Diagnose private connectivity between Azure resources end-to-end: PE → DNS zone → A-record → VNet link → NSG → target firewall. Stops at the first ❌ and tells you exactly how to fix it.
Diagnose private connectivity between Azure resources end-to-end:
Private Endpoint → Private DNS zone → A-record → VNet link → NSG →
target firewall. No more guessing whether your AI Search, Storage, Key
Vault, Cosmos DB, or Azure OpenAI is actually reachable over the private
path.
Why you want it
Private-link misconfigurations are the single most common cause of
"works on portal, fails from app" outages. The portal scatters the
evidence across 6 blades; this extension gathers them into one ordered
checklist with copy-paste fixes.
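The ordered, stop-at-first-failure idea described above, as an added example (not the extension's own code). It covers the chain up to the NSG and leaves out the target firewall step. The `snap` layout, the function name and all sample values are assumptions constructed here; the nested field names follow `az ... -o json` output.

```python
# Added example: ordered private-link checks over constructed `az ... -o json` data.
# The snapshot layout and the check wording are assumptions, not the extension's code.

def first_failure(snap, source_vnet_id, record_name, port="443"):
    """Return (step, reason) for the first failing check, or None if all pass."""
    conns = (snap["pe"].get("privateLinkServiceConnections")
             or snap["pe"].get("manualPrivateLinkServiceConnections") or [])
    states = [c["privateLinkServiceConnectionState"]["status"] for c in conns]
    if "Approved" not in states:
        return ("Private Endpoint", f"connection state is {states or 'missing'}")

    if snap["zone"] is None:
        return ("Private DNS zone", "expected privatelink zone not found")

    ips = [a["ipv4Address"] for rs in snap["a_records"]
           if rs["name"] == record_name for a in rs.get("aRecords") or []]
    if snap["pe_ip"] not in ips:
        return ("A-record", f"{record_name} has {ips}, endpoint NIC has {snap['pe_ip']}")

    # Azure resource IDs are case-insensitive, so compare them lowercased.
    linked = [l for l in snap["vnet_links"]
              if l["virtualNetwork"]["id"].lower() == source_vnet_id.lower()]
    if not any(l.get("virtualNetworkLinkState") == "Completed" for l in linked):
        return ("VNet link", "zone is not linked to the source VNet")

    # NSG: lowest priority number wins; only exact-port and "*" rules are modelled.
    inbound = sorted((r for r in snap["nsg_rules"] if r["direction"] == "Inbound"
                      and r["destinationPortRange"] in ("*", port)),
                     key=lambda r: r["priority"])
    if inbound and inbound[0]["access"] == "Deny":
        return ("NSG", f"rule {inbound[0]['name']} denies port {port}")
    return None

# Constructed sample: the record is correct, but the zone is not linked to the app VNet.
VNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
        "/providers/Microsoft.Network/virtualNetworks/vnet-app")
SAMPLE = {
    "pe": {"privateLinkServiceConnections": [
        {"privateLinkServiceConnectionState": {"status": "Approved"}}]},
    "pe_ip": "10.0.1.5",  # private IP read from the endpoint's NIC
    "zone": {"name": "privatelink.blob.core.windows.net"},
    "a_records": [{"name": "stapp", "aRecords": [{"ipv4Address": "10.0.1.5"}]}],
    "vnet_links": [],
    "nsg_rules": [{"name": "deny-all", "direction": "Inbound", "access": "Deny",
                   "priority": 4000, "destinationPortRange": "*"}],
}

if __name__ == "__main__":
    print(first_failure(SAMPLE, VNET, "stapp"))
```

The sample also contains a denying NSG rule, but the missing VNet link is reported first because it sits earlier in the chain.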
Get started in 30 seconds
1. Install the extension (from the Marketplace or a .vsix).
2. Make sure the Azure CLI is on PATH and you're logged in:

       az login
       az account set --subscription <YOUR_SUBSCRIPTION_ID>

3. Click the stethoscope icon in the activity bar.
4. Pick a preset (AI Search, Storage, Key Vault, Cosmos DB, Azure OpenAI) or "Diagnose Private Connectivity" for a custom kind.
5. Enter the resource group + name + (optionally) source VNet.
6. Watch the tree fill in. The first ❌ is your problem — click it to copy the az fix.
Features
🩺 Activity-bar tree view — every check, live, with state icons.
📋 One-click copy fix — every ❌ has a ready-to-run az command.
📄 Full report webview — share with a colleague or paste into a
ticket.
⚡ Presets for AI Search · Storage · Key Vault · Cosmos DB · Azure
OpenAI.
🔒 No telemetry. No outbound calls. Talks only to your local az.
Settings
| Setting | Default | Description |
|---|---|---|
| pnd.azCliPath | az | Path to the Azure CLI executable. |
| pnd.defaultSubscription | "" | Default subscription ID for diagnostics. |
Commands
All under the Network Doctor category in the Command Palette
(Ctrl+Shift+P):
Diagnose Private Connectivity — full custom run
Preset: AI Search / Storage Account / Key Vault / Cosmos DB /
Azure OpenAI
Open Full Report — Markdown webview
Copy Fix Command
Refresh
Requirements
VS Code 1.90+
Azure CLI (az) installed and on PATH
An az login session with Reader rights on the resource(s) you
diagnose. The extension makes no write calls.
Known limitations
Reads only — never modifies any Azure resource.
Cross-tenant scenarios require az login --tenant first.
For Cognitive Services / Azure OpenAI with VNet injection, the
redeploy fix must be applied via Bicep (the extension prints the
exact Bicep snippet to use).
Troubleshooting
| Symptom | What to try |
|---|---|
| "az: command not found" | Set pnd.azCliPath to the full path of az. |
| Empty tree, no checks | Run az login again; check az account show. |
| 403 on every step | The signed-in identity lacks Reader on the resource group. |
Privacy
This extension shells out to your local Azure CLI using your existing
login. It never transmits anything to any third-party service. See
SECURITY.md for the threat model.