Azure Network Watcher

Complete Guide to Monitoring and Troubleshooting Network Health

Overview of Azure Network Watcher

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. It's designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products including Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc.

🔍 Network Monitoring

Monitor communication between a virtual machine and an endpoint using Connection Monitor

📊 Traffic Analytics

Analyze network traffic patterns and identify security threats

🛠️ Diagnostic Tools

Troubleshoot VPN connectivity, routing issues, and network security groups

📈 Performance Metrics

Capture network packets and analyze performance bottlenecks

Network Watcher Architecture

graph TB
  subgraph "Azure Subscription"
    subgraph "Resource Group"
      NW[Network Watcher]
      subgraph "Virtual Network"
        VM1[Virtual Machine 1]
        VM2[Virtual Machine 2]
        NSG[Network Security Group]
        LB[Load Balancer]
      end
      subgraph "Storage Account"
        SA[Network Logs Storage]
        CM[Connection Monitor Data]
        TA[Traffic Analytics Data]
      end
    end
    subgraph "Monitoring Services"
      LA[Log Analytics Workspace]
      AM[Azure Monitor]
      AI[Application Insights]
    end
  end
  NW --> VM1
  NW --> VM2
  NW --> NSG
  NW --> LB
  NW --> SA
  NW --> LA
  LA --> AM
  AM --> AI
  style NW fill:#e1f5fe
  style VM1 fill:#f3e5f5
  style VM2 fill:#f3e5f5
  style NSG fill:#fff3e0
  style LB fill:#e8f5e8
  style SA fill:#fce4ec
  style LA fill:#f1f8e9
  style AM fill:#e3f2fd
  style AI fill:#fff8e1
Architecture Overview: This diagram illustrates how Azure Network Watcher integrates with various Azure services. Network Watcher acts as the central monitoring hub that collects data from virtual machines, network security groups, and load balancers. The collected data is stored in storage accounts and analyzed through Log Analytics Workspace, which feeds into Azure Monitor for comprehensive monitoring and alerting capabilities.

Initial Setup and Configuration

1. Enable Network Watcher

Network Watcher must be enabled in each region where you want to monitor networks. By default, it's automatically enabled when you create a virtual network.

# Enable Network Watcher in a specific region
az network watcher configure \
    --resource-group myNetworkWatcherRG \
    --locations eastus \
    --enabled true
Parameters:
  • --resource-group: Resource group where Network Watcher will be created
  • --locations: Azure regions where you want to enable Network Watcher
  • --enabled true: Enables Network Watcher in the specified regions
Note: This is typically the first step in setting up Network Watcher. Each Azure region requires its own Network Watcher instance.

2. Create Resource Group for Network Watcher

# Create a dedicated resource group for Network Watcher
az group create \
    --name NetworkWatcherRG \
    --location eastus
Parameters:
  • --name: Name of the resource group (recommended: NetworkWatcherRG)
  • --location: Azure region for the resource group
Purpose: Creates a dedicated resource group to organize Network Watcher resources. This helps with resource management and billing tracking.

3. Create Storage Account for Network Logs

# Create storage account for storing network monitoring data
az storage account create \
    --name networkwatcherstorage001 \
    --resource-group NetworkWatcherRG \
    --location eastus \
    --sku Standard_LRS \
    --kind StorageV2
Parameters:
  • --name: Globally unique storage account name (must be lowercase, 3-24 characters)
  • --sku Standard_LRS: Locally Redundant Storage (cost-effective for logs)
  • --kind StorageV2: General-purpose v2 storage account (recommended)
Alternative SKUs: Standard_GRS (geo-redundant), Standard_ZRS (zone-redundant), Premium_LRS (premium performance)
Purpose: This storage account will store NSG flow logs, packet captures, and other network monitoring data.

Monitoring Features

Connection Monitor

Connection Monitor provides unified end-to-end connection monitoring in Azure Network Watcher. It monitors communication between Azure and hybrid endpoints.

sequenceDiagram
  participant VM as Source VM
  participant CM as Connection Monitor
  participant Target as Target Endpoint
  participant LA as Log Analytics
  participant Alert as Alert System
  VM->>CM: Initiate Connection Test
  CM->>Target: Send Test Packets
  Target-->>CM: Response/Timeout
  CM->>LA: Log Connection Metrics
  CM->>Alert: Trigger Alert (if threshold exceeded)
  LA->>Alert: Historical Data Analysis
  Alert->>VM: Notification
  Note over CM,Target: Tests: HTTP, TCP, ICMP
  Note over LA: Stores: Latency, Packet Loss, Topology
Connection Monitor Workflow: This sequence diagram shows how Connection Monitor continuously tests connectivity between source and target endpoints. The monitor sends test packets using various protocols (HTTP, TCP, ICMP), measures response times and packet loss, logs the data to Log Analytics, and triggers alerts when thresholds are exceeded. This provides real-time visibility into network connectivity issues.

Create Connection Monitor

# Create a connection monitor
az network watcher connection-monitor create \
    --name "VM-to-Website-Monitor" \
    --resource-group NetworkWatcherRG \
    --location eastus
Parameters:
  • --name: Descriptive name for the connection monitor
  • --resource-group: Resource group containing Network Watcher
  • --location: Region where Network Watcher is enabled
Next Steps: After creating the base monitor, you'll need to configure endpoints, test configurations, and test groups.

Configure Connection Monitor Endpoints

# Add source endpoint (Azure VM)
az network watcher connection-monitor endpoint add \
    --connection-monitor "VM-to-Website-Monitor" \
    --location eastus \
    --name "source-vm" \
    --resource-id "/subscriptions/{subscription}/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM"
Parameters:
  • --connection-monitor: Name of the connection monitor created earlier
  • --name: Friendly name for this endpoint
  • --resource-id: Full Azure resource ID of the source VM
Alternative Endpoint Types: External endpoints (websites), on-premises endpoints, or other Azure resources
# Add destination endpoint (external website)
az network watcher connection-monitor endpoint add \
    --connection-monitor "VM-to-Website-Monitor" \
    --location eastus \
    --name "target-website" \
    --address "www.microsoft.com"
Parameters:
  • --address: External address (FQDN or IP) to monitor
Purpose: This creates the destination endpoint for connectivity testing. The monitor will test connectivity from the source VM to this external website.
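The workflow above (a source endpoint runs repeated protocol checks against a target, records latency and failed checks, and raises an alert when a threshold is crossed) can be reproduced locally to see what a test group result looks like before you wire up real endpoints. The script below is an added example and not code from the original guide or from Azure; it implements a TCP-protocol check with the same two alert conditions (percentage of failed checks and average round-trip time). The `LocalListener` class, the `unused_port()` helper and the threshold values are constructed for the example, and the listener on 127.0.0.1 stands in for the target endpoint.

```python
import socket
import statistics
import threading
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TestGroupResult:
    """Summary of one test group run: the fields an alert rule would evaluate."""
    target: str
    checks_total: int
    checks_failed: int
    checks_failed_percent: float
    avg_rtt_ms: Optional[float]  # None when no check succeeded
    alert: bool


def tcp_check(host: str, port: int, timeout_s: float = 1.0) -> Optional[float]:
    """A single TCP check: connect, return round-trip time in ms, or None on failure."""
    started = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            pass
    except OSError:  # refused, unreachable, or timed out
        return None
    return (time.perf_counter() - started) * 1000.0


def run_test_group(host: str, port: int, checks: int = 5, interval_s: float = 0.05,
                   max_failed_percent: float = 20.0, max_rtt_ms: float = 500.0) -> TestGroupResult:
    """Run `checks` TCP checks and apply the failed-percent and RTT thresholds (assumed values)."""
    rtts: List[float] = []
    failed = 0
    for i in range(checks):
        rtt = tcp_check(host, port)
        if rtt is None:
            failed += 1
        else:
            rtts.append(rtt)
        if i + 1 < checks:
            time.sleep(interval_s)
    failed_percent = 100.0 * failed / checks
    avg_rtt = statistics.fmean(rtts) if rtts else None
    alert = failed_percent > max_failed_percent or (avg_rtt is not None and avg_rtt > max_rtt_ms)
    return TestGroupResult(f"{host}:{port}", checks, failed, failed_percent, avg_rtt, alert)


class LocalListener:
    """Constructed stand-in for the target endpoint: a TCP listener on loopback."""

    def __init__(self) -> None:
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        self._sock.listen(16)
        self._sock.settimeout(0.2)  # lets the accept loop notice a stop request
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self._sock.accept()
                conn.close()  # the check only needs the handshake to complete
            except socket.timeout:
                continue
            except OSError:
                break

    def close(self) -> None:
        self._stop.set()
        self._sock.close()


def unused_port() -> int:
    """A loopback port with nothing listening, to exercise the failure path."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener = LocalListener()
    print(run_test_group("127.0.0.1", listener.port))   # healthy target: no alert
    listener.close()
    print(run_test_group("127.0.0.1", unused_port()))   # nothing listening: 100% failed, alert
```

The two runs in the `__main__` block show the two outcomes the sequence diagram describes: a responding target yields a low failed percentage and a measured RTT, while a target that refuses every connection yields 100% failed checks, no RTT, and an alert.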

NSG Flow Logs

Network Security Group (NSG) flow logs capture information about IP traffic flowing through NSGs. They provide deep insights into network traffic patterns.

flowchart LR
  subgraph "Virtual Network"
    VM1[VM 1]
    VM2[VM 2]
    NSG[Network Security Group]
  end
  subgraph "Flow Log Process"
    FL[Flow Logs]
    SA[Storage Account]
    LA[Log Analytics]
  end
  subgraph "Analysis & Alerting"
    TA[Traffic Analytics]
    Dash[Dashboards]
    Alert[Alerts]
  end
  VM1 --> NSG
  VM2 --> NSG
  NSG --> FL
  FL --> SA
  SA --> LA
  LA --> TA
  TA --> Dash
  TA --> Alert
  style NSG fill:#ff9999
  style FL fill:#99ccff
  style SA fill:#99ff99
  style LA fill:#ffcc99
  style TA fill:#cc99ff
NSG Flow Logs Process: This diagram shows how network traffic from VMs passes through Network Security Groups, where flow logs capture detailed information about each connection. The logs are stored in a storage account, then processed by Log Analytics and Traffic Analytics to provide dashboards, insights, and automated alerting capabilities.

Enable NSG Flow Logs

# Enable NSG flow logs
az network watcher flow-log configure \
    --resource-group myResourceGroup \
    --nsg myNetworkSecurityGroup \
    --storage-account networkwatcherstorage001 \
    --enabled true \
    --retention 30
Parameters:
  • --nsg: Name of the Network Security Group to monitor
  • --storage-account: Storage account for storing flow logs
  • --enabled true: Enables flow logging
  • --retention 30: Retains logs for 30 days (0-365 days)
Cost Consideration: Flow logs generate significant data. Consider retention policies and storage costs.
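Once flow logging is enabled, the JSON blobs written to the storage account are what Traffic Analytics and your own tooling consume. The script below is an added example, not code from the guide or from Azure: it parses the NSG flow log version 2 layout (each `flowTuples` entry is `timestamp,srcIp,dstIp,srcPort,dstPort,protocol,direction,decision,flowState,packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc`, with the last five fields empty until the flow ends), counts flows per NSG rule, and flags sources whose denied inbound flows hit several distinct destination ports, a pattern worth a dashboard tile or alert. The sample log is constructed for the example and uses documentation IP ranges; the function names and the `min_ports` threshold are assumptions.

```python
import json
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

PROTOCOL = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "inbound", "O": "outbound"}
DECISION = {"A": "allowed", "D": "denied"}

# Constructed sample in the NSG flow log version 2 layout (not a real capture).
SAMPLE_FLOW_LOG = json.loads("""
{"records": [{
  "time": "2018-11-13T12:00:35.3899262Z",
  "category": "NetworkSecurityGroupFlowEvent",
  "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/MYRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYNSG",
  "operationName": "NetworkSecurityGroupFlowEvents",
  "properties": {"Version": 2, "flows": [
    {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
      "1542110402,203.0.113.7,10.5.16.4,51000,22,T,I,D,B,,,,",
      "1542110403,203.0.113.7,10.5.16.4,51001,3389,T,I,D,B,,,,",
      "1542110404,203.0.113.7,10.5.16.4,51002,8080,T,I,D,B,,,,",
      "1542110405,198.51.100.9,10.5.16.4,40000,23,T,I,D,B,,,,"]}]},
    {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
      "1542110410,192.0.2.25,10.5.16.4,60000,443,T,I,A,B,,,,",
      "1542110420,192.0.2.25,10.5.16.4,60000,443,T,I,A,E,12,3400,10,8800"]}]},
    {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
      "1542110430,10.5.16.4,203.0.113.50,49152,443,T,O,A,B,,,,"]}]}
  ]}
}]}
""")


@dataclass
class Flow:
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    decision: str
    flow_state: str          # B = begin, C = continuing, E = end
    packets_src_to_dst: int  # counters are only filled on C/E tuples
    bytes_src_to_dst: int
    packets_dst_to_src: int
    bytes_dst_to_src: int
    rule: str
    nsg: str


def parse_tuple(raw: str, rule: str, nsg: str) -> Flow:
    """Decode one version 2 flow tuple; empty trailing counters become 0."""
    f = raw.split(",")
    if len(f) < 8:
        raise ValueError(f"malformed flow tuple: {raw!r}")

    def num(i: int) -> int:
        return int(f[i]) if len(f) > i and f[i] else 0

    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                PROTOCOL.get(f[5], f[5]), DIRECTION.get(f[6], f[6]), DECISION.get(f[7], f[7]),
                f[8] if len(f) > 8 else "", num(9), num(10), num(11), num(12), rule, nsg)


def iter_flows(log: dict) -> Iterator[Flow]:
    """Walk records -> rules -> per-NIC flows -> tuples, tagging each flow with its rule and NSG."""
    for record in log["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_block in record["properties"]["flows"]:
            for per_nic in rule_block["flows"]:
                for raw in per_nic["flowTuples"]:
                    yield parse_tuple(raw, rule_block["rule"], nsg)


def count_by_rule(flows: Iterable[Flow]) -> Counter:
    """How many flow tuples each NSG rule matched: a quick view of which rules do the work."""
    return Counter(f.rule for f in flows)


def denied_inbound_sweeps(flows: Iterable[Flow], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose denied inbound flows touched at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.direction == "inbound" and f.decision == "denied":
            ports[f.src_ip].add(f.dst_port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = list(iter_flows(SAMPLE_FLOW_LOG))
    print(count_by_rule(flows))
    print(denied_inbound_sweeps(flows))
```

Against the constructed sample, `count_by_rule` attributes four tuples to `DefaultRule_DenyAllInBound`, and `denied_inbound_sweeps` reports only `203.0.113.7` (denied on ports 22, 3389 and 8080); the single denied flow from `198.51.100.9` stays below the threshold. The byte and packet counters are only present on continuing and end tuples, which is why the parser defaults them to 0.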

Configure Flow Logs with Traffic Analytics

# Enable flow logs with Traffic Analytics
az network watcher flow-log create \
    --name "MyNSGFlowLog" \
    --nsg "/subscriptions/{subscription}/resourceGroups/myRG/providers/Microsoft.Network/networkSecurityGroups/myNSG" \
    --storage-account "/subscriptions/{subscription}/resourceGroups/NetworkWatcherRG/providers/Microsoft.Storage/storageAccounts/networkwatcherstorage001" \
    --resource