You're reading from Designing and Implementing Microsoft Azure Networking Solutions

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781803242033
Edition: 1st Edition

Author: David Okeyode

David is the EMEA Azure CTO at Palo Alto Networks. Before that, he was an independent consultant helping companies secure their Azure environments through private expert-level trainings and assessments. He has authored two books on Azure security – "Penetration Testing Azure for Ethical Hackers" and "Microsoft Azure Security Technologies Certification and Beyond". He has also authored multiple cloud computing courses for popular platforms like LinkedIn Learning. He holds over 15 cloud certifications and has over a decade of experience in cybersecurity (consultancy, design, implementation). David is married to a lovely girl who makes the best banana cake in the world. They love travelling the world together!

Monitoring Networks in Azure

Network monitoring and diagnostics are essential components for maintaining the smooth functioning and optimal performance of a network infrastructure. This includes real-time monitoring of network services, systems, and traffic to detect problems early before they escalate into major disruptions. By identifying issues promptly, network engineers can take proactive measures to address them, minimizing network downtime and service interruptions. In this chapter, we will cover Azure services and tools that we can use to monitor and diagnose network services.

By the end of this chapter, you will have a good understanding of the following:

  • Understanding the network monitoring tools of Network Watcher
  • Understanding the network diagnostic tools of Network Watcher
  • Understanding NSG flow logs

We have arranged the topics to match the exam objectives. Let’s get started!

Technical requirements

To follow along with the instructions in this chapter, you will need the following:

  • A PC with an internet connection
  • An Azure subscription

Introducing Azure Network Watcher for monitoring, network diagnostics, and logs

Azure Network Watcher is a collection of tools used to monitor and diagnose network connectivity in Azure. It focuses on monitoring and maintaining the network health of Infrastructure-as-a-Service (IaaS) resources such as VMs, VNets, load balancers, and application gateways. It is important to note that Network Watcher is not suitable for monitoring Platform-as-a-Service (PaaS) resources or conducting web analytics. The tools in Network Watcher fall into two main categories – network monitoring and network diagnostics (see Figure 11.1).

Figure 11.1 – Azure Network Watcher tool categories

The network monitoring tools are useful for gaining visibility of the existing state of our networks in Azure, while the network diagnostics tools are useful for troubleshooting and identifying the root cause of network-related problems.

From a design perspective, Network...

Understanding the network monitoring tools of Network Watcher

Network Watcher's monitoring tools are useful for gaining valuable insight into the current status of our Azure networks. There are two main tools that fall into this category – topology visualization and Connection Monitor. Let us review their functionalities.

Topology visualization

As VNets grow in size and complexity, it becomes challenging to understand the resources that they contain and the relationships between them. The topology visualization tool in Network Watcher addresses this challenge by providing network administrators and engineers with the ability to visualize the network topology.

By using this tool, administrators can create a visual representation of the resources within a VNet and their relationships. An editable version of the picture can also be downloaded in the SVG format. This helps to easily determine the subnets within a VNet, the network interfaces connected to each subnet...

Understanding the Network diagnostic tools of Network Watcher

Network Watcher’s diagnostic tools are useful for troubleshooting and identifying the root cause of network-related problems. There are seven main tools that fall into this category – connection troubleshoot, IP flow verify, NSG diagnostics, next hop, VPN troubleshoot, packet capture, and effective security rules. In this section, we will explore six of these tools, starting with connection troubleshoot.

Connection troubleshoot

The connection troubleshoot tool in Network Watcher is similar to the Connection Monitor tool discussed earlier, in that it allows users to validate network communication between a source and a destination endpoint. However, there are key differences between the two. While Connection Monitor provides continuous monitoring of network connectivity, connection troubleshoot allows us to perform tests on demand, which is useful for troubleshooting scenarios.

Connection troubleshoot...

Hands-on exercise 1 – provisioning the resources for the chapter's exercises

To follow along with the exercises in this chapter, we will provision some Azure resources to work with. We have prepared an Azure ARM template in the GitHub repository of this book for this purpose. The template will deploy a VM, a storage account (with a file share), and an App Service web app in the specified Azure region, as shown in Figure 11.14.

Figure 11.14 – Resources deployed via the provided ARM template

Here are the tasks that we will complete in this exercise:

  • Task 1: Initialize template deployment in GitHub, complete the parameters, and deploy a template to Azure

Let’s get into this!

Task 1 – initialize template deployment in GitHub, complete the parameters, and deploy a template to Azure

The steps are:

  1. Open a web browser and navigate to https://packt.link/AdmXo.
  2. This link will open the GitHub repository...

Hands-on exercise 2 – implementing the network monitoring tools of Network Watcher

Here are the tasks that we will complete in this exercise:

  • Task 1: Visualize the topology of an Azure VNet
  • Task 2: Create an Azure Network Watcher connection monitor
  • Task 3: Trigger a network issue and review Connection Monitor

Let us go through the steps to accomplish these tasks:

Task 1 – visualize the topology of an Azure VNet

The steps are:

  1. In the Azure portal, in the Search resources, services, and docs textbox at the top of the Azure portal page, type network watcher. Select Network Watcher from the search results.
  2. In the Network Watcher window, in the Monitoring section, select Topology and specify the following:
    • Subscription: Select the Azure subscription that you deployed the resources into
    • Resource Group: CharisTechRG-C11
    • Virtual Network: CoreServicesVnet

Figure 11.17 – Specify the network to visualize...

Understanding NSG flow logs

Flow logs are a feature of Azure Network Watcher that records all IP flows moving in and out of an NSG. To filter network traffic to and from Azure resources within a VNet subnet, we can implement NSGs (see Figure 11.28). Rules can then be configured in an NSG to allow or deny traffic by source/destination IP address, source/destination port, and protocol (known as the five-tuple). We can associate an NSG at the subnet level or the VM NIC level (see Figure 11.28).

Figure 11.28 – The NSG at the subnet and VM NIC levels

When enabled, NSG flow logs will record IP flows through the NSG, outside the path of the network traffic, so there is no latency impact. The logs are written in JSON format and can be stored in an Azure Blob Storage container. We can specify the retention period at configuration time, as shown in the following screenshot (see Figure 11.29). We can also collect the logs in a Log Analytics workspace (if Traffic...
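The flow tuples described above are what a defender actually works with once the JSON lands in Blob Storage. The following parser, an added example rather than code from the book, reads one NSG flow log record in the v2 layout (where each comma-separated tuple carries timestamp, five-tuple, direction, decision, state and four traffic counters), extracts the five-tuple and matched rule for every flow, and counts denied inbound flows per source and destination port. The embedded record, its resource ID, MAC and IP addresses are constructed placeholders.

```python
import json
from collections import Counter

# Field layout of one NSG flow log v2 flow tuple (comma-separated), as documented
# by Microsoft: timestamp, source IP, destination IP, source port, destination
# port, protocol (T=TCP, U=UDP), direction (I=inbound, O=outbound), decision
# (A=allow, D=deny), flow state (B/C/E), then four optional traffic counters.
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port",
          "proto", "direction", "decision", "state")

# Constructed sample record (placeholder IDs and addresses, not from a real tenant):
# two SSH/RDP probes hit the default deny rule, one HTTPS flow hits a custom allow rule.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2023-08-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<SUB-ID>/RESOURCEGROUPS/CHARISTECHRG-C11/"
                  "PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/<NSG-NAME>",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000000000001", "flowTuples": [
            "1690884000,203.0.113.10,10.0.1.4,51000,22,T,I,D,B,,,,",
            "1690884001,203.0.113.10,10.0.1.4,51001,3389,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000000000001", "flowTuples": [
            "1690884002,198.51.100.7,10.0.1.4,44000,443,T,I,A,B,3,210,2,180"]}]},
    ]}}]})


def parse_flow_log(raw: str):
    """Yield one dict per flow tuple, annotated with the NSG rule that matched it."""
    for record in json.loads(raw)["records"]:
        for rule_entry in record["properties"]["flows"]:
            for flow in rule_entry["flows"]:
                for tup in flow["flowTuples"]:
                    parts = tup.split(",")
                    row = dict(zip(FIELDS, parts[:len(FIELDS)]))
                    row["rule"] = rule_entry["rule"]
                    yield row


def denied_inbound_by_source(raw: str) -> Counter:
    """Count denied inbound flows per (source IP, destination port).

    Repeated denies from one source across many ports are the kind of pattern
    worth surfacing from flow logs when reviewing NSG effectiveness.
    """
    counts = Counter()
    for f in parse_flow_log(raw):
        if f["direction"] == "I" and f["decision"] == "D":
            counts[(f["src_ip"], f["dst_port"])] += 1
    return counts


if __name__ == "__main__":
    for src, n in denied_inbound_by_source(SAMPLE_LOG).items():
        print(f"denied inbound from {src[0]} to port {src[1]}: {n}")
```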

Hands-on exercise 3 – enabling NSG flow logs

Here are the tasks that we will complete in this exercise:

  • Task 1: Enable an NSG flow log
  • Task 2: Download and review the flow log

Let us go through the steps to accomplish these tasks.

Task 1 – enable an NSG flow log

The steps are:

  1. In the Azure portal, in the Search resources, services, and docs textbox at the top of the Azure portal page, type network watcher. Select Network Watcher from the search results.
  2. On the left pane, in the Logs section, select Flow logs.
  3. In Network Watcher | Flow logs, select + Create.
  4. In the Create a flow log window, in the Basics tab, configure the following:
    • Subscription: Select the Azure subscription that contains your VM and its NSG
    • Click on + Select resource
Figure 11.30 – Click to select the NSG resources to monitor

  5. In the Select network security group window, select the following NSGs –...

Summary

Congratulations! You have come to the end of not just this chapter but also this book! In this final chapter, we explored and implemented key functionalities of the Azure Network Watcher service. We covered its network monitoring and diagnostic tools and also discussed NSG flow logs and their implementation. The information covered in this chapter has provided you with the skills needed to effectively monitor and diagnose network connectivity issues in Azure. This knowledge forms a critical part of the “Monitor Networks” objective for the AZ-700 – Azure Network Engineer Associate certification exam.

Further reading

Azure Network Watcher documentation: https://learn.microsoft.com/en-us/azure/network-watcher/
