0
0
Azurecloud~5 mins

Network Watcher for diagnostics in Azure - Commands & Configuration

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Introduction
Sometimes network problems happen in the cloud, like slow connections or unreachable servers. Network Watcher helps you find and fix these problems by checking your network's health and traffic flow.
When you want to check if a virtual machine can reach another server in your cloud network.
When you need to see the path your data takes through the network to find where delays happen.
When you want to capture network traffic to understand what data is moving in and out of your resources.
When you want to monitor and diagnose VPN or ExpressRoute connections for issues.
When you want to log network events to keep track of security or performance problems.
Commands
This command enables Network Watcher in the East US region for the resource group example-rg. You need Network Watcher active to use its diagnostic tools.
Terminal
az network watcher configure --resource-group example-rg --locations eastus --enabled true
Expected OutputExpected
{"value":[{"location":"eastus","networkWatcherId":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-rg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus","provisioningState":"Succeeded","enabled":true}]}
--resource-group - Specifies the resource group where Network Watcher is enabled
--locations - Specifies the Azure region to enable Network Watcher
--enabled - Turns Network Watcher on or off
This command tests if the virtual machine named example-vm can reach the IP address 8.8.8.8 (Google DNS). It helps check network connectivity.
Terminal
az network watcher test-connectivity --source-resource example-vm --dest-address 8.8.8.8
Expected OutputExpected
{ "status": "Reachable", "latency": "20ms", "resourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-rg/providers/Microsoft.Compute/virtualMachines/example-vm" }
--source-resource - Specifies the source VM to test from
--dest-address - Specifies the destination IP or URL to test connectivity
This command shows the network topology in the East US region for the example-rg resource group. It helps visualize how resources connect.
Terminal
az network watcher show-topology --resource-group example-rg --location eastus
Expected OutputExpected
{ "nodes": [ {"id": "vm1", "type": "VirtualMachine"}, {"id": "vnet1", "type": "VirtualNetwork"} ], "links": [ {"source": "vm1", "target": "vnet1"} ] }
--resource-group - Specifies the resource group to show topology for
--location - Specifies the Azure region of the resources
This command starts capturing network packets on the example-vm virtual machine for 60 seconds. It helps analyze network traffic for problems.
Terminal
az network watcher packet-capture create --resource-group example-rg --vm example-vm --name capture1 --time-limit 60
Expected OutputExpected
{"id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-rg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/packetCaptures/capture1","name":"capture1","provisioningState":"Succeeded"}
--resource-group - Resource group of the VM and Network Watcher
--vm - The virtual machine to capture packets from
--name - Name of the packet capture session
--time-limit - Duration in seconds to capture packets
This command checks the status of the packet capture named capture1 to see if it is running or completed.
Terminal
az network watcher packet-capture show-status --resource-group example-rg --name capture1
Expected OutputExpected
{"status":"Succeeded","bytesCaptured":102400,"filePath":"https://storageaccount.blob.core.windows.net/captures/capture1.cap"}
--resource-group - Resource group where the capture was created
--name - Name of the packet capture session
Key Concept

If you remember nothing else from this pattern, remember: Network Watcher helps you check and fix network problems by testing connections, showing network maps, and capturing traffic.

Common Mistakes
Trying to run connectivity tests before enabling Network Watcher in the region
Network Watcher must be enabled in the region to use its diagnostic commands; otherwise, commands fail.
Always enable Network Watcher first with az network watcher configure before running tests.
Using incorrect resource group or VM names in commands
Commands fail if the specified resource group or VM does not exist or is misspelled.
Double-check resource names and groups with az vm list or az group list before running commands.
Not checking packet capture status before trying to download results
Packet capture may still be running or failed, so results are not ready yet.
Use az network watcher packet-capture show-status to confirm capture completion.
Summary
Enable Network Watcher in your Azure region to start using network diagnostics.
Test connectivity between resources to find network reachability issues.
Visualize your network topology to understand resource connections.
Capture network packets on virtual machines to analyze traffic problems.
Check the status of packet captures before accessing the results.