Network Watcher has a number of different tools to help troubleshoot connections. The first one is IP Flow Verify. This tests whether packets are allowed to flow between a VM and an endpoint. It checks them at work security groups that are associated with the VM and tells you which rule allows or denies the connection. 

Okay, let's see how it works. Go into the Azure portal and search for Network Watcher. There it is. First, you have to make sure it's enabled in the region that has the connection you want to monitor. I need Central U.S. enabled. Which it is. If it was disabled, then I can enable it over here. Then click on IP Flow Verify. Select the resource group that contains the VM. Then choose the VM. If it has more than one network interface, then you can select the one you want. This VM only has one interface. Now choose whether you want to test TCP or UDP. Also, tell it whether you want to test inbound or outbound connections for the VM. Let's change it to outbound. It automatically fills in the IP address of the VM you chose, but you have to fill in the IP address of what you're trying to connect to. If you don't know it off the top of your head and it's a VM, then there's a quick way to get it. Change the VM to the one you want to connect to. Copy and paste it's IP address to the remote IP field. And then change the VM back to the original one. 

Okay, now we need to tell it which port we want to test. Let's try port 80. Then click the check button. It normally takes a few seconds. Alright, it says that access is allowed. The security rule that allows it is allow VNet outbound. If you want to look at that security rule in more detail, then you could look up that VM in the portal and go to its networking section, but there's an easier way. You can just go to security group view and look it up there. Set the resource group in the virtual machine and it will bring up the rules for that VM. The allow VNet outbound rule is down here. It's kind of hard to see because it says default rule at the beginning. It adds that because that rule is in the default rule set. If you go to the default tab, you'll see it without the prefix. The other two tabs are for the rules associated with this VM's network interface and this VM subnet. The effective tab shows all three rule sets combined. Note that IP Flow Verify only checks the security groups associated with the VM. It doesn't check the security associated with the endpoint. So if we want to make sure that my VM1 can connect to my VM3 over port 80, then we'll have to run IP Flow Verify in the other direction as well. 

Go back to IP Flow Verify. This time, copy my VM1's IP address to the remote field and then change the virtual machine field to my VM3. Also, make sure that the direction is set to inbound because we're testing connections coming into my VM3. Now set the port to 80 again and click check. This time we get access denied due to a rule called port 80 deny. This was a rule that I added to the network security group for my VM3's network interface. This rule isn't there by default, so if you were following along on your own VM's, you probably didn't get an access denied message. And that's it for IP Flow Verify.