Azure Network Watcher

Azure Network Watcher is a comprehensive network monitoring and diagnostic tool provided by Microsoft Azure, designed to help you monitor, diagnose, and gain insights into your Azure network resources. It provides several tools and features to troubleshoot network issues, analyze traffic flow, and improve network security and performance. Here’s a detailed beginner’s guide to Azure Network Watcher, covering its concepts, features, setup, configuration, management, monitoring, and examples.

1. Overview of Azure Network Watcher

Azure Network Watcher enables you to monitor, diagnose, and gain insights into your network environment in Azure. It helps with troubleshooting connectivity issues, understanding network topology, capturing network traffic, and ensuring security. Network Watcher can be enabled per region and allows you to perform diagnostics on resources in that specific region.

Key Use Cases for Azure Network Watcher:

• Diagnosing network connectivity issues in Virtual Networks (VNets).
• Monitoring packet flow between virtual machines.
• Checking security and compliance through security group view.
• Troubleshooting VPN Gateway and Azure Firewall.

2. Core Concepts and Features

Azure Network Watcher includes several tools and features:

• Connection Monitor: Monitors end-to-end connectivity between source and destination resources, such as VMs or URLs.
• IP Flow Verify: Tests whether a packet is allowed or denied through a Network Security Group (NSG) rule.
• Next Hop: Identifies the next hop in the route that network traffic will take to reach a destination.
• Network Topology: Provides a visual representation of your network resources.
• Security Group View: Displays effective NSG rules for a VM or subnet.
• Network Performance Monitor (NPM): Monitors latency, packet loss, and connectivity between network resources.
• Packet Capture: Captures network traffic data for further analysis, useful for deep troubleshooting.
• VPN Troubleshoot: Diagnoses issues with Azure VPN Gateway connections.

3. Step-by-Step Guide to Setting Up and Using Azure Network Watcher

Step 1: Enable Network Watcher in Your Region

1. Go to the Azure portal.
2. Search for Network Watcher in the search bar and select it.
3. Under Network Watcher in the left-hand menu, select Network Watcher and enable it for each region where you want to monitor network resources.

Once enabled, you can access Network Watcher’s tools and start using them for diagnostics.

Step 2: Using Connection Monitor for End-to-End Connectivity

The Connection Monitor feature allows you to test connectivity between two endpoints, such as VMs or an external IP address.

1. In Network Watcher, select Connection Monitor > + New Connection Monitor.
2. Enter the following details:

• Name: Provide a name for the monitor (e.g., VMConnectivityMonitor).
• Region: Choose the region where Network Watcher is enabled.

1. Configure Source and Destination:

• Source: Choose the source resource (e.g., a virtual machine).
• Destination: Enter the destination resource, which could be another VM, a public IP, or a URL.

1. Add Alert Settings: Define thresholds for packet loss, latency, and round-trip time (RTT) to trigger alerts if they are exceeded.
2. Select OK to start monitoring. Network Watcher will continuously monitor the connection, and you can view real-time results under Connection Monitor.

Step 3: Verify Network Security Group (NSG) Rules with IP Flow Verify

IP Flow Verify helps you test if a specific traffic flow is allowed or denied by the NSG rules associated with a VM’s network interface.

1. In Network Watcher, select IP Flow Verify.
2. Choose the Network Interface of the VM to test and enter details for the traffic flow:

• Direction: Choose Inbound or Outbound.
• Protocol: Select TCP or UDP.
• Local IP and Remote IP: Enter the source and destination IP addresses.
• Local Port and Remote Port: Enter the ports being used.

1. Select Check. IP Flow Verify will display whether the traffic is allowed or denied and which NSG rule is responsible.

Step 4: Determine Next Hop for Network Traffic

The Next Hop tool helps determine the next hop IP address and route taken by traffic from a specific source to a destination, which is helpful in troubleshooting routing issues.

1. In Network Watcher, select Next Hop.
2. Choose the Network Interface of the VM to test and enter the destination IP Address.
3. Select Next Hop to view the next hop information. This helps identify if the traffic follows the correct path or is misrouted.

Step 5: Visualize Network Topology

The Network Topology tool provides a visual diagram of your network resources, helping you understand their interconnections and relationships.

1. In Network Watcher, select Topology.
2. Choose your Subscription, Resource Group, and Virtual Network to visualize.
3. View the network topology map, which shows resources like VMs, subnets, and network interfaces, with connections between them.

Step 6: Capture Network Packets for Deep Analysis

Packet Capture allows you to capture and inspect network traffic on a VM to troubleshoot complex networking issues.

1. In Network Watcher, select Packet Capture > + Add.
2. Choose the Target VM where you want to capture traffic.
3. Define Capture Settings:

• Capture name
• Protocol (TCP, UDP, or both)
• Storage Account where the capture file will be saved.

1. Optionally, set Filters (e.g., IP address, port number) to capture specific traffic.
2. Select OK to start capturing. Once the capture is complete, download the file from the storage account to analyze using tools like Wireshark.

Step 7: Diagnose VPN Connectivity Issues

The VPN Troubleshoot tool helps you diagnose issues with Azure VPN Gateway connections.

1. In Network Watcher, select VPN Troubleshoot.
2. Select your VPN Gateway and the specific connection you want to diagnose.
3. Run the troubleshooting process to identify issues such as misconfigurations, connectivity problems, or authentication failures. Network Watcher provides detailed logs to assist in identifying and fixing the problem.

4. Managing and Monitoring Azure Network Watcher Tools

Enabling Diagnostics and Alerts

Network Watcher integrates with Azure Monitor and Log Analytics to monitor diagnostics and set alerts for different network metrics, including packet loss, latency, and VM connection issues.

1. Go to Network Watcher > Diagnostics Settings.
2. Select the resources (e.g., VMs, VNets) you want to monitor, and enable diagnostic logging.
3. Choose a Log Analytics Workspace to store the logs and set up alerts based on log entries.

Setting Up Custom Alerts

1. In Azure Monitor, go to Alerts > + New Alert Rule.
2. Select a target resource (e.g., VM, connection) and define a condition, such as monitoring latency or packet loss.
3. Choose Actions to send notifications when an alert is triggered.

Viewing and Analyzing Logs

1. Go to Log Analytics Workspace and enter queries to filter logs by IP, port, protocol, and actions (allow, deny, etc.).
2. Use Network Performance Monitor (NPM) to view detailed insights and historical data, such as average latency, RTT, and packet loss.

5. Working and Usage Examples

Example 1: Troubleshooting a VM Connection Issue with Connection Monitor

Suppose an application hosted on a VM isn’t accessible to users, and you need to troubleshoot connectivity:

1. Use Connection Monitor to test the connection between the VM and the client’s IP address.
2. Check for any alerts indicating packet loss or latency issues.
3. If issues are found, use IP Flow Verify to check if an NSG rule is blocking the traffic.
4. Adjust the NSG rule if necessary to allow the connection.

Example 2: Ensuring Web Traffic Reaches the Correct Server Using Next Hop

You want to verify that web traffic is routed correctly to a specific VM in a VNet.

1. Use Next Hop to trace the route from the source IP to the destination IP.
2. Check if the next hop corresponds to the expected network resource, such as the VM’s IP address.
3. If traffic is misrouted, check and update route tables as needed.

Example 3: Capturing Network Traffic for a Web Application

You need to inspect incoming HTTP requests to your web server for potential security issues:

1. Use Packet Capture on the VM hosting the web application.
2. Set filters for HTTP traffic (port 80 or 443).
3. Analyze the captured data to identify suspicious patterns or unauthorized IP addresses accessing the server.

Example 4: Diagnosing a VPN Gateway Connectivity Issue

Suppose users are having trouble connecting to your corporate network through a VPN Gateway.

1. Use VPN Troubleshoot to analyze the VPN connection.
2. Review logs for common issues, such as authentication errors or IP address conflicts.
3. Fix any identified issues and rerun the VPN troubleshoot tool to ensure the problem is resolved.

6. Best Practices for Using Azure Network Watcher

• Enable Network Watcher in All Regions: Make sure Network Watcher is enabled in each region where you have resources to monitor all network activity.
• Use Alerts for Critical Network Issues: Set up alerts for latency, packet loss, and connection failures to get proactive notifications.
• Capture Only Necessary Traffic: When using Packet Capture, filter traffic by IP, port, or protocol to avoid excessive data collection.
• Regularly Review Topology Diagrams: Use Network Topology to verify that your resources are connected as expected.
• Secure Diagnostic Logs: Store logs in a secure Log Analytics Workspace and restrict access to sensitive data.
• Run Periodic Connectivity Checks: Use Connection Monitor to perform regular tests and identify any latency issues or downtime early.

Summary

Azure Network Watcher provides a comprehensive suite of diagnostic tools and monitoring capabilities to troubleshoot and optimize network resources in Azure. By following this guide, you can effectively set up, configure, and use Network Watcher to ensure secure, reliable, and efficient network operations. Whether you’re diagnosing connection issues, monitoring traffic, or analyzing network performance, Network Watcher is a valuable tool for maintaining the health and security of your Azure environment.