VM was running — so the issue wasn’t a stopped state.



Step 2 – Use Azure Network Watcher

  1. Open Network Watcher in the Azure Portal

  2. Select Connection Troubleshoot

  3. Test connectivity from an Azure resource to the VM’s public/private IP

Result: Test showed “Port 3389 not reachable” — indicating an inbound connection issue.



Step 3 – Verify NSG Rules

  • Navigate to Networking under the VM

  • Check Inbound port rules

  • Ensure that there is an Allow rule for TCP 3389 from the correct source (e.g., Any or specific IPs)

Finding: The RDP rule had been accidentally deleted during recent security updates.



Step 4 – Add/Restore RDP Rule

We re-added the rule:

Priority: 100
Name: Allow-RDP
Port: 3389
Protocol: TCP
Action: Allow
Source: Any (or your office IP for security)
Destination: Any





Step 5 – Restart VM (Optional)


In most cases, NSG changes take effect instantly. 
However, we restarted the VM to ensure all connections reset.


Step 6 – Verify Access
    

  • Tried RDP again: ✅ Success
    • 

  • Ping still failed (expected — ICMP is blocked by default in Azure)
    • 

  • Application was back online



Best Practices for Azure Administrators


    

  1. Always document NSG changes to avoid accidental rule deletion.
    2. 

  2. Restrict RDP access to known IP addresses for better security
    3. 

  3. Enable Azure Bastion for secure browser-based RDP without exposing port 3389.
    4. 

  4. Regularly run Network Watcher diagnostics to detect potential issues early.
    5. 

  5. Use Azure Activity Logs to track configuration changes.



Conclusion


Azure’s networking model is powerful but requires careful configuration.

By systematically using tools like Network Watcher, checking NSG rules, 
and maintaining security best practices, Azure Administrators can quickly 
identify and fix connectivity issues — ensuring uptime and smooth operations.







Comments

Post a Comment