Azure

Network Watcher

Overview

Azure Network Watcher provides monitoring and diagnostic capabilities for Azure networking resources. It helps you gain insight into your network topology, capture traffic, and troubleshoot connectivity issues.

Key capabilities include:

  • Topology visualization
  • Connection Monitor
  • Packet capture
  • IP flow verification
  • Network security group (NSG) diagnostics

Features

Network Topology

Visualize how your resources are interconnected across virtual networks, subnets, and gateways.

Connection Monitor

Continuously monitor connectivity between two endpoints and receive alerts on failures.

Packet Capture

Capture and analyze network traffic on Virtual Machines, Application Gateways, and Load Balancers.

IP Flow Verify

Check whether traffic is allowed or denied by a Network Security Group (NSG) rule.
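
To show what an IP flow verify verdict expresses, the following added example (not part of the original page, and not Azure's implementation) models inbound NSG evaluation in Python: rules are checked in ascending priority order and the first match decides the result. The `Rule` fields are a simplified subset of a real NSG rule, and the rule names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR prefix or "*" (service tags are not modelled)
    dest_ports: str  # "*", a single port such as "443", or a range "8000-8100"

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _addr_match(prefix, ip):
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def verify_inbound(rules, protocol, remote_ip, local_port):
    """Return (access, rule_name) for the first inbound rule that matches."""
    inbound = (r for r in rules if r.direction == "Inbound")
    for r in sorted(inbound, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and _addr_match(r.source, remote_ip)
                and _port_match(r.dest_ports, local_port)):
            return r.access, r.name
    return "Deny", "no-matching-rule"

# Constructed NSG: three custom rules plus the default DenyAllInBound rule.
# The default Allow rules that use service tags are left out of this model.
SAMPLE_NSG = [
    Rule("allow-https-any", 300, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("deny-ssh-any", 200, "Inbound", "Deny", "Tcp", "*", "22"),
    Rule("allow-ssh-admin", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

if __name__ == "__main__":
    flows = [("203.0.113.7", 22), ("198.51.100.9", 22),
             ("198.51.100.9", 443), ("198.51.100.9", 3389)]
    for ip, port in flows:
        print(ip, port, verify_inbound(SAMPLE_NSG, "Tcp", ip, port))
```

The SSH case shows why the returned rule name matters: the same port is allowed from the admin prefix and denied from everywhere else, and only the rule name tells you which entry to review.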

Security Group View

Inspect NSG rules and see their impact on inbound/outbound traffic.

Getting Started

Enable Network Watcher in the region where your resources reside.

az network watcher configure --resource-group MyResourceGroup --locations westus2 --enabled true

Once enabled, you can start using the various tools from the Azure portal, CLI, or PowerShell.

Azure CLI

Capture Traffic

# Create a packet capture; the Network Watcher in the VM's region is used,
# and the capture name is passed with --name
az network watcher packet-capture create \
  --resource-group MyResourceGroup \
  --vm myVM \
  --storage-account MyStorageAccount \
  --name MyCapture

# List captures in a region
az network watcher packet-capture list --location westus2

PowerShell

Run Connection Monitor

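# Start a connection monitor
# Look up the source VM so that $vm.Id is defined
$vm = Get-AzVM -ResourceGroupName "MyResourceGroup" -Name "myVM"
# Select a single Network Watcher by name
$watcher = Get-AzNetworkWatcher -ResourceGroupName "MyResourceGroup" -Name "MyNetworkWatcher"
New-AzNetworkWatcherConnectionMonitor -NetworkWatcher $watcher -Name "MyMonitor" -SourceResourceId $vm.Id -DestinationAddress "8.8.8.8" -DestinationPort 53

# Get monitor status
Get-AzNetworkWatcherConnectionMonitor -NetworkWatcher $watcher -Name "MyMonitor"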

REST API

Use the Network Watcher REST endpoints to integrate monitoring into your applications.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}/connectionMonitors?api-version=2024-01-01

Troubleshooting

If you encounter issues, verify that Network Watcher is enabled in the correct region and that you have sufficient permissions (Network Contributor or higher).

  • Check the status of your packet capture jobs.
  • Review the logs in Azure Monitor for any errors.
  • Ensure your VM has the Azure diagnostics extension installed for packet capture.