Introduction to connectivity check in Azure Network Watcher

The connectivity feature of Network Watcher provides the capability to check a direct TCP connection from a virtual machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. Network scenarios are complex, they are implemented using Network Security Groups, firewalls, User-defined routes, and resources provided by Azure. Complex configurations make troubleshooting connectivity issues challenging. Network Watcher helps reduce the amount of time to find and detect connectivity issues. The results returned can provide insights into whether a connectivity issue is due to a platform or a user configuration issue. Connectivity can be checked with PowerShell, Azure CLI, and REST API.


Network Watcher connectivity check is currently in public preview release and may not have the same level of availability and reliability as features that are in general availability release. Certain features may not be supported, may have constrained capabilities, and may not be available in all Azure locations. For the most up-to-date notifications on availability and status of this feature, check the Azure Network Watcher updates page.


Connectivity check requires a virtual machine extension AzureNetworkWatcherExtension. For installing the extension on a Windows VM visit Azure Network Watcher Agent virtual machine extension for Windows and for Linux VM visit Azure Network Watcher Agent virtual machine extension for Linux.

Register the preview capability

Connectivity check is currently in public preview, to use this feature it needs to be registered. To do this, run the following PowerShell sample:

Register-AzureRmProviderFeature -FeatureName AllowNetworkWatcherConnectivityCheck  -ProviderNamespace Microsoft.Network
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

To verify the registration was successful, run the following Powershell sample:

Get-AzureRmProviderFeature -FeatureName AllowNetworkWatcherConnectivityCheck  -ProviderNamespace  Microsoft.Network

If the feature was properly registered, the output should match the following:

FeatureName         ProviderName      RegistrationState
-----------         ------------      -----------------
AllowNetworkWatcherConnectivityCheck  Microsoft.Network Registered


The following table shows the properties returned when a connectivity check has finished running.

Property Description
ConnectionStatus The status of the connectivity check. Possible results are Reachable and Unreachable.
AvgLatencyInMs Average latency during the connectivity check in milliseconds. (Only shown if check status is reachable)
MinLatencyInMs Minimum latency during the connectivity check in milliseconds. (Only shown if check status is reachable)
MaxLatencyInMs Maximum latency during the connectivity check in milliseconds. (Only shown if check status is reachable)
ProbesSent Number of probes sent during the check. Max value is 100.
ProbesFailed Number of probes that failed during the check. Max value is 100.
Hops Hop by hop path from source to destination.
Hops[].Type Type of resource. Possible values are Source, VirtualAppliance, VnetLocal, and Internet.
Hops[].Id Unique identifier of the hop.
Hops[].Address IP address of the hop.
Hops[].ResourceId ResourceID of the hop if the hop is an Azure resource. If it is an internet resource, ResourceID is Internet.
Hops[].NextHopIds The unique identifier of the next hop taken.
Hops[].Issues A collection of issues that were encountered during the check at that hop. If there were no issues, the value is blank.
Hops[].Issues[].Origin At the current hop, where issue occurred. Possible values are:
Inbound - Issue is on the link from the previous hop to the current hop
Outbound - Issue is on the link from the current hop to the next hop
Local - Issue is on the current hop.
Hops[].Issues[].Severity The severity of the issue detected. Possible values are Error and Warning.
Hops[].Issues[].Type The type of issue found. Possible values are:
Hops[].Issues[].Context Details regarding the issue found.
Hops[].Issues[].Context[].key Key of the key value pair returned.
Hops[].Issues[].Context[].value Value of the key value pair returned.

The following is an example of an issue found on a hop.

"Issues": [
        "Origin": "Outbound",
        "Severity": "Error",
        "Type": "NetworkSecurityRule",
        "Context": [
                "key": "RuleName",
                "value": "UserRule_Port80"

Fault types

The connectivity check returns fault types about the connection. The following table provides a list of the current fault types returned.

Type Description
CPU High CPU utilization.
Memory High Memory utilization.
GuestFirewall Traffic is blocked due to a virtual machine firewall configuration.
DNSResolution DNS resolution failed for the destination address.
NetworkSecurityRule Traffic is blocked by an NSG Rule (Rule is returned)
UserDefinedRoute Traffic is dropped due to a user defined or system route.

Next steps

Learn how to verify connectivity to a resource by visiting: Check connectivity with Azure Network Watcher.