Microsoft Azure Network Watcher

What is Microsoft Azure Network Watcher?

Azure Network Watcher is a comprehensive cloud service in the Azure ecosystem designed to assess and maintain the health of Azure networks.

It consolidates various tools into a centralized platform, offering functionalities such as monitoring, diagnosis, metric viewing, and log analysis.

In this blog post, we are going to explore the Azure network watcher, its features, use cases, and how to configure it in detail.

Let’s dig in!

What is Microsoft Azure Network Watcher?

Azure Network Watcher offers a set of tools to monitor and diagnose the Azure networks. It is mainly used by the system administrators to ease the monitoring, diagnosing, and gain insights about the health and performance of the network by analyzing the network metrics along with the virtual machines.

Network Watcher offers a comprehensive set of tools designed to monitor, diagnose, view metrics, and manage logs for Infrastructure-as-a-Service (IaaS) resources. These resources include virtual machines, virtual networks, application gateways, load balancers, and other components within an Azure virtual network.

It is also employed to troubleshoot connectivity issues, networking issues, and network traffic issues related to security. Azure network watcher helps to keep track of the respective network between the endpoint and virtual machine. 

To find out any performance issues and improve your network performance, you can monitor the network performance metrics such as latency, bandwidth utilization, and packet loss.

Microsoft Azure Network Watcher Elements

Azure Network Watcher comprises three primary tools, each serving distinct functions:

1. Monitoring Elements

  • Network Monitoring: Monitors endpoints like virtual machines (VMs), fully qualified domain names (FQDNs), URIs, or IPv4 addresses. Connection Monitor reports on communication metrics such as reachability, latency, and network topology changes between two endpoints.
  • Network Performance Monitor: Verifies and reports on performance between various network infrastructure endpoints, including detection of issues like traffic blackholing and routing errors. It also monitors network links to on-premises infrastructure through VPN or Azure ExpressRoute.
  • Infrastructure Topology Diagrams: Provides visual representations of infrastructure topology, outlining virtual networks, subnets, resources, and network security groups.

2. Network Diagnostic Tools

Diagnosing Network Traffic Filtering Issues for a Virtual Machine: When deploying a virtual machine in Azure, default security rules are applied to control incoming and outgoing traffic. Users can customize or add rules as needed. The IP flow verify capability allows specific configuration of resources, destination protocols, ports, IPv4 addresses, and traffic directions to troubleshoot and diagnose network traffic filtering problems.

Diagnosing Network Routing Problems for a Virtual Machine: Azure establishes default outbound routes for network traffic when creating a virtual network. These routes guide traffic from all resources, including virtual machines within the virtual network. Users have the flexibility to override default routes or create additional Azure default routes to address and diagnose network routing issues for virtual machines.

Capturing Packets to and from a Virtual Machine: Azure provides comprehensive packet capture capabilities with fine-tuned controls and advanced filtering options. Users can set size limitations and time parameters, offering versatility in capturing packets. Captured data can be stored on the virtual machine’s disk, in Azure Storage, or both, facilitating effective diagnosis of network communication issues.

Diagnosing Azure Virtual Network Gateway and Connections Issues: The Azure virtual network gateway establishes connectivity between Azure virtual networks and on-premises resources. Monitoring the gateway and its connections is crucial to ensure stable communication. The VPN diagnostic capability provides tools to diagnose connections and gateways, allowing users to identify and resolve issues affecting the virtual network’s connectivity and performance.

  • IP Flow Verify Tool: Tests communication endpoints, identifying successful connections and pinpointing the specific rule (allowing or denying traffic) within Network Security Groups (NSG).
  • Other Diagnostic Tools: Include NSG diagnostics, next hop analysis, packet capture sessions, and connection troubleshooting for comprehensive verification of IaaS infrastructure.

3. Logging Capabilities

  • NSG Flow Log: Logs traffic allowed or denied by NSGs. Analyzing these logs, potentially with tools like Microsoft’s PowerBI and traffic analytics, provides insights into network activity.
  • Diagnostic Logging: Enables logging for various Azure resources, including NSGs, VM network interfaces, public IP addresses, load balancers, virtual network gateways, and application gateways. Each resource can have up to 5 diagnostic settings, with logs exportable to destinations such as Log Analytics workspace, Event Hubs, and Azure Storage.

These tools collectively empower users to monitor, diagnose, and analyze the performance and security of their Azure infrastructure, enhancing overall network management and troubleshooting capabilities.

Azure Network Watcher pricing

Azure Network Watcher pricing varies based on the region and service availability. When you create a Network Watcher in Azure, there is no impact on other resources or associated charges for enabling it. 

However, specific elements within Network Watcher may incur costs.

For instance, if you collect up to 5 GB per month of network logs, Microsoft charges $0.50 per additional GB of logs collected. These logs are stored in a storage account, and you can set a retention policy for up to 365 days. If no retention policy is set, Azure retains the logs indefinitely. 

Network Watcher includes 1,000 checks per month for the Network Diagnostic Tool. Once this limit is reached, Microsoft charges $1 per additional 1,000 checks. The Connections Monitor includes 10 tests per month, with tier-based charging for additional tests:

Azure Network Watcher incurs a monthly subscription fee starting from $0.3. It provides six distinct plans with the following pricing:

  1. Plan 1 is priced at $0.50 per month.
  2. Plan 2 has a monthly cost of $1.
  3. Plan 3 is available at a monthly rate of $0.30.
  4. Plan 4 is offered at a monthly cost of $3.
  5. Opt for Plan 5 at a monthly rate of $0.30.
  6. Plan 6 is priced at $3.50 per month.

Features of Network Watcher

Here are some features of Microsoft Azure Network Watcher:

  1. Flow logs: Network security group flow logs help us build a deeper insight into our network traffic patterns. You can also get the data for the monitoring, auditing, and compliance with the network profiles by using this tool. 
  2. Remote network monitoring Automation: You can monitor and diagnose the problems without logging into the virtual machines by the packet capture triggering. The packet capture can be triggered by enabling the alerts. We can use those data to gain real-time performance data at the packet level and carry out the investigation in detail for effective diagnoses.
  3. Diagnose VPN connectivity issues: Detailed logs can be used to investigate the connection and VPN gateway-related issues and diagnose them.
  4. Troubleshoot connection: You can identify and troubleshoot network connectivity and performance issues that may evolve in Azure.
  5. VPN Diagnostics: Utilize VPN diagnostics for troubleshooting connections and gateways, providing both summarized information in the portal and more detailed data in log files. This information encompasses connection statistics, packet drops, buffers, memory usage, CPU performance, and events.
  6. Confirm IP flow: This functionality is primarily used to validate the accurate application of security rules and identify potential connectivity issues to or from the internet or the on-premises environment.
  7. Next hop: Check if traffic is correctly routed to the intended destination, ensuring the proper configuration of network routing. When creating a virtual network, Azure automatically establishes various default outbound routes for network traffic, which can be reviewed, overridden, or supplemented with additional routes based on specific requirements.
  8. Visualize the network topology: Network Watcher aids in generating a visual representation of the resources within a virtual network and their interconnections. This graphical display illustrates the relationships between resources, making it straightforward for new administrators to comprehend the virtual network structure and troubleshoot any issues.

Azure Network Watcher vs. Azure Monitor

Differences between Azure network watcher and Azure monitor

Azure Network Watcher Limits

Network Watcher has the following limits:

Resource Limit
Network Watcher instances per subscription 1 (One instance allowed per region)
Connection monitors per subscription 100
Maximum test groups per connection monitor 20
Maximum sources and destinations per connection monitor 100
Maximum test configurations per connection monitor 20
Packet capture sessions per subscription 10,000 (Number of sessions, captures not saved)
VPN Troubleshoot operations per subscription 1 (Concurrent operations allowed)

How to configure Azure Network Watcher?

To configure Azure Network Watcher, follow these steps:

  1. Go to the Azure portal.
  2. Click on “All Services” on the homepage.
  3. In the search bar, type “network watcher.”
  4. Access the network watcher service by clicking on it. Explore different tabs for monitoring, diagnosis, and logs related to your virtual network.

To add virtual networks to Network Watcher:

  1. Click on the “+Add” option.
  2. Choose the Azure subscription and regions where your virtual networks are located.
  3. Select the subscription and regions from the list, then click “Add” to include the virtual networks.
  4. Deployment may take 3-4 minutes.
  5. Click “Refresh” to view the newly added resource on the overview page for each region.

Azure Network Watcher Use Cases

Some notable use cases of Azure network watcher such as:

  1. Topology: You will know how the virtual machines, subnets, and network security groups are relevant to one another with the help of topology and you can detect any misconfiguration in the network. 
  2. Network performance monitoring: The performance of the network infrastructure can be tracked and performance metrics include networking devices, applications, and connections with the help of a network performance monitor. Also, you can eliminate performance concerns and manage the network architecture with the real-time updates generated by the NPM.
  3. Traffic analytics: You can be able to spot security loopholes and fix those networking concerns by keeping an eye on the incoming traffic to the virtual network. 
  4. Monitoring connection: The connection monitor allows you to monitor the network connection between the virtual machines, Azure services, and subnets. You can also find and diagnose the connectivity concerns and receive alerts whenever the connection is lost.


Is Azure Network Watcher free?

Azure Network Watcher doesn’t offer a free plan. Azure generally follows a pay-as-you-go model, where users are billed based on their usage of Azure services, including Azure Network Watcher.

How does Network Watcher work?

Network Watcher observes various endpoints, including virtual machines (VMs), fully qualified domain names (FQDNs), uniform resource identifiers (URIs), and IPv4 addresses. The connection monitor assesses the communication between two endpoints, providing insights into factors such as reachability, latency, and alterations in network topology.

What is the main purpose of Azure Network Watcher?

Azure Network Watcher is used for diagnosing and troubleshooting common issues related to VPN (Virtual Private Network) Gateways and connections within the Azure cloud environment. 

Its primary purpose is to provide users with the capability to identify and address issues that may arise in VPN connections. By leveraging detailed logs and diagnostic tools, Network Watcher helps users diagnose problems effectively and enables further investigation into the root causes of connectivity issues associated with VPN Gateways and connections.


Hope this blog brings us to the end of the blog on the Microsoft Azure Network Watcher. We hope you can benefit from the same.

Users looking for comprehensive monitoring solutions for their entire Azure environment may need to complement Azure Network Watcher with additional tools or services tailored for PaaS monitoring.

Overall, Azure Network Watcher serves as a valuable tool for maintaining the health of Azure network infrastructure.

About Dharmendra Digari

Dharmalingam carries years of experience as a product manager. He pursued his MBA, which honed his skills of seeing products differently than others perceive. He specialises in products from the information technology and services domain, with a proven history of expertise. His skills include AWS, Google Cloud Platform, Customer Relationship Management, IT Business Analysis and Customer Service Operations. He has specifically helped many companies in the e-commerce domain establish themselves with refined and well-developed products, carving a niche for themselves.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top