Step-by-Step: Enable Network Monitoring in Azure.

Hello folks,

When building network infrastructures in the cloud live VNets, ExpressRoute, Application Gateways, Load balancers, and more… You need tools and processes to monitor and troubleshoot any issues that may arise.

We have just released two of those tools to the preview program.

  • Network Watcher – Provides scenario-based monitoring including packet capture, next hop, IP flow verify, security group view, NSG flow logs. This gives you a way to get an end to end view of network resources in your environment.
  • Resource monitoring – This allows you to generate
    • diagnostic logs
    • metrics
    • troubleshooting
    • and resource health




Today we will look at how we enable the Network Watcher service and take advantage of all the capabilities it provides. Capabilities like:

  • Topology - a network level view including all the interconnections and associations between network resources within a resource group.
  • Variable Packet capture - Captures packet data in and out of a vm. The captured data can be stored in an azure blob storage or on the local disk in .cap format.
  • IP flow verify - Checks if a packet is allowed or denied based Destination IP, Source IP, Destination Port, Source Port, and Protocol.
  • Next hop – Identify the next hop for traffic routed in the Azure Network Fabric, enabling you to diagnose any misconfigured user-defined routes.
  • Security group view – View the effective and applied security rules that are applied on a VM.
  • NSG Flow logging - Flow logs for Network Security Groups show a you what traffic was allowed or denied by the NSG rules
  • Virtual Network Gateway and Connection troubleshooting – Gives you the ability to troubleshoot Vnet Gateways and Connections.
  • Network subscription limits - Enables you to view network resource usage against your subscription limits.
  • Configuring Diagnostics Log – Provides a single pane to enable or disable Diagnostics logs for network resources in a resource group.

But for now, let look at how we enable it.

Enabling the Preview of Network Watcher in your subscription

To access the Network Watcher you need to select Monitor (1) and Network Watcher (2)




To enable it, we will use PowerShell and register the feature. First login to your subscription in the Resource Manager mode.



Once you’re logged in, use the following command to register the service in your subscription.


 Register-AzureRmProviderFeature -FeatureName AllowNetworkWatcher -ProviderNamespace Microsoft.Network




It will take a few minutes to register the service, but you can check the status by using the following command:


 Get-AzureRmProviderFeature -FeatureName AllowNetworkWatcher -ProviderNamespace  Microsoft.Network




Create a Network Watcher in the portal

Navigate to More Services (1), and Network Watcher (2) in the Networking section.



Select all the subscriptions you want to enable Network Watcher for.

Expand the regions (1), select the region to enable (2), right-click it and select Enable network watcher(3).




*** Please note that since this is preview, not all regions will be available

Once it’s enabled, you are now ready to test the features.




Let’s try the Topology. After selecting it in the menu. I selected my subscription, the resource group and the vnet. The topology blade displayed the infrastructure in-place.




Go ahead, load it up! Start monitoring your virtual networks. Or at least testing the monitoring since this is still just preview.




Pierre Roman