Monitor and troubleshoot network health using Azure Network Watcher

1.4 Monitor Networks

📘Microsoft Azure Networking Solutions (AZ-700)

Azure Network Watcher is a monitoring and diagnostic service in Azure that helps you check the health of your network, troubleshoot problems, and understand how your network traffic flows. Think of it as a toolkit for network visibility and troubleshooting in the cloud.

1. What is Azure Network Watcher?

  • Network Watcher is an Azure service that monitors and diagnoses network issues in your virtual networks (VNets), subnets, virtual machines (VMs), and other network resources.
  • It helps ensure that your network is healthy, secure, and performing well.
  • It provides tools like connection monitoring, packet capture, topology visualization, NSG diagnostics, and logging.

2. Key Features of Network Watcher

Here’s what Network Watcher can do:

FeaturePurposeExam Focus
TopologyVisual map of your virtual network, showing connections between VNets, subnets, VMs, and gateways.Helps understand network layout and connectivity.
Connection MonitorChecks connectivity between VMs or from VMs to endpoints (like a database or storage).Verifies if resources can communicate and detects latency.
IP Flow VerifyTests whether traffic from a VM is allowed or denied based on NSG rules.Helps troubleshoot blocked traffic.
Next HopDetermines the next hop a packet takes from a VM to its destination.Useful for routing troubleshooting.
Packet CaptureCaptures network traffic from a VM to analyze issues.Helps investigate abnormal traffic or security issues.
NSG (Network Security Group) Flow LogsLogs allowed and denied traffic through NSGs.Important for security and auditing.
Network Performance MonitorMonitors network performance like latency, packet loss, and throughput.Useful for detecting slow connections.

3. How to Use Network Watcher to Monitor Network Health

Step 1: Enable Network Watcher

  • Network Watcher must be enabled per region.
  • You can do this in the Azure Portal or via PowerShell / CLI.
  • Once enabled, you can use all monitoring features in that region.

Step 2: Check Network Topology

  • Use the Topology tool to view:
    • VNets, subnets, VMs
    • Gateways and VPN connections
    • Route tables
  • This helps visually confirm that resources are connected as expected.

Step 3: Test Connectivity

  • Use Connection Monitor:
    • Example: Check if a VM in VNet1 can reach a SQL database in VNet2.
    • Reports if the connection is successful and shows latency and hop details.

Step 4: Troubleshoot NSG Rules

  • Use IP Flow Verify:
    • Example: A web server is not reachable; check if the NSG allows port 80/443.
    • Network Watcher tells you if traffic is allowed or denied and which NSG rule applies.

Step 5: Diagnose Routing Issues

  • Use Next Hop:
    • Example: VM cannot reach storage; check which route the traffic is taking.
    • Confirms whether it’s going through the correct virtual appliance or gateway.

Step 6: Capture Network Traffic

  • Use Packet Capture:
    • Captures incoming/outgoing packets from a VM.
    • Can export data to Wireshark for detailed analysis.
    • Helps find malicious traffic or misconfigurations.

Step 7: Analyze NSG Flow Logs

  • Enable NSG Flow Logs to:
    • See which traffic is allowed or denied by your NSGs.
    • Store logs in Azure Storage or send to Azure Monitor/Log Analytics.
    • Useful for auditing and troubleshooting security issues.

4. Important Exam Tips

  1. Connection Monitor vs. IP Flow Verify
    • Connection Monitor: Checks if connectivity is successful (end-to-end test).
    • IP Flow Verify: Checks NSG rules specifically for allow/deny decisions.
  2. Topology Tool
    • Only shows resources in the same region.
    • Useful to verify network layout and routing.
  3. Next Hop
    • Exam may ask: “Which tool tells you the next hop for a packet?” → Next Hop
  4. Packet Capture
    • Can capture specific ports or protocols.
    • Exam may ask: “Which tool helps you capture packets for troubleshooting?” → Packet Capture
  5. NSG Flow Logs
    • Logs every allowed and denied connection through NSGs.
    • Can be used for security auditing and traffic analysis.

5. Real-World IT Usage in Azure

  • Detecting blocked traffic: If a web server VM can’t reach a database VM, use IP Flow Verify.
  • Visualizing network setup: Use Topology to check if all subnets, VMs, and gateways are correctly connected.
  • Analyzing performance: Use Connection Monitor or Network Performance Monitor to detect latency issues between data centers.
  • Security auditing: Use NSG Flow Logs to see if any traffic was denied incorrectly.
  • Debugging complex issues: Use Packet Capture to examine what packets are actually sent and received.

Key Takeaways for AZ-700 Exam

  • Azure Network Watcher is your network diagnostic and monitoring toolkit.
  • Remember Topology, Connection Monitor, IP Flow Verify, Next Hop, Packet Capture, NSG Flow Logs.
  • Know when to use each tool and what kind of information it provides.
  • Can be enabled per region, and integrates with Azure Monitor and Log Analytics.
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by