Monitor your networks using Azure network watcher - Training - Microsoft Learn

Azure Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end view of the network. The network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure. Network Watcher is enabled through the creation of a Network Watcher resource, which allows you to use Network Watcher capabilities. Network Watcher is designed to monitor and repair the network health of IaaS products, which include Virtual Machines, Virtual Networks, Application Gateways, and Load Balancers.

Network Topology: The topology capability enables you to generate a visual diagram of the resources in a virtual network, and the relationships between the resources.

Verify IP Flow: Quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment; for example, confirm whether a security rule is blocking ingress or egress traffic to or from a virtual machine. IP flow verify is ideal for making sure security rules are being applied correctly. When used for troubleshooting, if IP flow verify doesn't show a problem, you will need to explore other areas such as firewall restrictions.

Next Hop: Determines whether traffic is being directed to the intended destination by showing the next hop. This helps you determine whether network routing is correctly configured. Next hop also returns the route table associated with the next hop. If the route is defined as a user-defined route, that route is returned; otherwise, next hop returns System Route. Depending on your situation, the next hop could be Internet, Virtual Appliance, Virtual Network Gateway, VNet Local, VNet Peering, or None. None tells you that, while there may be a valid system route to the destination, there is no next hop to route the traffic to the destination. When you create a virtual network, Azure creates several default outbound routes for network traffic. The outbound traffic from all resources deployed in a virtual network, such as VMs, is routed based on Azure's default routes. You might override Azure's default routes or create additional routes.
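The route selection behind the Next Hop result is easy to reason about once it is written down. The Python example below is added here and is not part of the Microsoft Learn module: the route table is constructed for the example (the system routes mirror the defaults Azure creates for a virtual network with address space 10.1.0.0/16; the two user-defined routes are assumptions), and the selection rule it implements is longest prefix match, with a user-defined route taking precedence over a system route when both match with the same prefix length. It reproduces the outcomes the text lists, including the None result, where a default system route matches the destination but there is no next hop to send the traffic to.

```python
import ipaddress

# Constructed route table for an example virtual network with address space 10.1.0.0/16.
# Each entry is (address prefix, next hop type, origin). The system routes mirror the defaults
# Azure creates for a virtual network; the user-defined routes are assumptions for this example.
SYSTEM_ROUTES = [
    ("10.1.0.0/16", "VNet Local", "System"),     # the VNet's own address space
    ("0.0.0.0/0", "Internet", "System"),         # everything else goes to the internet
    ("10.0.0.0/8", "None", "System"),            # private ranges are dropped by default
    ("172.16.0.0/12", "None", "System"),
    ("192.168.0.0/16", "None", "System"),
]
USER_DEFINED_ROUTES = [
    ("0.0.0.0/0", "Virtual Appliance", "User"),  # send internet-bound traffic through an NVA
    ("10.2.0.0/16", "VNet Peering", "User"),     # reach a peered VNet
]
ALL_ROUTES = SYSTEM_ROUTES + USER_DEFINED_ROUTES

# Tie-breaker when several routes share the longest matching prefix.
ORIGIN_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


def next_hop(destination_ip, routes):
    """Return (next hop type, matched prefix, route origin) for a destination.

    Selection follows Azure's rule: the longest matching prefix wins, and when
    prefix lengths tie a user-defined route beats a BGP route, which beats a
    system route. With no matching route at all there is no next hop.
    """
    dest = ipaddress.ip_address(destination_ip)
    best_key, best = None, None
    for prefix, hop_type, origin in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dest not in net:
            continue
        key = (-net.prefixlen, ORIGIN_PRIORITY[origin])
        if best_key is None or key < best_key:
            best_key, best = key, (hop_type, prefix, origin)
    return best if best is not None else ("None", None, None)


if __name__ == "__main__":
    for ip in ("10.1.5.4", "10.2.0.9", "10.3.0.1", "8.8.8.8"):
        hop_type, prefix, origin = next_hop(ip, ALL_ROUTES)
        print(f"{ip:>10} -> {hop_type:<18} via {prefix} ({origin} route)")
```

The 10.3.0.1 case is the one worth noticing: the default 10.0.0.0/8 system route matches, so the lookup succeeds, but its next hop type is None and the traffic is dropped, exactly the situation the text describes. Overriding that with a user-defined route for the real destination range is the fix.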

Effective security rules: Network security groups are associated at a subnet level or at a NIC level. When associated at a subnet level, the NSG applies to all the VM instances in the subnet. The Effective security rules view returns all the configured NSGs and rules that are associated at the NIC and subnet level for a virtual machine, providing insight into the configuration. In addition, the effective security rules are returned for each of the NICs in a VM. Using the Effective security rules view, you can assess a VM for network vulnerabilities such as open ports.

VPN Diagnostics: Troubleshoot gateways and connections. VPN Diagnostics returns a wealth of information. Summary information is available in the portal and more detailed information is provided in log files. The log files are stored in a storage account and include things like connection statistics, CPU and memory information, IKE security errors, packet drops, and buffers and events.

Packet Capture: Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communications, and much more.

Connection Troubleshoot: Azure Network Watcher Connection Troubleshoot is a more recent addition to the Network Watcher suite of networking tools and capabilities. Connection Troubleshoot enables you to troubleshoot network performance and connectivity issues in Azure.

NSG Flow Logs: NSG flow logs map IP traffic through a network security group. This capability can be used for security compliance and auditing. You can define a prescriptive set of security rules as a model for security governance in your organization. A periodic compliance audit can be implemented programmatically by comparing the prescriptive rules with the effective rules for each of the VMs in your network.
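The programmatic audit described here, and the open-port assessment mentioned under Effective security rules above, both come down to the same operation: replay a sample flow through the effective rules in priority order and compare the verdict with what the prescriptive model requires. The Python example below is added here and is not part of the Microsoft Learn module. Its effective rule set is constructed and only loosely modelled on what the Effective security rules view returns (names, priorities, prefixes and the VirtualNetwork expansion are assumptions), and the prescriptive model is a hypothetical baseline; the evaluation order it implements is the real NSG behaviour of lowest priority number first, stop at the first match, implicit deny when nothing matches.

```python
import ipaddress

# Constructed effective security rules for one NIC, loosely modelled on what the Effective
# security rules view returns (names, priorities and prefixes are made up for this example).
# Azure evaluates rules from the lowest priority number upward and stops at the first match.
EFFECTIVE_RULES = [
    {"name": "AllowSSHFromAnywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "*", "dest_port": "22"},
    {"name": "AllowRDPFromCorp", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "10.0.0.0/8", "dest_port": "3389"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "dest_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "source": "*", "dest_port": "*"},
]

# What the VirtualNetwork service tag expands to in this example VNet (assumption).
VNET_PREFIXES = ["10.1.0.0/16"]

# The prescriptive model: the verdict the organisation requires for each sample inbound flow.
PRESCRIPTIVE = [
    {"check": "SSH from the internet", "source": "203.0.113.10", "dest_port": 22,
     "protocol": "Tcp", "expected": "Deny"},
    {"check": "RDP from the internet", "source": "203.0.113.10", "dest_port": 3389,
     "protocol": "Tcp", "expected": "Deny"},
    {"check": "RDP from the corporate range", "source": "10.20.30.40", "dest_port": 3389,
     "protocol": "Tcp", "expected": "Allow"},
    {"check": "HTTPS from the internet", "source": "203.0.113.10", "dest_port": 443,
     "protocol": "Tcp", "expected": "Allow"},
]


def _source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    prefixes = VNET_PREFIXES if rule_source == "VirtualNetwork" else [rule_source]
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-"))
        return low <= port <= high
    return int(rule_port) == port


def evaluate_inbound(rules, src_ip, dest_port, protocol):
    """Return (rule name, access) of the first inbound rule that matches the flow,
    walking rules by ascending priority as the NSG engine does. No match means
    an implicit deny."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: r["priority"])
    for rule in inbound:
        if rule["protocol"] not in ("*", protocol):
            continue
        if not _source_matches(rule["source"], src_ip):
            continue
        if not _port_matches(rule["dest_port"], dest_port):
            continue
        return rule["name"], rule["access"]
    return None, "Deny"


def audit(rules, prescriptive):
    """Compare the effective rules against the prescriptive model and return every deviation."""
    findings = []
    for check in prescriptive:
        rule_name, verdict = evaluate_inbound(rules, check["source"], check["dest_port"], check["protocol"])
        if verdict != check["expected"]:
            findings.append({"check": check["check"], "expected": check["expected"],
                             "actual": verdict, "matched_rule": rule_name})
    return findings


if __name__ == "__main__":
    for finding in audit(EFFECTIVE_RULES, PRESCRIPTIVE):
        print(f"DEVIATION: {finding['check']}: expected {finding['expected']}, "
              f"got {finding['actual']} from rule {finding['matched_rule']}")
```

Run against the sample data, the audit reports two deviations: SSH is reachable from any source because the priority-100 rule allows it, and HTTPS is not reachable at all because no rule allows it before the catch-all deny. The second kind of finding is as useful as the first, since an unexpectedly restrictive rule set is usually the symptom of a subnet-level NSG the VM owner did not know about, which is exactly what the Effective security rules view exists to surface.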

Configure Network Watcher

When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your virtual network's region. There is no impact on your resources and no associated charge for automatically enabling Network Watcher.

To create a Network Watcher in the Azure portal:

  1. Navigate to All services > Networking > Network Watcher.
  2. Right-click your subscription and choose Enable network watcher in all regions.
  3. Note that the status is now showing as Enabled.
  4. If you expand the regions, you will see that all regions within this subscription are enabled.
  5. When you enable Network Watcher using the portal, the name of the Network Watcher instance is automatically set to NetworkWatcher_region_name, where region_name corresponds to the Azure region where the instance is enabled. For example, a Network Watcher enabled in the West US region is named NetworkWatcher_westus.
  6. The Network Watcher instance is automatically created in a resource group named NetworkWatcherRG. The resource group is created if it does not already exist.
  7. To disable a Network Watcher for a region in the Azure portal, expand the regions section, right-click the name of the region for which you wish to disable the Network Watcher, and click Disable network watcher.

Configure NSG Flow Logs

Network security groups (NSG) allow or deny inbound or outbound traffic to a network interface in a VM.

NSG flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG. You can analyze logs using a variety of tools, such as Power BI and the Traffic Analytics feature in Azure Network Watcher.

Common use cases for NSG flow logs are:

You can enable NSG flow logs from any of the following:

  1. To configure the parameters of NSG flow logs in the Azure portal, navigate to the NSG Flow Logs section in Network Watcher.
  2. Click the name of the NSG to bring up the Settings pane for the Flow log.
  3. Change the parameters you want and click Save to deploy the changes.

Connection Monitor

Connection Monitor overview

Connection Monitor provides unified end-to-end connection monitoring in Azure Network Watcher. The Connection Monitor feature supports hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related metrics for your Azure deployments.


Here are some use cases for Connection Monitor:

Connection Monitor combines the best of two features: the Network Watcher Connection Monitor (Classic) feature and the Network Performance Monitor (NPM) Service Connectivity Monitor, ExpressRoute Monitoring, and Performance Monitoring feature.

Here are some benefits of Connection Monitor:

Set up Connection Monitor

There are several key steps you need to perform in order to set up Connection Monitor for monitoring:

  1. Install monitoring agents - Connection Monitor relies on lightweight executable files to run connectivity checks. It supports connectivity checks from both Azure environments and on-premises environments. The executable file that you use depends on whether your VM is hosted on Azure or on-premises. For more information, visit Install monitoring agents.
  2. Enable Network Watcher on your subscription - All subscriptions that have a virtual network are enabled with Network Watcher. When you create a virtual network in your subscription, Network Watcher is automatically enabled in the virtual network's region and subscription. This automatic enabling doesn't affect your resources or incur a charge. Ensure that Network Watcher isn't explicitly disabled on your subscription.
  3. Create a connection monitor - Connection Monitor monitors communication at regular intervals. It informs you of changes in reachability and latency. You can also check the current and historical network topology between source agents and destination endpoints. Sources can be Azure VMs or on-premises machines that have an installed monitoring agent. Destination endpoints can be Microsoft 365 URLs, Dynamics 365 URLs, custom URLs, Azure VM resource IDs, IPv4, IPv6, FQDN, or any domain name.
  4. Set up data analysis and alerts - The data that Connection Monitor collects is stored in the Log Analytics workspace. You set up this workspace when you created the connection monitor. Monitoring data is also available in Azure Monitor Metrics. You can use Log Analytics to keep your monitoring data for as long as you want. Azure Monitor stores metrics for only 30 days by default. For more information, visit Data collection, analysis, and alerts.
  5. Diagnose issues in your network - Connection Monitor helps you diagnose issues in your connection monitor and your network. Issues in your hybrid network are detected by the Log Analytics agents that you installed earlier. Issues in Azure are detected by the Network Watcher extension. You can view issues in the Azure network in the network topology. For more information, visit Diagnose issues in your network.

Create a Connection Monitor

In connection monitors that you create by using Connection Monitor, you can add both on-premises machines and Azure VMs as sources. These connection monitors can also monitor connectivity to endpoints. The endpoints can be on Azure or on any other URL or IP.

Connection Monitor includes the following entities:


You can create a connection monitor using the Azure portal, ARMClient, or PowerShell.

To create a monitor in Connection Monitor by using the Azure portal:

  1. On the Azure portal home page, go to Network Watcher.
  2. In the left pane, under Monitoring, select Connection monitor, and then click Create.
  3. On the Basics tab of the Create Connection Monitor page, you need to enter the following information for your new connection monitor:
    | Field | Information |
    | --- | --- |
    | Connection Monitor Name | Enter a name for your connection monitor. Use the standard naming rules for Azure resources. |
    | Subscription | Select your Azure subscription from the list. |
    | Region | Select a region for your connection monitor. You can select only the source VMs that are created in this region. |
    | Workspace configuration | Choose a custom workspace or the default workspace. Your workspace holds your monitoring data. To use the default workspace, select the check box. To choose a custom workspace, clear the check box, then select the subscription and region for your custom workspace. |
  4. Click Next: Test groups >>.
  5. On the next page, you can add sources, test configurations, and destinations to your test groups. Each test group in a connection monitor includes sources and destinations that get tested on network parameters. They are tested for the percentage of checks that fail and the round-trip time (RTT) over test configurations.
  6. Click Add Test Group.
  7. Click Next: Create Alerts >>.
  8. On the Create alert tab, you can set up alerts on tests that are failing, based on the thresholds set in test configurations.
  9. You need to enter the following information for your alert:
    • Create alert (check box): You can select this check box to create a metric alert in Azure Monitor. When you select this check box, the other fields will be enabled for editing. (Note: Additional charges for the alert will be applicable.)
    • Scope (Resource/Hierarchy): The values here are automatically filled in for you, based on the values you specified on the Basics tab.
    • Condition: The alert is created on the Test Result (preview) metric. When the result of the connection monitor test is a failing result, the alert rule will fire.
    • Action group: You can enter your email directly or you can create alerts via action groups. If you enter your email directly, an action group with the name NPM Email ActionGroup is created. The email ID is added to that action group. If you choose to use action groups, you need to select a previously created action group.
    • Alert rule name: This is the name of the connection monitor and is already filled in for you.
    • Enable rule upon creation: Select this check box to enable the alert rule based on the condition (default setting). Clear this check box if you want to create the rule without enabling it, perhaps for evaluation and testing purposes, or because you are just not ready to deploy it yet.
  10. Click Next: Review + create >>.
  11. Review your information, and then click Create.

Traffic Analytics

Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic Analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud and provides rich visualizations of the data written to NSG flow logs.

With Traffic Analytics, you can:

How Traffic Analytics works

Traffic Analytics examines the raw NSG flow logs and produces reduced logs by aggregating common flows that share the same source IP address, destination IP address, destination port, and protocol. For example, suppose Host 1 (IP address 10.10.10.10) communicates with Host 2 (IP address 10.10.20.10) 100 times over a period of 1 hour using the same port (for example, 80) and protocol (for example, HTTP). Instead of 100 entries, the reduced log has one entry recording that Host 1 and Host 2 communicated 100 times over a period of 1 hour using port 80 and protocol HTTP. Reduced logs are enhanced with geography, security, and topology information, and then stored in a Log Analytics workspace.
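The reduction step above, and the per-flow fields that NSG flow logs record (source and destination IP address, port, protocol, and the allow or deny decision, as described in the Configure NSG Flow Logs section), can be shown end to end on a small log excerpt. The Python example below is added here and is not part of the Microsoft Learn module or of Traffic Analytics itself. The flow log excerpt is constructed and modelled on the version 2 NSG flow log schema, in which each flow tuple is a comma-separated string of timestamp, source IP, destination IP, source port, destination port, protocol (T/U), direction (I/O), decision (A/D), flow state (B/C/E) and packet/byte counters; the aggregation key is the one the text names, and the Host 1/Host 2 pair from the text is reused as the sample allowed flow.

```python
import json

# Constructed NSG flow log excerpt, modelled on the version 2 flow log schema.
# Each flow tuple is: time,srcIP,dstIP,srcPort,dstPort,protocol,direction,decision,
# flowState,packetsS2D,bytesS2D,packetsD2S,bytesD2S. The counters are empty on "B"
# (begin) records and are filled on "C" (continue) and "E" (end) records.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2024-01-01T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_AllowWeb", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704103200,10.10.10.10,10.10.20.10,51234,80,T,I,A,B,,,,",
            "1704103210,10.10.10.10,10.10.20.10,51235,80,T,I,A,B,,,,",
            "1704103260,10.10.10.10,10.10.20.10,51234,80,T,I,A,E,12,1800,10,9000",
        ]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704103300,203.0.113.7,10.10.20.10,40000,22,T,I,D,B,,,,",
            "1704103305,203.0.113.7,10.10.20.10,40001,22,T,I,D,B,,,,",
        ]}]},
    ]}}]})

PROTOCOLS = {"T": "TCP", "U": "UDP"}


def parse_flow_tuples(raw_json):
    """Yield one dict per flow tuple, carrying the NSG rule that produced it."""
    data = json.loads(raw_json)
    for record in data["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    yield {
                        "rule": rule_block["rule"],
                        "src": f[1], "dst": f[2],
                        "src_port": int(f[3]), "dst_port": int(f[4]),
                        "protocol": PROTOCOLS.get(f[5], f[5]),
                        "direction": "Inbound" if f[6] == "I" else "Outbound",
                        "decision": "Allowed" if f[7] == "A" else "Denied",
                        "state": f[8] if len(f) > 8 else "",          # absent in version 1 logs
                        "bytes_s2d": int(f[10]) if len(f) > 10 and f[10] else 0,
                        "bytes_d2s": int(f[12]) if len(f) > 12 and f[12] else 0,
                    }


def reduce_flows(raw_json):
    """Aggregate tuples by (src, dst, dst_port, protocol): one reduced entry per
    conversation, counting flows and verdicts and summing the reported bytes."""
    reduced = {}
    for f in parse_flow_tuples(raw_json):
        key = (f["src"], f["dst"], f["dst_port"], f["protocol"])
        entry = reduced.setdefault(key, {"flows": 0, "allowed": 0, "denied": 0,
                                         "bytes": 0, "rules": set()})
        if f["state"] in ("B", ""):       # count a flow once, at its begin record
            entry["flows"] += 1
            entry["allowed" if f["decision"] == "Allowed" else "denied"] += 1
        entry["bytes"] += f["bytes_s2d"] + f["bytes_d2s"]
        entry["rules"].add(f["rule"])
    return reduced


def top_denied(reduced):
    """(src, dst, dst_port, denied count) rows, largest first: the usual first
    question asked of a day's flow logs."""
    rows = [(src, dst, port, e["denied"]) for (src, dst, port, _), e in reduced.items() if e["denied"]]
    return sorted(rows, key=lambda r: -r[3])


if __name__ == "__main__":
    for (src, dst, port, proto), e in reduce_flows(SAMPLE_FLOW_LOG).items():
        print(f"{src} -> {dst}:{port}/{proto}: {e['flows']} flows, "
              f"{e['allowed']} allowed, {e['denied']} denied, {e['bytes']} bytes, rules={sorted(e['rules'])}")
```

On this input the five raw tuples collapse to two reduced entries: the Host 1 to Host 2 web traffic (two flows, all allowed, 10800 bytes once the end record is counted) and two denied SSH attempts from 203.0.113.7. The same reduction applied to a real hour of logs is what turns tens of thousands of tuples into the handful of rows a dashboard or an alert rule can work with.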

The diagram below illustrates the data flow:


The key components of Traffic Analytics are:

To analyze traffic, you need to have an existing network watcher, or enable a network watcher in each region that has NSGs whose traffic you want to analyze. Traffic Analytics can be enabled for NSGs hosted in any of the supported regions.

Before enabling NSG flow logging, you must have a network security group to log flows for. If you do not have a network security group, you must create one using the Azure portal, the Azure CLI, or PowerShell.

To view Traffic Analytics, search for Network Watcher in the portal search bar. In Network Watcher, to explore traffic analytics and its capabilities, select Traffic Analytics from the left menu.

The example screenshot below shows the Traffic Analytics dashboard.


Check your knowledge

Which of the following statements about Network Watcher is correct?

Network Watcher must be manually enabled for each virtual network.

Network Watcher is enabled by default for all regions.

Network Watcher is enabled automatically when you create a virtual network.

Which of the following is a component of Traffic Analytics?

Backend pool

Network security group (NSG) flow logs

Availability zones