Network Watchers - Get Network Configuration Diagnostic
Gets Network Configuration Diagnostic data to help customers understand and debug network behavior. It provides detailed information on what security rules were applied to a specified traffic flow and the result of evaluating these rules. Customers must provide details of a flow like source, destination, protocol, etc. The API returns whether traffic was allowed or denied, the rules evaluated for the specified flow and the evaluation results.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}/networkConfigurationDiagnostic?api-version=2023-09-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
networkWatcherName | path | True | string | The name of the network watcher. |
resourceGroupName | path | True | string | The name of the resource group. |
subscriptionId | path | True | string | The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
api-version | query | True | string | Client API version. |
Request Body
Name | Required | Type | Description |
---|---|---|---|
profiles | True | | List of network configuration diagnostic profiles. |
targetResourceId | True | string | The ID of the target resource to perform network configuration diagnostic. Valid options are VM, NetworkInterface, VMSS/NetworkInterface and Application Gateway. |
verbosityLevel | | | Verbosity level. |
Responses
Name | Type | Description |
---|---|---|
200 OK | | Request successful. The operation returns the result of network configuration diagnostic. |
202 Accepted | | Accepted and the operation will complete asynchronously. |
Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow.
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Network configuration diagnostic
Sample Request
POST https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw1/networkConfigurationDiagnostic?api-version=2023-09-01
```json
{
  "targetResourceId": "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm1",
  "profiles": [
    {
      "direction": "Inbound",
      "protocol": "TCP",
      "source": "10.1.0.4",
      "destination": "12.11.12.14",
      "destinationPort": "12100"
    }
  ]
}
```
Sample Response
```json
{
  "results": [
    {
      "profile": {
        "direction": "Inbound",
        "protocol": "TCP",
        "source": "10.1.0.4",
        "destination": "12.11.12.14",
        "destinationPort": "12100"
      },
      "networkSecurityGroupResult": {
        "securityRuleAccessResult": "Allow",
        "evaluatedNetworkSecurityGroups": [
          {
            "networkSecurityGroupId": "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/networkSecurityGroups/nsg1",
            "appliedTo": "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/vnet/subnets/AppSubnet",
            "matchedRule": {
              "ruleName": "UserRule_fe_rule",
              "action": "Allow"
            },
            "rulesEvaluationResult": [
              {
                "name": "UserRule_Cleanuptool-Allow-100",
                "protocolMatched": true,
                "sourceMatched": false,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": false
              },
              {
                "name": "UserRule_Cleanuptool-Allow-101",
                "protocolMatched": true,
                "sourceMatched": true,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": false
              },
              {
                "name": "UserRule_Cleanuptool-Allow-102",
                "protocolMatched": true,
                "sourceMatched": false,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": false
              },
              {
                "name": "UserRule_Cleanuptool-Deny-103",
                "protocolMatched": true,
                "sourceMatched": true,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": false
              },
              {
                "name": "UserRule_fe_rule",
                "protocolMatched": true,
                "sourceMatched": true,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": true
              }
            ]
          },
          {
            "networkSecurityGroupId": "/subscriptions/61cc8a98-a8be-4bfe-a04e-0b461f93fe35/resourceGroups/NwRgCentralUSEUAP_copy/providers/Microsoft.Network/networkSecurityGroups/AppNSG",
            "appliedTo": "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/vnet/networkInterfaces/nic",
            "matchedRule": {
              "ruleName": "UserRule_fe_rule",
              "action": "Allow"
            },
            "rulesEvaluationResult": [
              {
                "name": "UserRule_fe_rule",
                "protocolMatched": true,
                "sourceMatched": true,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": true
              }
            ]
          }
        ]
      }
    }
  ]
}
```
Location: https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw1/networkConfigurationDiagnostic?api-version=2023-09-01
```json
{
  "results": [
    {
      "profile": {
        "direction": "Inbound",
        "protocol": "TCP",
        "source": "10.1.0.4",
        "destination": "12.11.12.14",
        "destinationPort": "12100"
      },
      "networkSecurityGroupResult": {
        "securityRuleAccessResult": "Allow",
        "evaluatedNetworkSecurityGroups": [
          {
            "networkSecurityGroupId": "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/networkSecurityGroups/nsg1",
            "appliedTo": "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/vnet/subnets/AppSubnet",
            "matchedRule": {
              "ruleName": "UserRule_fe_rule",
              "action": "Allow"
            },
            "rulesEvaluationResult": [
              {
                "name": "UserRule_Cleanuptool-Allow-100",
                "protocolMatched": true,
                "sourceMatched": false,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": false
              },
              {
                "name": "UserRule_Cleanuptool-Allow-101",
                "protocolMatched": true,
                "sourceMatched": true,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": false
              },
              {
                "name": "UserRule_Cleanuptool-Allow-102",
                "protocolMatched": true,
                "sourceMatched": false,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": false
              },
              {
                "name": "UserRule_Cleanuptool-Deny-103",
                "protocolMatched": true,
                "sourceMatched": true,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": false
              },
              {
                "name": "UserRule_fe_rule",
                "protocolMatched": true,
                "sourceMatched": true,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": true
              }
            ]
          },
          {
            "networkSecurityGroupId": "/subscriptions/61cc8a98-a8be-4bfe-a04e-0b461f93fe35/resourceGroups/NwRgCentralUSEUAP_copy/providers/Microsoft.Network/networkSecurityGroups/AppNSG",
            "appliedTo": "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/vnet/networkInterfaces/nic",
            "matchedRule": {
              "ruleName": "UserRule_fe_rule",
              "action": "Allow"
            },
            "rulesEvaluationResult": [
              {
                "name": "UserRule_fe_rule",
                "protocolMatched": true,
                "sourceMatched": true,
                "sourcePortMatched": true,
                "destinationMatched": true,
                "destinationPortMatched": true
              }
            ]
          }
        ]
      }
    }
  ]
}
```
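Reading a response body of this shape programmatically, as an added example that is not part of the original reference or Microsoft's code: it reports the overall verdict, the deciding rule in each evaluated NSG, and the rules that failed on exactly one condition. The names `make_rule`, `unmatched`, `explain` and the "near miss" notion are assumptions of this example, and the sample data is constructed by trimming the Sample Response above.

```python
# Added example: summarise a networkConfigurationDiagnostic response body.
CONDITIONS = ("protocol", "source", "sourcePort", "destination", "destinationPort")

def make_rule(name, *missed):
    """Build a constructed rulesEvaluationResult entry; `missed` conditions are False."""
    return {"name": name, **{c + "Matched": c not in missed for c in CONDITIONS}}

# Constructed sample, trimmed from the Sample Response on this page.
RG2 = "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network"
SAMPLE = {"results": [{
    "profile": {"direction": "Inbound", "protocol": "TCP", "source": "10.1.0.4",
                "destination": "12.11.12.14", "destinationPort": "12100"},
    "networkSecurityGroupResult": {
        "securityRuleAccessResult": "Allow",
        "evaluatedNetworkSecurityGroups": [{
            "networkSecurityGroupId": RG2 + "/networkSecurityGroups/nsg1",
            "appliedTo": RG2 + "/virtualNetworks/vnet/subnets/AppSubnet",
            "matchedRule": {"ruleName": "UserRule_fe_rule", "action": "Allow"},
            "rulesEvaluationResult": [
                make_rule("UserRule_Cleanuptool-Allow-100", "source", "destinationPort"),
                make_rule("UserRule_Cleanuptool-Deny-103", "destinationPort"),
                make_rule("UserRule_fe_rule")]}]}}]}

def unmatched(entry):
    """Conditions of one rule evaluation entry that did not match the flow."""
    return [c for c in CONDITIONS if not entry.get(c + "Matched", False)]

def explain(response):
    """Per profile: overall verdict, deciding rule per NSG, rules one condition short."""
    report = []
    for result in response.get("results", []):
        nsg_result = result.get("networkSecurityGroupResult") or {}
        groups = []
        for nsg in nsg_result.get("evaluatedNetworkSecurityGroups", []):
            matched = nsg.get("matchedRule") or {}
            evaluated = nsg.get("rulesEvaluationResult", [])
            groups.append({
                "nsg": nsg.get("networkSecurityGroupId", "").rsplit("/", 1)[-1],
                "appliedTo": nsg.get("appliedTo", "").rsplit("/", 1)[-1],
                "rule": matched.get("ruleName"),
                "action": matched.get("action"),
                # Rules that missed on exactly one condition: a small change to the
                # flow or to the rule could make them apply, so review them first.
                "nearMisses": {e["name"]: unmatched(e)[0]
                               for e in evaluated if len(unmatched(e)) == 1},
            })
        report.append({"access": nsg_result.get("securityRuleAccessResult"),
                       "profile": result.get("profile"), "groups": groups})
    return report
```

In the constructed sample the Deny rule `UserRule_Cleanuptool-Deny-103` is reported as a near miss on `destinationPort`, which is the kind of rule worth checking when an Allow verdict is unexpected.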
Definitions
Name | Description |
---|---|
Direction | The direction of the traffic. |
ErrorDetails | Common error details representation. |
ErrorResponse | The error object. |
EvaluatedNetworkSecurityGroup | Results of network security group evaluation. |
MatchedRule | Matched rule. |
NetworkConfigurationDiagnosticParameters | Parameters to get network configuration diagnostic. |
NetworkConfigurationDiagnosticProfile | Parameters to compare with network configuration. |
NetworkConfigurationDiagnosticResponse | Results of network configuration diagnostic on the target resource. |
NetworkConfigurationDiagnosticResult | Network configuration diagnostic result corresponding to the provided traffic query. |
NetworkSecurityGroupResult | Network configuration diagnostic result corresponding to the provided traffic query. |
NetworkSecurityRulesEvaluationResult | Network security rules evaluation result. |
SecurityRuleAccess | Whether network traffic is allowed or denied. |
VerbosityLevel | Verbosity level. |
Direction
The direction of the traffic.
Name | Type | Description |
---|---|---|
Inbound | string | |
Outbound | string | |
ErrorDetails
Common error details representation.
Name | Type | Description |
---|---|---|
code | string | Error code. |
message | string | Error message. |
target | string | Error target. |
ErrorResponse
The error object.
Name | Type | Description |
---|---|---|
error | Error | |
EvaluatedNetworkSecurityGroup
Results of network security group evaluation.
Name | Type | Description |
---|---|---|
appliedTo | string | Resource ID of the NIC or subnet to which the network security group is applied. |
matchedRule | | Matched network security rule. |
networkSecurityGroupId | string | Network security group ID. |
rulesEvaluationResult | | List of network security rules evaluation results. |
MatchedRule
Matched rule.
Name | Type | Description |
---|---|---|
action | string | The network traffic is allowed or denied. Possible values are 'Allow' and 'Deny'. |
ruleName | string | Name of the matched network security rule. |
NetworkConfigurationDiagnosticParameters
Parameters to get network configuration diagnostic.
Name | Type | Description |
---|---|---|
profiles | | List of network configuration diagnostic profiles. |
targetResourceId | string | The ID of the target resource to perform network configuration diagnostic. Valid options are VM, NetworkInterface, VMSS/NetworkInterface and Application Gateway. |
verbosityLevel | | Verbosity level. |
NetworkConfigurationDiagnosticProfile
Parameters to compare with network configuration.
Name | Type | Description |
---|---|---|
destination | string | Traffic destination. Accepted values are: '*', IP Address/CIDR, Service Tag. |
destinationPort | string | Traffic destination port. Accepted values are '*' and a single port in the range (0 - 65535). |
direction | | The direction of the traffic. |
protocol | string | Protocol to be verified on. Accepted values are '*', TCP, UDP. |
source | string | Traffic source. Accepted values are '*', IP Address/CIDR, Service Tag. |
NetworkConfigurationDiagnosticResponse
Results of network configuration diagnostic on the target resource.
Name | Type | Description |
---|---|---|
results | | List of network configuration diagnostic results. |
NetworkConfigurationDiagnosticResult
Network configuration diagnostic result corresponding to the provided traffic query.
Name | Type | Description |
---|---|---|
networkSecurityGroupResult | | Network security group result. |
profile | | Network configuration diagnostic profile. |
NetworkSecurityGroupResult
Network configuration diagnostic result corresponding to the provided traffic query.
Name | Type | Description |
---|---|---|
evaluatedNetworkSecurityGroups | | List of network security group diagnostic results. |
securityRuleAccessResult | | The network traffic is allowed or denied. |
NetworkSecurityRulesEvaluationResult
Network security rules evaluation result.
Name | Type | Description |
---|---|---|
destinationMatched | boolean | Value indicating whether destination is matched. |
destinationPortMatched | boolean | Value indicating whether destination port is matched. |
name | string | Name of the network security rule. |
protocolMatched | boolean | Value indicating whether protocol is matched. |
sourceMatched | boolean | Value indicating whether source is matched. |
sourcePortMatched | boolean | Value indicating whether source port is matched. |
SecurityRuleAccess
Whether network traffic is allowed or denied.
Name | Type | Description |
---|---|---|
Allow | string | |
Deny | string | |
VerbosityLevel
Verbosity level.
Name | Type | Description |
---|---|---|
Full | string | |
Minimum | string | |
Normal | string | |