Configuring Network Watcher
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Configuring Network Watcher: A Comprehensive Guide to Azure Network Monitoring
Introduction: Why Network Visibility Matters
In the world of cloud computing, the network is the nervous system of your infrastructure. When you deploy virtual machines, load balancers, and application gateways in Azure, you are building a complex web of connectivity. However, when things go wrong—when a packet is dropped, a connection is blocked, or latency spikes—identifying the root cause can feel like searching for a needle in a haystack. This is where Azure Network Watcher becomes an essential part of your administrative toolkit.
Azure Network Watcher is a regional service that provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. It is not just a monitoring tool; it is a diagnostic suite that allows you to visualize your network topology, troubleshoot connectivity issues between virtual machines, and analyze traffic flows. Without tools like Network Watcher, you are essentially flying blind, relying on guesswork or trial-and-error configuration changes whenever a network-related issue arises.
Understanding how to configure and utilize Network Watcher is a fundamental skill for any cloud administrator. Whether you are managing a small development environment or a global enterprise footprint, the ability to trace a packet from source to destination, verify security group rules, and capture traffic for deep analysis is what separates efficient troubleshooting from hours of downtime. In this lesson, we will explore the core components of Network Watcher, how to deploy it, and how to use its features to maintain a healthy and secure network.
Understanding the Core Components of Network Watcher
Network Watcher is organized into several distinct categories of tools, each serving a specific purpose in the lifecycle of network management. Before diving into configuration, it is important to understand what these tools do so you know which one to reach for when a problem occurs.
Monitoring Tools
Monitoring tools are designed to provide ongoing visibility into your network's health.
- Connection Monitor: This is arguably the most powerful tool in the suite. It allows you to monitor connectivity between endpoints (VMs, URLs, IP addresses) at regular intervals. It tracks latency, packet loss, and path changes over time.
- Network Performance Monitor: While largely transitioning toward other Azure services, this tool historically provided insight into hybrid network performance, tracking latency and packet loss across your on-premises and cloud environments.
Diagnostic Tools
When an incident occurs, diagnostic tools help you pinpoint the exact location of the failure.
- IP Flow Verify: This tool checks if a packet is allowed or denied to or from a virtual machine based on your Network Security Group (NSG) rules. It is the first place you should look if you suspect a firewall rule is blocking traffic.
- Next Hop: If you have complex routing tables, it can be difficult to determine where a packet is going. Next Hop tells you the next destination for a packet, helping you identify misconfigured User Defined Routes (UDRs).
- Effective Security Rules: This provides a view of all security rules applied to a network interface, including inherited rules and those applied to subnets.
Traffic and Topology Tools
- Topology: This provides a visual map of your virtual network, showing how resources are connected and how they relate to each other. It is invaluable for documentation and identifying "orphan" resources.
- NSG Flow Logs: This feature logs information about IP traffic flowing through your Network Security Groups. It is essential for security auditing, compliance, and analyzing traffic patterns for potential threats.
- Packet Capture: This allows you to trigger a packet capture on a virtual machine to inspect the raw data moving across the network interface. This is the "nuclear option" for debugging complex application-level issues.
Callout: Monitoring vs. Diagnostics It is helpful to categorize Network Watcher tools by their intent. Monitoring tools are proactive; they run in the background to alert you when something changes or degrades over time. Diagnostic tools are reactive; they are used in the moment to investigate a specific problem or verify a hypothesis about a configuration change. Understanding this distinction saves time during incident response.
Step-by-Step: Enabling Network Watcher
Network Watcher is a regional service. This means you must enable it in every region where you have resources that you want to monitor. Azure typically enables Network Watcher automatically in a subscription when you create a virtual network, but it is important to know how to verify and manage this status manually.
Enabling via the Azure Portal
- Navigate to the Network Watcher service in the Azure Portal.
- In the left-hand menu, select Regions.
- You will see a list of all Azure regions. Look for the status column. If it says "Disabled," click the three dots (...) next to the region.
- Select Enable Network Watcher.
- Wait a few moments for the service to provision the necessary background resources (such as the Network Watcher resource group).
Enabling via Azure CLI
If you manage your infrastructure as code or prefer the command line, you can enable Network Watcher for a specific region using the following command:
# Enable Network Watcher in the East US region
az network watcher configure --locations eastus --enabled true
Note: Enabling Network Watcher does not incur a direct cost for the service itself. However, the features you use—such as Flow Logs (which store data in a Storage Account) or Connection Monitor (which uses Log Analytics)—will incur costs based on the storage and data ingestion rates. Always check the Azure Pricing Calculator before enabling high-volume logging features.
Deep Dive: Using Connection Monitor
Connection Monitor is the backbone of proactive network health monitoring. It allows you to define a source (like a web server) and a destination (like a database or an external API) and continuously test the connectivity between them.
Configuring a Connection Monitor
To set up a monitor, you must define:
- Test Groups: These contain the source and destination endpoints.
- Test Configurations: These define the protocol (TCP, ICMP, HTTP/S), the port, and the frequency of the tests.
Example: Monitoring an Internal Web Server
Suppose you have a web application on a VM (Web-VM-01) that needs to reach a SQL database (SQL-Server-01). You want to ensure that the port 1433 is always open.
- In the Network Watcher menu, select Connection Monitor.
- Click Create.
- Provide a name, such as
Web-to-SQL-Monitor. - Add a Test Group. Define the source as your
Web-VM-01and the destination as yourSQL-Server-01using its private IP. - Set the Test Configuration to TCP, port 1433, with a frequency of 60 seconds.
- Click Create.
Once the monitor is running, you can view the dashboard to see a timeline of latency and availability. If the connection fails, the monitor will show exactly when the failure occurred and provide details on the path, which helps in identifying if the issue is a sudden NSG change or a routing problem.
Troubleshooting with IP Flow Verify
One of the most common issues in Azure networking is a misconfigured Network Security Group (NSG). You might have added a rule to block traffic, but accidentally blocked your own management access. IP Flow Verify allows you to simulate a packet flow to see if it would be permitted or denied.
Practical Scenario: Validating Access
Imagine you cannot access your web server over port 80, even though you think you opened the port.
- Go to Network Watcher > IP Flow Verify.
- Select the Subscription and the Resource Group containing the VM.
- Select the Virtual Machine and the specific Network Interface.
- Set the Protocol to TCP, Direction to Inbound, and Local Port to 80.
- Enter the Remote IP Address (your client IP) and the Remote Port (any).
- Click Verify.
If the result is "Denied," the tool will tell you the exact name of the NSG rule that caused the block. This is significantly faster than manually inspecting every rule in your NSG, especially when multiple rules are involved.
Warning: Avoid Rule Overlap A common mistake is creating "deny" rules that are too broad. Always remember that Azure processes rules in order of priority. If you have an "Allow" rule with a lower priority (a higher number) than a "Deny" rule, the "Deny" rule will always win. Always use the IP Flow Verify tool after creating new rules to ensure they are behaving as you intend.
Analyzing Traffic with NSG Flow Logs
While IP Flow Verify is for "point-in-time" testing, NSG Flow Logs provide a historical record of all traffic entering and leaving your subnets. This is critical for security investigations. If a breach is suspected, you need to know which IP addresses were communicating with your resources.
Configuring Flow Logs
- Navigate to Network Watcher > NSG Flow Logs.
- Click Create.
- Select the Network Security Group you want to monitor.
- Select a Storage Account where the logs will be archived.
- Enable Traffic Analytics. This is a crucial step because it processes the raw logs into a readable format using Log Analytics.
Why Traffic Analytics Matters
Raw flow logs are difficult to read—they are essentially JSON files filled with IP addresses, ports, and metadata. Traffic Analytics transforms this data into visual reports. You can see:
- Which countries are accessing your services.
- Which VMs are generating the most traffic.
- Malicious traffic patterns (e.g., a single IP address attempting to connect to thousands of ports).
Callout: Best Practices for Flow Logs Always retain your flow logs in a storage account with a lifecycle policy. You do not need to keep every log forever. A common industry standard is to keep them for 30 to 90 days for incident investigation purposes, then move them to "Cool" or "Archive" storage tiers to save costs.
Visualizing Network Topology
Topology is a feature that creates a visual map of your network. It displays your virtual networks, subnets, route tables, application gateways, and connections between them.
Why Use Topology?
When you inherit an environment from another team, documentation is often outdated or non-existent. Topology is a "source of truth" that is generated directly from your Azure configuration. It helps you identify:
- Dead Resources: Resources that are no longer attached to anything but are still incurring costs.
- Routing Bottlenecks: Seeing how traffic must traverse through a firewall or a VPN gateway.
- Unexpected Dependencies: Discovering that a VM is connected to a specific subnet you didn't know it was using.
To use this, simply go to Network Watcher > Topology, select your Virtual Network, and click View Topology. It will generate a dynamic map that you can interact with to see the status of each component.
Best Practices and Industry Standards
To get the most out of Network Watcher, follow these established industry practices:
- Standardize Naming Conventions: Ensure that your NSGs and VMs are clearly named. When you are looking at a list of 500 flow logs, having a clear naming convention makes it much easier to filter for the right resource.
- Enable Diagnostic Settings: Beyond Network Watcher, ensure that you have diagnostic settings enabled for all network resources to push logs to a central Log Analytics workspace. This creates a unified view of your infrastructure.
- Automate with Infrastructure as Code (IaC): Use Terraform or Bicep to enable Network Watcher and configure Connection Monitors. This ensures that every new environment you deploy has monitoring enabled from day one.
- Regularly Review Alerts: Connection Monitor allows you to set up alerts. Do not create alerts that you ignore. If a monitor is "flapping" (going up and down), investigate the root cause rather than simply silencing the alert.
- Use Traffic Analytics for Security: Use the findings from Traffic Analytics to refine your NSG rules. If you see a specific IP range consistently hitting your ports with invalid requests, block that entire range at the NSG level.
Comparison Table: Network Watcher Features
| Feature | Best For | Frequency |
|---|---|---|
| Connection Monitor | Checking uptime and latency | Ongoing / Proactive |
| IP Flow Verify | Debugging blocked connections | Ad-hoc / Reactive |
| Next Hop | Debugging routing issues | Ad-hoc / Reactive |
| NSG Flow Logs | Security audits and traffic patterns | Ongoing / Historical |
| Topology | Visualizing architecture | Ad-hoc / Planning |
Common Pitfalls and How to Avoid Them
Even with a powerful tool like Network Watcher, administrators often fall into common traps. Here is how to navigate the most frequent challenges:
1. Forgetting to Enable in Every Region
Network Watcher is a regional service. If you have production resources in West Europe and East US, you must enable it in both. A common mistake is to enable it in the primary region and then forget about the secondary region, leaving you blind when an issue occurs in the secondary site.
2. Misinterpreting "Allowed" Traffic
Just because IP Flow Verify says "Allowed" does not mean the application is working. It only means the NSG allows the traffic. The application might be down, the port might not be listening, or there might be an OS-level firewall (like iptables or Windows Firewall) blocking the traffic. Always check the OS firewall if Network Watcher reports that the traffic is allowed.
3. Ignoring Cost Management
Flow logs can generate a significant amount of data, especially in high-traffic environments. If you enable flow logs on every single NSG without a plan, your storage costs will climb quickly. Audit your NSGs and only enable flow logs on those that are critical to your security or compliance requirements.
4. Over-complicating Connection Monitors
Creating a monitor for every single possible connection in your network will create noise. Focus on "critical paths"—the connections that, if broken, would cause a business impact (e.g., Frontend to Backend, App to Database, On-premises VPN to Cloud).
Advanced Troubleshooting: Packet Capture
When standard tools fail, Packet Capture is the final resort. It allows you to record the actual TCP/IP traffic on a network interface and save the results as a .cap file. You can then download this file and open it in tools like Wireshark.
How to Initiate a Packet Capture
- Go to Network Watcher > Packet Capture.
- Click Add.
- Select the target VM.
- Specify the storage account to save the capture.
- Define filters (e.g., only capture traffic on port 80 or from a specific IP).
- Click Start.
Warning: Performance Impact Packet capture is resource-intensive. Running a long-duration packet capture on a busy production server can impact its performance and fill up your storage account rapidly. Only run captures for as long as necessary to reproduce the issue, and always remember to stop the capture when you are finished.
Integrating Network Watcher with Azure Monitor Alerts
The true power of Network Watcher is realized when it is integrated with the broader Azure Monitor ecosystem. By setting up alerts, you can be notified via email, SMS, or webhook when a connection monitor fails or when a specific traffic pattern is detected.
Creating an Alert
- In the Connection Monitor dashboard, select your monitor.
- Click on the Alerts tab.
- Select Create Alert.
- Define the condition (e.g., "If packet loss is greater than 10% for 5 minutes").
- Assign an Action Group to define who gets notified and how.
This allows you to move from a reactive posture—where you check the portal after a user complains—to a proactive posture, where you are alerted to the issue before the users even notice.
Summary and Key Takeaways
Configuring and mastering Network Watcher is a foundational aspect of maintaining a reliable Azure environment. It provides the visibility required to diagnose complex issues and the data needed to secure your infrastructure.
Key Takeaways:
- Regional Deployment: Always ensure Network Watcher is enabled in all regions where you host resources. It is the prerequisite for all other diagnostic tools.
- Proactive Monitoring: Utilize Connection Monitor to keep a constant eye on critical network paths. This is your first line of defense against silent failures.
- Diagnostic Precision: Use IP Flow Verify and Next Hop as your primary tools for troubleshooting connectivity issues. They remove the guesswork from NSG rules and routing tables.
- Security Insight: Implement NSG Flow Logs and Traffic Analytics to maintain a record of network activity. This data is essential for security auditing and understanding how your applications communicate.
- Cost Awareness: Monitor the storage and ingestion costs associated with flow logs. Use lifecycle policies to manage data retention effectively.
- Performance Caution: Use Packet Capture sparingly and only for deep-dive investigations, as it can impact resource performance and generate large amounts of data.
- Integrated Alerts: Leverage Azure Monitor alerts to ensure that you are notified of issues in real-time, allowing for rapid response and minimal downtime.
By incorporating these tools into your daily operations, you transform your network from a "black box" into a transparent and observable component of your cloud architecture. Whether you are debugging a failed database connection or auditing traffic for security compliance, Network Watcher provides the insights necessary to keep your services running smoothly.
Frequently Asked Questions (FAQ)
Q: Is Network Watcher free to use? A: The service itself is enabled at no cost. However, you pay for the resources it consumes, such as storage for flow logs, data ingestion for Log Analytics, and the execution of connection monitors.
Q: Can I use Network Watcher to monitor resources in other subscriptions? A: Network Watcher is a regional service tied to a specific subscription. To monitor resources across different subscriptions, you will need to enable it in each subscription and potentially use a central Log Analytics workspace to aggregate the data.
Q: Why don't I see my VM in the Packet Capture list? A: Ensure that the Network Watcher Agent extension is installed on the VM. In many cases, the extension is installed automatically when you trigger a capture, but if the VM is restricted by NSG rules from reaching the Azure management endpoints, the extension may fail to install.
Q: What is the difference between NSG Flow Logs and Virtual Network Flow Logs? A: NSG Flow Logs are tied to the Network Security Group, while Virtual Network Flow Logs are tied to the Virtual Network itself. NSG Flow Logs are generally more granular and are the standard for most security and troubleshooting scenarios.
Q: How long should I keep my flow logs? A: This depends on your organizational compliance requirements. Many companies keep logs for 30 days for immediate troubleshooting and archive them for 1 year or more to satisfy regulatory audit requirements. Always consult your security team for the exact retention policy.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons