Azure Network Watcher on Microsoft Azure
Azure Network Watcher is a network monitoring and diagnostics service for Azure networks. The service provides a comprehensive tool collection for monitoring, diagnosing, and analyzing network connections, traffic flows, and network issues in Azure Virtual Networks.
Unlike pure monitoring tools, Network Watcher offers active diagnostic functions such as connection tests, packet capture, next hop analysis, and IP flow verify. Integration with Azure Monitor enables historical analysis and trend observation of network metrics.
Network Watcher is available in all Azure regions and meets GDPR requirements when using European regions.
Typical Use Cases
Diagnosing connectivity issues: Connection Troubleshoot checks reachability between VMs, Application Gateways, or other resources and identifies issues like NSG blocks or routing errors.
Traffic analysis: NSG Flow Logs combined with Traffic Analytics provide insights into network traffic patterns, top talkers, and potential security risks.
Packet-level debugging: Packet Capture enables recording of network packets at VM level for detailed protocol analysis without installing additional software.
Compliance and security audits: Topology view and Connection Monitor document network architecture and connectivity for compliance evidence.
Frequently Asked Questions about Azure Network Watcher
What is the difference between Connection Monitor and Connection Troubleshoot?
Connection Monitor is designed for continuous, proactive monitoring and checks connections at regular intervals. Connection Troubleshoot is an on-demand tool for ad-hoc diagnostics of acute connectivity problems.
How does IP Flow Verify work?
IP Flow Verify checks whether a packet with specific parameters (source/destination IP, port, protocol) is allowed or blocked from or to a VM. The tool shows which NSG rule blocks or allows the packet.
Can NSG Flow Logs be analyzed retroactively?
Yes, NSG Flow Logs are stored by default in Storage Accounts and can be analyzed retroactively via Traffic Analytics or custom tools. The retention period is configurable.
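A sketch of such a custom tool, as an added example that is not innFactory or Microsoft code: it parses one flow log blob in the version 2 layout, counts denied inbound flows per source IP, and sums bytes per NSG rule. The sample blob, rule names, and function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the NSG flow log version 2 layout (not real traffic).
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2024-01-01T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704103200,203.0.113.7,10.0.0.4,50211,3389,T,I,D,B,,,,",
            "1704103205,203.0.113.7,10.0.0.4,50212,22,T,I,D,B,,,,",
            "1704103210,198.51.100.9,10.0.0.4,40000,3389,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704103215,192.0.2.10,10.0.0.4,51000,443,T,I,A,B,,,,",
            "1704103275,192.0.2.10,10.0.0.4,51000,443,T,I,A,E,12,3400,10,9200"]}]},
    ]}}]})

# Tuple order: time, addresses, ports, protocol (T/U), direction (I/O), decision (A/D),
# flow state (B/C/E), then packet and byte counters for each direction.
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

def parse_flows(blob_text):
    """Yield one dict per flow tuple, tagged with the NSG rule that matched it."""
    for record in json.loads(blob_text).get("records", []):
        for rule_group in record.get("properties", {}).get("flows", []):
            for per_mac in rule_group.get("flows", []):
                for line in per_mac.get("flowTuples", []):
                    parts = line.split(",")
                    if len(parts) < 8:      # malformed tuple: skip rather than crash
                        continue
                    # Version 1 tuples stop after the decision; pad the v2-only fields.
                    parts += [""] * (len(FIELDS) - len(parts))
                    flow = dict(zip(FIELDS, parts))
                    flow["rule"] = rule_group.get("rule", "")
                    yield flow

def denied_inbound_by_source(blob_text):
    """Count inbound flows the NSG denied, per source IP."""
    return Counter(f["src_ip"] for f in parse_flows(blob_text)
                   if f["direction"] == "I" and f["decision"] == "D")

def bytes_by_rule(blob_text):
    """Sum bytes in both directions per rule (counters are empty on state 'B')."""
    totals = Counter()
    for f in parse_flows(blob_text):
        totals[f["rule"]] += int(f["bytes_s2d"] or 0) + int(f["bytes_d2s"] or 0)
    return totals

if __name__ == "__main__":
    print(denied_inbound_by_source(SAMPLE_BLOB).most_common(), dict(bytes_by_rule(SAMPLE_BLOB)))
```

Repeated denies from one source across several management ports, as in the constructed sample, are the kind of pattern worth forwarding to an alerting pipeline.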
What does Azure Network Watcher cost?
Network Watcher itself is free, but individual features incur costs: Connection Monitor approximately €0.30 per test/month, Packet Capture approximately €0.11/GB, NSG Flow Logs approximately €0.50/GB. Storage costs for logs are additional.
Can Network Watcher also monitor on-premises networks?
Network Watcher is limited to Azure resources. For hybrid scenarios, Connection Monitor tests can be configured to on-premises endpoints if they are reachable via VPN or ExpressRoute.
How does Network Watcher integrate with Azure Sentinel?
NSG Flow Logs and Traffic Analytics data can be forwarded to Azure Sentinel via a Log Analytics workspace. There they can be used for security analytics, threat detection, and incident response.
Does Network Watcher support IPv6?
Yes, most Network Watcher features support IPv6, including NSG Flow Logs, IP Flow Verify, and Connection Monitor. Packet Capture has limited IPv6 support.
Alternatives
- AWS: VPC Flow Logs
- GCP: Network Intelligence Center
Integration with innFactory
As a Microsoft Solutions Partner, innFactory supports you in implementing comprehensive network monitoring strategies with Azure Network Watcher. We help with setup, troubleshooting workflows, and integration into existing monitoring systems.
Contact us for a non-binding consultation on Azure Network Watcher.
