Understanding Azure Network Watcher

Sometimes there are situations where it becomes difficult to identify problems and troubleshoot due to an error in the configuration in on-prem networks. Similarly, when you create a flexible yet complex setup in Azure to connect many virtual machines (VMs), it may cause connectivity issues. In this case, a network watcher can help to diagnose and troubleshoot the problem at the network level.

In this article, we will discuss Azure Network Watcher and how it works.

What is Azure Network Watcher?

Azure Network Watcher has the tools to diagnose, monitor, enable or disable logs for resources, and view metrics in an Azure virtual Network. It is made for monitoring and repairing the network health of IaaS products, including Virtual Networks, Load balancers, Virtual Machines, etc. 

It must be noted that Network Watchers does not suit Platform-as-a-Service (PaaS) services or Web Analytics. You may check Azure services such as Log Analytics, Application insights, or Azure Monitor to monitor PaaS resources. 

Elements of Azure Network Watcher 

There are several tools in Network Watcher to manage IaaS resources. These tools are given below.


The monitoring tool in Network Watcher is used to monitor communication between an endpoint and a virtual machine. Also, it helps view resources in a virtual network and their relationships. 

Monitor communication between a virtual machine and an endpoint

Network Watcher can monitor different endpoints, including virtual machines, an IPv4 address, uniform resource identifiers (URI), or a fully qualified domain name. The connection monitor informs you about the reachability, changes in network topology, and latency between the endpoint and the VM by monitoring communication at regular intervals.

The connection troubleshoot will inform you of the reason if any endpoint is unreachable. Some potential reasons can be the CPU, a DNS name resolution problem, memory, or a firewall within the OS of a virtual machine.

The network performance monitor can verify and inform you about the performance between multiple network infrastructure endpoints. Also, it uses a VPN or Azure ExpressRoute to monitor network links to on-prem infrastructure.

View resources in a virtual network and their relationship

With more resources in a virtual network, it may become difficult to understand what resources are present in a network and their relation with each other. The network topology capability in the Network Watcher lets you make a visual diagram of those resources and the relationship between them. Following is an illustration of a topology diagram for a virtual network, having two VMs, network security groups, three subnets, public IP addresses, route tables, network interfaces, and their relationship with each other.


Network Security Groups (NSG) have rules to determine if the network traffic can flow between two endpoints or not. Diagnostic tools enable you to:

Diagnose a network traffic filtering problem to or from a virtual machine

When deploying a virtual machine, Azure places multiple default security rules to the virtual machine that enables or denies traffic to or from it. Azure allows you to override default rules or make additional ones. The IP flow verify capability allows you to specify a resource and destination protocol, port, IPv4 addresses, and inbound and outbound traffic direction.

Diagnose outbound connections from a virtual machine

The connection troubleshoot capability in diagnostic tools allows you to test a connection between a virtual machine and an FQDN, another VM, a URI, or an IPv4 address. This test will return the same information returned using the connection monitor capability.

Diagnose network routing problems for a virtual machine

Azure makes multiple default outbound routes for network traffic when a virtual network is created. This traffic from all resources, including virtual machines, deployed in a virtual network, is directed based on the default routes. Also, you can override or create more Azure default routes. 

Capture packets to and from a virtual machine

This includes fine-tuned controls and advanced filtering options, including the capability to set size limitations and time and provide versatility. You can store the capture on the VM’s disk, in Azure Storage, or both. 

Diagnose problems with the Azure virtual network gateway and connections

Virtual network gateway enables connectivity between Azure virtual networks and on-prem resources. Monitoring the gateway and its connections is necessary to make sure communication is stable. The VPN diagnostic capability enables you to diagnose connections and gateways.

Logging Capabilities 

Network monitoring logs enable you to examine traffic to or from an NSG. Network security group allows or denies internal or external traffic to a network interface in a virtual machine. Also, you can get insights into diagnostic logs for Azure networking resources, including public IP addresses, NSGs, load balancers, and application gateways. 

Go through the image below to get information about traffic analytics from NSG flow log data.

Network Watcher Automatic Enablement

To automatically enable Network Watcher in your Virtual Network’s region, create or update a virtual network. Automatically enabling Network Watcher doesn’t charge or impact your resources. You may check Network Watcher create for more information. 

Plan Your Log Maintenance & Diagnostics with Awsome LLC Cloud Solutions!

While Azure Network Watcher is a free resource for diagnosing and troubleshooting network problems in your environment, using multiple components does have a cost. Planning accordingly may become a tiresome task. Put your trust in Awsome LLC to handle Azure-associated concerns.

Awsome LLC provides Azure consulting services to assist you with planning migrations, creating Azure-based apps, and reducing redundant cloud-associated costs. To learn more about our services, book a free demo today!

Leave a Reply

Your email address will not be published. Required fields are marked *