A security administrator is troubleshooting network connectivity to an Azure virtual machine. The VM is behind a network security group (NSG) that has a deny-all inbound rule as the default. The administrator wants to quickly verify whether a specific TCP packet on port 3389 from their client IP (203.0.113.50) would be allowed or blocked by the NSG. Which Azure Network Watcher tool should they use?
Trap 1: Network Performance Monitor.
Network Performance Monitor is used to measure latency, packet loss, and performance across networks, not for rule validation.
Trap 2: Next hop.
Next hop identifies the next hop type and IP address for a packet based on routing, but it does not evaluate NSG rules. It is used for route table diagnosis.
Trap 3: NSG diagnostics (flow logs).
NSG flow logs are used to capture and log all traffic flows for analytics, not for real-time validation of a specific simulated packet.
- A. Network Performance Monitor.
  Why wrong: Network Performance Monitor is used to measure latency, packet loss, and performance across networks, not for rule validation.
- B. IP flow verify.
  This tool simulates a packet and evaluates NSG rules to determine if the traffic is allowed or denied. It provides immediate feedback for troubleshooting NSG issues.
- C. Next hop.
  Why wrong: Next hop identifies the next hop type and IP address for a packet based on routing, but it does not evaluate NSG rules. It is used for route table diagnosis.
- D. NSG diagnostics (flow logs).
  Why wrong: NSG flow logs are used to capture and log all traffic flows for analytics, not for real-time validation of a specific simulated packet.