Last updated: May 2026

Azure Networking Intermediate AZ-104 ⏱ 12 min read

Azure Network Watcher

Azure Network Watcher is a regional network monitoring and diagnostics service. When a VM can't connect to a database, when traffic isn't reaching an endpoint, when you need to understand what path traffic takes through your network — Network Watcher has the tools to diagnose and resolve these issues. It's the Swiss Army knife of Azure network troubleshooting.

What you'll learn IP Flow Verify — test if traffic is allowed/blocked · Next Hop — see where traffic is routed · Packet Capture — capture network packets · NSG Flow Logs — log all NSG traffic decisions · Connection Monitor — continuous connectivity testing · VPN Diagnostics · Network Topology view

Table of Contents

What is Network Watcher?
IP Flow Verify
Next Hop
Packet Capture
NSG Flow Logs
Connection Monitor
VPN Diagnostics
Network Topology
Practice Questions

What is Network Watcher?

Network Watcher is automatically enabled in each region when you create a VNet. It provides monitoring, diagnostics, and logging capabilities for Azure IaaS networking. All tools are accessible from the Azure Portal under Network Watcher.

ℹ️

Network Watcher is Regional Network Watcher is deployed per region. It automatically appears in your subscription when you create a VNet in a region — usually in a resource group called NetworkWatcherRG. You don't need to manually create it.

IP Flow Verify

IP Flow Verify tests whether traffic between a VM and a specific endpoint is allowed or denied by NSG rules — and which specific rule is responsible. The most useful first-step troubleshooting tool when connectivity fails.

What You Specify

VM and its NIC
Direction (inbound or outbound)
Protocol (TCP or UDP)
Local IP and port
Remote IP and port

What You Get

Allowed or Denied — and the name of the specific NSG rule causing the allow/deny decision.

Azure CLIIP Flow Verify

# Check if inbound TCP port 80 from internet is allowed
az network watcher test-ip-flow \
  --direction Inbound \
  --protocol TCP \
  --remote-ip 1.2.3.4 \
  --remote-port 80 \
  --local-ip 10.0.1.4 \
  --local-port 80 \
  --vm myVM \
  --resource-group myRG

Next Hop

Next Hop shows the routing path — where would a packet go from a VM to a destination IP? This reveals whether traffic is being routed correctly, going through Azure Firewall, or taking an unexpected route.

Next Hop Type	Meaning
Internet	Packet exits to the internet
VirtualNetwork	Packet stays within the VNet
VirtualNetworkGateway	Packet goes to VPN/ER gateway
VirtualAppliance	Packet routes to NVA (firewall IP)
None	No route — packet is dropped

Azure CLIGet next hop for a packet

# Find next hop from VM to destination IP
az network watcher show-next-hop \
  --dest-ip 8.8.8.8 \
  --vm myVM \
  --source-ip 10.0.1.4 \
  --resource-group myRG

Packet Capture

Packet Capture records network packets flowing through a VM's NIC — similar to running Wireshark on the VM. Useful for deep-dive traffic analysis, performance issues, or security investigations.

How It Works

Requires the Network Watcher agent extension on the VM
Captures to a Storage Account blob or local VM file
You can filter by protocol, local/remote IP, port
Stops automatically after a time limit or file size limit

Azure CLIStart a packet capture

# Start packet capture (saves to storage account)
az network watcher packet-capture create \
  --name myCapture \
  --resource-group myRG \
  --vm myVM \
  --storage-account mystorageaccount2026 \
  --time-limit 60 \
  --filters '[{"protocol":"TCP","remotePort":"443"}]'

NSG Flow Logs

NSG Flow Logs record information about IP traffic flowing through an NSG. Every connection attempt — allowed or denied — is logged with: source/destination IP, port, protocol, direction, and allow/deny decision.

Flow Log Versions

Version 1 — Basic flow information
Version 2 — Adds bytes and packets transferred per flow

Traffic Analytics

Process NSG Flow Logs through Traffic Analytics (requires Log Analytics workspace) for visualisations, anomaly detection, and query-based investigation across your entire network.

Azure CLIEnable NSG Flow Logs

# Enable flow logs on an NSG
az network watcher flow-log create \
  --name myFlowLog \
  --nsg myNSG \
  --resource-group myRG \
  --storage-account mystorageaccount2026 \
  --enabled true \
  --format JSON \
  --log-version 2 \
  --retention 30

Connection Monitor

Connection Monitor provides continuous end-to-end monitoring of network connections. Unlike IP Flow Verify (one-time test), Connection Monitor runs periodically and alerts you when connectivity degrades or fails.

What It Monitors

Latency between source and destination
Packet loss percentage
Pass/fail of connectivity checks
Hop-by-hop path analysis

Sources can be Azure VMs or on-premises servers (with monitoring agent). Destinations can be Azure resources, internet endpoints, or on-premises resources.

VPN Diagnostics

Diagnose issues with VPN Gateway connections — tests the health of a VPN connection and generates a detailed diagnostic report about the gateway, tunnels, and traffic flows. Useful when S2S VPN connections fail or have intermittent issues.

Network Topology

Generates a visual map of your network resources — VNets, subnets, VMs, NICs, NSGs, public IPs, and their relationships. Gives a bird's-eye view of your entire network architecture without having to manually trace relationships.

Azure CLIGet network topology

# Export topology for a resource group
az network watcher show-topology \
  --resource-group myRG \
  --location centralindia

💡

AZ-104 Troubleshooting Toolkit The exam loves network troubleshooting scenarios. Know which tool to use: Can't connect? → IP Flow Verify. Wrong routing? → Next Hop. Need packet-level data? → Packet Capture. Audit all traffic? → NSG Flow Logs. Continuous monitoring? → Connection Monitor. VPN issues? → VPN Diagnostics.

📝 Practice Questions

Click an option to check your answer.

Q1. A VM cannot connect to a web server on port 443. You suspect an NSG rule is blocking traffic. Which Network Watcher tool should you use first?

A — IP Flow Verify

B — Packet Capture

C — NSG Flow Logs

D — Connection Monitor

Q2. Traffic from a VM should go through Azure Firewall but you suspect it's bypassing it. Which Network Watcher tool diagnoses this?

A — IP Flow Verify

B — Next Hop

C — Packet Capture

D — Network Topology

Q3. A security team wants to audit all traffic accepted and rejected by an NSG over the past 30 days. Which feature provides this?

A — IP Flow Verify

B — Packet Capture

C — NSG Flow Logs

D — Connection Monitor

Q4. What does Connection Monitor provide that IP Flow Verify does not?

A — Tests NSG rule evaluation

B — Continuous monitoring with latency and packet loss tracking over time, with alerts

C — Shows which NSG rule is blocking traffic

D — Captures packet content for analysis

Q5. What does a "None" result from the Next Hop tool indicate?

A — Traffic is routed to the internet by default

B — No route exists — packets are dropped at that point

C — Traffic is routed to the VPN Gateway

D — Next Hop cannot determine the routing path

← PreviousAzure Private Endpoints Next →Back to All Modules

Comments

Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.