Network Watcher is an Azure service that monitors and diagnoses network conditions within, to, and from Azure. It provides tools to visualize network topology, diagnose networking issues, measure network performance metrics, and view logs. Key capabilities include packet capture, IP flow verification, security group view, next hop investigation, and VPN troubleshooting. Network Watcher helps you understand and gain insight into your Azure networks.
3. WHAT IS AZURE NETWORK WATCHER?
Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring lets you diagnose problems from an end-to-end view of the network rather than one resource at a time. The network diagnostic and visualization tools in Network Watcher help you understand, diagnose, and gain insight into your network in Azure.
4. AZURE NETWORK WATCHER
General Availability in Regions
https://azure.microsoft.com/en-us/regions/services/
Pricing
Documentation
https://docs.microsoft.com/en-us/azure/network-watcher/
Accessibility
Azure Network Watcher Extension
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-nwa
5. AZURE NETWORK WATCHER
Topology: visualize your network topology
Network Diagnostics: diagnostic tools for networking-related issues
Metrics: measure and view your network performance and health
Logs: configure and view your logs
6. GETTING STARTED
Register the feature and re-register the resource provider:
Register-AzureRmProviderFeature -FeatureName AllowNetworkWatcher -ProviderNamespace Microsoft.Network
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
Enable Network Watcher per region
Packet capture extension enabled per virtual machine
7. AZURE NETWORK WATCHER - TOPOLOGY
9. AZURE NETWORK WATCHER - NETWORK DIAGNOSTICS
14. VPN TROUBLESHOOTING
Troubleshoot VPN gateways and connections
Curate logs relevant to the VPN state
{
  "startTime": "2017-01-12T10:31:41.562646-08:00",
  "endTime": "2017-01-12T18:31:48.677Z",
  "code": "Degraded",
  "results": [
    {
      "id": "PlatformInActive",
      "summary": "We are sorry, your VPN gateway is in standby mode",
      "detail": "During this time the gateway will not initiate or accept VPN connections with on premises VPN devices or other Azure VPN Gateways. This is a transient state while the Azure platform is being updated.",
      "recommendedActions": [
        {
          "actionText": "If the condition persists, please try resetting your Azure VPN gateway",
          "actionUri": "https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-resetgw-classic/",
          "actionUriText": "resetting the VPN Gateway"
        },
        {
          "actionText": "If your VPN gateway isn't up and running by the expected resolution time, contact support",
          "actionUri": "http://azure.microsoft.com/support",
          "actionUriText": "contact support"
        }
      ]
    }
  ]
}
15. AZURE NETWORK WATCHER - METRICS
17. AZURE NETWORK WATCHER - LOGS
18. NETWORK SECURITY GROUP FLOW LOGS
View traffic through an NSG
Logs formatted in JSON
Saved to a storage blob
19. DIAGNOSTIC LOGS
You can now configure diagnostic logs for all the network resources in a resource group from a single pane.
21. CURRENT LIMITATIONS
Topology mapper only shows items that are in the same resource group as the VNet
If the resource group is not in a supported region, even though the VNet contained within it is, you will see the error "No network watcher present in region: <REGION>"
When performing a packet capture and using the File location, the capture is still stored/written to Azure Storage only
Because this feature is in Public Preview, you need to register the provider in your Azure subscription via PowerShell
After registering the provider, you also need to enable Network Watcher per Azure region
Finally, you need to have the packet capture extension installed/enabled per virtual machine
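The three enablement steps (register the provider, create a watcher per region, install the agent extension per VM) from slide 6 and the limitations above, carried through end to end as an added example. This is not code from the deck; region, resource group, VM and storage names are assumptions, and the extension version and parameter names follow the AzureRM.Network module of that era, so confirm them with Get-Help in your module version.

```powershell
# Added example: enable Network Watcher for one region and one VM with AzureRM cmdlets.
# Assumed names: region westus, VM web01 in resource group app-rg, watcher RG NetworkWatcherRG.
$region = "westus"
$vmRg   = "app-rg"
$vmName = "web01"
$nwRg   = "NetworkWatcherRG"

# 1. Register the preview feature, then re-register the provider so the new
#    resource type (Microsoft.Network/networkWatchers) is exposed to the subscription.
Register-AzureRmProviderFeature -FeatureName AllowNetworkWatcher -ProviderNamespace Microsoft.Network
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

# Registration is asynchronous: poll until the feature reports Registered.
do {
    Start-Sleep -Seconds 10
    $state = (Get-AzureRmProviderFeature -FeatureName AllowNetworkWatcher `
                 -ProviderNamespace Microsoft.Network).RegistrationState
    "AllowNetworkWatcher: $state"
} until ($state -eq "Registered")

# 2. Enable Network Watcher in the region. There is one watcher per region per
#    subscription, so reuse an existing one instead of failing on a duplicate.
$nw = Get-AzureRmNetworkWatcher -ResourceGroupName $nwRg -ErrorAction SilentlyContinue |
      Where-Object { $_.Location -eq $region }
if (-not $nw) {
    if (-not (Get-AzureRmResourceGroup -Name $nwRg -ErrorAction SilentlyContinue)) {
        New-AzureRmResourceGroup -Name $nwRg -Location $region | Out-Null
    }
    $nw = New-AzureRmNetworkWatcher -Name "NetworkWatcher_$region" -ResourceGroupName $nwRg -Location $region
}
"Watcher $($nw.Name) in $($nw.Location): $($nw.ProvisioningState)"

# 3. Install the packet capture agent on the VM. Windows shown; the Linux
#    extension type is NetworkWatcherAgentLinux. Version 1.4 is an assumption.
$vm = Get-AzureRmVM -ResourceGroupName $vmRg -Name $vmName
Set-AzureRmVMExtension -ResourceGroupName $vmRg -Location $vm.Location -VMName $vmName `
    -Name "AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" `
    -ExtensionType "NetworkWatcherAgentWindows" -TypeHandlerVersion "1.4" | Out-Null

# Confirm the agent provisioned before relying on packet capture against this VM.
$ext = Get-AzureRmVMExtension -ResourceGroupName $vmRg -VMName $vmName -Name "AzureNetworkWatcherExtension"
"$($ext.Name) on $vmName : $($ext.ProvisioningState)"
```

Run it once per region you intend to diagnose from; the agent step repeats for every VM you want to capture on, which is why the deck lists it as a per-VM limitation.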
Visualize the complete network topology of your application
Topology returns the resource objects on a per-virtual-network basis
The resources returned in the portal view are a subset of the networking components that are graphed; to see the full list of networking resources, use PowerShell or REST
PowerShell will also list the NSG rules
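Because the portal graph is only a subset of what the topology API returns, the full list is worth pulling from PowerShell. The following added example (not from the deck) walks the Get-AzureRmNetworkWatcherTopology output for a resource group, prints every node with its edges, and then flags subnets and NICs that have no NSG bound to them from either direction. Resource names are assumptions, as is the reliance on the graph reporting NSG bindings as "Associated" edges.

```powershell
# Added example: enumerate the topology graph and find unprotected subnets/NICs.
# Assumed names: watcher NetworkWatcher_westus in NetworkWatcherRG, target RG app-rg.
$nw = Get-AzureRmNetworkWatcher -Name "NetworkWatcher_westus" -ResourceGroupName "NetworkWatcherRG"
$topology = Get-AzureRmNetworkWatcherTopology -NetworkWatcher $nw -TargetResourceGroupName "app-rg"

# Flatten the graph into (from, to, type) edges so direction does not matter later.
$edges = foreach ($res in $topology.Resources) {
    foreach ($a in $res.Associations) {
        [pscustomobject]@{ From = $res.Id; To = $a.ResourceId; Type = $a.AssociationType }
    }
}

# Full node/edge listing (more than the portal draws).
foreach ($res in $topology.Resources) {
    "{0}  [{1}]" -f $res.Name, (($res.Id -split "/providers/")[-1])
    foreach ($a in $res.Associations) { "    {0,-10} -> {1}" -f $a.AssociationType, $a.Name }
}

# Security check: a subnet or NIC is protected if an "Associated" edge links it to an NSG,
# whichever side of the edge the NSG sits on.
$nsgPattern = "/networkSecurityGroups/"
$protectedIds = $edges |
    Where-Object { $_.Type -eq "Associated" -and ($_.From -match $nsgPattern -or $_.To -match $nsgPattern) } |
    ForEach-Object { if ($_.From -match $nsgPattern) { $_.To } else { $_.From } }

$topology.Resources |
    Where-Object { $_.Id -match "/(subnets|networkInterfaces)/" -and $protectedIds -notcontains $_.Id } |
    ForEach-Object { "NO NSG BOUND: $($_.Name) ($($_.Id))" }
```

A NIC with no NSG on it or on its subnet is exposed to whatever the platform default rules allow, so an empty result from the last pipeline is the state you want.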
Create packet capture sessions to track traffic to and from a virtual machine
Diagnose network anomalies both reactively and proactively
Use cases include gathering network statistics, investigating network intrusions, debugging client-server communications, and much more
Automate packet captures with virtual machine alerts
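A filtered capture is what you actually want when investigating a suspected intrusion, since an unfiltered one fills the byte budget with noise. The following added example (not from the deck) starts a capture on a VM that only records inbound TCP to the RDP and SSH ports, caps packet and session size, polls the session until it stops, and prints where the .cap landed. Resource names are assumptions; parameter names follow the AzureRM.Network cmdlets.

```powershell
# Added example: filtered packet capture of admin-port traffic to one VM.
# Assumed names: watcher NetworkWatcher_westus, VM web01 and storage account appdiagsa in app-rg.
$nw = Get-AzureRmNetworkWatcher -Name "NetworkWatcher_westus" -ResourceGroupName "NetworkWatcherRG"
$vm = Get-AzureRmVM -ResourceGroupName "app-rg" -Name "web01"
$sa = Get-AzureRmStorageAccount -ResourceGroupName "app-rg" -Name "appdiagsa"

# Filters are ORed together. Local* is the VM side of the 5-tuple, Remote* the peer.
# Any remote address is allowed to match; only the local port is constrained.
$rdp = New-AzureRmPacketCaptureFilterConfig -Protocol TCP -LocalPort "3389"
$ssh = New-AzureRmPacketCaptureFilterConfig -Protocol TCP -LocalPort "22"

$capName = "admin-ports-" + (Get-Date -Format "yyyyMMdd-HHmmss")
New-AzureRmNetworkWatcherPacketCapture -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -PacketCaptureName $capName -StorageAccountId $sa.Id `
    -TimeLimitInSeconds 300 `              # stop after 5 minutes
    -BytesToCapturePerPacket 128 `         # headers only; enough to see who talked to which port
    -TotalBytesPerSession 104857600 `      # hard cap of 100 MB for the session
    -Filter $rdp, $ssh | Out-Null

# Poll until the session leaves the Running state (time or byte limit reached).
do {
    Start-Sleep -Seconds 15
    $status = Get-AzureRmNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $capName
    "$capName : $($status.PacketCaptureStatus)"
} while ($status.PacketCaptureStatus -eq "Running")

# To cut a session short instead of waiting for the limits:
# Stop-AzureRmNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $capName

# The capture file is written to the storage account (by default under the
# network-watcher-logs container); download it with Get-AzureStorageBlobContent
# and open it in Wireshark.
"Capture stored at: $($status.StorageLocation.StoragePath)"
if ($status.PacketCaptureError) { "Errors: $($status.PacketCaptureError -join '; ')" }
```

Note that even when the File location option is selected, the limitations slide states the capture is still written to Azure Storage only, so the storage path is the place to look.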
DEMO
Checks whether a packet is allowed or denied to or from a virtual machine based on 5-tuple information
Takes direction, protocol, local IP, remote IP, local port, and remote port, and returns whether the packet is allowed or denied together with the security rule that made the decision
Network Security Group view returns all the configured NSGs and rules that are associated at the NIC and subnet level.
In addition, the effective security rules are returned for each of the NICs in a VM.
Assess a VM for network vulnerabilities such as open ports.
Validate that your Network Security Group is working as expected by comparing the configured security rules with the effective security rules.
A download button is provided to easily download all the security rules into a CSV file.
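IP flow verify and security group view answer two halves of the same question: what the NSGs are configured to do, and what they actually enforce for a given packet. The following added example (not from the deck) serves both passages above. It probes a VM with IP flow verify for unsolicited Internet connections to four admin ports and names the deciding rule, then pulls the security group view, compares configured against effective rule counts per NIC, flags effective inbound allow rules that are open to any source on any port, and exports the effective rules to CSV as the portal's download button would. Resource names and the probe addresses are assumptions; property paths follow the documented output shape of the cmdlets.

```powershell
# Added example: IP flow verify plus security group view for one VM.
# Assumed names: watcher NetworkWatcher_westus, VM web01 with NIC web01-nic in app-rg.
$nw  = Get-AzureRmNetworkWatcher -Name "NetworkWatcher_westus" -ResourceGroupName "NetworkWatcherRG"
$vm  = Get-AzureRmVM -ResourceGroupName "app-rg" -Name "web01"
$nic = Get-AzureRmNetworkInterface -ResourceGroupName "app-rg" -Name "web01-nic"
$localIp = $nic.IpConfigurations[0].PrivateIpAddress

# --- IP flow verify: 5-tuple probes for inbound connections from an Internet host.
#     203.0.113.10 is a TEST-NET-3 address used here as a stand-in "attacker".
$probes = @(
    @{ Port = 3389; Label = "RDP" },
    @{ Port = 22;   Label = "SSH" },
    @{ Port = 1433; Label = "MSSQL" },
    @{ Port = 445;  Label = "SMB" }
)
foreach ($p in $probes) {
    $r = Test-AzureRmNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
            -TargetNetworkInterfaceId $nic.Id -Direction Inbound -Protocol TCP `
            -LocalIPAddress $localIp -LocalPort $p.Port `
            -RemoteIPAddress "203.0.113.10" -RemotePort 50000
    "{0,-6} inbound from Internet: {1,-5} (decided by rule: {2})" -f $p.Label, $r.Access, $r.RuleName
}

# --- Security group view: configured (NIC + subnet) vs effective rules per NIC.
$view = Get-AzureRmNetworkWatcherSecurityGroupView -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id
foreach ($n in $view.NetworkInterfaces) {
    $assoc = $n.SecurityRuleAssociations
    $configured = @( (@($assoc.NetworkInterfaceAssociation.SecurityRules) +
                      @($assoc.SubnetAssociation.SecurityRules)) | Where-Object { $_ } )
    $effective  = @($assoc.EffectiveSecurityRules)
    $nicName = $n.Id.Split('/')[-1]
    "NIC $nicName : $($configured.Count) configured user rules, $($effective.Count) effective rules (defaults included)"

    # Effective inbound allows from any source to any destination port deserve a second look.
    $effective | Where-Object {
        $_.Access -eq "Allow" -and $_.Direction -eq "Inbound" -and
        $_.SourceAddressPrefix -in @("*", "Internet", "0.0.0.0/0") -and
        $_.DestinationPortRange -eq "*"
    } | ForEach-Object { "  WIDE OPEN: $($_.Name) (priority $($_.Priority), protocol $($_.Protocol))" }

    # Same data the portal's CSV download gives you, for offline diffing between runs.
    $effective | Export-Csv -Path "effective-rules-$nicName.csv" -NoTypeInformation
}
```

Keep the exported CSV from a known-good baseline; diffing it against a fresh export is the quickest way to notice that a rule was added at a higher priority than your deny.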
Next hop returns the next hop type and IP address for a packet from a specific virtual machine and NIC
Helps determine whether the packet is being directed to the destination or the traffic is being black-holed
Next hop also returns the route table associated with the next hop
When querying a next hop, if the route is defined as a user-defined route, that route will be returned
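To make the black-hole and user-defined-route points concrete, the following added example (not from the deck) queries next hop from one VM NIC for several destinations and annotates the result: a next hop type of None means no route matches and the traffic is dropped, VirtualAppliance means a UDR is forcing it through an NVA, and a route table ID other than the system route identifies the UDR that won. Resource names and the destination list are assumptions.

```powershell
# Added example: next hop lookup for several destinations from one VM NIC.
# Assumed names: watcher NetworkWatcher_westus, VM web01 with NIC web01-nic in app-rg.
$nw  = Get-AzureRmNetworkWatcher -Name "NetworkWatcher_westus" -ResourceGroupName "NetworkWatcherRG"
$vm  = Get-AzureRmVM -ResourceGroupName "app-rg" -Name "web01"
$nic = Get-AzureRmNetworkInterface -ResourceGroupName "app-rg" -Name "web01-nic"
$src = $nic.IpConfigurations[0].PrivateIpAddress

# Constructed destination set: a VNet peer, an on-prem host behind the VPN gateway,
# a public resolver, and an address expected to be forced through an NVA.
$dests = @("10.0.1.4", "192.168.10.5", "8.8.8.8", "172.16.5.10")

foreach ($d in $dests) {
    $hop = Get-AzureRmNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
               -TargetNetworkInterfaceId $nic.Id -SourceIPAddress $src -DestinationIPAddress $d

    $via = if ($hop.NextHopIpAddress) { $hop.NextHopIpAddress } else { "-" }
    $line = "{0,-15} -> {1,-22} via {2,-15}" -f $d, $hop.NextHopType, $via

    switch ($hop.NextHopType) {
        "None"                  { $line += "  BLACK HOLE: no matching route, traffic is dropped" }
        "VirtualAppliance"      { $line += "  forced through NVA (check the appliance is actually forwarding)" }
        "VirtualNetworkGateway" { $line += "  leaves via VPN/ExpressRoute gateway" }
        "Internet"              { $line += "  egresses directly to the Internet" }
    }
    # RouteTableId is the literal "System Route" when no UDR applied; otherwise it is the UDR's resource ID.
    if ($hop.RouteTableId -and $hop.RouteTableId -ne "System Route") {
        $line += "  [UDR: $($hop.RouteTableId.Split('/')[-1])]"
    }
    $line
}
```

A destination that should reach the on-prem range but comes back as Internet or None is the classic symptom of a missing or mis-prefixed UDR, and this loop shows it in one pass rather than one portal query per address.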
Network Watcher diagnoses the health of the virtual network gateway or connection and returns the appropriate results
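The result object from gateway troubleshooting has the same shape as the JSON on slide 14 (code, results with id/summary/detail, and recommendedActions). The following added example (not from the deck) runs the troubleshooting operation against a VPN gateway, writes the log bundle to a blob path, prints the findings and recommended actions for any non-healthy code, and then lists the gateway's connections, since a healthy gateway can still carry a connection that is not Connected. Resource names are assumptions, as is treating every code other than "Healthy" as needing attention (the slide shows "Degraded"; other values exist).

```powershell
# Added example: VPN gateway troubleshooting plus per-connection status.
# Assumed names: watcher NetworkWatcher_westus, gateway hub-vpngw and storage account hubdiagsa in hub-rg.
$nw = Get-AzureRmNetworkWatcher -Name "NetworkWatcher_westus" -ResourceGroupName "NetworkWatcherRG"
$gw = Get-AzureRmVirtualNetworkGateway -ResourceGroupName "hub-rg" -Name "hub-vpngw"
$sa = Get-AzureRmStorageAccount -ResourceGroupName "hub-rg" -Name "hubdiagsa"

# The operation collects gateway logs into the blob path you give it and returns a verdict.
$result = Start-AzureRmNetworkWatcherResourceTroubleshooting -NetworkWatcher $nw `
              -TargetResourceId $gw.Id -StorageId $sa.Id `
              -StoragePath "$($sa.PrimaryEndpoints.Blob)vpn-troubleshoot"

"Gateway $($gw.Name): $($result.Code)  (window $($result.StartTime) to $($result.EndTime))"

if ($result.Code -ne "Healthy") {
    foreach ($r in $result.Results) {
        "  [$($r.Id)] $($r.Summary)"
        "     $($r.Detail)"
        foreach ($a in $r.RecommendedActions) {
            "     -> $($a.ActionText)"
            if ($a.ActionUri) { "        $($a.ActionUri)" }
        }
    }
}

# Connection-level view: the gateway may be fine while a tunnel is stuck in NotConnected.
Get-AzureRmVirtualNetworkGatewayConnection -ResourceGroupName "hub-rg" |
    Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id } |
    ForEach-Object {
        "  connection $($_.Name): $($_.ConnectionStatus)  (type $($_.ConnectionType))"
    }
```

Run the troubleshooter against the connection resource ID instead of the gateway ID to get connection-specific findings such as IKE policy mismatches; the call is the same with a different -TargetResourceId.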
- Allows you to view information about ingress and egress IP traffic through a Network Security Group
- Flow logs are written in JSON format and show outbound and inbound flows on a per-rule basis, the NIC the flow applies to, 5-tuple information about the flow (source/destination IP, source/destination port, protocol), and whether the traffic was allowed or denied
- Logs have a retention policy that can be set from 1 day to 365 days; if a retention policy is not set, the logs are kept forever
- Visualization: Power BI (Network Watcher Power BI flow logs template) or OMS (Azure Network Security Groups Analytics)
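Two things a practitioner wants beyond what the slide states: enabling flow logs with a finite retention (the deck notes that without one the blobs are kept forever), and reading the JSON without waiting for a Power BI or OMS dashboard. The following added example (not from the deck) does both. The enablement part uses AzureRM cmdlets with assumed resource names and parameter names you should confirm with Get-Help; the parsing part runs offline against a constructed sample record in the version-1 flow log layout, where each tuple is epoch,src,dst,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D), and then applies a simple port-scan heuristic over the denied inbound flows.

```powershell
# Added example: enable NSG flow logs with retention, then parse and triage the JSON.
# Assumed names: watcher NetworkWatcher_westus, NSG web-nsg and storage account appdiagsa in app-rg.
$nw  = Get-AzureRmNetworkWatcher -Name "NetworkWatcher_westus" -ResourceGroupName "NetworkWatcherRG"
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName "app-rg" -Name "web-nsg"
$sa  = Get-AzureRmStorageAccount -ResourceGroupName "app-rg" -Name "appdiagsa"

# 30-day retention: bounded storage cost and bounded exposure of connection metadata.
Set-AzureRmNetworkWatcherConfigFlowLog -NetworkWatcher $nw -TargetResourceId $nsg.Id `
    -StorageAccountId $sa.Id -EnableFlowLog $true -EnableRetention $true -RetentionInDays 30 | Out-Null
Get-AzureRmNetworkWatcherFlowLogStatus -NetworkWatcher $nw -TargetResourceId $nsg.Id

# Real logs are blobs in the insights-logs-networksecuritygroupflowevent container
# (fetch with Get-AzureStorageBlobContent). This is a constructed sample in that format.
$sample = @'
{ "records": [ { "time": "2017-02-16T22:00:32.895Z", "category": "NetworkSecurityGroupFlowEvent",
  "resourceId": "/SUBSCRIPTIONS/X/RESOURCEGROUPS/APP-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
  "properties": { "Version": 1, "flows": [
    { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF87856", "flowTuples": [
        "1487282421,198.51.100.7,10.1.0.4,51529,3389,T,I,D",
        "1487282422,198.51.100.7,10.1.0.4,51530,22,T,I,D",
        "1487282423,198.51.100.7,10.1.0.4,51531,445,T,I,D" ] } ] },
    { "rule": "UserRule_allow-https", "flows": [ { "mac": "000D3AF87856", "flowTuples": [
        "1487282430,203.0.113.9,10.1.0.4,40001,443,T,I,A" ] } ] } ] } } ] }
'@

$protoMap = @{ T = "TCP"; U = "UDP" }
$dirMap   = @{ I = "Inbound"; O = "Outbound" }
$decMap   = @{ A = "Allow"; D = "Deny" }

# Expand the nested records/rules/flows/tuples into one flat object per flow.
function ConvertFrom-NsgFlowLog {
    param([string]$Json)
    $doc = $Json | ConvertFrom-Json
    foreach ($rec in $doc.records) {
        foreach ($ruleBlock in $rec.properties.flows) {
            foreach ($f in $ruleBlock.flows) {
                foreach ($t in $f.flowTuples) {
                    $p = $t -split ','
                    [pscustomobject]@{
                        Time      = [DateTimeOffset]::FromUnixTimeSeconds([long]$p[0]).UtcDateTime
                        Nsg       = $rec.resourceId.Split('/')[-1]
                        Rule      = $ruleBlock.rule
                        Mac       = $f.mac          # identifies the NIC the flow applied to
                        Src       = $p[1]
                        Dst       = $p[2]
                        SrcPort   = [int]$p[3]
                        DstPort   = [int]$p[4]
                        Protocol  = $protoMap[$p[5]]
                        Direction = $dirMap[$p[6]]
                        Decision  = $decMap[$p[7]]
                    }
                }
            }
        }
    }
}

$flows = ConvertFrom-NsgFlowLog -Json $sample
$flows | Format-Table Time, Rule, Src, Dst, DstPort, Protocol, Direction, Decision -AutoSize

# Triage: a single source denied on three or more distinct ports looks like a scan.
$flows | Where-Object { $_.Direction -eq "Inbound" -and $_.Decision -eq "Deny" } |
    Group-Object Src |
    Where-Object { @($_.Group.DstPort | Sort-Object -Unique).Count -ge 3 } |
    ForEach-Object { "SCAN SUSPECT $($_.Name): ports $((@($_.Group.DstPort | Sort-Object -Unique)) -join ', ')" }
```

On the constructed sample the heuristic reports 198.51.100.7 probing ports 22, 445 and 3389 while the HTTPS flow from 203.0.113.9 is allowed by the user rule and stays quiet. Version 2 flow logs add flow state and byte/packet counters to each tuple, so extend the split accordingly before pointing this at newer data.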