Network Watcher frequently asked questions (FAQ)

This article provides answers to some of the frequently asked questions asked about Azure Network Watcher.


What is Network Watcher?

Network Watcher provides a suite of tools to monitor, diagnose, view metrics, and enable or disable logs for IaaS (Infrastructure-as-a-Service) resources, which include virtual machines, virtual networks, application gateways, load balancers, and other resources in an Azure virtual network. It isn't a solution for monitoring PaaS (Platform-as-a-Service) infrastructure or getting web/mobile analytics.

What tools does Network Watcher provide?

Network Watcher provides three major sets of capabilities

  • Monitoring
    • Topology view shows you the resources in your virtual network and the relationships between them.
    • Connection monitor allows you to monitor connectivity and latency between endpoints inside and outside Azure.
  • Network diagnostic tools
    • IP flow verify allows you to detect traffic filtering issues at a virtual machine level.
    • NSG diagnostics allows you to detect traffic filtering issues at a virtual machine, virtual machine scale set, or application gateway level.
    • Next hop helps you verify traffic routes and detect routing issues.
    • Connection troubleshoot enables a one-time connectivity and latency check between a virtual machine and Bastion host, application gateway, or another virtual machine.
    • Packet capture enables you to capture your virtual machine traffic.
    • VPN troubleshoot runs multiple diagnostics checks on your VPN gateways and connections to help debug issues.
  • Traffic
    • NSG flow logs and VNet flow logs (preview) allow you to log network traffic passing through your network security groups (NSGs) and virtual networks respectively.
    • Traffic analytics processes your NSG flow log data enabling you to visualize, query, analyze, and understand your network traffic.

For more detailed information, see Network Watcher overview.

How does Network Watcher pricing work?

See Network Watcher pricing for pricing details about different Network Watcher components.

In which regions is Network Watcher currently supported and available?

See Network Watcher regions to learn about the regions that support Network Watcher.

What permissions are required to use Network Watcher?

See Azure RBAC permissions required to use Network Watcher for a detailed list of required permissions for each of capability of Network Watcher.

How do I enable Network Watcher?

The Network Watcher service is automatically enabled for every subscription. You must manually enable Network Watcher if you opted out Network Watcher automatic enablement. For more information, see Enable or disable Azure Network Watcher.

What is the Network Watcher deployment model?

The Network Watcher parent resource is deployed with a unique instance in every region. Default naming format: NetworkWatcher_RegionName. Example: NetworkWatcher_centralus is the Network Watcher resource for the "Central US" region. You can customize the name of Network Watcher instance using PowerShell or REST API.

Why does Azure allow only one instance of Network Watcher per region?

Network Watcher just needs to be enabled once per a region per a subscription for its features to work. Network Watcher is enabled in a region by creating a Network Watcher instance in that region.

How can I manage Network Watcher resource?

The Network Watcher resource represents the backend service for Network Watcher, which is fully managed by Azure. However, you can create or delete the Network Watcher resource to enable or disable it in a particular region. For more information, see Enable or disable Azure Network Watcher.

Can I move Network Watcher instance from one region to another?

No, moving Network Watcher resource or any of its child resources across regions isn't supported. For more information, see Move operation support for networking resources.

Can I move Network Watcher instance from one resource group to another?

Yes, moving Network Watcher resource between resource groups is supported. For more information, see Move operation support for networking resources.

What is the NetworkWatcherRG?

NetworkWatcherRG is a resource group that's automatically created for Network Watcher resources. For example, Network Watcher regional instances and the NSG flow log resources are created in NetworkWatcherRG resource group. You can customize the name of Network Watcher resource group using PowerShell, Azure CLI, or REST API.

Does Network Watcher store customer data?

Azure Network Watcher doesn't store customer data, except for the Connection monitor. Connection monitor stores customer data, which is automatically stored by Network Watcher in a single region to satisfy in-region data residency requirements.

What are the resource limits on Network Watcher?

Network Watcher has the following limits:

Resource Limit
Network Watcher instances per region per subscription 1 (One instance in a region to enable access to the service in the region)
Connection monitors per region per subscription 100
Maximum test groups per a connection monitor 20
Maximum sources and destinations per a connection monitor 100
Maximum test configurations per a connection monitor 20
Packet capture sessions per region per subscription 10,000 (Number of sessions only, not saved captures)
VPN troubleshoot operations per subscription 1 (Number of operations at one time)

Service availability and redundancy

Is the Network Watcher zone resilient?

Yes, the Network Watcher service is zone-resilient by default.

How do I configure the Network Watcher service to be zone-resilient?

No configuration is necessary to enable zone-resiliency. Zone-resiliency for Network Watcher resources is available by default and managed by the service itself.

Network Watcher Agent

Why do I need to install the Network Watcher agent?

The Network Watcher agent is required for any Network Watcher feature that generates or intercepts traffic from a virtual machine.

Which features require the Network Watcher agent?

The Packet capture, Connection troubleshoot and Connection monitor features require the Network Watcher extension to be present.

What is the latest version of the Network Watcher agent?

The latest version of the Network Watcher extension is 1.4.2798.1. For more information, see Update Azure Network Watcher extension to the latest version.

What ports does the Network Watcher agent use?

  • Linux: the Network Watcher agent uses available ports starting from port 50000 and above until it reaches port 65535.
  • Windows: the Network Watcher agent uses the ports that the operating system responds with when queried for available ports.

Connection monitor

Does connection monitor support classic VMs?

No, connection monitor doesn't support classic VMs. We recommended that you migrate infrastructure as a service (IaaS) resources from classic to Azure Resource Manager because classic resources will be deprecated. For more information, see Migrate IaaS resources from classic to Azure Resource Manager.

What if my topology isn't decorated or my hops have missing information?

Topology can be decorated from non-Azure to Azure only if the destination Azure resource and the connection monitor resource are in the same region.

What happens if the connection monitor creation fails with the following error: "We don't allow creating different endpoints for the same VM"?

The same Azure VM can't be used with different configurations in the same connection monitor. For example, using same VM with a filter and without a filter in the same connection monitor isn't supported.

What happens if the test failure reason is "Nothing to display"?

Issues that are displayed on the connection monitor dashboard are found during topology discovery or hop exploration. There can be cases where the threshold set for % loss or RTT is reached but no issues are found on hops.

When migrating an existing connection monitor (classic) to the latest connection monitor, what happens if the external endpoint tests are migrated with the TCP protocol only?

There's no protocol selection option in connection monitor (classic). Tests in connection monitor (classic) only use the TCP protocol, and that's why, during the migration, we create a TCP configuration in tests in the new connection monitor.

Flow logs

What does NSG flow logs do?

Flow logs enable you to log 5-tuple flow information about your Azure IP traffic that passes through a network security group or Azure virtual network. The raw flow logs are written to an Azure storage account. From there, you can further process, analyze, query, or export them as needed.

Do flow logs affect network latency or performance?

Flow log data is collected outside the path of your network traffic, so it doesn't affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.

Can I log ESP and AH traffic using NSG flow logs?

No, NSG flow logs don't support ESP and AH protocols.

Can I log ICMP traffic using flow logs?

No. NSG flow logs and VNet flow logs don't support ICMP protocol.

Can I use a storage account in a different subscription than the network security group or virtual network that the flow log is enabled for?

Yes, you can use a storage account from a different subscription as long as this subscription is associated with the same Microsoft Entra tenant of the network security group or virtual network's subscription.

How do I use NSG flow logs with a storage account behind a firewall?

To use a storage account behind a firewall, you have to provide an exception for Trusted Microsoft Services to access your storage account:

  1. Go to the storage account by entering the storage account's name in the search box at the top of the portal.
  2. Under the Security + networking, select Networking, then select Firewalls and virtual networks.
  3. In Public network access, select Enabled from selected virtual networks and IP addresses. Then under Exceptions, check the box next to Allow Azure services on the trusted services list to access this storage account.
  4. Enable NSG flow logs by creating a flow log for your target network security group using the storage account. For more information, see Create a flow log.

You can check the storage logs after a few minutes. You should see an updated TimeStamp or a new JSON file created.

Can NSG flow logs send data to a storage account using an Azure Private Endpoint?

Yes, Network Watcher supports sending NSG flow logs data to a storage account enabled with a private endpoint.

How do I use NSG flow logs with a storage account behind a Service Endpoint?

NSG flow logs are compatible with Service Endpoints without requiring any extra configuration. For more information, see Enable a service endpoint.

What is the difference between flow logs versions 1 and 2?

Flow logs version 2 introduces the concept of flow state and stores information about bytes and packets transmitted. For more information, see NSG flow log format.

Can I create a flow log for a network security group that has a read-only lock?

No, a read-only lock on a network security group prevents the creation of the corresponding NSG flow log.

Can I create a flow log for a network security group that has a cannot-delete lock?

Yes, a cannot-delete lock on the network security group doesn't prevent the creation or modification of the corresponding NSG flow log.

Can I automate NSG flow logs?

Yes, you can automate NSG flow logs via Azure Resource Manager templates (ARM templates). For more information, see Configure NSG flow logs using an Azure Resource Manager (ARM) template.