Error Medic

Resolving 'Connection Refused' on Azure VMs: Throttling & Network Diagnostics

Fix Azure VM 'connection refused' errors. Learn how to diagnose NSG rules, identify SNAT port exhaustion, and resolve Azure network throttling issues.

Last updated:
Last verified:
931 words
Key Takeaways
  • Network Security Group (NSG) misconfigurations are the most common cause of connection refused errors.
  • High outbound connection rates can lead to SNAT port exhaustion, resulting in Azure VM network throttling and dropped packets.
  • Guest OS firewall rules (iptables, firewalld, or Windows Firewall) might be blocking the port even if Azure NSGs allow it.
  • Quick Fix: Verify NSG inbound port rules and check VM effective security rules using Azure Network Watcher.
Connection Refused Fix Approaches Compared
MethodWhen to UseTimeRisk
Azure Network Watcher IP Flow VerifyInitial diagnosis of NSG/routing issues5 minsLow
Guest OS Firewall InspectionNSGs are correct but connection still fails10 minsLow
SNAT Port Allocation ScalingExperiencing outbound connection throttling/drops15 minsMedium
Service Status & Port Binding CheckVM is reachable but application is not responding5 minsLow

Understanding the Error

When you encounter a Connection refused (or ECONNREFUSED in Node.js/Python) error while trying to connect to an Azure Virtual Machine, it explicitly means that the connection attempt reached a host, but the host actively rejected it. This is fundamentally different from a connection timeout, where packets are silently dropped. However, in the context of cloud infrastructure like Azure, 'connection refused' can also bubble up from intermediate load balancers or due to severe network throttling.

Common Error Messages

You might see errors like:

  • ssh: connect to host 203.0.113.5 port 22: Connection refused
  • curl: (7) Failed to connect to 203.0.113.5 port 80: Connection refused
  • java.net.ConnectException: Connection refused (Connection refused)

Step 1: Diagnose Network Security Groups (NSGs)

Azure NSGs act as a virtual firewall for your VM. If an NSG rule denies traffic, Azure typically drops the packet (resulting in a timeout), but if the traffic reaches the VM and the OS firewall blocks it, or no service is listening, you get a refusal.

First, check the Effective Security Rules for the VM's Network Interface (NIC). This shows the actual rules applied after merging subnet and NIC-level NSGs.

Use the Azure CLI to verify IP flow:

az network watcher test-ip-flow \
  --resource-group MyResourceGroup \
  --vm MyVm \
  --nic MyVmNic \
  --direction Inbound \
  --protocol TCP \
  --local 10.0.0.4:80 \
  --remote 203.0.113.10:45678

Step 2: Investigate Azure VM Throttling and SNAT Port Exhaustion

If you are seeing intermittent Connection refused errors, especially on outbound connections to APIs or database services, you might be hitting Azure VM throttling limits, specifically SNAT (Source Network Address Translation) port exhaustion.

Azure Standard Load Balancers allocate a default number of SNAT ports per VM. If your application opens too many concurrent outbound connections (e.g., failing to use connection pooling), you will exhaust these ports.

Symptoms of SNAT Exhaustion:

  • Intermittent connection failures.
  • Azure Monitor metrics showing high SNAT Connection Count or Allocated SNAT Ports.

Resolution:

  1. Implement Connection Pooling: Ensure your application reuses HTTP or database connections.
  2. Use NAT Gateway: Assign an Azure NAT Gateway to your subnet. NAT Gateways provide up to 64,512 SNAT ports per public IP address and vastly reduce the risk of exhaustion.
  3. Scale Out: Distribute the load across multiple VMs or use Virtual Machine Scale Sets (VMSS).

Step 3: Guest OS Configuration

If the Azure network layer allows the traffic, the issue is within the VM.

  1. Verify the service is running and listening on the correct interface: Often, services default to listening on 127.0.0.1 (localhost) instead of 0.0.0.0 (all interfaces).

  2. Check the Guest OS Firewall: On Linux, iptables, ufw, or firewalld might be blocking the port. On Windows, check the Advanced Security settings in Windows Defender Firewall.

Frequently Asked Questions

bash
# 1. Check if the service is listening on all interfaces (0.0.0.0)
sudo ss -tulpn | grep LISTEN

# 2. Check local UFW firewall status (Ubuntu/Debian)
sudo ufw status verbose

# 3. Check firewalld status (RHEL/CentOS)
sudo firewall-cmd --list-all

# 4. Azure CLI: Check effective NSG rules for a specific VM NIC
az network nic list-effective-nsg \
  --resource-group MyResourceGroup \
  --name MyNicName \
  --output table

# 5. Test specific port connectivity bypassing ICMP blocks
curl -v telnet://<azure-vm-public-ip>:80
E

Error Medic Editorial

Error Medic Editorial comprises seasoned Site Reliability Engineers and Cloud Architects dedicated to dissecting complex infrastructure issues and providing pragmatic, production-ready solutions.

Sources

Related Guides

Fixing 'Connection Refused' on Azure VMs: A Comprehensive Troubleshooting Guide
Diagnose and resolve 'Connection Refused' (ERR_CONNECTION_REFUSED) and SSH/RDP timeouts on Azure Virtual Machines. Learn to fix NSGs, firewalls, and throttling.
AWS CloudFront 403 Forbidden: Complete Troubleshooting Guide (Rate Limits, Timeouts & Fixes)
Fix AWS CloudFront 403 Forbidden errors fast. Step-by-step diagnosis covering S3 OAC misconfig, WAF blocks, geo-restrictions, signed URL expiry, and rate limits
AWS ECS 502 Bad Gateway: Complete Troubleshooting Guide
Fix AWS ECS 502 Bad Gateway errors fast. Covers health check misconfig, security group blocks, port mismatches, and timeout issues with exact CLI commands.
AWS Lambda Timeout, 403 Forbidden, 502 Bad Gateway & Throttling: The Complete Troubleshooting Guide
Fix AWS Lambda timeout, 403 Forbidden, 502 Bad Gateway, throttling, and access denied errors with step-by-step diagnosis commands and proven configuration fixes