Forum Discussion
Network Monitoring
For a single app that is being blocked, I would start with Network Watcher before turning on broader logging.
Use IP flow verify against the VM NIC and test the exact source IP, destination IP, protocol, port, and direction. It will tell you whether the flow is allowed or denied and which NSG rule matched. Then check effective security rules on the NIC, because subnet NSG and NIC NSG rules can combine in ways that are easy to miss.
If you know the destination and port, Connection troubleshoot is also useful because it checks the path, not just the NSG rule.
For ongoing monitoring, enable Virtual Network flow logs or NSG flow logs and send them to Storage/Log Analytics. Flow logs are not full packet capture, but they are usually enough to answer "which source, destination, port, and rule caused the allow/deny?"
Docs:
https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview
https://learn.microsoft.com/azure/network-watcher/nsg-flow-logs-overview
https://learn.microsoft.com/azure/network-watcher/connection-troubleshoot-overview