Monitoring with Network Watcher
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Monitoring Virtual Networks with Network Watcher
Introduction: Why Network Observability Matters
In the modern era of cloud computing, infrastructure has shifted from static, physical hardware to dynamic, software-defined virtual environments. While this agility allows for rapid scaling and global deployment, it introduces a significant challenge: visibility. In a traditional on-premises data center, you could physically trace a cable or plug in a packet analyzer to troubleshoot connectivity issues. In a virtual network, the infrastructure is abstracted away, making it difficult to understand how traffic flows between virtual machines, load balancers, and gateways.
Network Watcher serves as the primary diagnostic and monitoring service for cloud environments. It provides the tools necessary to monitor, diagnose, view metrics, and enable or disable logs for resources in a virtual network. Without these tools, security teams are essentially operating in the dark. If a database server suddenly stops accepting connections from an application server, you need to know immediately if the issue is a misconfigured Network Security Group (NSG) rule, a route table error, or an underlying platform issue.
By mastering Network Watcher, you transition from reactive troubleshooting—where you spend hours guessing why a connection failed—to proactive network management. This lesson explores the various components of Network Watcher, how to implement them, and how to use them to secure and optimize your virtual network architecture.
Understanding the Core Components of Network Watcher
Network Watcher is not a single tool, but a suite of utilities designed to address different aspects of network health and security. To effectively manage a virtual network, you must understand the specific utility required for each scenario. These utilities are generally categorized into three buckets: monitoring, diagnostics, and logging.
Monitoring Utilities
Monitoring tools provide a continuous stream of data regarding the state of your network. These tools help you understand the health of your network over time and alert you when performance or availability drops below a defined threshold.
- Connection Monitor: This is perhaps the most critical tool for day-to-day operations. It allows you to monitor connectivity between two endpoints (e.g., a virtual machine and a SQL database) at regular intervals. It tracks latency, packet loss, and configuration changes, providing a comprehensive view of the end-to-end network path.
- Network Performance Monitor: While often used for hybrid scenarios, this tool provides real-time insights into the performance of network links between your on-premises locations and your cloud virtual networks. It is essential for identifying bottlenecks in transit.
Diagnostic Utilities
Diagnostic tools are "on-demand" utilities. You invoke them when you suspect a problem, and they return immediate results based on the current state of the network.
- IP Flow Verify: This tool checks if a packet is allowed or denied to or from a virtual machine based on your NSG security rules. It is the first place you should look when troubleshooting blocked traffic.
- Next Hop: If you have complex routing—such as forced tunneling or virtual network appliances—Next Hop tells you exactly where a packet is going. It identifies the specific interface or gateway the packet will traverse to reach its destination.
- VPN Troubleshoot: This utility diagnoses issues with Virtual Network Gateways and connections, providing health checks and detailed error messages that go beyond simple "up/down" status.
Logging Utilities
Logging is the backbone of security auditing and incident response. It captures the raw data of network interactions for later analysis.
- NSG Flow Logs: These logs capture information about IP traffic flowing through a Network Security Group. They include source and destination IP addresses, ports, protocols, and whether the traffic was allowed or denied.
- Packet Capture: This is the most granular tool available. It allows you to trigger a capture of actual network traffic packets on a virtual machine. This is typically used for deep-packet inspection when other diagnostic tools fail to identify the root cause of a complex application issue.
Callout: Monitoring vs. Diagnostics It is important to distinguish between these two approaches. Monitoring is a continuous process that alerts you to changes or issues before they impact the end user. Diagnostics are reactive; you use them to investigate a specific event or failure. A mature network strategy requires both: monitoring to maintain uptime, and diagnostics to resolve incidents quickly.
Implementing NSG Flow Logs for Security Auditing
Security auditing is a non-negotiable requirement for compliant infrastructure. NSG Flow Logs allow you to record every attempt to access your network resources. By default, NSG flow logs are not enabled; you must explicitly configure them for each Network Security Group you wish to monitor.
Step-by-Step: Enabling NSG Flow Logs
- Create a Storage Account: Flow logs require a storage account to archive the data. It is best practice to keep this storage account in the same region as the virtual network to minimize latency and costs.
- Enable the Network Watcher Resource Provider: Ensure the
Microsoft.Networkprovider is registered in your subscription. - Configure the Flow Log: Navigate to the Network Watcher service, select "NSG Flow Logs," and choose the specific NSG you want to monitor.
- Retention Policy: Define how long the logs should be stored. For compliance reasons, many organizations store these for at least 90 days.
- Traffic Analytics: Enable Traffic Analytics to process the raw flow log data. This transforms the JSON-based logs into a visual dashboard that displays top talkers, malicious traffic patterns, and geographic distribution of traffic.
Note: Enabling Traffic Analytics incurs additional costs. However, the value provided by the dashboard—which visualizes your security posture—often outweighs the expense of manual log parsing.
Code Example: Enabling Flow Logs via CLI
You can automate the deployment of flow logs using the Command Line Interface (CLI). This ensures consistency across all your environments.
# Define your variables
NSG_NAME="my-security-group"
RG_NAME="my-resource-group"
STORAGE_ID="/subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{account-name}"
WS_ID="/subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{workspace-name}"
# Enable the flow log
az network watcher flow-log create \
--name MyFlowLog \
--resource-group NetworkWatcherRG \
--nsg $NSG_NAME \
--storage-account $STORAGE_ID \
--workspace $WS_ID \
--interval 10 \
--enabled true
In the example above, the --interval parameter defines how often the logs are processed (10 minutes is the standard). The --workspace parameter links the logs to a Log Analytics workspace, which is required for advanced querying and visualization.
Troubleshooting Connectivity with IP Flow Verify
One of the most common sources of frustration in virtual networking is the "silent drop." You attempt to connect to a service, the request times out, and you are left wondering if the firewall blocked it or if the application is down. IP Flow Verify removes the guesswork.
Using IP Flow Verify
When you run IP Flow Verify, you provide the following parameters:
- Source IP and Port: The origin of the connection.
- Destination IP and Port: The target service.
- Protocol: TCP or UDP.
- Direction: Inbound or outbound.
The tool then simulates the packet flow through your NSG rules. It will explicitly tell you if the traffic is allowed or denied. If it is denied, it identifies the specific rule name that caused the block. This allows you to fix the configuration in seconds rather than digging through complex rule sets.
Common Pitfalls in Network Security Groups
Many engineers create "Security Groups" that are overly permissive because they fear breaking applications. However, this creates a massive security risk. Instead of using Allow Any/Any rules, follow these practices:
- Principle of Least Privilege: Only open the specific ports required by the application.
- Use Application Security Groups (ASGs): Instead of managing IP addresses, group your virtual machines into ASGs (e.g., "WebServers," "DBServers") and write rules based on these groups.
- Prioritize Rules: NSGs process rules by priority number (lowest number first). Ensure that your most specific "Deny" rules are at the top, and your "Allow" rules are appropriately scoped.
Advanced Diagnostics: Using Packet Capture
When standard diagnostics like IP Flow Verify indicate that traffic is permitted, but the application still fails, you may need to look at the traffic itself. Packet Capture is a powerful tool that allows you to record the actual TCP/IP traffic entering or leaving a network interface.
When to use Packet Capture
- Protocol Mismatches: If an application expects a specific handshake that is being malformed by a load balancer.
- Intermittent Failures: When a connection works 99% of the time, capturing packets over a period can reveal the 1% of packets that are being dropped or reset.
- Security Investigations: If you suspect a compromised VM is communicating with a known malicious C2 (Command and Control) server, packet captures provide the forensic evidence needed to confirm the activity.
Best Practices for Packet Capture
- Limit the Duration: Packet capture files (PCAP) grow very large, very quickly. Always set a time limit or a maximum file size for your captures.
- Filter Traffic: If possible, apply filters to capture only relevant traffic. Capturing everything on a busy server will result in unreadable logs and storage exhaustion.
- Secure the Storage: PCAP files contain sensitive data, potentially including unencrypted credentials or payload information. Ensure the storage account where these files are saved has strict access control policies.
Warning: Never leave a Packet Capture running in a production environment indefinitely. Not only does this consume excessive storage, but it also introduces a significant performance overhead on the virtual machine's network interface.
Comparing Diagnostic Tools: A Quick Reference
When a network issue occurs, choosing the right tool is essential for a quick resolution. Use the table below to decide which utility fits your current requirement.
| Utility | Best Used For | Primary Output |
|---|---|---|
| IP Flow Verify | Verifying NSG rule configuration | Allowed/Denied status + Rule Name |
| Next Hop | Identifying routing path issues | Next hop IP and route table source |
| VPN Troubleshoot | Diagnosing gateway connectivity | Health status and detailed error logs |
| Packet Capture | Deep-dive forensic analysis | PCAP file for Wireshark analysis |
| Connection Monitor | Proactive health monitoring | Latency, jitter, and packet loss stats |
Monitoring with Connection Monitor
Connection Monitor is the most robust way to ensure that your services remain reachable. It moves beyond simple "ping" tests by providing multi-protocol support (TCP, HTTP, HTTPS, ICMP) and testing from multiple geographic locations simultaneously.
Configuring a Connection Monitor
To set up a monitor, you define a Test Group. A test group consists of:
- Sources: The virtual machines or on-premises agents that will initiate the connection.
- Destinations: The endpoints you are testing (e.g., an internal load balancer or an external API).
- Configurations: The frequency of the test, the protocol, and the port.
Once configured, the monitor creates a dashboard that visualizes the "Path" between the source and destination. If a hop in that path fails, the monitor highlights exactly which segment of the network is causing the degradation.
Integration with Alerts
The power of Connection Monitor is its integration with alerting systems. You can set up thresholds for latency or packet loss. For example, if the latency between your web tier and database tier exceeds 50 milliseconds, you can trigger an automatic email or SMS notification to the site reliability engineering team. This allows you to resolve performance issues before they result in a full-blown outage.
Best Practices for Secure Virtual Networking
Maintaining a secure virtual network is an ongoing process. Relying solely on the tools provided by Network Watcher is not enough; you must pair these tools with a sound architectural strategy.
1. Centralize Logging
Do not store logs within the resource group of the application. Instead, use a centralized Log Analytics workspace or a dedicated security storage account. This prevents an attacker who gains access to a specific application from deleting the logs that prove their malicious activity.
2. Automate Remediation
Manual monitoring is prone to human error. Use automation tools to respond to Network Watcher alerts. For example, if a "Deny" flow log shows a suspicious IP address attempting to brute-force a login, you can trigger a function that automatically updates an NSG rule to block that IP address globally.
3. Regular Audits
Perform a "Network Health Check" at least once a quarter. Use the "Next Hop" and "IP Flow Verify" tools to audit your critical pathways. Ensure that the routes and security rules you configured six months ago still align with your current infrastructure.
4. Use Network Watcher for Compliance
If your organization is subject to regulatory frameworks like PCI-DSS or HIPAA, you are required to keep audit trails of network access. NSG Flow Logs provide the necessary documentation to satisfy auditors that your network is segmented and that access is being controlled according to policy.
Common Pitfalls and How to Avoid Them
Even experienced cloud engineers fall into common traps when monitoring virtual networks. Here are a few to watch out for:
Over-reliance on "Allow All"
It is common to start a project by opening all ports to ensure the application works, with the intention of "tightening it up later." In reality, "later" rarely comes. Always define your NSG rules strictly from the start, or use a "deny-by-default" approach and add rules only as you verify the traffic flow.
Ignoring the "Next Hop"
Many troubleshooters assume that a packet is blocked by an NSG when, in reality, it is being routed to the wrong place. If your virtual network has custom route tables, always check the "Next Hop" tool before you start modifying security groups. Routing errors are often mistaken for firewall issues.
Misinterpreting Latency
Connection Monitor might report high latency, but that does not always mean your network is congested. High latency can be caused by the application itself taking too long to process a request. Always use the "TCP" protocol in your monitor settings to isolate network latency from application-level response time.
Forgetting About Global VNET Peering
When you connect virtual networks together, the traffic flows across the backbone. Security rules are still enforced at the individual VNET level. A common mistake is to secure the source VNET but forget that the traffic must also be permitted by the destination VNET's security groups. Always verify the rules on both sides of a peering connection.
Mini-FAQ: Common Questions
Q: Does Network Watcher cost money? A: Yes, Network Watcher is a pay-as-you-go service. You are charged based on the amount of data processed by flow logs and the number of tests configured in Connection Monitor. Always check the current pricing page to estimate your monthly costs.
Q: Can I use Network Watcher to monitor resources in other clouds? A: Network Watcher is specific to the cloud platform it is hosted on. However, you can install agents on on-premises machines or virtual machines in other clouds to report back to your central monitoring workspace, allowing for a unified view of your hybrid network.
Q: How long should I keep my flow logs? A: This depends on your regulatory requirements. Most businesses choose to keep them for 30, 60, or 90 days in "hot" storage, and then move them to "cold" or "archive" storage for long-term compliance.
Q: Is Packet Capture safe for production? A: It is safe, but it can impact performance if left running. Use it sparingly and always filter the traffic to minimize the impact on the virtual machine's CPU and network interface.
Key Takeaways
- Observability is Essential: In virtual environments, you cannot rely on physical access to troubleshoot. Network Watcher provides the necessary visibility into the "black box" of your virtual network.
- Diagnostics vs. Monitoring: Use continuous monitoring (Connection Monitor) for uptime and performance, and on-demand diagnostics (IP Flow Verify, Next Hop) for rapid incident response.
- Logs are Evidence: NSG Flow Logs are the foundation of security auditing. Ensure they are enabled, centralized, and integrated with a dashboard like Traffic Analytics to make the data actionable.
- Avoid Rule Bloat: Use Application Security Groups (ASGs) to simplify rule management and avoid the security risks associated with overly permissive "Allow All" rules.
- Forensics Matter: When traditional methods fail, Packet Capture provides the granular data needed to solve complex application issues or conduct security investigations.
- Automation is Key: Do not rely on manual checks. Automate the response to network alerts to ensure that your security posture remains strong even when your team is not actively watching the console.
- Routine Audits: A network is a living thing. Regularly audit your routes, security groups, and monitoring configurations to ensure they still meet your business and security requirements.
By implementing these practices, you transform your network from a complex, opaque infrastructure into a transparent, secure, and manageable asset. Remember that the goal is not just to collect data, but to use that data to make informed decisions about your network’s health and security. As you continue your journey in cloud networking, make Network Watcher your first stop whenever a connection fails or an audit requirement arises.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons