Network Watcher for Virtual WAN
Azure Network Watcher provides capabilities to monitor, diagnose, and view metrics for your Azure network resources. When using Azure Virtual WAN, Network Watcher offers invaluable insights into the health and performance of your wide area network.
Key Benefits:
- Diagnose connectivity issues between Virtual Hubs, VPN sites, and ExpressRoute circuits.
- Visualize traffic flow with Connection Monitor.
- Analyze packet captures for detailed troubleshooting.
- Monitor network health and performance metrics.
Key Network Watcher Features for Virtual WAN
Connection Monitor
Connection Monitor is a powerful tool for monitoring the health and performance of connections between endpoints. For Virtual WAN, it can be used to:
- Monitor connectivity from Azure VMs within a Virtual Hub to on-premises locations.
- Track latency and packet loss between spokes connected via Virtual WAN.
- Assess the reliability of VPN tunnels and ExpressRoute circuits.
To set up Connection Monitor for Virtual WAN:
- Navigate to Network Watcher in the Azure portal.
- Select "Connection Monitor" and click "Create".
- Choose your workspace and define the monitoring endpoints. For Virtual WAN scenarios, these typically include VMs within your Virtual Hubs or on-premises network segments.
- Configure the test groups, including protocols, intervals, and thresholds.
Packet Capture
Packet Capture allows you to capture network traffic on your Virtual WAN components, such as Virtual Hub routers or VPN gateways, to diagnose low-level connectivity problems. This is particularly useful for identifying:
- TCP handshake failures.
- Unusual traffic patterns.
- MTU issues.
Usage:
- Identify the specific Virtual Hub or gateway you want to monitor.
- Initiate a packet capture session through the Azure portal or Azure CLI.
- Specify filters (e.g., IP addresses, ports) to narrow down the captured traffic.
- Download and analyze the captured packets using tools like Wireshark.
IP Flow Verify and NSG Flow Logs
While primarily used for individual VMs, these tools can indirectly help in understanding traffic flow within your Virtual WAN if you are experiencing issues with traffic reaching specific resources:
- IP Flow Verify: Helps determine if traffic is allowed or denied by network security group (NSG) rules associated with the network interfaces connected to your Virtual Hubs or spoke VNETs.
- NSG Flow Logs: Provide insights into traffic flowing to and from network interfaces, allowing you to audit traffic and identify potential security group misconfigurations affecting Virtual WAN connectivity.
Troubleshooting Virtual WAN Connectivity
When diagnosing connectivity issues within your Virtual WAN:
- Start with high-level checks: Ensure VPN tunnels and ExpressRoute circuits are established and healthy.
- Use Connection Monitor: Identify if specific paths are experiencing latency or packet loss.
- Leverage Packet Capture: For deeper analysis, capture traffic at critical points like VPN gateways or Virtual Hub routers.
- Check NSG Rules: If traffic isn't reaching a specific VM within a spoke VNET, verify NSG rules for that VM.
Important Note: Network Watcher features, when applied to Virtual WAN components like the Virtual Hub, leverage the underlying infrastructure to provide diagnostics. Ensure you have the necessary permissions to access and configure these resources.