Welcome to the second part of the blog post, a deep dive into Azure Network Watcher.
To read and understand the basics of Azure Network Watcher and its monitoring features, see Part 1 of this series. In this post, we cover the remaining features: the network diagnostic tools and the traffic tools.
Network Watcher – Network diagnostic tools
Network Watcher – Network diagnostic tools includes seven tools that help you troubleshoot and diagnose network issues:
- IP flow verify:
- This tool detects traffic filtering issues for IaaS resources (VMs).
- It tells you whether a packet is allowed or denied to or from an Azure virtual machine, and whether the packet is blocked by an NSG rule or by an Azure Virtual Network Manager admin rule.

- If the packet is denied, the tool names the rule that denies it and links to that rule, so you can edit it or add the required rule.
- The following screenshots show how to use the tool for troubleshooting.

- NSG diagnostics:
- This tool helps verify that your network security group rules are correctly configured, aiding in troubleshooting network traffic.
- The NSG diagnostics tool in Azure Network Watcher simulates traffic flows between the source and destination based on the inputs provided for troubleshooting.
- This tool can check Azure NSG rules on specific resources, such as Azure VMs and their network interfaces, VM scale sets and their network interfaces, and Azure application gateways.
- The screenshots below show the NSG diagnostics output for a test VM in my subscription, checking the outbound connection from the VM to Google DNS.

- Next hop:
- The Next Hop feature provides the next-hop type, IP address, and route table ID for a specific destination IP address from an Azure virtual machine.
- This information helps determine whether traffic reaches its intended destination or is dropped along the way.
- This feature helps address misconfigured routes that direct traffic to on-premises locations or network virtual appliances, which can cause connectivity issues. If a user-defined route is present, next hop returns the corresponding route table; otherwise, it indicates a system route.
- The screenshot below shows the next hop as the system route for a virtual machine with a user-defined route.

- Effective security rules:
- The effective security rules view in Azure Network Watcher shows the aggregated inbound and outbound rules applied to a network interface.
- This feature helps troubleshoot connectivity issues and ensures compliance with your organisation’s security governance.
- The effective rules combine the rules of the NSG associated with the network interface, the rules of the NSG associated with its subnet, and the default rules that every NSG carries.
- With this tool, the rules for each network interface are displayed, categorised by inbound and outbound, and can be downloaded as a CSV file.
- The screenshot below shows how to use this feature and download the NSG rules applied to VMs.

- Connection troubleshoot:
- The Azure Network Watcher connection troubleshoot feature helps quickly diagnose and resolve network connectivity issues.
- It reduces Mean Time To Resolution (MTTR) by offering comprehensive checks for network security groups, user-defined routes, and blocked ports.
- This tool provides the key results, including:
- Connectivity tests for various destination types (VM, URI, FQDN, IP Address)
- Identification of configuration issues affecting reachability
- Latency metrics (minimum, maximum, average)
- Graphical topology view from source to destination
- Count of failed probes during checks
- This feature provides actionable insights with step-by-step guidance for faster resolution.
- Packet capture:
- Azure Network Watcher lets you create packet capture sessions to monitor traffic to and from a virtual machine (VM) or a scale set. Packet capture aids in diagnosing network anomalies, gathering statistics, detecting intrusions, and debugging communications.
- Packet capture uses the Network Watcher VM extension, which Network Watcher installs and starts remotely, so you don't need to log on to the VM and run a capture by hand. You can initiate packet captures via the portal, PowerShell, Azure CLI, or REST API, and even use VM alerts to trigger them. Captured data can be saved on the VM's local disk or in an Azure storage blob.
- Capture files from Network Watcher are written in .cap format and can be analysed with a popular open-source tool such as Wireshark.
- VPN troubleshoot:
- VPN troubleshooting helps diagnose issues with virtual network gateways and their connections, which link on-premises resources to Azure Virtual Networks.
- Monitoring these gateways is crucial for maintaining connectivity. You can initiate VPN troubleshooting through the Azure portal, PowerShell, the CLI, or the REST API.
- This process assesses the gateway or connection’s health and delivers results once the diagnosis is complete.
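IP flow verify and the effective security rules view are two sides of the same question: given the rules Azure actually applies to a NIC, does one packet get through? The following is an added example, not code from the original post or from Microsoft, that simulates that evaluation locally: rules are sorted by priority, the first match wins, default rules sit at priority 65000 and above, inbound traffic must pass the subnet NSG and then the NIC NSG, and outbound traffic the NIC NSG and then the subnet NSG. The rule names, address ranges and the single 10.0.0.0/16 VNet used to resolve service tags are constructed assumptions.

```python
"""Added example (not from the original post): a local simulation of the NSG
evaluation that IP flow verify performs for one packet, fed with a rule set
like the one Effective security rules lets you download. All rules and
addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first; first match wins
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    src_prefix: str     # CIDR, "*" or a service tag
    src_port: str       # "3389", "1024-65535", "80,443" or "*"
    dst_prefix: str
    dst_port: str


# Simplified service-tag resolution (assumption: one VNet of 10.0.0.0/16).
# 168.63.129.16 is the address Azure uses for load balancer health probes.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}

# Default rules present in every NSG; a custom rule wins only with priority < 65000.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _addr_match(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    in_vnet = any(addr in ipaddress.ip_network(p) for p in SERVICE_TAGS["VirtualNetwork"])
    if spec == "Internet":            # simplification: everything outside the VNet
        return not in_vnet
    return any(addr in ipaddress.ip_network(p) for p in SERVICE_TAGS.get(spec, [spec]))


def _port_match(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate_nsg(custom_rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """First matching rule by ascending priority, defaults included: (access, rule name)."""
    for r in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda rule: rule.priority):
        if r.direction != direction or (r.protocol != "*" and r.protocol != protocol):
            continue
        if not (_addr_match(r.src_prefix, src_ip) and _addr_match(r.dst_prefix, dst_ip)):
            continue
        if not (_port_match(r.src_port, src_port) and _port_match(r.dst_port, dst_port)):
            continue
        return r.access, r.name
    return "Deny", "<no matching rule>"   # unreachable while the DenyAll* defaults exist


def verify_ip_flow(subnet_rules, nic_rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Mimic IP flow verify: inbound is checked against the subnet NSG then the NIC NSG,
    outbound against the NIC NSG then the subnet NSG. A Deny at either stage ends the flow."""
    stages = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        stages.reverse()
    verdict = ("Allow", "")
    for stage, rules in stages:
        access, name = evaluate_nsg(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port)
        verdict = (access, f"{stage}:{name}")
        if access == "Deny":
            break
    return verdict


# Constructed NSGs: the subnet NSG admits RDP from a corporate range, but the
# NIC NSG has no matching allow, so RDP still dies at the NIC's DenyAllInBound.
SUBNET_NSG = [
    Rule("AllowRdpFromCorp", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "3389"),
    Rule("DenyRdpFromInternet", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "3389"),
]
NIC_NSG = [Rule("DenyOutboundSmtp", 100, "Outbound", "Deny", "Tcp", "*", "*", "Internet", "25")]

if __name__ == "__main__":
    for check in [("Inbound", "Tcp", "203.0.113.10", 50000, "10.0.0.4", 3389),
                  ("Inbound", "Tcp", "10.0.1.5", 50000, "10.0.0.4", 22),
                  ("Outbound", "Udp", "10.0.0.4", 40000, "8.8.8.8", 53)]:
        print(check, "->", verify_ip_flow(SUBNET_NSG, NIC_NSG, *check))
```

The first check is the case the tools exist for: the subnet NSG allows RDP from the corporate range, yet the packet is still denied, because the NIC NSG has no allow rule of its own and its DenyAllInBound default fires. Real service tags cover far more than one VNet prefix, so treat the tag resolution here as a simplification and rely on IP flow verify itself for the authoritative answer.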
Network Watcher – Traffic
Network Watcher – traffic features include two tools that help you log and visualise network traffic effectively:
- Flow logs:
- This feature logs traffic flowing through a network security group (NSG) or through an Azure virtual network. NSG flow logs will be retired on September 30, 2027, and no new NSG flow logs can be created after June 30, 2025. Migrating to virtual network flow logs is recommended, as they also remove several limitations of NSG flow logs. For more information, see the official announcement.
- Flow logs record Azure IP traffic as JSON records and store them in an Azure storage account.
- Traffic analytics:
- Traffic analytics is a cloud-based solution that offers visibility into user and application activity within your cloud networks.
- Specifically, traffic analytics analyses Azure Network Watcher flow logs to deliver insights into traffic flow in your Azure cloud.
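Flow logs are only useful once something reads them, and traffic analytics is Microsoft's reader. The following is an added example, not code from the original post or from Microsoft, that parses a constructed NSG flow log record in the version 2 JSON layout written to the storage account and runs three summaries of the kind traffic analytics surfaces: denied flows per source, a crude port-scan heuristic over denied inbound flows, and bytes per rule. The record, addresses and rule names are constructed; virtual network flow logs use a different tuple layout, so the parser rejects any version other than 2 rather than misreading it.

```python
"""Added example (not from the original post): parse NSG flow log records in
the version 2 JSON layout Network Watcher writes to the storage account and
summarise them. The sample record is constructed, not from a real subscription."""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

# v2 tuple: time,src,dst,sport,dport,proto(T/U),dir(I/O),decision(A/D),state(B/C/E),
#           pkts src->dst, bytes src->dst, pkts dst->src, bytes dst->src (empty in state B)
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2024-05-01T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_AllowHttpsIn", "flows": [{"mac": "000D3A1B2C3D", "flowTuples": [
            "1714557600,203.0.113.10,10.0.0.4,51234,443,T,I,A,B,,,,",
            "1714557630,203.0.113.10,10.0.0.4,51234,443,T,I,A,E,12,1450,10,9800",
            "1714557601,203.0.113.11,10.0.0.4,51990,443,T,I,A,B,,,,"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A1B2C3D", "flowTuples": [
            "1714557610,198.51.100.23,10.0.0.4,40001,22,T,I,D,B,,,,",
            "1714557611,198.51.100.23,10.0.0.4,40002,23,T,I,D,B,,,,",
            "1714557612,198.51.100.23,10.0.0.4,40003,3389,T,I,D,B,,,,",
            "1714557613,198.51.100.23,10.0.0.4,40004,445,T,I,D,B,,,,",
            "1714557614,198.51.100.23,10.0.0.4,40005,1433,T,I,D,B,,,,",
            "1714557615,198.51.100.23,10.0.0.4,40006,8080,T,I,D,B,,,,",
            "1714557620,192.0.2.77,10.0.0.4,55000,22,T,I,D,B,,,,"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3A1B2C3D", "flowTuples": [
            "1714557640,10.0.0.4,8.8.8.8,53211,53,U,O,A,B,,,,",
            "1714557641,10.0.0.4,8.8.8.8,53211,53,U,O,A,E,1,72,1,120"]}]},
    ]}}]})


@dataclass(frozen=True)
class Flow:
    ts: int
    rule: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    decision: str
    state: str
    bytes_out: int      # src -> dst
    bytes_in: int       # dst -> src


def parse_flow_log(raw):
    """Flatten records -> rules -> NICs -> tuples into Flow objects (v2 only)."""
    flows = []
    for record in json.loads(raw)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version {props.get('Version')!r}")
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    if len(f) != 13:
                        raise ValueError(f"malformed v2 tuple: {tup!r}")
                    flows.append(Flow(
                        int(f[0]), rule_block["rule"], f[1], f[2], int(f[3]), int(f[4]),
                        {"T": "TCP", "U": "UDP"}.get(f[5], f[5]),
                        "Inbound" if f[6] == "I" else "Outbound",
                        "Allow" if f[7] == "A" else "Deny", f[8],
                        int(f[10] or 0), int(f[12] or 0)))
    return flows


def denied_by_source(flows):
    """Denied flow count per source IP."""
    return Counter(f.src_ip for f in flows if f.decision == "Deny")


def scan_candidates(flows, min_ports=5):
    """Sources whose denied inbound flows touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.decision == "Deny" and f.direction == "Inbound":
            ports[f.src_ip].add(f.dst_port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def bytes_by_rule(flows):
    """Total bytes in both directions attributed to each NSG rule."""
    totals = Counter()
    for f in flows:
        totals[f.rule] += f.bytes_out + f.bytes_in
    return totals


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    print(len(parsed), "flows;", "denied by source:", dict(denied_by_source(parsed)))
    print("scan candidates:", scan_candidates(parsed))
    print("bytes by rule:", dict(bytes_by_rule(parsed)))
```

Two things to keep in mind when reading real logs this way: denied flows only ever appear in state B, so their byte counters are always empty, and a single TCP session shows up as several tuples (B, optionally C, then E) with the counters only in the later states, which is why the byte summary adds up per rule rather than counting tuples as sessions.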
That’s the end of the blog post for Azure Network Watcher. I hope you find this blog post informative.

Santhosh has over 15 years of experience in IT. He works as a Cloud Infrastructure Architect and has wide-ranging expertise in Microsoft technologies, specialising in public and private cloud services for enterprise customers. His background includes cloud computing, virtualisation, storage, networking, automation and DevOps.