1.4 Monitor Networks
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is Azure Network Watcher?
Azure Network Watcher is a monitoring and diagnostic service in Azure that helps you:
- See what’s happening in your Azure network.
- Detect problems in connectivity or performance.
- Collect and analyze logs for troubleshooting.
- Monitor resources like virtual networks, gateways, and network security groups.
Think of it as a “network health monitoring tool” inside Azure.
2. Key Capabilities of Network Watcher
- Monitoring
- Tracks network resources like Virtual Networks (VNets), VPNs, and Network Interfaces (NICs).
- Lets you visualize network topology to see how resources are connected.
- Network Diagnostics
- Helps find and fix network issues.
- Examples:
- Connectivity checks: Test if one VM can reach another VM or endpoint.
- Packet capture: Capture network traffic for deeper inspection.
- Next hop analysis: Shows the next hop that packets will take to reach a destination.
- IP flow verify: Checks whether traffic is allowed or denied by a Network Security Group (NSG).
- Logging
- Captures and stores network activity in logs.
- Types of logs:
- Network Security Group (NSG) flow logs: Show which traffic is allowed or denied by NSGs.
- Diagnostic logs: Include data about gateways, VPN connections, and other network resources.
- Logs can be sent to Log Analytics, Storage Account, or Event Hub for analysis.
3. How to Configure Monitoring in Network Watcher
- Enable Network Watcher
- Go to Azure Portal → Network Watcher → Regions.
- Turn on Network Watcher for the region where your network resources are deployed.
- Important: Network Watcher must be enabled per region, not per subscription.
- Monitor Network Topology
- Use the Topology tool to visualize resources in a virtual network.
- Can display:
- VMs
- Subnets
- Network Security Groups
- Gateways
- Helps see connectivity paths and resource dependencies.
- Monitor Network Performance
- Use Connection Monitor to track:
- Latency (ping times)
- Packet loss
- Availability between endpoints
- Can monitor hybrid connections (Azure ↔ On-premises) too.
- Use Connection Monitor to track:
4. How to Configure Network Diagnostics
- Connection Troubleshooting
- Connection Troubleshoot: Test connectivity from a VM to another VM, FQDN, or IP address.
- Shows if the connection is successful or blocked and why.
- IP Flow Verification
- Tests NSG rules.
- Example:
- Check if a VM can send traffic to the internet on port 80.
- Tells you whether the traffic is allowed or denied and which NSG rule caused it.
- Next Hop
- Finds the next hop for a packet leaving a VM.
- Helps understand routing issues.
- Packet Capture
- Captures packets from a VM NIC.
- Helps analyze network traffic, troubleshoot application connectivity, or check security events.
- VPN Diagnostics
- Check the status and performance of Azure VPN Gateways.
- Identify issues like high latency, dropped packets, or misconfiguration.
5. How to Configure Network Logs
- NSG Flow Logs
- Shows inbound/outbound traffic for VMs in a subnet.
- Can include:
- Source/destination IP
- Port
- Protocol
- Allowed/Denied
- Sent to:
- Storage Account: For storage and archiving.
- Log Analytics: For querying and alerting.
- Event Hub: For external monitoring systems.
- Diagnostic Logs
- Enable on resources like VPN gateways, Application Gateways, Load Balancers.
- Can capture:
- Connection metrics
- Error messages
- Resource health events
- Integration with Log Analytics
- Allows querying logs with Kusto Query Language (KQL).
- Create alerts for:
- Blocked traffic
- Connection failures
- Suspicious patterns
6. Exam Tips – What to Remember for AZ-700
- Network Watcher is regional: Must enable in the same region as your resources.
- Key diagnostic tools: Connection troubleshoot, IP flow verify, next hop, packet capture.
- Key monitoring tools: Topology, Connection Monitor.
- Logs: NSG flow logs, diagnostic logs.
- Storage/Analysis: Use Log Analytics for monitoring and alerts.
- Scenario questions: You may be asked:
- Which tool to check connectivity between VMs.
- How to verify NSG rules.
- How to monitor a hybrid network.
✅ Summary Table for Easy Memorization
| Feature | Purpose | Output / Use Case |
|---|---|---|
| Topology | Visualize network resources and connections | Diagram of VMs, subnets, NSGs, gateways |
| Connection Monitor | Monitor latency, packet loss, availability | Reports performance between endpoints |
| Connection Troubleshoot | Test connectivity from VM to endpoint | Shows success/failure and reason |
| IP Flow Verify | Check NSG rules | Allowed/Denied traffic, rule causing it |
| Next Hop | Check routing | Next hop for packet |
| Packet Capture | Capture traffic for analysis | PCAP file for troubleshooting |
| NSG Flow Logs | Logs of network traffic through NSGs | Analyze allowed/denied traffic |
| Diagnostic Logs | Logs for VPNs, Load Balancers, Gateways | Track errors and performance |
