Azure Network Watcher and Monitoring

Azure Network Watcher is a suite of monitoring, diagnostic, and analytics tools designed to help you understand, diagnose, and gain insights into your Azure networking. It is your primary toolkit for troubleshooting connectivity issues, analysing traffic patterns, and ensuring your network is healthy and secure.

---

What Is Network Watcher?

Network Watcher is a regional service automatically enabled in every Azure region where you have networking resources. It provides tools across three categories:

Category	Purpose
Monitoring	Visualise and track network topology and health.
Diagnostics	Troubleshoot connectivity, routing, and security issues.
Traffic analytics	Analyse traffic flow patterns and detect anomalies.

---

Monitoring Tools

Topology

The Topology view provides a visual map of your network resources and their relationships — VNets, subnets, NICs, VMs, NSGs, load balancers, and gateways.

This interactive diagram helps you:

• Understand how resources are connected
• Identify missing or misconfigured associations
• Document your network architecture

Connection Monitor

Connection Monitor continuously tests connectivity between sources and destinations, alerting you when connections fail or latency exceeds thresholds.

Supported sources:

• Azure VMs
• Azure VMSSs
• On-premises machines (via Log Analytics agent)

Supported destinations:

• Azure VMs
• Azure endpoints (Storage, SQL)
• External URLs or IP addresses
• Any IP:port combination

Use cases:

• Monitor VM-to-VM connectivity across VNets
• Track latency between a web tier and a database tier
• Verify VPN or ExpressRoute tunnel health
• Alert when an endpoint becomes unreachable

Flow Logs

NSG Flow Logs capture metadata about traffic flowing through Network Security Groups:

• Source and destination IP addresses
• Source and destination ports
• Protocol (TCP/UDP)
• Whether traffic was allowed or denied
• Flow direction
• Bytes and packets transferred

Flow logs are stored in an Azure Storage account as JSON files. They are the raw data source for Traffic Analytics.

VNet Flow Logs are the next generation, capturing traffic at the VNet level (not just NSG), including traffic between VMs in the same subnet.

---

Diagnostic Tools

IP Flow Verify

IP Flow Verify tests whether a packet is allowed or denied by your NSGs. You specify:

• Source VM and IP
• Destination IP and port
• Protocol

It tells you:

• Whether the traffic is allowed or denied
• Which NSG rule caused the decision

This is the fastest way to diagnose "why can't VM A reach VM B?" problems.

Next Hop

Next Hop shows you the next hop for a packet leaving a specific VM. This helps you understand and troubleshoot routing, especially when you have:

• Custom route tables (UDRs)
• Network virtual appliances (firewalls)
• BGP routes from VPN or ExpressRoute gateways

The result shows the next hop type (VNet, internet, virtual appliance, etc.) and the next hop IP address.

Effective Security Rules

Effective Security Rules aggregates all NSG rules applied to a NIC — from both subnet-level and NIC-level NSGs — and shows the effective set of rules after combining and ordering them.

This is essential when you have NSGs at both levels and need to understand the resulting security posture.

Connection Troubleshoot

Connection Troubleshoot performs a one-time connectivity check between a source and destination, reporting:

• Reachability (success or failure)
• Latency
• Number of hops
• Each hop's latency and issues

Think of it as a cloud-native traceroute with NSG awareness.

Packet Capture

Packet Capture records packets on a VM's NIC for analysis. Captures are stored as .cap files (compatible with Wireshark).

Use cases:

• Deep-dive investigation of application issues
• Verifying encryption or protocol behaviour
• Capturing traffic for compliance or forensic analysis

You can filter captures by: