You use an Azure Resource Manager (ARM) template to deploy a virtual network (VNet) that contains two Windows Server virtual machines (VMs).
You need to verify connectivity between the newly deployed VMs. Your tests include the following requirements:
* Determine whether line-of-business (LOB) traffic is allowed between the VMs.
* Isolate any network security group(s) that may block valid inter-VM network traffic.
* Minimize cost, time, and troubleshooting complexity.
What should you do first?
To run all desired tests efficiently, you should first enable Network Watcher in the target Azure region. Network Watcher includes two tools that are directly relevant to your troubleshooting scenario:
* IP flow verify: Tests point-to-point connectivity between Azure VMs and identifies any network security group (NSG) rules at play.
* Security group view: Displays the effective NSG rules applied to a VNet subnet and/or a VM's VNet interface.
You should not deploy the Network Performance Monitor (NPM) management solution. First, this solution fails to meet the scenario requirements of minimal administrative overhead, complexity, and cost. Second, NPM monitors the health of VNets and subnets. It does not have the point-to-point connectivity check tools offered by Network Watcher.
You should not run the Test-NetConnection PowerShell cmdlet from your administrative workstation. While this cmdlet is useful to test connectivity between Azure VMs, it provides no insights into NSG rules that may prevent a connection.
You should not configure an Azure Automation runbook to perform a packet capture on the target VNet. Network Watcher does integrate with Azure Automation, but this solution involves far more complexity than simply using the native Network Watcher tools.
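The procedure the answer describes, as an added PowerShell example that is not part of the original question or Microsoft's own documentation: it enables Network Watcher in the region, runs IP flow verify in both directions for the LOB flow, and, only if a direction is denied, pulls the security group view to isolate the blocking NSG rule. The resource group, VM names, region and LOB port (8080) are assumed values.

```powershell
# Added example (not from the original page). Assumed names: resource group,
# region, VM names and the LOB application port.
$rg       = 'rg-lob'      # assumption
$location = 'eastus'      # assumption: region the ARM template deployed the VNet to
$srcVm    = 'vm-app01'    # assumption
$dstVm    = 'vm-app02'    # assumption
$lobPort  = '8080'        # assumption: port the LOB service listens on

# 1. Enable Network Watcher in the region (one instance per region per subscription).
$nw = Get-AzNetworkWatcher -Location $location -ErrorAction SilentlyContinue
if (-not $nw) {
    $nw = New-AzNetworkWatcher -Name "NetworkWatcher_$location" `
            -ResourceGroupName 'NetworkWatcherRG' -Location $location
}

# Resolve both VMs and the private IP of their primary NIC.
$src = Get-AzVM -ResourceGroupName $rg -Name $srcVm
$dst = Get-AzVM -ResourceGroupName $rg -Name $dstVm
$srcNic = Get-AzNetworkInterface -ResourceId $src.NetworkProfile.NetworkInterfaces[0].Id
$dstNic = Get-AzNetworkInterface -ResourceId $dst.NetworkProfile.NetworkInterfaces[0].Id
$srcIp = $srcNic.IpConfigurations[0].PrivateIpAddress
$dstIp = $dstNic.IpConfigurations[0].PrivateIpAddress

# 2. IP flow verify: may the LOB flow leave the source VM ("Local" = the tested VM's NIC) ...
$outbound = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw `
    -TargetVirtualMachineId $src.Id -Direction Outbound -Protocol TCP `
    -LocalIPAddress $srcIp -LocalPort '50000' `
    -RemoteIPAddress $dstIp -RemotePort $lobPort
# ... and may it enter the destination VM? Each result names the NSG rule that decided it.
$inbound = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw `
    -TargetVirtualMachineId $dst.Id -Direction Inbound -Protocol TCP `
    -LocalIPAddress $dstIp -LocalPort $lobPort `
    -RemoteIPAddress $srcIp -RemotePort '50000'
"Outbound from ${srcVm}: $($outbound.Access) (rule: $($outbound.RuleName))"
"Inbound to ${dstVm}:    $($inbound.Access) (rule: $($inbound.RuleName))"

# 3. Security group view: if either direction is denied, list the effective Deny rules
#    on the destination NIC so the subnet- or NIC-level NSG at fault can be isolated.
if ($outbound.Access -eq 'Deny' -or $inbound.Access -eq 'Deny') {
    $view = Get-AzNetworkWatcherSecurityGroupView -NetworkWatcher $nw `
                -TargetVirtualMachineId $dst.Id
    $view.NetworkInterfaces.SecurityRuleAssociations.EffectiveSecurityRules |
        Where-Object { $_.Access -eq 'Deny' } |
        Select-Object Name, Direction, Priority, Protocol, DestinationPortRange, Access |
        Format-Table -AutoSize
}
```

Run it from a session already signed in with Connect-AzAccount; the source port 50000 stands in for whatever ephemeral port the client would use, since NSG evaluation of the LOB flow depends on the destination port.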