Azure Network Watcher Configuration

Comprehensive guide to configuring and managing Azure Network Watcher for network monitoring and diagnostics.

Configuring Network Watcher

This document provides detailed instructions on how to enable, configure, and manage Azure Network Watcher resources within your Azure environment. Network Watcher is a regional service that enables you to monitor and diagnose networking issues at a network level in Azure.

Enabling Network Watcher

Network Watcher is enabled on a per-region basis. You can enable Network Watcher through the Azure portal, Azure CLI, or Azure PowerShell.

Using the Azure Portal:

  1. Navigate to the Network Watcher service in the Azure portal.
  2. Select the desired region from the list. If Network Watcher is not enabled for that region, you will see an option to enable it.
  3. Click Enable.

Using Azure CLI:

az network watcher configure --resource-group <resource-group-name> --locations <region> --enabled true

Using Azure PowerShell:

New-AzNetworkWatcher -Name "<network-watcher-name>" -ResourceGroupName "<resource-group-name>" -Location "<region>"

Configuring Network Security Group (NSG) Flow Logs

NSG Flow Logs allow you to record information about the IP traffic flowing through your Network Security Groups. This data can be used for security analysis, network traffic analysis, or troubleshooting.

Steps to Configure NSG Flow Logs:

  • Enable NSG Flow Logs: Within Network Watcher, navigate to NSG flow logs.
  • Select NSG: Choose the Network Security Group you wish to monitor.
  • Configure Settings:
    • Flow Logs Status: Set to On.
    • Retention (days): Specify how long you want to retain the flow log data (1 to 365 days).
    • Storage Account: Select or create a storage account where the flow logs will be stored.
    • Version: Choose the version of the flow log schema (currently v2 is recommended).
  • Save: Click Save to apply the configuration.

Important: Ensure the storage account has appropriate network access configured to receive logs. For production environments, consider using a dedicated storage account.
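Once flow logs land in the storage account they are JSON blobs, and the security value comes from reading them. The following is an added example (not code from the page or from Microsoft) that flattens a flow log blob in the v2 layout into rows and summarises denied inbound flows per destination port and per source IP, plus bytes transferred per NSG rule. The blob, the NSG name WEB-NSG and the IP addresses are constructed for the example; the parser also accepts the shorter v1 tuple layout (8 fields, no flow state or byte counters), which goes beyond the v2-only setting the text recommends.

```python
import json
from collections import Counter
from typing import List, NamedTuple

# Constructed NSG flow log blob in the v2 layout (not data from the page;
# subscription id is a placeholder, IPs are documentation ranges).
SAMPLE_BLOB = json.dumps({
    "records": [{
        "time": "2023-11-14T22:13:20.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/<subscription-id>/RESOURCEGROUPS/WEB-RG"
                      "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     "1700000000,203.0.113.5,10.0.0.4,51234,3389,T,I,D,B,,,,",
                     "1700000001,203.0.113.5,10.0.0.4,51235,22,T,I,D,B,,,,",
                     "1700000002,198.51.100.9,10.0.0.4,40000,3389,T,I,D,B,,,,"]}]},
                {"rule": "UserRule_AllowHTTPSInBound",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     "1700000003,198.51.100.20,10.0.0.4,44321,443,T,I,A,B,,,,",
                     "1700000063,198.51.100.20,10.0.0.4,44321,443,T,I,A,E,12,3400,10,9800"]}]},
            ],
        },
    }]
})


class FlowTuple(NamedTuple):
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str       # "T" = TCP, "U" = UDP
    direction: str      # "I" = inbound, "O" = outbound
    decision: str       # "A" = allowed, "D" = denied
    flow_state: str     # v2 only: "B" begin, "C" continuing, "E" end
    packets_src_to_dst: int
    bytes_src_to_dst: int
    packets_dst_to_src: int
    bytes_dst_to_src: int
    rule: str           # NSG rule that matched the flow
    nsg_id: str         # NSG name taken from the record's resourceId


def _to_int(field: str) -> int:
    # "B" (begin) tuples carry empty counter fields; treat them as zero.
    return int(field) if field else 0


def parse_flow_log(blob: str) -> List[FlowTuple]:
    """Flatten records -> rules -> flows -> flowTuples into FlowTuple rows."""
    rows: List[FlowTuple] = []
    for record in json.loads(blob)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_entry in record["properties"]["flows"]:
            rule = rule_entry["rule"]
            for flow in rule_entry["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    if len(f) == 8:                 # v1 layout: pad state/counters
                        f += ["", "", "", "", ""]
                    if len(f) != 13:
                        raise ValueError(f"unexpected tuple layout: {tup!r}")
                    rows.append(FlowTuple(
                        int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                        f[5], f[6], f[7], f[8],
                        _to_int(f[9]), _to_int(f[10]), _to_int(f[11]), _to_int(f[12]),
                        rule, nsg))
    return rows


def denied_inbound_summary(rows: List[FlowTuple]) -> dict:
    """Count denied inbound flows by destination port and by source IP."""
    denied = [r for r in rows if r.direction == "I" and r.decision == "D"]
    return {
        "total": len(denied),
        "by_dst_port": Counter(r.dst_port for r in denied),
        "by_src_ip": Counter(r.src_ip for r in denied),
    }


def bytes_by_rule(rows: List[FlowTuple]) -> Counter:
    """Sum bytes in both directions per rule (only C/E tuples carry counters)."""
    totals: Counter = Counter()
    for r in rows:
        totals[r.rule] += r.bytes_src_to_dst + r.bytes_dst_to_src
    return totals


if __name__ == "__main__":
    rows = parse_flow_log(SAMPLE_BLOB)
    summary = denied_inbound_summary(rows)
    print(f"{summary['total']} denied inbound flows on {rows[0].nsg_id}")
    for port, n in summary["by_dst_port"].most_common():
        print(f"  dst port {port}: {n}")
    for rule, total in bytes_by_rule(rows).items():
        print(f"  {rule}: {total} bytes")
```

Run against real blobs, the denied-inbound counters are the quickest way to see which ports are being probed and from where, while the per-rule byte totals show which allow rules actually carry traffic; because begin tuples have no counters, byte totals only become meaningful once the matching C or E tuples arrive in later blobs.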

Configuring Connection Monitor

Connection Monitor is a feature of Network Watcher that allows you to monitor the connectivity between a virtual machine and an endpoint. It provides insights into network latency, packet loss, and reachability.

Creating a Connection Monitor:

  1. In Network Watcher, navigate to Connection monitor.
  2. Click Add.
  3. Name: Provide a descriptive name for your connection monitor.
  4. Subscription & Resource Group: Select the appropriate subscription and resource group.
  5. Location: The location is typically inherited from the Network Watcher resource.
  6. Monitored Items:
    • Endpoints: Add the source and destination endpoints. These can be virtual machines, FQDNs, or IP addresses.
    • Tests: Define the parameters for the test, such as protocol (TCP/HTTP/HTTPS), port, and frequency.
  7. Configure Destination: Specify where the connection monitor results should be sent (e.g., Log Analytics workspace, Event Hubs).
  8. Create: Click Create.

Configuring Packet Capture

Packet capture allows you to capture network traffic to and from an Azure virtual machine. This is invaluable for in-depth network troubleshooting.

Starting a Packet Capture:

  • In Network Watcher, navigate to Packet capture.
  • Click Add.
  • Name: A name for your packet capture session.
  • Subscription & Resource Group: Select appropriate resources.
  • Target: Choose the virtual machine to capture traffic from.
  • Storage location: Select a storage account to store the capture files.
  • Maximum bytes per packet (optional): Limits the size of each packet captured.
  • Maximum kilobytes per session (optional): Limits the total size of the capture file.
  • Filters (optional): Define filters to capture specific traffic based on IP addresses, ports, or protocols.
  • Start: Click Start to begin the capture. You can later stop and download the .cap file.
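The per-packet and per-session limits above decide how much of each packet ends up in the downloaded file, and a capture that silently truncates payloads can mislead an investigation. The following added example (not code from the page or from Microsoft) reads a capture and reports how many packets were cut short by the per-packet limit. It assumes the downloaded .cap file is in the classic libpcap format, which the page does not state explicitly; the sample capture is constructed in the code so it runs offline, with the snaplen standing in for the "Maximum bytes per packet" setting.

```python
import struct
from typing import List, NamedTuple, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic libpcap magic read as little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic when the file is big-endian
LINKTYPE_ETHERNET = 1
# global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR_FMT = "IHHiIII"
# packet header: ts_sec, ts_usec, incl_len (stored bytes), orig_len (wire bytes)
PKT_HDR_FMT = "IIII"


class PacketRecord(NamedTuple):
    ts_sec: int
    ts_usec: int
    incl_len: int   # bytes actually stored in the file
    orig_len: int   # bytes seen on the wire


def build_sample_capture(snaplen: int = 128) -> bytes:
    """Constructed input (assumption): three frames of 64, 1500 and 200 bytes
    written by a capture that honours `snaplen` as a per-packet byte limit."""
    out = bytearray(struct.pack("<" + GLOBAL_HDR_FMT, PCAP_MAGIC_LE, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for i, wire_len in enumerate((64, 1500, 200)):
        stored = min(wire_len, snaplen)
        out += struct.pack("<" + PKT_HDR_FMT, 1700000000 + i, 0, stored, wire_len)
        out += bytes([i]) * stored            # dummy frame bytes
    return bytes(out)


def parse_pcap(data: bytes) -> Tuple[int, List[PacketRecord]]:
    """Return (snaplen, packet records); raises on a malformed or cut-off file."""
    if len(data) < struct.calcsize("<" + GLOBAL_HDR_FMT):
        raise ValueError("file shorter than the pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        order = "<"
    elif magic == PCAP_MAGIC_BE:
        order = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#x})")
    ghdr = struct.Struct(order + GLOBAL_HDR_FMT)
    phdr = struct.Struct(order + PKT_HDR_FMT)
    snaplen = ghdr.unpack_from(data, 0)[5]
    off = ghdr.size
    records: List[PacketRecord] = []
    while off < len(data):
        if off + phdr.size > len(data):
            raise ValueError(f"truncated packet header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = phdr.unpack_from(data, off)
        off += phdr.size
        if off + incl_len > len(data):
            raise ValueError(f"packet body at offset {off} runs past end of file")
        records.append(PacketRecord(ts_sec, ts_usec, incl_len, orig_len))
        off += incl_len
    return snaplen, records


def capture_summary(data: bytes) -> dict:
    """Summarise how much of the traffic the capture actually preserved."""
    snaplen, records = parse_pcap(data)
    truncated = [r for r in records if r.incl_len < r.orig_len]
    return {
        "snaplen": snaplen,
        "packets": len(records),
        "truncated": len(truncated),
        "bytes_on_wire": sum(r.orig_len for r in records),
        "bytes_captured": sum(r.incl_len for r in records),
    }


if __name__ == "__main__":
    s = capture_summary(build_sample_capture(128))
    print(f"snaplen={s['snaplen']}: {s['packets']} packets, "
          f"{s['truncated']} truncated, "
          f"{s['bytes_captured']}/{s['bytes_on_wire']} bytes preserved")
```

A non-zero truncated count against a real capture means the per-packet limit was below the frame sizes on the wire, so payload inspection on those packets is not possible from this file; rerun the capture with a larger limit (or none) if that is what the investigation needs.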

Resource Groups and Regions

Network Watcher is a regional service. When you enable Network Watcher or configure its features like NSG flow logs or connection monitors, you associate them with a specific Azure region. It's best practice to have Network Watcher enabled in all regions where you have network resources that require monitoring.

Tip: For consistent monitoring across your Azure deployment, consider using Azure Policy to enforce the enabling of Network Watcher and the configuration of NSG flow logs in all relevant subscriptions and regions.