Az104 — Azure Network Watcher

Setumo Raphela
3 min read · Dec 22, 2020


· Network Watcher is an Azure service that combines tools in a central place to diagnose the health of Azure networks.

· The Network Watcher tools are divided into two categories:

  • Monitoring tools
    • Topology
      • The topology tool generates a graphical display of your Azure virtual network, its resources, its interconnections, and their relationships with each other.
    • Connection Monitor
      • The Connection Monitor tool provides a way to check that connections work between Azure resources.
      • Use this tool to check that two VMs can communicate if you want them to.
      • This tool also measures the latency between resources.
    • Network Performance Monitor
      • The Network Performance Monitor tool enables you to track and alert on latency and packet drops over time.
      • It gives you a centralized view of your network.
      § You can use Network Performance Monitor to monitor endpoint-to-endpoint connectivity:
        • Between branches and datacenters.
        • Between virtual networks.
        • For your connections between on-premises and the cloud.
        • For Azure ExpressRoute circuits.
  • Diagnostic tools
    • IP flow verify
      • The IP flow verify tool tells you if packets are allowed or denied for a specific virtual machine.
      • If a network security group denies a packet, the tool tells you the name of that group so that you can fix the problem.
    • Next hop
      • The next hop tool shows the next destination of network packets.
    • Effective security rules
      • The effective security rules tool in Network Watcher displays all the effective NSG rules applied to a network interface.
    • Packet capture
      • You use the packet capture tool to record all of the packets sent to and from a VM.
    • Connection troubleshoot
      • You use the connection troubleshoot tool to check TCP connectivity between a source and destination VM.
      § Fault types include:
        • CPU. The connection failed because of high CPU utilization.
        • Memory. The connection failed because of high memory utilization.
        • GuestFirewall. The connection was blocked by a firewall outside Azure.
        • DNSResolution. The destination IP address couldn’t be resolved.
        • NetworkSecurityRule. The connection was blocked by an NSG.
        • UserDefinedRoute. There’s an incorrect user route in a routing table.
    • VPN troubleshoot
      • You can use the VPN troubleshoot tool to diagnose problems with virtual network gateway connections.
      • This tool runs diagnostics on a virtual network gateway connection and returns a health diagnosis.

· Only one instance of Network Watcher is required per subscription per region.

· This instance gives you a view of usage and quotas so that you can see if you’re at risk of hitting a quota.

· Network diagnostic logs provide granular data.

· You’ll use this data to understand connectivity and performance issues better.

· There are three log display tools in Network Watcher:

  • NSG flow logs
    • In flow logs, you can view information about ingress and egress IP traffic on network security groups.
    • Flow logs store data in a JSON file.
    • NSG flow logging requires the Microsoft.Insights provider.
  • Diagnostic logs
    • Diagnostic logs are a central place to enable and disable logs for Azure network resources.
  • Traffic analytics
    § Use traffic analytics to investigate user and application activity across your cloud networks.
    § The tool gives insights into network activity across subscriptions.
    § This tool requires Log Analytics.
    § The Log Analytics workspace must exist in a supported region.
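Since flow logs land as JSON, the quickest way to see which NSG rule is dropping inbound traffic is to decode the flow tuples yourself. The script below is an added example (not from the original notes or from Microsoft); it assumes the version 2 flowTuple field order from the NSG flow log schema, and the sample record and addresses are constructed, with `<sub>` as a placeholder subscription id.

```python
import json
from collections import Counter

# Constructed sample record in the NSG flow log v2 layout (not a real capture).
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2020-12-22T10:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<sub>/RESOURCEGROUPS/RG1/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1608631200,203.0.113.10,10.0.0.4,51000,3389,T,I,D,B,,,,",
            "1608631201,203.0.113.10,10.0.0.4,51001,22,T,I,D,B,,,,",
            "1608631202,198.51.100.7,10.0.0.4,40000,3389,T,I,D,B,,,,",
        ]}]},
        {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1608631203,198.51.100.7,10.0.0.4,40001,443,T,I,A,B,12,1500,10,9000",
        ]}]},
    ]},
}]})

# v2 tuple order: timestamp, src, dst, sport, dport, protocol (T/U),
# direction (I/O), decision (A/D), flow state (B/C/E), then byte/packet counters.
FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction", "decision",
          "state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")

def parse_flow_tuple(tuple_str):
    """Decode one comma-separated flowTuple; v1 logs simply lack the trailing fields."""
    parts = tuple_str.split(",")
    parts += [""] * (len(FIELDS) - len(parts))   # pad short (v1) tuples
    return dict(zip(FIELDS, parts))

def denied_inbound_summary(raw_json):
    """Per NSG, count denied inbound flows by rule name and by (source IP, dest port)."""
    summary = {}
    for record in json.loads(raw_json)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]   # last path segment is the NSG name
        by_rule, by_source = Counter(), Counter()
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for t in nic["flowTuples"]:
                    f = parse_flow_tuple(t)
                    if f["direction"] == "I" and f["decision"] == "D":
                        by_rule[rule_block["rule"]] += 1
                        by_source[(f["src"], f["dport"])] += 1
        summary[nsg] = {"by_rule": by_rule, "by_source": by_source}
    return summary

if __name__ == "__main__":
    for nsg, s in denied_inbound_summary(SAMPLE_FLOW_LOG).items():
        print(nsg, dict(s["by_rule"]), dict(s["by_source"]))
```

The rule name in the output is the same one IP flow verify reports, so the two views can be cross-checked when a VM is unreachable.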
