Network Watcher is an Azure service that brings together a combo of tools in a central place to diagnose the health of and monitor Azure networking. In your Azure environments, it can also help analyze usage and act as a central logging control for Azure network resources.
By Steve Buchanan

It is important to note that Network Watcher is a regional service; therefore, if you plan to use it across regions, you need to enable it in each of those regions. In this post, I will provide an overview of what's in Network Watcher and explain how to deploy it with a custom instance name into a resource group of your choice. Let's dive right in.

Network Watcher overview

We can break down Network Watcher's features and functionality into four main areas: monitoring, diagnostics, metrics, and logs. Here's the high-level breakdown of what Network Watcher offers you:

Monitoring

Topology

This displays a virtual network (VNet), its resources, and their relationships with each other. This can be helpful to see the layout of a network topology in Azure.

Connection Monitor

This is a way to track connection reachability between Azure resources, identify latency between resources, and catch changes that will impact connectivity, such as changes to the network configuration or network security group (NSG) rule changes. Connection Monitor often serves to monitor network communication between two infrastructure-as-a-service (IaaS) virtual machines (VMs), but it can also monitor an IP or fully qualified domain name (FQDN). It can probe every 60 seconds looking for failures or changes.

Network Performance Monitor

Network Performance Monitor (NPM) in Network Watcher gives you a centralized place for viewing network monitoring in Log Analytics.

Diagnostics

IP flow verify

This tool verifies whether a packet would be allowed or denied inbound to or outbound from a VM. You specify the VM and its NIC, the protocol (TCP or UDP), and the local and remote IP addresses and ports. If the packet is denied, IP flow verify also tells you which NSG rule is denying the traffic.

Next hop

Next hop helps identify routing problems. You specify a VM to run it from and a destination IP, and the tool returns the next hop in the route along with its type, such as Internet, VNet, VNet peering, or Microsoft Edge. This helps discover traffic that is not routing where you expect.

Security group view

Use this tool to see which NSG rules are configured and effective for a VM.
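
The two checks just described, IP flow verify and Security group view, are easy to run from PowerShell against the AzureRM cmdlets the post uses. The script below is an added example, not code from the original post: it confirms that an inbound RDP packet from an internet address is denied on a VM and then lists every effective inbound Allow rule whose source is unrestricted. The VM name, resource group, and the 203.0.113.10 source address are constructed placeholders; the script assumes a Network Watcher is already enabled in the VM's region.

```powershell
# Added example; not code from the original post. Assumes the AzureRM module the post uses,
# a Network Watcher already enabled in the VM's region, and the placeholder names below.
$VmResourceGroup       = "rg-app-prod"    # placeholder: resource group of the VM to check
$VmName                = "vm-web-01"      # placeholder: VM to check
$RemoteInternetAddress = "203.0.113.10"   # constructed sample "internet" source (TEST-NET-3 range)
$LocalPort             = "3389"           # RDP: a port that should not be reachable from the internet

$vm      = Get-AzureRmVM -ResourceGroupName $VmResourceGroup -Name $VmName
$nic     = Get-AzureRmNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$localIp = $nic.IpConfigurations[0].PrivateIpAddress

# Network Watcher is regional, so use the instance that lives in the VM's region.
$nw = Get-AzureRmNetworkWatcher | Where-Object { $_.Location -eq $vm.Location } | Select-Object -First 1
if (-not $nw) { throw "No Network Watcher instance is enabled in region '$($vm.Location)'." }

# IP flow verify: evaluate a single inbound TCP packet from the internet to the VM's RDP port.
$flow = Test-AzureRmNetworkWatcherIPFlow -NetworkWatcher $nw `
    -TargetVirtualMachineId $vm.Id `
    -TargetNetworkInterfaceId $nic.Id `
    -Direction Inbound -Protocol TCP `
    -LocalIPAddress $localIp -LocalPort $LocalPort `
    -RemoteIPAddress $RemoteInternetAddress -RemotePort "50000"

if ($flow.Access -eq "Deny") {
    Write-Host "Inbound TCP/$LocalPort from $RemoteInternetAddress is denied by NSG rule '$($flow.RuleName)'." -ForegroundColor Green
}
else {
    Write-Warning "Inbound TCP/$LocalPort from the internet is allowed by NSG rule '$($flow.RuleName)'. Review the NSG."
}

# Security group view: list every effective inbound Allow rule (NIC-level and subnet-level NSGs
# combined) whose source is unrestricted, so all internet-facing openings are visible at once.
$sgView = Get-AzureRmNetworkWatcherSecurityGroupView -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id
$sgView.NetworkInterfaces |
    ForEach-Object { $_.SecurityRuleAssociations.EffectiveSecurityRules } |
    Where-Object {
        $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
        $_.SourceAddressPrefix -in @("*", "0.0.0.0/0", "Internet")
    } |
    Sort-Object Priority |
    Select-Object Priority, Name, Protocol, DestinationPortRange, SourceAddressPrefix |
    Format-Table -AutoSize
```

IP flow verify answers the question for one specific 5-tuple, which is why the remote port is an arbitrary ephemeral value; the Security group view pass complements it by showing the whole effective rule set, including rules inherited from the subnet NSG that a NIC-only review would miss.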

VPN troubleshoot

This tool will run diagnostics on a VNet gateway or connection, returning a health diagnosis.

Packet capture

This tool can capture inbound or outbound VM packets. The captured output is a .cap file, typically stored on the VM or Azure Storage for further analysis.

Connection troubleshoot

This detects connectivity issues on a TCP or ICMP connection from a VM to another VM, a URI, an FQDN, or an IP address. It is useful because it helps determine whether a connectivity issue is a platform problem or a user configuration problem, and it reports the fault type, such as a guest firewall on the VM, an NSG rule, DNS, or a user-defined route (UDR).

Metrics

Usage + quotas

This gives you a view of usage and quotas, so you can see if you are at risk of hitting a quota.

Logs

NSG flow logs

To view data on the ingress and egress IP traffic passing through an NSG, this tool requires that NSG flow logs be collected to a storage account.

Diagnostic logs

This is a central place to enable and disable network resource diagnostic logs for Azure networking resources, such as NSGs, public IPs, load balancers, application gateways, and more. This tool only supports Azure network resources that generate diagnostic logs. We often store and view diagnostic logs using Log Analytics.

Traffic Analytics

Traffic Analytics provides visibility into user and application activity across your cloud networks. The tool gives insights into network activity across subscriptions, security threats (such as open ports), VMs communicating with known bad networks, and traffic flow patterns. This tool requires Log Analytics, which powers it.
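
Because flow logs are the data source for both the NSG flow logs view and Traffic Analytics, a gap in flow logging is a gap in visibility. The script below is an added example, not code from the original post: it walks every NSG in the selected subscription, asks the Network Watcher of the NSG's region whether flow logging is on and how long data is retained, and optionally turns flow logs on with bounded retention. It assumes the AzureRM module used in the post; the storage account resource ID and the 90-day retention value are placeholders to replace with your own.

```powershell
# Added example; not code from the original post. Assumes the AzureRM module the post uses,
# a selected subscription, and the placeholder storage account ID below.
$Remediate               = $false   # set to $true to turn flow logs on where they are off
$FlowLogStorageAccountId = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"  # placeholder
$RetentionDays           = 90       # retention to apply when remediating

$watchers = Get-AzureRmNetworkWatcher

$report = foreach ($nsg in Get-AzureRmNetworkSecurityGroup) {
    # Flow logs are configured through the Network Watcher of the NSG's own region.
    $nw = $watchers | Where-Object { $_.Location -eq $nsg.Location } | Select-Object -First 1
    if (-not $nw) {
        [pscustomobject]@{ Nsg = $nsg.Name; Region = $nsg.Location; FlowLogs = "no Network Watcher"; RetentionDays = $null }
        continue
    }

    $status = Get-AzureRmNetworkWatcherFlowLogStatus -NetworkWatcher $nw -TargetResourceId $nsg.Id

    if (-not $status.Enabled -and $Remediate) {
        Set-AzureRmNetworkWatcherConfigFlowLog -NetworkWatcher $nw -TargetResourceId $nsg.Id `
            -StorageAccountId $FlowLogStorageAccountId `
            -EnableFlowLog $true -EnableRetention $true -RetentionInDays $RetentionDays | Out-Null
        # Re-read so the report reflects the state after the change.
        $status = Get-AzureRmNetworkWatcherFlowLogStatus -NetworkWatcher $nw -TargetResourceId $nsg.Id
    }

    [pscustomobject]@{
        Nsg           = $nsg.Name
        Region        = $nsg.Location
        FlowLogs      = if ($status.Enabled) { "enabled" } else { "DISABLED" }
        # A retention of 0 days means "keep forever"; report anything that is not explicitly bounded.
        RetentionDays = if ($status.RetentionPolicy.Enabled -and $status.RetentionPolicy.Days -gt 0) { $status.RetentionPolicy.Days } else { "unbounded" }
    }
}

$report | Sort-Object FlowLogs, Region | Format-Table -AutoSize
```

Run it first with `$Remediate = $false` to get the inventory; NSGs in regions without a Network Watcher cannot have flow logs at all, so those rows point back to the regional enablement covered in the next section.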

Deploying Network Watcher

After deploying a VNet in Azure, if you go to Diagram as shown in the following screenshot, you will notice that you are not able to see the network topology. The topology view requires Network Watcher to be deployed, so let's move on to how to do this.

Blank VNet diagram

You can deploy Network Watcher in two different ways: through the Azure portal or through code (PowerShell or the Azure CLI). Note that if you deploy Network Watcher via the Azure portal, it will give the instance a default name of NetworkWatcher_REGIONNAMEWILLGOHERE and put it in a default resource group named NetworkWatcherRG. It is common to give Network Watcher a custom name and deploy it into a specific resource group, which you can do when deploying the instance via code. To deploy it using the Azure portal, follow these steps:

  1. Open the Azure portal at
  2. Go to All Services > Networking > Network Watcher.
  3. Find the subscription and region you want to enable Network Watcher for, and then click on the ellipsis button (...) and select Enable network watcher.
Enable Network Watcher

I put together some PowerShell code that creates a Network Watcher instance with a custom name and places it in a specific resource group, creating that resource group if it does not already exist. To deploy a custom-named Network Watcher into an existing or new resource group, use the code below.

Note: Change the parameter values ($Location, $NetWatcherRGName, and $NetworkWatcherInstanceName) to what you want.

# Azure Login
Write-Host "Log into Azure Services..."
# Azure Account Login
try {
    Login-AzureRmAccount -ErrorAction Stop
}
catch {
    # The exception lands in [Microsoft.Azure.Commands.Common.Authentication.AadAuthenticationCanceledException]
    Write-Host "User canceled the authentication" -ForegroundColor Yellow
    # Nothing below can succeed without a signed-in account
    return
}

# Prompt to select an Azure subscription
Get-AzureRmSubscription | Out-GridView -OutputMode Single -Title "Select a subscription" | ForEach-Object { $selectedSubscriptionID = $PSItem.SubscriptionId }

# Set selected Azure subscription
Select-AzureRmSubscription -SubscriptionId $selectedSubscriptionID

# Set parameters
$Location = "East US"
$NetWatcherRGName = "NetworkWatcherRG"                 # resource group for the instance (sample value; set your own)
$NetworkWatcherInstanceName = "NetworkWatcher_EastUS"  # custom instance name (sample value; set your own)

# Check for existing resource group/Create resource group for Network Watcher
if ($null -eq (Get-AzureRmResourceGroup -Name $NetWatcherRGName -ErrorAction SilentlyContinue)) {
    Write-Host `
        -ForegroundColor Green `
        -BackgroundColor Black `
        "Creating New Azure resource group"
    New-AzureRmResourceGroup `
        -Name $NetWatcherRGName `
        -Location $Location
    # Brief pause so the new resource group is visible before the deployment below
    Start-Sleep -Seconds 5
}
else {
    Write-Host `
        -ForegroundColor Yellow `
        -BackgroundColor Black `
        "Resource group already exists"
    Start-Sleep -Seconds 5
}

# Deploy Network Watcher instance
New-AzureRmNetworkWatcher -Name "$NetworkWatcherInstanceName" -ResourceGroupName "$NetWatcherRGName" -Location "$Location"

From within the Azure portal, if you go back to All Services > Networking > Network Watcher, you will see Network Watcher enabled. Note it is only enabled for the subscription and region specified in the code.
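
Since a single run of the script above only covers one region, it is worth checking that every region where you actually have VNets has a Network Watcher. The function below is an added example, not code from the original post: it groups the subscription's VNets by region, compares that list with the regions that already have a Network Watcher instance, and, only when the -CreateMissing switch is passed, creates the missing instances in a resource group of your choice. It assumes the AzureRM module used in the post and a selected subscription; the resource group passed to -ResourceGroupName must already exist (the post's script creates one), and the default "NetworkWatcherRG" is a placeholder.

```powershell
# Added example; not code from the original post. Assumes the AzureRM module the post uses
# and an already-selected subscription. The default resource group name is a placeholder.
function Get-NetworkWatcherCoverage {
    param(
        [switch]$CreateMissing,
        [string]$ResourceGroupName = "NetworkWatcherRG"   # placeholder; pass $NetWatcherRGName from the post's script
    )

    # Regions come back as "eastus"; normalise any "East US" spelling the same way before comparing.
    $watcherRegions = Get-AzureRmNetworkWatcher | ForEach-Object { ($_.Location -replace '\s', '').ToLower() }

    Get-AzureRmVirtualNetwork |
        Group-Object -Property { ($_.Location -replace '\s', '').ToLower() } |
        ForEach-Object {
            $region  = $_.Name
            $covered = $region -in $watcherRegions

            if (-not $covered -and $CreateMissing) {
                # Same naming pattern the portal uses; adjust if you prefer a custom name as in the post.
                New-AzureRmNetworkWatcher -Name "NetworkWatcher_$region" `
                    -ResourceGroupName $ResourceGroupName -Location $region | Out-Null
                $covered = $true
            }

            [pscustomobject]@{
                Region         = $region
                VNets          = $_.Count
                NetworkWatcher = if ($covered) { "enabled" } else { "MISSING" }
            }
        } | Sort-Object NetworkWatcher, Region
}

# Report only; add -CreateMissing -ResourceGroupName $NetWatcherRGName to enable the gaps.
Get-NetworkWatcherCoverage | Format-Table -AutoSize
```

Regions that show MISSING are exactly the ones where the topology view, IP flow verify, and flow logs described earlier will be unavailable until Network Watcher is enabled there.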

Network watcher enabled

Also, VNets in a subscription and region that has Network Watcher enabled now display their topology, as shown in the following screenshot.


Populated VNet diagram

Thanks for reading, and look for more posts coming soon on Azure networking!


© 4sysops 2006 - 2021