Network Watcher

What is Azure Network Watcher?

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Virtual Network Gateways provide connectivity between on-premises resources and other virtual networks within Azure. Monitoring gateways and their connections are critical to ensuring communication is not broken. Network Watcher provides the capability to troubleshoot gateways and connections

Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc. Note: It is not intended for and will not work for PaaS monitoring or Web analytics.

Diagnose network traffic filtering problems to or from a VM

Quickstart: Diagnose a virtual machine network traffic filter problem using the Azure portalIP flow verify 

When you deploy a VM, Azure applies several default security rules to the VM that allow or deny traffic to or from the VM. You might override Azure’s default rules, or create additional rules. At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.

Questions about Network Watcher from AZ-104 version 575 pages

IP flow Verify

The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol
(TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and
informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security
rule allowed or denied the communication, so that you can resolve the problem.

  • Question 1 / 5 /575 E. IP flow verify in Azure Network Watcher (You discover that VM3 does NOT meet the technical requirements -Litware Lab)

Connection troubleshoot

The connection troubleshoot feature of Network Watcher provides the capability to check a direct TCP connection from a virtual machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. Network scenarios are complex, they are implemented using network security groups, firewalls, user-defined routes, and resources provided by Azure. Complex configurations make troubleshooting connectivity issues challenging. Network Watcher helps reduce the amount of time to find and detect connectivity issues. The results returned can provide insights into whether a connectivity issue is due to a platform or a user configuration issue.

The connection troubleshoot capability enables you to test a connection between a VM and another VM,
an FQDN, a URI, or an IPv4 address. The test returns similar information returned when using the
connection monitor capability, but tests the connection at a point in time, rather than monitoring it over
time, as connection monitor does

Connection monitor

  • QUESTION 93 / 112 /575 D. Connection monitor (You need to view the average round-trip time (RTT) of the packets from VM1 to VM2)
  • QUESTION 143/242/575 A. Yes you propose to create a connection monitor You need to monitor traffic between VM1 and VM2 for a period of five hours.

NSG flow log

  • QUESTION 111 / 126 /575 WRONG ANSWERCDE

A. Register the Microsoft.Insights resource provider
E. Create an Azure Storage account
F. Enable Azure Network Watcher flow log

Traffic Analytics

  • QUESTION 117 / 130 /575 YES Owner Role (You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription)
  • QUESTION 118 / 130/575 YES Reader Role
  • QUESTION 116 / 130/575 YES Network Contributor Role
  • QUESTION 137 / 141/575 YES Traffic Manager Contributor Role
  • QUESTION 104 / 218/575 YES Traffic Manager Contributor Role at the subscription level to Admin1

Capture packets to and from a VM Introduction to variable packet capture in Azure Network Watcher

Learn how you can manage packet captures through the portal by visiting Manage packet capture in the Azure portal 

  • QUESTION 131/137 /575 NO – From Azure Monitor, you create a metric on Network In and Network Out. (You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. = QUESTION 76/107 /575 NO
  • QUESTION 72/195 /575 NO – From Performance Monitor, you create a Data Collector Set (DCS) = QUESTION 77/197 /575 NO
  • QUESTION 73/195 /575 YES – From Azure Network Watcher, you create a packet capture. = QUESTION 75/196 /575 YES
  • QUESTION 74/196 /575 NO – From Azure Network Watcher, you create a connection monitor.

Azure Application Gateway

Azure Application Gateway features

  • QUESTION 109/220 /575 A. Metrics in Application Gateway You are troubleshooting a performance issue for an Azure Application Gateway. You need to compare the total requests to the failed requests during the past six hours