Azure Docs

Network Watcher – Capabilities

Network Watcher provides a suite of monitoring and diagnostic tools for Azure networking resources. Below is an overview of the core capabilities you can leverage to gain insights, troubleshoot issues, and ensure the health of your virtual network infrastructure.

1. Topology

Visualize the relationship between network resources across a virtual network.

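# The subcommand is show-topology; it returns the resources in the group and how they are associated.
az network watcher show-topology --resource-group MyResourceGroup \
    --location eastus --output json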

2. Connection Monitor

Continuously monitor connectivity between two endpoints.

az network watcher connection-monitor create \
    --name MyConnectionMonitor \
    --resource-group MyResourceGroup \
    --location eastus \
    --source-resource MyVM \
    --dest-address 10.0.0.4 \
    --dest-port 80

3. Packet Capture

Capture network traffic for an Azure VM or network interface.

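# --name identifies the capture session; the Network Watcher is resolved from the VM's region.
# --file-path is a path on the target VM (on Linux it must start with /var/captures).
az network watcher packet-capture create \
    --resource-group MyResourceGroup \
    --name MyPacketCapture \
    --vm MyVM \
    --storage-account MyStorage \
    --file-path /var/captures/capture.pcap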

4. IP Flow Verify

Validate whether traffic from a source to a destination is allowed or denied.

# The CLI subcommand for IP Flow Verify is test-ip-flow; endpoints are given as IP:port.
az network watcher test-ip-flow \
    --resource-group MyResourceGroup \
    --vm MyVM \
    --direction Outbound \
    --protocol TCP \
    --local 10.0.0.5:80 \
    --remote 10.0.0.6:443

5. Security Group View

Inspect effective security rules applied to a network interface.

# The command takes the VM and reports the rules for each of its network interfaces.
az network watcher show-security-group-view \
    --resource-group MyResourceGroup \
    --vm MyVM
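
The following Python script is an added example, not part of the original page or of Azure's documentation: it reads Security Group View JSON and reports management ports that the first matching any-source inbound rule allows, since NSG rules are evaluated in priority order (lowest number first). The sample data is constructed, and the field names and the `exposed_mgmt_ports` helper are assumptions to check against your own CLI output.

```python
import json
# Constructed sample shaped like `show-security-group-view --output json`.
# Field names are assumptions; compare them with your own CLI output.
SAMPLE = json.loads("""
{"networkInterfaces": [{"id": "nic-a", "securityRuleAssociations": {
 "effectiveSecurityRules": [
  {"name": "allow-ssh-corp", "priority": 90, "access": "Allow", "direction": "Inbound",
   "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"},
  {"name": "allow-ssh-any", "priority": 100, "access": "Allow", "direction": "Inbound",
   "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22-22"},
  {"name": "deny-rdp-any", "priority": 200, "access": "Deny", "direction": "Inbound",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
  {"name": "allow-app-range", "priority": 300, "access": "Allow", "direction": "Inbound",
   "protocol": "All", "sourceAddressPrefix": "Internet", "destinationPortRange": "3000-4000"},
  {"name": "allow-out", "priority": 100, "access": "Allow", "direction": "Outbound",
   "protocol": "All", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
 ]}}]}
""")

ANY_SOURCE = {"*", "0.0.0.0/0", "internet", "any"}
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def port_in_range(port, spec):
    """True if port is covered by '*', 'N' or 'N-M'; an empty spec covers nothing."""
    spec = spec.strip()
    if spec in ("", "*"):
        return spec == "*"
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def exposed_mgmt_ports(view):
    """Return (nic_id, service, rule_name) where an any-source rule allows a management port."""
    findings = []
    for nic in view.get("networkInterfaces", []):
        rules = nic.get("securityRuleAssociations", {}).get("effectiveSecurityRules", [])
        # Only any-source inbound TCP rules decide what an arbitrary remote host can reach.
        candidates = sorted(
            (r for r in rules if r.get("direction", "").lower() == "inbound"
             and r.get("protocol", "").lower() in ("tcp", "all", "*")
             and r.get("sourceAddressPrefix", "").lower() in ANY_SOURCE),
            key=lambda r: r.get("priority", 65535))
        for port, service in MGMT_PORTS.items():
            # First match wins: an earlier Deny hides a later, broader Allow.
            first = next((r for r in candidates
                          if port_in_range(port, r.get("destinationPortRange", ""))), None)
            if first and first.get("access", "").lower() == "allow":
                findings.append((nic.get("id"), service, first["name"]))
    return findings
```

Treat each finding as a candidate to confirm with IP Flow Verify against the specific VM before changing rules.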

6. Next Hop

Determine the next hop for a packet from a specific VM.

# The subcommand is show-next-hop; --vm accepts the VM name or its full resource ID.
az network watcher show-next-hop \
    --resource-group MyResourceGroup \
    --vm MyVM \
    --source-ip 10.0.0.4 \
    --dest-ip 8.8.8.8

7. VPN Diagnostics

Diagnose VPN tunnel connectivity and health.

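# VPN diagnostics run through the troubleshooting subcommand, which writes its logs to a storage container.
# The storage path below is a placeholder; substitute your own account and container.
az network watcher troubleshooting start \
    --resource-group MyResourceGroup \
    --resource MyVpnGateway \
    --resource-type vnetGateway \
    --storage-account MyStorage \
    --storage-path "https://<storage-account>.blob.core.windows.net/<container>"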

8. Effective Routes

View the routes that are effective for a particular VM.

# Effective routes are reported per network interface, so query the VM's NIC.
az network nic show-effective-route-table \
    --resource-group MyResourceGroup \
    --name MyNic

For detailed examples and API references, see the Network Watcher Reference page.