Bird
Raised Fist0
Azurecloud~5 mins

Network Watcher for diagnostics in Azure - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Sometimes network problems happen in the cloud, like slow connections or unreachable servers. Network Watcher helps you find and fix these problems by checking your network's health and traffic flow.
When you want to check if a virtual machine can reach another server in your cloud network.
When you need to see the path your data takes through the network to find where delays happen.
When you want to capture network traffic to understand what data is moving in and out of your resources.
When you want to monitor and diagnose VPN or ExpressRoute connections for issues.
When you want to log network events to keep track of security or performance problems.
Commands
This command enables Network Watcher in the East US region for the resource group example-rg. You need Network Watcher active to use its diagnostic tools.
Terminal
az network watcher configure --resource-group example-rg --locations eastus --enabled true
Expected OutputExpected
{"value":[{"location":"eastus","networkWatcherId":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-rg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus","provisioningState":"Succeeded","enabled":true}]}
--resource-group - Specifies the resource group where Network Watcher is enabled
--locations - Specifies the Azure region to enable Network Watcher
--enabled - Turns Network Watcher on or off
This command tests if the virtual machine named example-vm can reach the IP address 8.8.8.8 (Google DNS). It helps check network connectivity.
Terminal
az network watcher test-connectivity --source-resource example-vm --dest-address 8.8.8.8
Expected OutputExpected
{ "status": "Reachable", "latency": "20ms", "resourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-rg/providers/Microsoft.Compute/virtualMachines/example-vm" }
--source-resource - Specifies the source VM to test from
--dest-address - Specifies the destination IP or URL to test connectivity
This command shows the network topology in the East US region for the example-rg resource group. It helps visualize how resources connect.
Terminal
az network watcher show-topology --resource-group example-rg --location eastus
Expected OutputExpected
{ "nodes": [ {"id": "vm1", "type": "VirtualMachine"}, {"id": "vnet1", "type": "VirtualNetwork"} ], "links": [ {"source": "vm1", "target": "vnet1"} ] }
--resource-group - Specifies the resource group to show topology for
--location - Specifies the Azure region of the resources
This command starts capturing network packets on the example-vm virtual machine for 60 seconds. It helps analyze network traffic for problems.
Terminal
az network watcher packet-capture create --resource-group example-rg --vm example-vm --name capture1 --time-limit 60
Expected OutputExpected
{"id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-rg/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/packetCaptures/capture1","name":"capture1","provisioningState":"Succeeded"}
--resource-group - Resource group of the VM and Network Watcher
--vm - The virtual machine to capture packets from
--name - Name of the packet capture session
--time-limit - Duration in seconds to capture packets
This command checks the status of the packet capture named capture1 to see if it is running or completed.
Terminal
az network watcher packet-capture show-status --resource-group example-rg --name capture1
Expected OutputExpected
{"status":"Succeeded","bytesCaptured":102400,"filePath":"https://storageaccount.blob.core.windows.net/captures/capture1.cap"}
--resource-group - Resource group where the capture was created
--name - Name of the packet capture session
Key Concept

If you remember nothing else from this pattern, remember: Network Watcher helps you check and fix network problems by testing connections, showing network maps, and capturing traffic.

Common Mistakes
Trying to run connectivity tests before enabling Network Watcher in the region
Network Watcher must be enabled in the region to use its diagnostic commands; otherwise, commands fail.
Always enable Network Watcher first with az network watcher configure before running tests.
Using incorrect resource group or VM names in commands
Commands fail if the specified resource group or VM does not exist or is misspelled.
Double-check resource names and groups with az vm list or az group list before running commands.
Not checking packet capture status before trying to download results
Packet capture may still be running or failed, so results are not ready yet.
Use az network watcher packet-capture show-status to confirm capture completion.
Summary
Enable Network Watcher in your Azure region to start using network diagnostics.
Test connectivity between resources to find network reachability issues.
Visualize your network topology to understand resource connections.
Capture network packets on virtual machines to analyze traffic problems.
Check the status of packet captures before accessing the results.

Practice

(1/5)
1. What is the primary purpose of Azure Network Watcher?
easy
A. To monitor and diagnose network issues in Azure
B. To create virtual machines
C. To manage Azure subscriptions
D. To deploy web applications

Solution

  1. Step 1: Understand Network Watcher role

    Network Watcher is designed to monitor and diagnose network problems in Azure environments.

  2. Step 2: Compare with other options

    Creating VMs, managing subscriptions, and deploying web apps are unrelated to network diagnostics.

  3. Final Answer:

    To monitor and diagnose network issues in Azure -> Option A

  4. Quick Check:

    Network Watcher = Monitor and diagnose network issues [OK]
Hint: Network Watcher = network monitoring tool [OK]
Common Mistakes:
  • Confusing Network Watcher with VM or app services
  • Thinking it manages subscriptions
  • Assuming it deploys applications
2. Which Azure resource is required to enable flow logs in Network Watcher?
easy
A. App Service
B. Virtual Machine
C. Storage Account
D. SQL Database

Solution

  1. Step 1: Identify flow log storage needs

    Flow logs record network traffic and must be saved somewhere persistent.

  2. Step 2: Match resource for storing logs

    Storage Account is used to store flow logs generated by Network Watcher.

  3. Final Answer:

    Storage Account -> Option C

  4. Quick Check:

    Flow logs need Storage Account [OK]
Hint: Flow logs save data in Storage Account [OK]
Common Mistakes:
  • Choosing VM or App Service instead of storage
  • Confusing SQL Database with log storage
  • Not knowing where logs are saved
3. Given this Azure CLI command to enable flow logs, what will it do? 
az network watcher flow-log create --resource-group MyResourceGroup --nsg MyNSG --enabled true --storage-account mystorage
medium
A. Delete flow logs from mystorage
B. Disable flow logs for the NSG
C. Create a new NSG named mystorage
D. Enable flow logs for the NSG and save logs to mystorage

Solution

  1. Step 1: Analyze command parameters

    The command enables flow logs (--enabled true) for the NSG named MyNSG in MyResourceGroup.

  2. Step 2: Understand storage account usage

    Logs will be saved to the storage account named mystorage as specified.

  3. Final Answer:

    Enable flow logs for the NSG and save logs to mystorage -> Option D

  4. Quick Check:

    --enabled true + storage-account = enable logs saved [OK]
Hint: Look for --enabled true and storage-account to confirm enabling logs [OK]
Common Mistakes:
  • Thinking it disables logs
  • Confusing storage account name with NSG
  • Assuming it deletes logs
4. You tried to enable flow logs but received an error: "Storage account not found." What is the most likely cause?
medium
A. Network Watcher is disabled in the region
B. The storage account name is misspelled or does not exist
C. The NSG is not created yet
D. Flow logs are already enabled

Solution

  1. Step 1: Understand error message

    "Storage account not found" means the specified storage account cannot be located.

  2. Step 2: Identify common causes

    Most often this happens if the storage account name is wrong or the account does not exist in the subscription or region.

  3. Final Answer:

    The storage account name is misspelled or does not exist -> Option B

  4. Quick Check:

    Storage account error = wrong or missing storage account [OK]
Hint: Check storage account name spelling and existence first [OK]
Common Mistakes:
  • Assuming NSG or Network Watcher status causes this error
  • Thinking flow logs already enabled causes storage error
  • Ignoring storage account region or subscription
5. You want to monitor network traffic for multiple NSGs across different regions. Which combination of Azure resources and steps is best practice to set up Network Watcher diagnostics?
hard
A. Enable Network Watcher in each region, create one storage account per region, and configure flow logs for each NSG pointing to its region's storage
B. Create one storage account in any region and configure all NSGs to send flow logs there without enabling Network Watcher in regions
C. Enable Network Watcher only in one region and configure flow logs for NSGs in all regions to that single watcher
D. Use Azure Monitor instead of Network Watcher for NSG flow logs

Solution

  1. Step 1: Understand regional scope of Network Watcher

    Network Watcher must be enabled in each Azure region where you want to monitor NSGs.

  2. Step 2: Storage account best practice

    Creating a storage account per region reduces latency and complies with data residency rules.

  3. Step 3: Configure flow logs per NSG

    Each NSG's flow logs should point to the storage account in its region for efficient storage and retrieval.

  4. Final Answer:

    Enable Network Watcher in each region, create one storage account per region, and configure flow logs for each NSG pointing to its region's storage -> Option A

  5. Quick Check:

    Regional watchers + regional storage + per-NSG config = best practice [OK]
Hint: Enable watcher and storage per region for best flow log setup [OK]
Common Mistakes:
  • Using one watcher or storage for all regions
  • Skipping enabling Network Watcher in some regions
  • Confusing Azure Monitor with Network Watcher for flow logs