Skip to main content
Monitor and troubleshoot your Azure networking environment with Azure Network Watcher. Azure Network Watcher is a cloud-native monitoring and diagnostics service that helps you visualize, analyze, and diagnose networking issues across Azure Virtual Networks and hybrid connections. This guide summarizes its primary monitoring tools, shows when to use each capability, and explains how Network Watcher helps you verify connectivity, security, and traffic flows.
A presentation slide titled "Learning Objectives" about Azure Network Watcher. It lists four goals: understand features and diagnostics, visualize network resource relationships, monitor connectivity (including on-premises to cloud), and verify IP flow to/from virtual machines.
This article covers:
  • Visualizing the topology and relationships of network resources within a Virtual Network.
  • Monitoring and diagnosing connectivity between resources, including on-premises to Azure scenarios.
  • Verifying whether specific IP flows are allowed or denied by Network Security Group (NSG) rules.
  • Troubleshooting NSG rules that affect traffic, identifying the next hop for VM-originated traffic, and reviewing effective security rules applied to network interfaces.
A presentation slide titled "Learning Objectives" with a teal gradient sidebar. It lists three objectives about diagnosing NSG rules, identifying the next hop for VM network routes, and viewing/analyzing effective security rules on network interfaces.
We also discuss:
  • Troubleshooting VPN Gateway and VPN connection issues.
  • Capturing and analyzing packets for troubleshooting and forensic investigations.
  • Checking end-to-end connectivity and diagnosing network paths between resources.
  • Collecting and analyzing NSG flow logs for traffic patterns, reporting, and anomaly detection.
This module is compact but focuses on the most commonly used Network Watcher tools you’ll rely on for operational monitoring and incident response.
Key Azure Network Watcher capabilities include topology visualization, Connection Troubleshoot (connection checks), IP Flow Verify, NSG diagnostics, Next Hop analysis, Effective Security Rules review, packet capture, VPN diagnostics, Connection Monitor, NSG flow logs, and Traffic Analytics.

When to use each Network Watcher tool

FeatureUse caseExample
TopologyVisualize resource relationships in a VNetInspect subnets, NVA, gateways, and peering connections
Connection Troubleshoot (Connection Check)Validate end-to-end connectivity and latencyVerify connectivity from VM to on-premises SQL server
IP Flow VerifyCheck if NSG rules allow or deny specific trafficConfirm whether port 443 is permitted from a public IP to a VM
NSG diagnosticsIdentify NSG rules that block or allow trafficFind which rule denied SSH traffic to a VM
Next HopDetermine the next hop for outbound traffic from a VMSee whether traffic routes to an NVA, gateway, or internet
Effective Security RulesReview aggregated security rules on a NICValidate combined allow/deny order affecting a VM interface
Packet captureCapture and analyze network packets for forensicsCollect packet traces for intermittent connection drops
VPN diagnosticsTroubleshoot VPN Gateway and connection healthDiagnose IPSec/IKE negotiation or tunnel disconnections
Connection MonitorContinuous monitoring of connectivity and performanceTrack availability and latency between endpoints over time
NSG flow logs & Traffic AnalyticsAnalyze traffic patterns and detect anomaliesGenerate reports for top talkers, ports, and security incidents

Practical guidance and operational tips

  • Use Topology to get a quick, visual understanding of how VNets, subnets, gateways, and NVAs relate to one another. This helps locate misconfigurations quickly.
  • Run Connection Troubleshoot for intermittent or one-off connectivity checks and use Connection Monitor for continuous, SLA-style monitoring.
  • When a VM cannot reach an endpoint, use IP Flow Verify first to see whether NSG rules block traffic; then use Next Hop to determine routing behavior if NSGs allow the flow.
  • For detailed packet-level analysis, use Packet Capture on the affected NIC or VM and export captures to tools like Wireshark for deep inspection.
  • Enable NSG Flow Logs (via Network Watcher) and integrate with Traffic Analytics for broader traffic analysis, threat detection, and reporting.
Network Watcher features must be enabled per subscription and region. Before running diagnostics, confirm Network Watcher is enabled in the target region via the Azure portal, CLI, or ARM templates to avoid missing telemetry or diagnostic options.
Use these resources to dive deeper into each feature and to find step-by-step instructions for enabling Network Watcher, running diagnostics, and exporting logs for analysis.

Watch Video