Step by Step Azure Network Watcher #Azure #ANW #Network #Cloud #diagnose #troubleshooting


Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. The network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure.

Network Watcher currently has the following capabilities:

  • Topology – Provides a network level view showing the various interconnections and associations between network resources in a resource group.
  • Variable Packet capture – Captures packet data in and out of a virtual machine. Advanced filtering options and fine-tuned controls such as being able to set time and size limitations provide versatility. The packet data can be stored in a blob store or on the local disk in .cap format.
  • IP flow verify – Checks if a packet is allowed or denied based on 5-tuple flow information (Destination IP, Source IP, Destination Port, Source Port, and Protocol). If the packet is denied by a security group, the rule and group that denied the packet are returned.
  • Next hop – Determines the next hop for packets being routed in the Azure Network Fabric, enabling you to diagnose any misconfigured user-defined routes.
  • Security group view – Gets the effective and applied security rules that are applied on a VM.
  • NSG Flow logging – Flow logs for Network Security Groups enable you to capture logs related to traffic that is allowed or denied by the security rules in the group. The flow is defined by 5-tuple information: Source IP, Destination IP, Source Port, Destination Port and Protocol.
  • Virtual Network Gateway and Connection troubleshooting – Provides the ability to troubleshoot Virtual Network Gateways and Connections.
  • Network subscription limits – Enables you to view network resource usage against limits.
  • Configuring Diagnostics Log – Provides a single pane to enable or disable Diagnostics logs for network resources in a resource group.
  • Connectivity (Preview) – Verifies the possibility of establishing a direct TCP connection from a virtual machine to a given endpoint.


Let's start with creating the Network Watcher.

Open PowerShell:


Register-AzureRmProviderFeature -FeatureName AllowNetworkWatcher -ProviderNamespace Microsoft.Network

Get-AzureRmProviderFeature -FeatureName AllowNetworkWatcher -ProviderNamespace Microsoft.Network


Go to the

As you can see, I have several with status disabled and one with partially enabled.


Enabling the Network Watcher is easy: just right-click on the 3 dots and enable it for all regions or just one, or set this as a default.




Now that we have enabled the Network Watcher, we create a separate Storage Account for it, as all the logging goes to this storage account. We don't want to place log files all over the subscription.


Or just run a PowerShell command to do this. I use a separate resource group for this.

New-AzureRmResourceGroup -Name "rsg-netwatcher01" -Location "westeurope"
New-AzureRmStorageAccount -ResourceGroupName "rsg-netwatcher01" -Location "westeurope" -Name "stnetwatcher01" -SkuName Standard_LRS


Topology – Provides a network level view showing the various interconnections and associations between network resources in a resource group.

Viewing the topology of your network can be very handy. Remember that this is ARM only, so no ASM.


And yes, the pictures are getting large.


This is all the basic stuff; IP flow verify is the more interesting part.


IP flow verify

IP flow verify checks if a packet is allowed or denied to or from a virtual machine based on 5-tuple information. This information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, this feature helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

IP flow verify targets a network interface of a virtual machine. Traffic flow is then verified based on the configured settings to or from that network interface. This capability is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.

Remember: if you have multiple regions, you must enable Network Watcher in all regions.


The flow is easy: the source machine and port number, and the destination machine and port number. Here this is all in the same subnet, but if you are running this in more complex networks then this could be very useful.
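The same check can be scripted. The following is an added example, not part of the original post: it runs IP flow verify for a small table of flows and compares each result with what the NSG design is supposed to give. The resource group `rsg-app01`, the VM `vm-web01`, the remote addresses and the expected results are placeholders chosen for illustration.

```powershell
# Added example: all names, addresses and expectations below are placeholders.
$location = "westeurope"
$vmRg     = "rsg-app01"   # hypothetical resource group of the VM
$vmName   = "vm-web01"    # hypothetical VM

# Network Watcher is regional: pick the instance in the VM's region.
$nwRes = Get-AzureRmResource | Where-Object {
    $_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq $location }
$nw = Get-AzureRmNetworkWatcher -Name $nwRes.Name -ResourceGroupName $nwRes.ResourceGroupName

# IP flow verify targets a VM and uses the private IP of the NIC under test.
$vm  = Get-AzureRmVM -ResourceGroupName $vmRg -Name $vmName
$nic = Get-AzureRmNetworkInterface |
    Where-Object { $_.Id -eq $vm.NetworkProfile.NetworkInterfaces[0].Id }
$localIp = $nic.IpConfigurations[0].PrivateIpAddress

# Flows to verify, each with the result the NSG rules are expected to produce.
$flows = @(
    @{ Direction = "Inbound";  LocalPort = "3389";  RemoteIp = "203.0.113.10";  RemotePort = "50000"; Expect = "Deny"  },
    @{ Direction = "Inbound";  LocalPort = "443";   RemoteIp = "203.0.113.10";  RemotePort = "50000"; Expect = "Allow" },
    @{ Direction = "Outbound"; LocalPort = "50000"; RemoteIp = "198.51.100.20"; RemotePort = "25";    Expect = "Deny"  }
)

foreach ($f in $flows) {
    $r = Test-AzureRmNetworkWatcherIPFlow -NetworkWatcher $nw `
        -TargetVirtualMachineId $vm.Id `
        -Direction $f.Direction -Protocol TCP `
        -LocalIPAddress $localIp -LocalPort $f.LocalPort `
        -RemoteIPAddress $f.RemoteIp -RemotePort $f.RemotePort

    # Access is Allow or Deny; RuleName is the NSG rule that decided the flow.
    [pscustomobject]@{
        Direction = $f.Direction
        Flow      = "{0}:{1} <-> {2}:{3}" -f $localIp, $f.LocalPort, $f.RemoteIp, $f.RemotePort
        Expected  = $f.Expect
        Actual    = $r.Access
        Rule      = $r.RuleName
        Match     = ($r.Access -eq $f.Expect)
    }
}
```

A row with `Match` set to `False` points at the rule named in `Rule`, which is the one to review in the Network Security Group.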


Checking the security groups: all settings in just one overview, which is also very handy when troubleshooting.


So everything in the Network Watcher is nice, but one thing that is always a pain is troubleshooting the VPN connections and getting the log files, etc.

In the Network Watcher there is an option to troubleshoot the VPN connection.

Network Watcher – VPN Diagnostics

This is also the place where the storage container is needed. Just select the virtual network gateway, add the storage account, and click Start Troubleshooting. This could take a few minutes to complete!


When the trace is done, a zip file is placed in the folder, in a date-based folder structure, so the file is not overwritten.

The zip file contains 2 files unless you have issues.


Connectivity State : Connected
Remote Tunnel Endpoint :
Ingress Bytes (since last connected) : 202242292718 B
Egress Bytes (Since last connected) : 2435917732003 B
Connected Since : 8/15/2017 9:41:08 AM

In the connection stats you can see the traffic over the VPN connection.

When you have issues with the VPN connection, there will be more files in the zip file. Besides ConnectionStats.txt and CPUStat.txt, we get IKEErrors.txt, Scrubbed-wfpdiag.txt, wfpdiag.txt.sum and wfpdiag.xml.

The IKEErrors.txt and Scrubbed-wfpdiag.txt files will give you the most detail about the error of the VPN connection.
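The troubleshooting run described above can also be started from PowerShell. This is an added example, not part of the original post: it reuses the storage account created earlier, while the connection name `cn-onprem01`, its resource group `rsg-network01` and the container name `vpnlogs` are placeholders.

```powershell
# Added example: connection name, its resource group and the container name are placeholders.
$location = "westeurope"

# Network Watcher instance in the region of the gateway.
$nwRes = Get-AzureRmResource | Where-Object {
    $_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq $location }
$nw = Get-AzureRmNetworkWatcher -Name $nwRes.Name -ResourceGroupName $nwRes.ResourceGroupName

# The VPN connection to troubleshoot (hypothetical name and resource group).
$connection = Get-AzureRmVirtualNetworkGatewayConnection -Name "cn-onprem01" `
    -ResourceGroupName "rsg-network01"

# Storage account created earlier in this post for Network Watcher output.
$sa = Get-AzureRmStorageAccount -ResourceGroupName "rsg-netwatcher01" -Name "stnetwatcher01"

# Keep the container private (-Permission Off): the diagnostics include
# tunnel endpoints and IKE details that should not be publicly readable.
$container = Get-AzureStorageContainer -Name "vpnlogs" -Context $sa.Context `
    -ErrorAction SilentlyContinue
if (-not $container) {
    $container = New-AzureStorageContainer -Name "vpnlogs" -Context $sa.Context -Permission Off
}

# Start the run; this blocks until the trace is finished (a few minutes).
$result = Start-AzureRmNetworkWatcherResourceTroubleshooting -NetworkWatcher $nw `
    -TargetResourceId $connection.Id `
    -StorageId $sa.Id `
    -StoragePath "$($sa.PrimaryEndpoints.Blob)$($container.Name)"

# Overall health code plus the individual findings.
$result.Code
$result.Results | Format-List

# List the newest blobs to find the zip file in its date-based folder.
Get-AzureStorageBlob -Container $container.Name -Context $sa.Context |
    Sort-Object LastModified -Descending |
    Select-Object -First 5 Name, LastModified
```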


Pricing details

There are no charges to use Network Watcher today. On October 1, 2017, the pricing model below goes into effect.

Feature                     Monthly allotment    Overage charge
Network Logs Ingested       5 GB                 €0.422 per GB
Network Diagnostic Tools    1,000 checks         €0.844 per 1,000 checks

  • Network logs are stored within a storage account and have a retention policy that can be set from one day to 365 days. If a retention policy is not set, the logs are maintained forever. Corresponding charges will apply for storage, Log Analytics, and event hubs respectively.
  • Network Watcher Diagnostic Tools and Topology features are billed for the number of Network Diagnostic checks initiated via Azure Portal, PowerShell, CLI, or REST.

As the costs are minimal and it is easy to use, enable this today.




Posted August 16, 2017 by Robert Smit [MVP] in Azure
