Azure Network Watcher is a regional service designed to monitor, diagnose, and gain insights into network performance and health within Azure. Unlike standard monitoring that focuses on individual resource health, Network Watcher focuses on the Infrastructure-as-a-Service (IaaS) network layer. It provides a suite of diagnostic tools such as IP Flow Verify to check if traffic is allowed or denied by Network Security Groups (NSGs), Next Hop to identify routing issues, and Packet Capture to perform deep inspection of traffic anomalies directly on Virtual Machines.
A critical component of this service is Connection Monitor. This unified tool provides end-to-end connectivity checking between a source (like an Azure VM or an on-premises machine with a Log Analytics agent) and a destination (another VM, a URI, an FQDN, or an IP address). It supports TCP, ICMP, and HTTP protocols. Connection Monitor measures network performance metrics, specifically Round-Trip Time (RTT) and packet loss, across Azure regions, ExpressRoute connections, and VPNs.
For an Azure Administrator, these tools are vital for maintaining network availability. Connection Monitor visualizes the network topology hop-by-hop, allowing you to pinpoint exactly where a handshake fails or where latency spikes occur. By integrating findings with Azure Monitor and Log Analytics, administrators can configure alerts to trigger when connectivity drops or performance thresholds are breached, ensuring proactive management of hybrid and cloud-native network infrastructures.
Comprehensive Guide to Azure Network Watcher and Connection Monitor for AZ-104
Why is Azure Network Watcher Important?

In the Azure Administrator (AZ-104) exam and real-world scenarios, diagnosing networking issues within a virtual network (VNet) is a critical skill. Unlike on-premises networks where you have physical access to switches and routers, Azure is software-defined. Azure Network Watcher provides the necessary tools to monitor, diagnose, view metrics, and enable logs for resources in an Azure virtual network. It is essential for troubleshooting connectivity issues, understanding traffic limitations (NSGs), and diagnosing routing errors.
What is Network Watcher?

Azure Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level. This means you must enable a Network Watcher instance in every Azure region where you have Virtual Networks you wish to monitor. It is designed specifically for IaaS (Infrastructure-as-a-Service) monitoring (e.g., Virtual Machines, VNets, Application Gateways).
How it Works: Core Components

To answer exam questions correctly, you must map a specific network problem to the specific Network Watcher tool designed to solve it:
1. IP Flow Verify
This tool checks strictly against Network Security Group (NSG) rules. It tells you if a packet is allowed or denied to/from a specific IP address and port. If a VM cannot reach a destination, IP Flow Verify is often the first step to confirm if a security rule is blocking the traffic.
2. Next Hop
This tool is used to diagnose routing issues. It helps you determine the next destination IP address where traffic is being routed. If traffic is going to the Internet instead of your on-premises VPN, or is being blackholed, Next Hop will reveal if a User Defined Route (UDR) or system route is the cause.
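The two-step triage the text describes (check the NSG decision first, then the route) fits naturally into one Az PowerShell function. The following is an added example, not code from the original guide; it assumes the Az.Compute and Az.Network modules, an authenticated session (Connect-AzAccount), a Network Watcher already enabled in the VM's region, and placeholder resource names.

```powershell
# Added example: run IP Flow Verify and then Next Hop against one VM and
# return both verdicts in a single object. Resource names are placeholders.
function Invoke-NwTriage {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $RemoteIPAddress,
        [int]    $RemotePort = 443,
        [ValidateSet('TCP', 'UDP')]           [string] $Protocol  = 'TCP',
        [ValidateSet('Inbound', 'Outbound')]  [string] $Direction = 'Outbound'
    )

    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # Network Watcher is regional: resolve it from the VM's own region.
    $nw = Get-AzNetworkWatcher -Location $vm.Location
    if (-not $nw) { throw "Network Watcher is not enabled in region '$($vm.Location)'." }

    # The VM's primary private IP is the local side of the 5-tuple being tested.
    $nic     = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    $localIp = $nic.IpConfigurations[0].PrivateIpAddress

    # Step 1: IP Flow Verify evaluates the effective NSG rules for this flow.
    $flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw `
        -TargetVirtualMachineId $vm.Id `
        -Direction $Direction -Protocol $Protocol `
        -LocalIPAddress $localIp -LocalPort 60000 `
        -RemoteIPAddress $RemoteIPAddress -RemotePort $RemotePort

    # Step 2: Next Hop shows where the effective route table sends the packet.
    $hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw `
        -TargetVirtualMachineId $vm.Id `
        -SourceIPAddress $localIp -DestinationIPAddress $RemoteIPAddress

    [pscustomobject]@{
        VM           = $VMName
        Destination  = "$($RemoteIPAddress):$RemotePort/$Protocol"
        NsgAccess    = $flow.Access          # 'Allow' or 'Deny'
        NsgRule      = $flow.RuleName        # the NSG rule that decided
        NextHopType  = $hop.NextHopType      # Internet, VirtualAppliance, VirtualNetworkGateway, None, ...
        NextHopIp    = $hop.NextHopIpAddress
        RouteTableId = $hop.RouteTableId     # 'System Route' when no UDR applies
    }
}

# Usage with placeholder names; the branches mirror the decision logic in the guide.
$r = Invoke-NwTriage -ResourceGroupName 'rg-prod' -VMName 'vm1' -RemoteIPAddress '10.1.0.4' -RemotePort 443
if ($r.NsgAccess -eq 'Deny')            { "Blocked by NSG rule '$($r.NsgRule)': this is a security-rule problem." }
elseif ($r.NextHopType -eq 'None')      { "No route to destination (blackholed): inspect UDRs." }
elseif ($r.NextHopType -eq 'Internet')  { "Traffic leaves via Internet: if a firewall appliance or VPN was expected, a UDR is missing or wrong." }
else                                    { "NSG allows; next hop is $($r.NextHopType) ($($r.NextHopIp))." }
```

Both cmdlets are point-in-time checks against the current NSG and route state, which is why the guide reserves Connection Monitor for problems that need to be observed over time.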
3. Connection Monitor
This is the unified end-to-end connectivity monitoring tool. It monitors communication between a source (Azure VM) and a destination (another VM, a URI, or an external IP) at regular intervals. It measures latency and determines reachability. Unlike IP Flow Verify (which is a momentary check), Connection Monitor provides continuous tracking of network health.
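A Connection Monitor is built from endpoint, protocol, test-configuration and test-group objects, with thresholds for exactly the two metrics the guide names (packet loss and RTT). The block below is an added example, not code from the original guide; it assumes the current Az.Network object-builder cmdlet syntax, an authenticated session, a Network Watcher in the VM's region, the Network Watcher Agent on the source VM, and placeholder names for the resource group, VM, workspace and destination FQDN.

```powershell
# Added example: continuous TCP/443 test from an Azure VM to an FQDN every 60 s,
# with results written to Log Analytics. All names are placeholders.
$rg = 'rg-prod'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm1'
$nw = Get-AzNetworkWatcher -Location $vm.Location

# Source endpoint is the VM (by resource id); destination is an external FQDN.
$src = New-AzNetworkWatcherConnectionMonitorEndpointObject -AzureVM -Name 'vm1-src' -ResourceId $vm.Id
$dst = New-AzNetworkWatcherConnectionMonitorEndpointObject -ExternalAddress -Name 'api-dst' -Address 'api.contoso.example'

# Protocol configuration: a TCP handshake on 443 (-HttpProtocol and -IcmpProtocol exist as well).
$tcp = New-AzNetworkWatcherConnectionMonitorProtocolConfigurationObject -TcpProtocol -Port 443

# Test configuration: probe every 60 s and mark the test failed when more than
# 20% of checks fail (packet loss) or the round-trip time exceeds 100 ms.
$tc = New-AzNetworkWatcherConnectionMonitorTestConfigurationObject -Name 'tcp-443' `
    -TestFrequencySec 60 -ProtocolConfiguration $tcp `
    -SuccessThresholdChecksFailedPercent 20 -SuccessThresholdRoundTripTimeMs 100

# A test group ties sources, destinations and test configurations together.
$tg = New-AzNetworkWatcherConnectionMonitorTestGroupObject -Name 'vm1-to-api' `
    -TestConfiguration $tc -Source $src -Destination $dst

# Send results to a Log Analytics workspace so Azure Monitor alerts can be built on them.
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-prod'
$out = New-AzNetworkWatcherConnectionMonitorOutputObject -WorkspaceResourceId $ws.ResourceId

New-AzNetworkWatcherConnectionMonitor -NetworkWatcher $nw -Name 'cm-vm1-api' `
    -TestGroup $tg -Output $out
```

Once results flow into the workspace (the NWConnectionMonitorTestResult table), a log-search alert on failed tests or high RTT gives the proactive notification the introduction describes, rather than someone noticing the outage first.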
4. Packet Capture
This allows you to create packet capture sessions to track traffic to and from a virtual machine. This is used for deep analysis (using tools like Wireshark) when you need to inspect the actual data headers or payload, not just connectivity status.
5. NSG Flow Logs and Traffic Analytics
NSG Flow Logs capture information about IP traffic flowing through an NSG. Traffic Analytics takes these logs and visualizes them (using Log Analytics), helpful for auditing compliance and understanding traffic patterns (e.g., "Who is talking to whom frequently?").
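Flow logs are the one Network Watcher feature that produces an audit trail rather than a diagnosis, so they are usually enabled up front rather than during an incident. The following is an added example, not code from the original guide; it assumes the current Az.Network New-AzNetworkWatcherFlowLog cmdlet form, an authenticated session, a Network Watcher in the NSG's region, and placeholder names for the NSG, storage account and Log Analytics workspace.

```powershell
# Added example: enable NSG flow logs (format version 2, 30-day retention) and
# feed them to Traffic Analytics at a 10-minute processing interval.
# All resource names are placeholders.
$rg  = 'rg-prod'
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-web'
$nw  = Get-AzNetworkWatcher -Location $nsg.Location
$sa  = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stnwflowlogs'
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-prod'

New-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name 'fl-nsg-web' `
    -TargetResourceId $nsg.Id `
    -StorageId $sa.Id -Enabled $true `
    -FormatVersion 2 `
    -EnableRetention $true -RetentionPolicyDays 30 `
    -EnableTrafficAnalytics -TrafficAnalyticsWorkspaceId $ws.ResourceId -TrafficAnalyticsInterval 10

# Confirm the log is enabled and points at the intended NSG.
Get-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name 'fl-nsg-web' |
    Select-Object Name, Enabled, TargetResourceId
```

Format version 2 records flow state and byte/packet counts, which is what makes the "who talks to whom, and how much" questions in Traffic Analytics answerable; the retention period is a policy decision, so treat 30 days as a placeholder.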
Exam Tips: Answering Questions on Azure Network Watcher and Connection Monitor

When facing AZ-104 questions, search for keywords in the scenario to select the right tool:
Scenario A: "Users cannot connect to a web server on VM1." Decision Logic: Do you suspect a firewall rule? Use IP Flow Verify. Do you need to prove the connection fails over a period of time? Use Connection Monitor.
Scenario B: "Traffic from the VM is going directly to the internet instead of the firewall appliance." Decision Logic: This is a routing issue. The correct answer is Next Hop.
Scenario C: "You need to troubleshoot intermittent connection issues between two VMs and check for latency." Decision Logic: The keyword is "latency" or "intermittent." IP Flow Verify only checks rules statically. You must use Connection Monitor.
Scenario D: "You need to analyze the TCP headers of inbound traffic." Decision Logic: Deep inspection requires raw data. The answer is Packet Capture.
Critical Note on Prerequisites: Remember that for features like Packet Capture and Connection Monitor to work, the target Virtual Machine must have the Network Watcher Agent extension installed. If an exam question asks why a Packet Capture failed to start, the missing agent is often the answer.
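Because a missing agent is the usual reason a capture never starts, a practical script checks for the extension before requesting the capture. The block below is an added example, not code from the original guide; it assumes the Az.Compute, Az.Network and Az.Storage modules, an authenticated session, a Network Watcher in the VM's region, and placeholder names for the resource group, VM and storage account. The extension name 'AzureNetworkWatcherExtension' is a label chosen here; the publisher and extension types are the real ones.

```powershell
# Added example: ensure the Network Watcher Agent extension is present, then start a
# short, filtered packet capture to a storage account. Names are placeholders.
function Install-NwAgentIfMissing {
    param([Parameter(Mandatory)] $Vm)   # object returned by Get-AzVM

    # Same publisher for both OS families; the extension type differs.
    $isWindows = $Vm.StorageProfile.OsDisk.OsType -eq 'Windows'
    $extType   = if ($isWindows) { 'NetworkWatcherAgentWindows' } else { 'NetworkWatcherAgentLinux' }

    $installed = Get-AzVMExtension -ResourceGroupName $Vm.ResourceGroupName -VMName $Vm.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -eq 'Microsoft.Azure.NetworkWatcher' -and $_.ExtensionType -eq $extType }

    if ($installed) { return $installed }

    # Not present: install it (this is the prerequisite the guide warns about).
    Set-AzVMExtension -ResourceGroupName $Vm.ResourceGroupName -VMName $Vm.Name `
        -Location $Vm.Location -Name 'AzureNetworkWatcherExtension' `
        -Publisher 'Microsoft.Azure.NetworkWatcher' -ExtensionType $extType `
        -TypeHandlerVersion '1.4'
}

$rg = 'rg-prod'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm1'
$nw = Get-AzNetworkWatcher -Location $vm.Location
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stnwcaptures'

Install-NwAgentIfMissing -Vm $vm | Out-Null

# Capture only TCP on ports 80/443 and only the first 128 bytes of each packet:
# enough for header analysis in Wireshark, while limiting how much payload lands in storage.
$filter = New-AzPacketCaptureFilterConfig -Protocol TCP -LocalPort '1-65535' -RemotePort '80;443'

$captureName = "vm1-$(Get-Date -Format 'yyyyMMddHHmm')"
New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -PacketCaptureName $captureName -StorageAccountId $sa.Id `
    -TimeLimitInSeconds 60 -BytesToCapturePerPacket 128 -Filter $filter

# Poll the session; it stops on its own at the time limit, or earlier with
# Stop-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName
Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $captureName |
    Select-Object Name, PacketCaptureStatus, StopReason
```

Capturing headers only and filtering by port are deliberate: a capture file is itself sensitive data, and the storage account that receives it should be locked down as tightly as the VM it came from.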
Regional Scope: Network Watcher is not global. If you create a VNet in West US and another in East US, you must enable Network Watcher in both regions to monitor resources in both.