az network watcher
Manage the Azure Network Watcher. Network Watcher assists with monitoring and diagnosing conditions at a network scenario level. To learn more visit https://docs.microsoft.com/azure/network-watcher/.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az network watcher configure |
Configure the Network Watcher service for different regions. |
Core | GA |
| az network watcher connection-monitor |
Manage connection monitoring between an Azure Virtual Machine and any IP resource. |
Core | GA |
| az network watcher connection-monitor create |
Create a connection monitor. |
Core | GA |
| az network watcher connection-monitor delete |
Delete a connection monitor for the given region. |
Core | GA |
| az network watcher connection-monitor endpoint |
Manage endpoint of a connection monitor. |
Core | Preview |
| az network watcher connection-monitor endpoint add |
Add an endpoint to a connection monitor. |
Core | Preview |
| az network watcher connection-monitor endpoint list |
List all endpoints from a connection monitor. |
Core | Preview |
| az network watcher connection-monitor endpoint remove |
Remove an endpoint from a connection monitor. |
Core | Preview |
| az network watcher connection-monitor endpoint show |
Show an endpoint from a connection monitor. |
Core | Preview |
| az network watcher connection-monitor endpoint wait |
Place the CLI in a waiting state until a condition is met. |
Core | Preview |
| az network watcher connection-monitor list |
List connection monitors for the given region. |
Core | GA |
| az network watcher connection-monitor output |
Manage output of connection monitor. |
Core | Preview |
| az network watcher connection-monitor output add |
Add an output to a connection monitor. |
Core | Preview |
| az network watcher connection-monitor output list |
List all output from a connection monitor. |
Core | Preview |
| az network watcher connection-monitor output remove |
Remove all outputs from a connection monitor. |
Core | Preview |
| az network watcher connection-monitor output wait |
Place the CLI in a waiting state until a condition is met. |
Core | Preview |
| az network watcher connection-monitor query |
Query a snapshot of the most recent connection state of a connection monitor. |
Core | GA |
| az network watcher connection-monitor show |
Shows a connection monitor by name. |
Core | GA |
| az network watcher connection-monitor start |
Start the specified connection monitor. |
Core | GA |
| az network watcher connection-monitor stop |
Stop the specified connection monitor. |
Core | GA |
| az network watcher connection-monitor test-configuration |
Manage test configuration of a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-configuration add |
Add a test configuration to a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-configuration list |
List all test configurations of a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-configuration remove |
Remove a test configuration from a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-configuration show |
Show a test configuration from a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-configuration wait |
Place the CLI in a waiting state until a condition is met. |
Core | Preview |
| az network watcher connection-monitor test-group |
Manage a test group of a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-group add |
Add a test group along with new-added/existing endpoint and test configuration to a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-group list |
List all test groups of a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-group remove |
Remove test group from a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-group show |
Show a test group of a connection monitor. |
Core | Preview |
| az network watcher connection-monitor test-group wait |
Place the CLI in a waiting state until a condition is met. |
Core | Preview |
| az network watcher connection-monitor wait |
Place the CLI in a waiting state until a condition is met. |
Core | GA |
| az network watcher flow-log |
Manage network security group flow logging. |
Core | GA |
| az network watcher flow-log create |
Create a flow log on a network security group. |
Core | GA |
| az network watcher flow-log delete |
Delete the specified flow log resource. |
Core | GA |
| az network watcher flow-log list |
List all flow log resources for the specified Network Watcher. |
Core | GA |
| az network watcher flow-log show |
Get the flow log configuration of a network security group. |
Core | GA |
| az network watcher flow-log update |
Update the flow log configuration of a network security group. |
Core | GA |
| az network watcher flow-log wait |
Place the CLI in a waiting state until a condition is met. |
Core | GA |
| az network watcher list |
List Network Watchers. |
Core | GA |
| az network watcher packet-capture |
Manage packet capture sessions on VMs. |
Core | GA |
| az network watcher packet-capture create |
Create and start a packet capture session. |
Core | GA |
| az network watcher packet-capture delete |
Delete a packet capture session. |
Core | GA |
| az network watcher packet-capture list |
List all packet capture sessions within a region. |
Core | GA |
| az network watcher packet-capture show |
Show details of a packet capture session. |
Core | GA |
| az network watcher packet-capture show-status |
Show the status of a packet capture session. |
Core | GA |
| az network watcher packet-capture stop |
Stop a running packet capture session. |
Core | GA |
| az network watcher packet-capture wait |
Place the CLI in a waiting state until a condition is met. |
Core | GA |
| az network watcher run-configuration-diagnostic |
Run a configuration diagnostic on a target resource. |
Core | GA |
| az network watcher show-next-hop |
Get information on the |
Core | GA |
| az network watcher show-security-group-view |
Get detailed security information on a VM for the currently configured network security group. |
Core | GA |
| az network watcher show-topology |
Get the network topology of a resource group, virtual network or subnet. |
Core | GA |
| az network watcher test-connectivity |
Test if a connection can be established between a Virtual Machine and a given endpoint. |
Core | Preview |
| az network watcher test-ip-flow |
Test IP flow to/from a VM given the currently configured network security group rules. |
Core | GA |
| az network watcher troubleshooting |
Manage Network Watcher troubleshooting sessions. |
Core | GA |
| az network watcher troubleshooting show |
Get the results of the last troubleshooting operation. |
Core | GA |
| az network watcher troubleshooting start |
Troubleshoot issues with VPN connections or gateway connectivity. |
Core | GA |
az network watcher configure
Configure the Network Watcher service for different regions.
az network watcher configure --locations
[--enabled {false, true}]
[--resource-group]
[--tags]Examples
Configure Network Watcher for the West US region.
az network watcher configure -g NetworkWatcherRG -l westus --enabled trueRequired Parameters
Space-separated list of locations to configure.
Optional Parameters
Enabled status of Network Watcher in the specified regions.
Name of resource group. Required when enabling new regions.
When a previously disabled region is enabled to use Network Watcher, a Network Watcher resource will be created in this resource group.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher list
List Network Watchers.
az network watcher listGlobal Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher run-configuration-diagnostic
Run a configuration diagnostic on a target resource.
Requires that Network Watcher is enabled for the region in which the target is located.
az network watcher run-configuration-diagnostic --resource
[--destination]
[--direction {Inbound, Outbound}]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--parent]
[--port]
[--protocol {TCP, UDP}]
[--queries]
[--resource-group]
[--resource-type {applicationGateways, networkInterfaces, virtualMachines}]
[--source]Examples
Run configuration diagnostic on a VM with a single query.
az network watcher run-configuration-diagnostic --resource {VM_ID} --direction Inbound --protocol TCP --source 12.11.12.14 --destination 10.1.1.4 --port 12100Run configuration diagnostic on a VM with multiple queries.
az network watcher run-configuration-diagnostic --resource {VM_ID} --queries '[{"direction": "Inbound", "protocol": "TCP", "source": "12.11.12.14", "destination": "10.1.1.4", "destinationPort": "12100"}, {"direction": "Inbound", "protocol": "TCP", "source": "12.11.12.0/32", "destination": "10.1.1.4", "destinationPort": "12100"}, {"direction": "Outbound", "protocol": "TCP", "source": "12.11.12.14", "destination": "10.1.1.4", "destinationPort": "12100"}]'Required Parameters
Name or ID of the target resource to diagnose. If an ID is given, other resource arguments should not be given.
Optional Parameters
Traffic destination. Accepted values are '*', IP address/CIDR, or Service Tag.
Direction of the traffic.
Do not wait for the long-running operation to finish.
Parent path, e.g., virtualMachineScaleSets/vmss1.
Traffic destination port. Accepted values are '*', port number (3389) or port range (80-100).
Protocol to be verified on.
JSON list of queries to use. Use @{path} to load from a file. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Name of the resource group the target resource is in.
Resource type.
Traffic source. Accepted values are '*', IP address/CIDR, or Service Tag.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher show-next-hop
Get information on the next hop of a VM.
Requires that Network Watcher is enabled for the region in which the VM is located. For more information about show-next-hop visit https://learn.microsoft.com/en-us/azure/network-watcher/diagnose-vm-network-routing-problem-cli.
az network watcher show-next-hop --dest-ip
--source-ip
--vm
[--nic]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--resource-group]Examples
Get the next hop from a VMs assigned IP address to a destination at 10.1.0.4.
az network watcher show-next-hop -g MyResourceGroup --vm MyVm --source-ip 10.0.0.4 --dest-ip 10.1.0.4Required Parameters
Destination IPv4 address.
Source IPv4 address.
Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.
Optional Parameters
Name or ID of the NIC resource to test. If the VM has multiple NICs and IP forwarding is enabled on any of them, this parameter is required.
Do not wait for the long-running operation to finish.
Name of the resource group the target VM is in.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher show-security-group-view
Get detailed security information on a VM for the currently configured network security group.
For more information on using security group view visit https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-security-group-view-cli.
az network watcher show-security-group-view --vm
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--resource-group]Examples
Get the network security group information for the specified VM.
az network watcher show-security-group-view -g MyResourceGroup --vm MyVmRequired Parameters
Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.
Optional Parameters
Do not wait for the long-running operation to finish.
Name of the resource group the target VM is in.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher show-topology
Get the network topology of a resource group, virtual network or subnet.
For more information about using network topology visit https://learn.microsoft.com/en-us/azure/network-watcher/view-network-topology.
az network watcher show-topology [--location]
[--resource-group]
[--subnet]
[--vnet]Examples
Use show-topology to get the topology of resources within a resource group.
az network watcher show-topology -g MyResourceGroupOptional Parameters
Location. Defaults to the location of the target resource group. Topology information is only shown for resources within the target resource group that are within the specified region.
Name of the target resource group to perform topology on.
Name or ID of the subnet to target. If name is used, --vnet NAME must also be supplied.
Name or ID of the virtual network to target.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher test-connectivity
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Test if a connection can be established between a Virtual Machine and a given endpoint.
To check connectivity between two VMs in different regions, use the VM ids instead of the VM names for the source and destination resource arguments. To register for this feature or see additional examples visit https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-cli.
az network watcher test-connectivity --source-resource
[--dest-address]
[--dest-port]
[--dest-resource]
[--headers]
[--method {Get}]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--protocol {Http, Https, Icmp, Tcp}]
[--resource-group]
[--source-port]
[--valid-status-codes]Examples
Check connectivity between two virtual machines in the same resource group over port 80.
az network watcher test-connectivity -g MyResourceGroup --source-resource MyVmName1 --dest-resource MyVmName2 --dest-port 80Check connectivity between two virtual machines in the same subscription in two different resource groups over port 80.
az network watcher test-connectivity --source-resource MyVmId1 --dest-resource MyVmId2 --dest-port 80Required Parameters
Name or ID of the resource from which to originate traffic. Currently only Virtual Machines are supported.
Optional Parameters
IP address or URI at which to receive traffic.
Port number on which to receive traffic.
Name or ID of the resource to receive traffic. Currently only Virtual Machines are supported.
Space-separated list of headers in KEY=VALUE format. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
HTTP method to use.
Do not wait for the long-running operation to finish.
Protocol to test on.
Name of the resource group the target resource is in.
Port number from which to originate traffic.
Space-separated list of HTTP status codes considered valid. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher test-ip-flow
Test IP flow to/from a VM given the currently configured network security group rules.
Requires that Network Watcher is enabled for the region in which the VM is located. For more information visit https://learn.microsoft.com/en-us/azure/network-watcher/diagnose-vm-network-traffic-filtering-problem-cli.
az network watcher test-ip-flow --direction {Inbound, Outbound}
--local
--protocol {TCP, UDP}
--remote
--vm
[--nic]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--resource-group]Examples
Run test-ip-flow verify to test logical connectivity from a VM to the specified destination IPv4 address and port.
az network watcher test-ip-flow -g MyResourceGroup --direction Outbound --protocol TCP --local 10.0.0.4:* --remote 10.1.0.4:80 --vm MyVmRequired Parameters
Direction of the packet relative to the VM.
Private IPv4 address for the VMs NIC and the port of the packet in X.X.X.X:PORT format. * can be used for port when direction is outbound.
Protocol to test.
IPv4 address and port for the remote side of the packet X.X.X.X:PORT format. * can be used for port when the direction is inbound.
Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.
Optional Parameters
Name or ID of the NIC resource to test. If the VM has multiple NICs and IP forwarding is enabled on any of them, this parameter is required.
Do not wait for the long-running operation to finish.
Name of the resource group the target VM is in.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
