Keeping an eye on cloud-connected networks can be a daunting task for today’s network administrators. Fortunately, for those of us who leverage the power and capabilities of Microsoft Azure cloud offerings, there’s a feature that takes the pain out of keeping track of what’s going on with your network. Azure Network Watcher gives you the tools you need as an administrator to monitor, diagnose, view metrics, and enable or disable logs for the resources you’ve provisioned for your organization in Azure virtual networks. The capabilities of Network Watcher include the ability to view all the resources in a virtual network and their relationships with one another, monitor communications between virtual machines and endpoints in your network, and diagnose problems involving latency, connections, routing, gateways, and packet filtering. You can also use Network Watcher to gather metrics about how your network resources are deployed in Azure and gather traffic to or from network security groups (NSGs) for analysis using Power BI.
I’ve personally found Azure Network Watcher an especially useful tool for monitoring and troubleshooting Azure resources. But I don’t consider myself an expert on using this powerful tool, and many of my colleagues who are using Azure in their companies still haven’t explored the capabilities of this tool. To help remedy this situation and beef up my own understanding of how to use Network Watcher, I recently asked my colleague Sasha Kranjac to take us on a tour of the features and capabilities of this tool by presenting us with a short walkthrough with lots of screenshots, since a picture is worth, oh, about 1111101000 or 3E8 words. Sasha is a security and Azure specialist and instructor with more than two decades of experience in the field. He began programming in Assembler on Sir Clive Sinclair’s ZX, met Windows NT 3.5, and the love has lasted ever since. Sasha can be spotted speaking at numerous conferences or delivering Microsoft, EC-Council and his own Azure and Security Courses internationally. He is a Microsoft MVP, Microsoft Certified Trainer (MCT), MCT Regional Lead, Certified EC-Council Instructor (CEI) and holds a few other certifications as well. You can follow Sasha on Twitter: @SasaKranjac
The challenge of monitoring Azure virtual networks
Today, using Microsoft Azure, setting up computing environments is easier than ever. You can create multiple networks, subnets, virtual machines and numerous other networking components in the blink of an eye. Managing these complex networks and topologies can become cumbersome and difficult over time. Trying to grasp what-connects-to-what, and where exactly that load balancer or subnet is, becomes increasingly difficult in larger environments, especially when the time comes to troubleshoot and diagnose problems in such large networks.
Microsoft has an ace up its sleeve, however, that is here to help us with these daunting tasks, and its name is Azure Network Watcher. It is not just a Big Brother or all-seeing eye (like Sauron’s eye, if you’re into “Lord of the Rings”) but a friendly tool that jumps in to help in the dark times when it comes to monitoring, troubleshooting, and diagnosing problems with our networks. And as Microsoft constantly updates and enhances Azure components and services, this applies to Azure Network Watcher as well, and you will notice additions and functionality enhancements over time.
Exploring the capabilities of Azure Network Watcher
Okay, what makes Azure Network Watcher so special? How can it help you?
There are a lot of features in it, but before you can use them, you must enable Network Watcher in a subscription and the region where it will be used. If you have multiple subscriptions, it must be enabled for each subscription and region where it will be used.
There are four main sections in the Network Watcher blade: Monitoring, Network diagnostic tools, Metrics, and Logs. Each section has tools that can help you perform a specific task.
The Topology tool
The Monitoring section is home to the Topology tool. Well, you can call it a tool or a feature, but its power becomes evident as soon as you have even a slightly complex network infrastructure. It draws a network topology map of your Azure resources and presents it in a nice, graphical way, containing resource-specific icons, resource names, connections between resources, and network names.
First, select a Subscription, then select a Resource Group and you will be presented with a topology of the whole Resource Group. If you have many resource groups, networks, subnets, virtual machines, and other resources, the topology diagram might be too big to work with. In this case, you’ll want to narrow the view down to a particular virtual network.
Now, with the specific virtual network selected, the topology diagram is much smaller and easily understood. For added convenience, you can also download the topology diagram you are viewing and save it in scalable vector graphics (SVG) format. This file format is supported by many modern and popular programs, such as most of the popular browsers, Microsoft Visio, Adobe Illustrator, Adobe Photoshop, CorelDraw, and many more.
But this is not all! If you click on a resource in the topology diagram, it will open a settings blade for that resource.
How convenient — if you need to make changes to a resource or view its settings you don’t have to navigate away from the current blade. The resource is just a click away and when you are done with the task, simply close the resource blade and you’ll be back in the Network Watcher Topology view.
The Connection Monitor
The Connection Monitor is the tool that can help you establish the reliability, reachability, speed, and latency of your network infrastructure, as well as possible changes in the topology. In addition, it will tell you what the problem might be and how to fix it.
To monitor the connectivity between two resources, click +Add and the blade opens.
Here you specify the unique name of the monitor, as well as the source and destination resources (that is, the virtual machines) you are monitoring.
The source can be any virtual machine from any resource group within a previously selected subscription. As a destination, you can select a virtual machine or specify the resource manually. The manual choice can point to any URL, FQDN or IPv4 address of your choice, whether located in Azure or anywhere on the Internet. And yes, it does not have to be a virtual machine; it can be a physical machine or a cloud service if it can answer back on the service ports. Of course, the destination resource is supposed to be reachable, but you can create a monitor even if it’s not reachable and monitor the reachability and availability as you proceed with the troubleshooting process. When you specify the destination port, the monitor assumes the source and destination ports are the same. If that is not the case, in advanced settings, specify a custom source port and probing interval. If you do not specify the probing interval, the default value is 60 seconds and the minimum value is 30 seconds.
Once created, the monitor will (guess what) monitor the connectivity between the source and the destination! It is not as trivial as it sounds: it will show the graph of the monitoring activity for the past 1, 6 or 12 hours, or even for 1, 7 or 30 days.
The graph shows the average packet round trip time and the percentage of packets that never reached the destination. As trivial as it might seem at first, the data gathered presents invaluable information about your network and gives you an incredible insight into how the network behaves. Additionally, it shows the information in grid view and in topology view, which displays the resources’ IP addresses, connections, and names.
The Security Group view
The next Network Watcher hero in line is Security Group View, which can show you the information related to the Network Security Groups associated with a virtual machine. Especially useful if you have many NSG rules, this view can save you a lot of headaches: it shows you the effective NSG rules, so you know exactly which rule is preventing or allowing inbound or outbound traffic. It’ll also show you the list of, and information about, the associated subnets and attached network interfaces.
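To make the idea of a deciding rule concrete, here is an added example (not part of the original walkthrough and not Microsoft's code) that reproduces in Python how inbound traffic is evaluated against a subnet NSG and a NIC NSG. The sample rules, the 10.0.0.0/16 address space, and the simplified service-tag mapping are constructed assumptions; the three default rules are the ones Azure adds to every NSG.

```python
from ipaddress import ip_address, ip_network

# Simplified service-tag resolution; the VNet address space is constructed.
TAGS = {"*": ["0.0.0.0/0"], "VirtualNetwork": ["10.0.0.0/16"],
        "AzureLoadBalancer": ["168.63.129.16/32"]}

def rule(priority, name, access, protocol="*", source="*", port="*"):
    return {"priority": priority, "name": name, "access": access,
            "protocol": protocol, "source": source, "port": port}

# Default inbound rules that Azure adds to every NSG.
DEFAULT_INBOUND = [
    rule(65000, "AllowVnetInBound", "Allow", source="VirtualNetwork"),
    rule(65001, "AllowAzureLoadBalancerInBound", "Allow", source="AzureLoadBalancer"),
    rule(65500, "DenyAllInBound", "Deny"),
]

def matches(r, src_ip, protocol, port):
    prefixes = TAGS.get(r["source"], [r["source"]])
    in_source = any(ip_address(src_ip) in ip_network(p) for p in prefixes)
    return in_source and r["protocol"] in ("*", protocol) and r["port"] in ("*", port)

def deciding_rule(custom_rules, src_ip, protocol, port):
    """First match wins, lowest priority number first; DenyAllInBound always matches."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if matches(r, src_ip, protocol, port):
            return r

def inbound_verdict(subnet_nsg, nic_nsg, src_ip, protocol, port):
    """Inbound traffic is checked by the subnet NSG, then the NIC NSG; both must allow."""
    for scope, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        r = deciding_rule(rules, src_ip, protocol, port)
        if r["access"] == "Deny":
            return ("Deny", scope, r["name"])
    return ("Allow", scope, r["name"])

# Constructed sample NSGs (hypothetical rule names).
SUBNET_NSG = [rule(100, "AllowHttpsFromInternet", "Allow", "Tcp", "*", 443),
              rule(200, "DenyRdpFromInternet", "Deny", "Tcp", "*", 3389)]
NIC_NSG = [rule(110, "AllowRdpFromJumpHost", "Allow", "Tcp", "10.0.1.4/32", 3389),
           rule(120, "DenyHttps", "Deny", "Tcp", "*", 443)]

if __name__ == "__main__":
    for flow in [("203.0.113.7", "Tcp", 443), ("10.0.1.4", "Tcp", 3389),
                 ("10.0.2.9", "Tcp", 22), ("203.0.113.7", "Tcp", 22)]:
        print(flow, "->", inbound_verdict(SUBNET_NSG, NIC_NSG, *flow))
```

The second sample flow shows the case this view helps to untangle: the NIC-level allow rule for the jump host never takes effect, because the broader subnet-level deny rule is evaluated first.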
Another common connectivity issue that arises in networking, related not only to on-premises hardware but also to its virtual, cloud-based counterpart, is a VPN connection. The VPN Troubleshoot tool in Network Watcher can assist in resolving connectivity issues related to VPN connections. It needs a Storage Account, or, to be more precise, it needs a container with access permissions defined where it will store diagnostic data gathered during the troubleshooting process. Once that is created, the hunt for VPN connectivity problems can begin.
With storage and region defined, click on Start troubleshooting to begin.
In a few minutes, it will tell you what the problems are or what the problems might be, depending on the complexity of the problem itself. It returns the status of the troubleshooting process, for example the reason why the connection is lost.
And it will show you the actions recommended to solve the connectivity problem, with corresponding links where you can learn more about the steps.
To perform a deeper troubleshooting process that goes beyond the infrastructure itself and relates to the monitored resources, you have the packet capture capability available. Without the need to install monitoring software on either monitoring node, this convenient feature can be started in just a few clicks.
The capture configuration allows you to store the captured network packets in the Azure storage account and locally in a .cap file. It allows tweaking the capture process a little by setting maximum bytes per captured packet, maximum bytes per session, and a capture session duration time.
Moreover, fine-tuning can be done by creating a capture filter, by protocol or by local or remote IP addresses. Once the capture process is done, you can further examine and dissect the .cap file in your favorite program.
And last but not least, there is also a detailed overview of resource diagnostic logs. Diagnostics are not enabled by default, and if you are in the process of setting up a network and expect connectivity issues to occur, it would be good to enable logging so you can gather data and analyze it further.
Just scratching the surface
This is an introduction to some of the Azure Network Watcher features and is not a definitive list of its capabilities or functionality. I hope it was interesting and valuable, and I wish you a successful troubleshooting process using Azure Network Watcher.