What is Azure Network Watcher?

  • Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to and from Azure.
  • This means that you have to enable the network watcher only in the regions where you have network resources running.
  • Network diagnostic and visualization tools available within Network Watcher help you in understanding, diagnosing and gaining insights to your network in Azure.
  • Most features in the network watcher are there to help you to troubleshoot and easily detect problems within your Azure topology.
  • You can configure the Azure Network Watcher from either Resource Manager Portal or Azure PowerShell or the Azure CLI.
  • The Network Watcher works on the Operating Systems like Ubuntu, Debian, RedHat, Oracle, Suse, CentOS and of course Windows.

Capabilities of Azure Network Watcher

  • It allows you to create a topology diagram.
  • You can create a network capture.
  • IP flow verify helps you to detect flow between two different IP endpoints.
  • You can do diagnostics logging and get detailed reports out of it.
  • Security Group View and NSG Flow Logs help you to get detailed insights on Network Security Groups.
  • You can perform VPN Gateway Troubleshooting.
  • Role Based Access Control helps you to provide administrative level access to network watcher features.


  • Network Level Topology overview shows the various interconnections and associations between network resources in an Azure Resource Group.

Variable Packet Capture

  • It allows you to capture incoming and outgoing network traffic packets of a Virtual Machine and it’s Network Interface Card.

You can find the Network Watcher under Networking in All Services.

The overview would show your subscription and the regions along with which regions you have enabled the network watcher in.

While setting up a VM or after setting up a VM, you can add the Network Watcher Agent for Windows extension to enable it.

Now let us see the Network Watcher topology.

After choosing the subscription, resource group and virtual network, it would display the network topology. You can also download a jpeg file of the same.

Next you can find Packet Capture in the Network Watcher. Click on Add to add new Packet Capture.

Fill out the details. You can either store it in an output file or you can store it inside a storage account. Here I have chosen storage account.

You can give maximum bytes per packet and per session. Also, you can set the time limit of the session. Here I have kept it as 60 seconds. Click on OK.

Once done, you can find it in the Packet Capture blade.

You can go to its storage location directly from there.

And then you can download the capture file. To run that file, you can use either WireShark or Windows Message Analyzer.

IP Flow Verify

  • It is a ‘5 Tuple Packet Parameters’ based verification mechanism to detect if a packet is allowed or denied.

Next HOP

  • It determines the next hop for packets routed in the Azure network topology, mainly helping in troubleshooting User-Defined Routes (UDR).

Connection Troubleshoot

  • Verification mechanism that detects the possibility to establish a direct TCP connection from an Azure Virtual Machine to a specified endpoint.

In the security group view, you can see all the effective rules that are in your security group, both inbound and outbound. You can also download it in a CSV file.

NSG flow logs give you a more detailed view of the logs. Currently it is disabled in my case. You can click on it and turn it on.

VPN Diagnostics

  • By performing a real time analysis between two VPN gateways, it provides the ability to troubleshoot VPN gateways and connections.
  • Log file data is stored in an Azure BLOB storage which can retrieved.

In the VPN Diagnostics blade, you can select the VPN gateways you want to troubleshoot and then click on start troubleshooting. Right now I don’t have any gateways in my subscription. Then you can go to the actions tab to see the report file.

Network Subscription Limits

  • It provides detailed views on network resource usage and map it with subscription limitations.

Here in the Network Subscription Limit, you can see current limit and usage of each resource by location.

  • Azure Network Watcher gives you detailed insights on your Azure Network Components, routing, VPN, etc.
  • Azure Network Watcher can be used from the Portal, PowerShell and Azure CLI.
  • Easy to implement and affordable pricing.