Azure Network Watcher is a comprehensive monitoring and diagnostic service for Azure virtual networks. For the AZ-104 exam, this topic appears in approximately 5-8% of questions, primarily in the 'Monitoring' domain (Objective 5.4). This chapter covers all Network Watcher capabilities: topology, connection monitor, network performance monitor, packet capture, IP flow verify, next hop, NSG flow logs, security group view, and VPN diagnostics. You will learn how each tool works, when to use it, and exactly what the exam tests.
Jump to a section
Imagine a large office building with multiple floors, rooms, and complex plumbing and electrical systems. The building has a central diagnostic system that includes: (1) security cameras (NSG Flow Logs) that record every person who enters or leaves each room, (2) a network of sensors (Connection Monitor) that measure how long it takes water to flow from one tap to another, (3) a tool that can trace a specific pipe from end to end (Next Hop) to see exactly where it goes, (4) a packet sniffer (Packet Capture) that can record the actual water flow for a short period to analyze contamination, (5) a tool that checks if a specific light switch works (IP Flow Verify) by simulating a command, and (6) a VPN troubleshooting tool (VPN Diagnostics) that checks the building's secure tunnel to another building. The building manager (the Azure administrator) uses these tools to diagnose why a room has no water pressure (network latency), why a pipe is leaking (packet loss), or whether a security door is properly locked (NSG rule verification). Without this system, the manager would have to manually check every pipe and wire, which is impossible at scale.
What is Azure Network Watcher and Why It Exists
Azure Network Watcher is a regional service that provides tools to monitor, diagnose, and gain insights into your Azure virtual network. It is designed to help network administrators troubleshoot connectivity issues, verify network security rules, capture packets for deep analysis, and monitor network performance. Network Watcher is not a single tool but a suite of capabilities that work together. It is enabled automatically when you create a virtual network in a region, but you must explicitly enable certain features like flow logs.
How Network Watcher Works Internally
Network Watcher operates as a set of Azure resource providers and agents that run on Azure infrastructure. For each capability, there is a specific mechanism:
Topology: Uses Azure Resource Manager to query the network resources in a virtual network and their relationships. It generates a graph of resources like VMs, subnets, NSGs, and load balancers.
Connection Monitor: Leverages Azure Monitor agents installed on VMs to send probes (TCP SYN packets) to a destination IP and port. It measures latency, packet loss, and jitter. The probes are sent at configurable intervals (default 60 seconds) and results are stored in Log Analytics.
Packet Capture: Deploys a lightweight agent (Network Watcher Agent) on the VM to capture packets. The agent uses WinPcap (Windows) or libpcap (Linux) to capture traffic. Captures are stored in a storage account or on the VM's local disk. The capture can be filtered by protocol, IP, port, and direction.
IP Flow Verify: Sends a simulated packet from a source VM to a destination IP/port, and checks whether the packet would be allowed or denied by NSG rules. It returns the rule name and priority that matched.
Next Hop: Queries the Azure routing table to determine the next hop type (e.g., VirtualNetworkGateway, Internet, VirtualAppliance) and IP address for a given source and destination.
NSG Flow Logs: Captures information about IP traffic flowing through an NSG. Logs include source/destination IP, port, protocol, traffic direction, and whether the traffic was allowed or denied. Logs are stored in a storage account and can be sent to Log Analytics or Event Hubs.
Security Group View: Returns the effective security rules applied to a network interface, including both NSG and Azure default rules.
VPN Diagnostics: Queries the VPN gateway for diagnostics data, including tunnel status, bandwidth, and packet drops.
Key Components, Values, Defaults, and Timers
Packet Capture: Maximum capture duration is 5 hours (configurable). Default per-session limit is 1 GB. Capture filters support up to 5 parameters.
NSG Flow Logs: Logs are version 2 by default (includes flow state and bytes/packets). Retention is configurable up to 365 days or indefinitely. Logs are written to a storage account in the same region.
Connection Monitor: Probes are sent every 60 seconds by default. Minimum probe interval is 10 seconds. Test groups can have up to 20 sources and 20 destinations.
IP Flow Verify: Test results are returned within seconds. The tool only checks NSG rules, not application-level firewalls.
Next Hop: Returns the next hop type and IP address. The next hop is determined by Azure's routing algorithm, which considers system routes, BGP routes, and user-defined routes.
Topology: Generated on demand. The visualization shows resources and their connections. It is not real-time but reflects the current state.
VPN Diagnostics: Retrieves data from the VPN gateway's diagnostic logs. You must enable diagnostics on the VPN gateway first.
Configuration and Verification Commands
To enable Network Watcher in a region:
Register-AzProviderFeature -ProviderNamespace Microsoft.Network -FeatureName AllowNetworkWatcherTo create a packet capture:
$vm = Get-AzVM -ResourceGroupName "myRG" -Name "myVM"
New-AzNetworkWatcherPacketCapture -NetworkWatcherName "nw-eastus" -ResourceGroupName "NetworkWatcherRG" -PacketCaptureName "Capture1" -TargetVirtualMachineId $vm.Id -StorageLocation "https://mystorage.blob.core.windows.net/packetcaptures" -Filter @{Protocol="TCP"; RemoteIPStart="10.0.0.0"; RemoteIPEnd="10.0.0.10"; LocalPort="80"}To verify IP flow:
Test-AzNetworkWatcherIPFlow -NetworkWatcherName "nw-eastus" -ResourceGroupName "NetworkWatcherRG" -TargetVirtualMachineId $vm.Id -Direction "Outbound" -Protocol "TCP" -LocalIPAddress "10.0.0.4" -RemoteIPAddress "13.107.42.14" -LocalPort "443" -RemotePort "443"To get next hop:
Get-AzNetworkWatcherNextHop -NetworkWatcherName "nw-eastus" -ResourceGroupName "NetworkWatcherRG" -TargetVirtualMachineId $vm.Id -SourceIPAddress "10.0.0.4" -DestinationIPAddress "8.8.8.8"To enable NSG flow logs:
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName "myRG" -Name "myNSG"
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcherName "nw-eastus" -ResourceGroupName "NetworkWatcherRG" -Enabled $true -TargetResourceId $nsg.Id -StorageAccountId $storageAccount.Id -RetentionInDays 90To view topology:
Get-AzNetworkWatcherTopology -NetworkWatcherName "nw-eastus" -ResourceGroupName "NetworkWatcherRG" -TargetResourceGroupName "myRG"How It Interacts with Related Technologies
Network Watcher integrates with: - Azure Monitor: Connection Monitor and NSG Flow Logs can send data to Log Analytics for analysis. - Azure Storage: Packet captures and flow logs are stored in blobs. - Event Hubs: Flow logs can be streamed to Event Hubs for real-time processing. - Virtual Machines: Packet capture requires the Network Watcher Agent VM extension. - VPN Gateway: VPN diagnostics pull logs from the gateway. - Network Security Groups: IP flow verify and flow logs depend on NSGs.
Network Watcher does not replace tools like Azure Monitor or Traffic Analytics; it complements them by providing network-specific diagnostics.
Enable Network Watcher
Network Watcher is automatically enabled in a region when you create a virtual network. However, for older subscriptions or when using ARM templates, you may need to enable it explicitly. Use the Register-AzProviderFeature command to register the AllowNetworkWatcher feature. The service is created as a resource named 'NetworkWatcher_<region>' in the 'NetworkWatcherRG' resource group. If you delete this resource, Network Watcher will be disabled. On the exam, remember that Network Watcher is regional and must be enabled per region.
Install Network Watcher Agent
For packet capture, you must install the Network Watcher Agent VM extension on the target VM. This agent is available for Windows and Linux. On Windows, it installs as a Windows service. On Linux, it runs as a daemon. The agent captures packets using WinPcap/libpcap. Without the agent, packet capture will fail. The agent is not required for IP flow verify or next hop, as these use Azure's control plane.
Configure Packet Capture
Define a packet capture session by specifying the target VM, storage location (Azure Storage blob or local disk), and optional filters. Filters can include protocol (TCP, UDP, Any), local/remote IP ranges, and port numbers. The capture will run until the maximum duration (default 5 hours) or size limit (default 1 GB) is reached, or until stopped manually. The captured .pcap file can be downloaded and analyzed with tools like Wireshark. On the exam, know that packet capture does not support capturing traffic from a VM scale set directly; you must capture on individual instances.
Run IP Flow Verify
Select a source VM, specify direction (inbound/outbound), protocol, local and remote IP/port. Network Watcher simulates the packet and checks against all NSGs applied to the VM's subnet and NIC. It returns whether the traffic is allowed or denied, and which NSG rule (name and priority) matched. This is useful for verifying connectivity without actually sending traffic. Note: IP flow verify only checks NSG rules; it does not account for application-level firewalls or Azure Firewall rules.
Analyze NSG Flow Logs
Enable flow logs on an NSG. Logs are written to a storage account every 60 seconds (aggregated). Each log record includes source/destination IP, port, protocol, traffic direction, and whether allowed/denied. Flow logs are version 2, which includes flow state (e.g., 'B' for begin, 'C' for continuing, 'E' for end). Logs can be sent to Log Analytics for analysis using Traffic Analytics. Retention is set per storage account; you can also use Azure Policy to enforce flow log deployment.
Scenario 1: Troubleshooting Intermittent Connectivity to a Web App
An enterprise runs a three-tier application on Azure VMs. Users report slow page loads and occasional timeouts. The network team uses Connection Monitor to probe from the web tier to the database tier on port 1433. They set probes every 30 seconds and find that latency spikes to 200ms during peak hours, with 2% packet loss. They then run IP Flow Verify from the web VM to the database IP to confirm NSG rules allow traffic. Next, they enable NSG Flow Logs on the database subnet's NSG and use Traffic Analytics to identify that a misconfigured NSG rule is rate-limiting traffic from a specific source IP range. They adjust the rule and latency drops to 10ms.
Scenario 2: Security Audit for Compliance
A financial institution needs to verify that no outbound traffic to the internet is allowed from their production subnet. They use IP Flow Verify to test outbound connections to various public IPs. They also enable NSG Flow Logs on all NSGs and stream logs to Event Hubs for real-time analysis. Using Security Group View, they audit effective rules on each VM. They discover that a new VM was added to a subnet with a default NSG that allows all outbound traffic. They remediate by applying a custom NSG.
Scenario 3: Diagnosing VPN Connectivity Issues
A company uses a Site-to-Site VPN to connect on-premises to Azure. Users report that the connection is dropping every few hours. The network engineer uses VPN Diagnostics on the VPN gateway to retrieve logs. The logs show that the tunnel is rekeying every 3600 seconds, but the on-premises device has a rekey timeout of 3000 seconds, causing a mismatch. They also use Next Hop to verify that traffic to on-premises goes through the VPN gateway. After adjusting the on-premises device's rekey interval, the connection stabilizes.
Common Misconfigurations: Forgetting to install the Network Watcher Agent leads to packet capture failures. Not enabling flow logs on all NSGs leaves blind spots. Using IP Flow Verify when application firewalls are in place gives false positives. Overlooking the regional nature of Network Watcher causes issues when resources span regions.
The AZ-104 exam tests Network Watcher under Objective 5.4 'Monitor and troubleshoot virtual networking'. Specific sub-objectives include: configure and use Network Watcher, troubleshoot connectivity issues, and analyze network traffic. Expect 3-5 questions on this topic.
Common Wrong Answers: 1. 'IP Flow Verify checks both NSG and Azure Firewall rules.' – Wrong. It only checks NSG rules. Azure Firewall rules are not evaluated. 2. 'Packet Capture can be run without installing any agent.' – Wrong. The Network Watcher Agent VM extension is required. 3. 'NSG Flow Logs are enabled by default.' – Wrong. They must be explicitly enabled per NSG. 4. 'Connection Monitor uses ICMP probes by default.' – Wrong. It uses TCP SYN packets.
Specific Numbers and Terms:
Packet capture max duration: 5 hours.
Packet capture max size: 1 GB.
NSG Flow Logs version: 2 (includes flow state).
Connection Monitor default probe interval: 60 seconds.
Flow logs are written every 60 seconds.
Next hop types: VirtualNetworkGateway, VNetLocal, Internet, VirtualAppliance, None.
Network Watcher is regional, not global.
Edge Cases:
If a VM has multiple NICs, you must specify the NIC when using IP Flow Verify.
Packet capture on a VM with accelerated networking enabled may not capture all packets.
Flow logs for an NSG associated with a subnet will capture traffic for all VMs in that subnet.
Connection Monitor requires the Azure Monitor agent (not just the Network Watcher agent).
How to Eliminate Wrong Answers:
If the question asks about 'checking if a packet would be allowed,' look for IP Flow Verify.
If it asks about 'capturing packets for analysis,' look for Packet Capture.
If it asks about 'logging all traffic through an NSG,' look for NSG Flow Logs.
If it asks about 'tracing the path of traffic,' look for Next Hop.
If it asks about 'monitoring latency over time,' look for Connection Monitor.
Remember that Traffic Analytics is an add-on that analyzes flow logs, not a standalone tool.
Network Watcher is a regional service; you must enable it per region.
Packet Capture requires the Network Watcher Agent VM extension.
IP Flow Verify only checks NSG rules, not Azure Firewall or application firewalls.
NSG Flow Logs are version 2 by default and must be explicitly enabled per NSG.
Connection Monitor uses TCP SYN probes by default with a 60-second interval.
Next Hop returns the next hop type (e.g., VirtualNetworkGateway, Internet).
VPN Diagnostics requires diagnostic logs to be enabled on the VPN gateway.
Network Watcher can be used with Traffic Analytics to analyze flow logs.
Packet capture maximum duration is 5 hours and maximum size is 1 GB.
Security Group View shows effective NSG rules applied to a NIC.
These come up on the exam all the time. Here's how to tell them apart.
IP Flow Verify
Checks if a specific packet would be allowed or denied by NSG rules.
Returns the matching rule name and priority.
Does not log actual traffic; it's a simulation.
Useful for troubleshooting specific connectivity issues.
No agent required; works via Azure control plane.
NSG Flow Logs
Logs actual traffic flowing through an NSG.
Includes source/destination IP, port, protocol, and action (allow/deny).
Logs are stored in a storage account and can be analyzed.
Useful for security auditing and traffic analysis.
Requires enabling per NSG and incurs storage costs.
Packet Capture
Captures full packet contents for deep analysis.
Requires Network Watcher Agent on the VM.
Useful for application-level troubleshooting.
Captures a snapshot over a short period.
Can be filtered by protocol, IP, and port.
Connection Monitor
Monitors connectivity and latency over time.
Uses TCP probes from Azure Monitor agents.
Useful for performance monitoring and SLAs.
Provides continuous monitoring with alerts.
Does not capture packet contents.
Mistake
Network Watcher is a single tool that does everything.
Correct
Network Watcher is a suite of separate tools: Topology, Connection Monitor, Packet Capture, IP Flow Verify, Next Hop, NSG Flow Logs, Security Group View, and VPN Diagnostics. Each has a specific purpose.
Mistake
IP Flow Verify checks both NSG and Azure Firewall rules.
Correct
IP Flow Verify only checks Network Security Group rules. It does not evaluate Azure Firewall or application-level firewall rules.
Mistake
Packet Capture automatically captures all traffic on a VM.
Correct
Packet Capture requires explicit filters (protocol, IP, port). Without filters, it captures all traffic, which can be huge. You must also install the Network Watcher Agent.
Mistake
NSG Flow Logs are enabled by default.
Correct
NSG Flow Logs must be explicitly enabled per NSG. They are not enabled by default and incur storage costs.
Mistake
Connection Monitor uses ICMP probes.
Correct
Connection Monitor uses TCP SYN packets to measure connectivity and latency. It does not use ICMP by default, though you can configure it to use ICMP if needed.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, IP Flow Verify does not require any agent. It simulates a packet using Azure's control plane and checks NSG rules. The target VM does not need the Network Watcher Agent. However, you must specify the VM's resource ID.
Network Watcher is regional. Each region has its own Network Watcher instance. To monitor resources in multiple regions, you must enable Network Watcher in each region. Some tools like Connection Monitor can test connectivity between regions, but the source and destination must be in regions where Network Watcher is enabled.
NSG Flow Logs capture raw flow data (IP, port, protocol, action) and store them in a storage account. Traffic Analytics is an add-on that processes flow logs and provides interactive dashboards, top talkers, and traffic patterns. Traffic Analytics requires flow logs to be sent to a Log Analytics workspace.
Use VPN Diagnostics to retrieve logs from the VPN gateway. This shows tunnel status, bandwidth, and errors. You can also use Next Hop to verify that traffic destined for on-premises goes through the VPN gateway. For end-to-end latency, use Connection Monitor.
Packet Capture does not support virtual machine scale sets directly. You must capture packets on individual VM instances. The Network Watcher Agent must be installed on each instance you want to capture from.
Next hop type 'None' means that Azure could not determine a route to the destination. This typically occurs when the destination IP is not reachable via any configured route (e.g., a private IP with no route). It can also indicate a misconfiguration.
Some features incur costs: Packet Capture (storage and data transfer), NSG Flow Logs (storage and data processing), Connection Monitor (probe data), and Traffic Analytics (data ingestion). Topology, IP Flow Verify, Next Hop, and Security Group View are free. Check the Azure pricing page for current rates.
You've just covered Azure Network Watcher — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?