How to monitor, diagnose problems and gain insights into networking with Azure tools

Network architectures in the public cloud have peculiarities and introduce concepts that substantially differentiate them from traditional ones in the on-premises environment. However, one aspect that unites them is certainly the need to monitor them, constantly checking performance and health status. To do all this effectively, contemplating the intrinsic particularities of the public cloud and hybrid network architectures, it is advisable to have effective tools. This article reports the characteristics of the platform service Azure Network Watcher, that provides a suite of tools to monitor, diagnose and view network resource metrics and logs.

Network Watcher is designed to monitor and check network infrastructure health, even in hybrid environments, specifically for IaaS components (Infrastructure-as-a-Service) attested on Azure virtual networks. Network Watcher does not provide tools to monitor the PaaS infrastructure (Platform-as-a-Service) or to carry out the analysis of web components.

Network Watcher is a regional service, zone-resilient and fully managed. The enabling of the component now occurs by default for each Azure subscription that contains virtual networks. Network Watcher resources are placed by default in the resource group, hidden and created automatically, called NetworkWatcherRG.

The tools included in Azure Network Watcher can be divided into three categories based on the features offered: Monitoring, Diagnostics and Logging

Monitoring tools

Topology view

In particularly complex network architectures it may be useful to identify which resources are attested on a specific virtual network and how they relate to each other. With this tool, you can view directly in the Azure portal a visual diagram of the components on a specific virtual network and the relationships between the various resources.

Figure 1 – Example of a Topology view

Connection Monitor

Connection Monitor was recently revised and in version 2.0 allows you to monitor end-to-end connections both in Azure environments and in the presence of hybrid network architectures.

Among the main strengths of this new solution we find:

  • Unified and intuitive monitor experience for both fully Azure-based environments and hybrid environments.
  • Connectivity monitor, also cross-region, and verify network latencies to endpoints.
  • High probing frequencies that allow to obtain greater visibility on network performance.
  • More immediate alerts to report abnormal conditions in the presence of hybrid network architectures.
  • Ability to perform connectivity checks based on protocols HTTP , TCP, and ICMP.
  • Support for saving data to Azure Monitor metrics and Log Analytics workspaces.

Figure 2 – Connection Monitor Tool Overview

To make Connection Monitor able to recognize Azure VMs as sources for monitor activities, Network Watcher Agent virtual machine extension must be installed on them.

Network Performance Monitor

Network Performance Monitor is now an integral part of Connection Monitor and therefore included in Azure Network Watcher. The solution requires the presence of the Azure Monitor agent and, thanks to the use of synthetic transactions, provides the ability to monitor network parameters in hybrid network architectures, to get performance information, like packet loss and latency. Furthermore, this solution makes it easy to locate the source of a problem in a specific network segment or by identifying a particular device. The solution, tracking retransmission packets and roundtrip time, is able to return a graph of easy and immediate interpretation. Furthermore, allows you to check the performance between the on-premises and Azure environment, even if you have expressroute connectivity.

Diagnostic Tools

IP Flow Verify

Under certain circumstances, it can happen that a virtual machine is unable to communicate with other resources, because of the security rules present. This feature allows you to specify a source and destination IPv4 address, a port, a protocol (TCP or UDP) and the direction of traffic (inbound or outbound). IP Flow Verify verifies the communication and informs if the connection is successful or not. If the connection fails, is indicated which security rule denied the communication, so you can solve the problem.

Next Hop

This tool helps to verify network traffic routes and allows you to detect any routing problems. The Next Hop functionality allows you to specify a source and destination IPv4 address and to verify their communication.

Connection Troubleshoot

This tool allows you to check connectivity and latency between a virtual machine and another network resource on a one-time basis, which can be another virtual machine, an FQDN, a URI or IPv4 address. The test returns information similar to that returned when using Connection Monitor, but the connection check happens at a certain time, instead of making a monitor over time as is the case with Connection Monitor.

Packet Capture

With this tool, you can versatilely capture network traffic on an Azure virtual machine, applying any advanced filtering options and setting time and size limits. Capture can be stored in Azure Storage, on the VM disk or in both locations. Captured network traffic can then be analyzed with several standard analysis tools, such as Wireshark.

VPN Troubleshoot

This tool performs various diagnostic checks on VPN gateways and their connections, useful for solving problems.

The Packet Capture and Connection Troubleshoot features require the presence of the extension Network Watcher on the VMs, as reported for Connection Monitor.

Logging tools

NSG Flow Logs

In Azure to allow or deny network communication to the resources connected with Azure Virtual Networks (VNet) it uses the Network Security Group (NSG), containing a list of access rules. NSGs are usually applied to subnets (recommended) or directly to the network interfaces connected to the virtual machines. Azure platform uses NSG flow logs to maintain visibility of network traffic in and out of Network Security Groups.

Traffic Analytics

Traffic Analytics is based on the analysis of NSG flow logs and after an appropriate aggregation of data, inserting the necessary intelligence concerning security, topology and geographic map, can provide detailed information about the network traffic of your Azure cloud environment.

Figure 3 – Data flow of Traffic Analytics

Using Traffic Analytics you can do the following:

  • View network activities cross Azure subscriptions and identify hotspots.
  • Intercept potential network security threats, in order to take the right remedial actions. This is made possible thanks to the information provided by the solution: which ports are open, what applications attempt to access to Internet and which virtual machines connect to unauthorized networks.
  • Understand network flows between different Azure regions and Internet, in order to optimize their deployment for network performance and capacity.
  • Identify incorrect network configurations that lead to having incorrect communication attempts.

Figure 4 – Virtual Network in Traffic Analytics

The cost of Network Watcher is detailed in the Microsoft's official page and it depends on the use that is made of the various tools included in the solution.


As the complexity of Azure network architectures increases and in hybrid environments, it is useful to have particularly effective and easy-to-use tools to be able to carry out the monitor. Azure provides several tools integrated into the platform that in addition to the monitor allow you to diagnose problems of different kinds and obtain an overall visibility of your network resources in a simple and intuitive way.

Please follow and like us: