- Visualize the structure and relationships of network resources inside your Azure virtual networks.
- Monitor and analyze connectivity between resources, including on-premises to cloud connections.
- Verify whether a specific IP flow is allowed or denied by Network Security Group (NSG) rules.
- Diagnose and troubleshoot how NSG rules affect traffic flow.
- Identify the next hop for network traffic from a virtual machine.
- Review the effective security rules applied to a network interface.

- Troubleshooting and analyzing VPN gateway and VPN connection issues.
- Capturing and inspecting network traffic for troubleshooting and forensic analysis.
- Checking connectivity and diagnosing network paths between resources.
- Collecting and reviewing NSG flow logs for traffic analysis and reporting.
- Using flow log insights to analyze traffic patterns and detect anomalies.

Network Watcher is enabled per Azure region and per subscription. If you don’t see Network Watcher features in a region, enable the service for that region via the Azure portal or the Network Watcher configuration documentation: Azure Network Watcher overview.
- Topology visualization
- Connection troubleshoot / connectivity checks
- IP flow verify
- NSG diagnostics and flow logs
- Next hop and route diagnostics
- Effective security rules
- Packet capture
- VPN diagnostics and connection monitoring
Quick reference: Network Watcher tools and when to use them
Operational tips and considerations
Some Network Watcher features (packet capture and flow log storage) can incur storage and egress costs. Packet capture requires VM agent permissions and can impact VM performance if run for extended periods—use targeted captures and retention policies.
- Enable Network Watcher in each region you operate in to access topology and diagnostics there.
- Use topology as a first step to visually validate resource placement and identify obvious misconfigurations.
- For connectivity issues, run Connection troubleshoot to get a concise diagnostic and recommended remediation.
- Use IP flow verify before changing NSG rules to ensure you understand the impact of changes.
- Collect NSG flow logs to long-term storage (Log Analytics or Storage Account) for trend analysis and security monitoring; integrate with Azure Monitor for alerts and dashboards.
- Use Next hop and route diagnostics when you suspect UDR or BGP issues to confirm the actual path packets take.
- For packet capture, scope captures carefully (filters, duration, size) and export files to a secure storage location for analysis with tooling such as Wireshark.
Links and references
- Azure Network Watcher overview
- Network Watcher connection troubleshoot
- NSG flow logs and traffic analytics
- Packet capture with Network Watcher