6.1.4. Utilize Network Watcher
š” First Principle: Network Watcher provides a suite of tools for monitoring, diagnosing, and gaining insight into Azure network resources, enabling administrators to troubleshoot connectivity and performance issues without needing direct access to virtual machines.
Scenario: Your application running on an Azure Virtual Machine cannot connect to an external API. You suspect a network security group rule or a routing issue is blocking the traffic. You need to quickly diagnose this without logging into the VM. You also want to continuously log all traffic passing through your NSGs for security auditing.
What It Is: Network Watcher is a collection of network monitoring and troubleshooting tools in Azure.
Key Network Watcher Tools:
- IP flow verify: Checks if a packet is allowed or denied to/from a VM based on NSG rules.
- NSG flow logs: Records detailed logs of IP traffic through an NSG.
- Connection troubleshoot: Tests connectivity between a source VM and a destination, providing a step-by-step path analysis.
- Next hop: Determines the next hop for outbound traffic from a VM, clarifying routing behavior.
- VPN troubleshoot: Diagnoses VPN gateway issues.
Visual: Network Watcher Tools
Loading diagram...
ā ļø Common Pitfall: Trying to troubleshoot network issues by logging into VMs and using tools like ping or traceroute. These tools can be misleading in a software-defined network like Azure. Network Watcher provides a more accurate, platform-level view of network connectivity.
Key Trade-Offs:
- Detailed Logging (Flow Logs) vs. Cost: NSG Flow Logs generate a significant amount of data, which can lead to storage costs. It's important to enable them strategically on critical subnets.
Reflection Question: How does configuring Network Watcher tools (e.g., IP flow verify, NSG flow logs, connection troubleshoot) fundamentally provide end-to-end network diagnostics and troubleshooting, ensuring optimal connectivity and performance across Azure environments?