First 10 Minutes: Connectivity¶

Quick Context¶

Use this checklist when the symptom is reachability, packet loss, intermittent failure, or latency. The first goal is to separate DNS, path, policy, and target health.

mermaid flowchart TD A[Reachability symptom] --> B{Name resolves correctly?} B -->|No| C[Switch to DNS checklist] B -->|Yes| D{Next hop expected?} D -->|No| E[Switch to Routing checklist] D -->|Yes| F{Policy allows flow?} F -->|No| G[Open policy/routing playbook] F -->|Yes| H[Check listener, probes, or latency]

Step 1: Prove whether this is name-based or IP-based¶

• Run an IP-only test and a name-based test.
• Good signal: both fail the same way, meaning DNS is less likely.
• Bad signal: IP works but FQDN fails, meaning DNS is likely primary.

Step 2: Check the expected path¶

• Use effective routes or next-hop diagnostics.
• Good signal: traffic takes the intended peering, gateway, or internet path.
• Bad signal: traffic exits to an unexpected NVA, gateway, or public path.

Step 3: Check allow/deny outcome¶

• Use effective NSG, IP Flow Verify, and firewall/NVA logs.
• Good signal: an allow path clearly matches source, destination, and port.
• Bad signal: implicit or explicit deny matches first.

Step 4: Confirm listener or probe health¶

• For inbound issues, validate frontend IP, backend health, and probe status.
• For outbound issues, validate dependency listener and port reachability.
• Good signal: TCP handshake reaches the correct listener.
• Bad signal: probe unhealthy, port closed, or connection reset/refused.

Step 5: If the issue is time-based, switch to timeline mode¶

• Compare failures against load, route changes, DNS TTL expiry, or tunnel events.
• Good signal: stable baseline with no time-based spikes.
• Bad signal: repeated burst windows or periodic flapping.

Decision points¶

• Inbound path issue -> Inbound Connectivity Issues
• Outbound path issue -> Outbound Connectivity Issues
• Private Endpoint issue -> Cannot Reach Private Endpoint
• Intermittent issue -> Intermittent Network Failures
• Latency or loss -> Latency and Packet Loss

az network watcher test-connectivity --source-resource <source-id> --dest-address <fqdn-or-ip> --dest-port 443
az network nic show-effective-route-table --resource-group <resource-group> --name <nic-name>
az network nic list-effective-nsg --resource-group <resource-group> --name <nic-name>

See Also¶

• DNS Checklist
• Routing Checklist
• Evidence Map
• Playbooks Index

Sources¶

• Connection troubleshoot in Azure Network Watcher
• Diagnose VM network routing problems