Azure maintains the network fabric and provides the virtualized network layer to customers. In complex or multi-region deployments where an application is spread across many servers, you need packet capture tooling, a way to troubleshoot VPN-related issues, and a holistic view of the network security rules in effect in order to identify and fix problems in the application's traffic path. Azure Network Watcher provides these.
Below are the network diagnostic tools offered by Azure network watcher –
- IP flow verify
- Next hop
- Security group view
- VPN diagnostics
- Packet capture
- Connection troubleshoot
Network Watcher – things to know
- Network Watcher is a billed service, not a free one; check the pricing of the tools you plan to use
- Packet Capture requires the Network Watcher agent (a VM extension) on the target VM; Windows and Linux agents are available. See below for the steps to deploy the agent
- Network Watcher creates its own Azure-managed resources, placed in a dedicated resource group (NetworkWatcherRG by default) within your subscription
- Network Watcher does not span subscriptions. It must be enabled separately in each subscription and in each region where you need it
Install Network Watcher
Sign in to the Azure Portal (https://portal.azure.com) and search for Network Watcher in the list of services. Right-click each region where you want Network Watcher and select Enable Network Watcher.
Once enabled, a Network Watcher resource group appears in your subscription, holding one networkWatcher resource per enabled region.
Select Show hidden types in the resource group view, otherwise these resources are not displayed.
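A check worth scripting before relying on any of the tools below, as an added example and not code from the original post: list the regions that actually host VMs in the subscription, compare them with the regions where Network Watcher is enabled, and enable it where it is missing. It assumes the Azure CLI is logged in to the right subscription and uses the default resource group name NetworkWatcherRG; `az vm list`, `az network watcher list` and `az network watcher configure` are real Azure CLI commands.

```shell
#!/bin/sh
# Added example (not from the original post): make sure Network Watcher is
# enabled in every region that hosts a VM in the current subscription,
# then enable it where it is missing. Assumes the default resource group
# name NetworkWatcherRG and a logged-in Azure CLI.
set -eu

# Regions with at least one VM, one per line, sorted and deduplicated.
vm_regions() {
    az vm list --query "[].location" -o tsv | sort -u
}

# Regions that already have a Network Watcher instance.
watcher_regions() {
    az network watcher list --query "[].location" -o tsv | sort -u
}

# Print the VM regions that have no Network Watcher yet (empty output = none).
missing_watcher_regions() {
    have=$(watcher_regions)
    for r in $(vm_regions); do
        printf '%s\n' "$have" | grep -qxF -- "$r" || printf '%s\n' "$r"
    done
}

# Enable Network Watcher in the given regions; safe to re-run.
enable_watcher() {
    az network watcher configure --resource-group NetworkWatcherRG \
        --locations "$@" --enabled true
}

# Full run against Azure; only executed when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then
    missing=$(missing_watcher_regions)
    if [ -n "$missing" ]; then
        # region names contain no whitespace, so unquoted expansion is intended
        enable_watcher $missing
    else
        echo "Network Watcher is enabled in every region that hosts a VM"
    fi
fi
```

Run it before each troubleshooting session in a new subscription; the region list it prints is exactly the set you still need to enable.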
IP Flow Verify
IP Flow Verify checks whether a packet with a given direction, protocol, source and destination IP address and port would be allowed to or from a virtual machine's network interface, evaluating the network security groups in effect. If the packet is blocked, the NSG and the rule that deny it are named.
In the example below, we tested outbound flow from the virtual machine to a specific web server IP on port 80. Note that the feature accepts a single IP address and a single port per check, not ranges, which is something I would have liked.
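The same check from the Azure CLI, as an added example that is not part of the original post. Because one check covers one port, the script sweeps a list of ports through `az network watcher test-ip-flow` for the VM and prints the verdict and the NSG rule behind it for each, failing if any port is denied. The resource group rg-app, the VM vm-web-01, its private IP 10.0.0.4 and the web server 203.0.113.10 are assumed names for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sweep several destination ports
# through Network Watcher IP flow verify for one VM, since the portal accepts
# a single port per check. Assumed names: resource group "rg-app",
# VM "vm-web-01" with private IP 10.0.0.4, web server 203.0.113.10.
set -eu

# Ask Network Watcher about one packet; prints "ACCESS<TAB>RULE" on stdout.
# `az network watcher test-ip-flow` is the real Azure CLI command.
ip_flow_check() {
    rg=$1; vm=$2; direction=$3; local_ep=$4; remote_ep=$5
    az network watcher test-ip-flow \
        --resource-group "$rg" --vm "$vm" \
        --direction "$direction" --protocol TCP \
        --local "$local_ep" --remote "$remote_ep" \
        --query '[access, ruleName]' -o tsv
}

# Sweep a space-separated list of remote ports. Prints "PORT ACCESS RULE"
# per port and returns 0 only if every port is allowed. The local port
# (60000) is an arbitrary ephemeral port; for Outbound it has no effect on
# the verdict.
ip_flow_sweep() {
    rg=$1; vm=$2; direction=$3; local_ip=$4; remote_ip=$5; ports=$6
    rc=0
    for p in $ports; do
        result=$(ip_flow_check "$rg" "$vm" "$direction" \
                               "$local_ip:60000" "$remote_ip:$p")
        access=$(printf '%s\n' "$result" | cut -f1)
        rule=$(printf '%s\n' "$result" | cut -f2)
        printf '%s %s %s\n' "$p" "$access" "$rule"
        [ "$access" = "Allow" ] || rc=1
    done
    return $rc
}

# Full run against Azure; only executed when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then
    ip_flow_sweep rg-app vm-web-01 Outbound 10.0.0.4 203.0.113.10 \
        "22 80 443 3389"
fi
```

The rule name in the third column is the NSG rule that produced the verdict, so a Deny row tells you immediately which rule to look at, and the non-zero exit status makes the sweep usable as a gate in a deployment pipeline.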
Next Hop
If you have used ExpressRoute, VPN gateways, VNet peering and/or user-defined routing, you know how important it is to know the next hop address. Azure maintains system routes together with the user-defined, ExpressRoute and peering routes that decide where the next hop for a packet should be. When routing misbehaves, a tool that reports the next hop Azure actually chose is invaluable.
In this example, I have
- Virtual Machine 1 – US Region
- Virtual Machine 2 – Europe Region
- Connected the two virtual networks using Global VNet Peering (see the separate post on Global VNet peering)
Now when we fill in the source VM, source IP and destination IP and click Next Hop, the result reports the next hop type and address; here the next hop shown is System Route.
Security Group View
Network security groups can be associated with subnets and with a VM's network interfaces. An NSG on a subnet applies to every VM in that subnet, so a packet may be evaluated by both a subnet NSG and a NIC NSG, and either can allow or block it.
Security Group View shows the NSGs applied to a particular network interface and the effective security rules that result from combining them.
Packet Capture
Packet Capture records network traffic on a VM, much as Wireshark (formerly Ethereal) does. Capture only when you need to, and bound each capture with a time limit, a size limit or a filter; otherwise the capture file can grow very large on a busy VM.
As noted above, packet capture requires the Network Watcher agent. Let us install it on one of the VMs: in the Azure Portal open the VM, select Extensions, then Add, and choose Network Watcher Agent for Windows (there is a Linux agent as well).
Once installed, the agent appears in the VM's list of extensions.
With the agent in place, go to Network Watcher, select Packet capture and add a packet capture, choosing the target VM, where to store the file (a storage account, a path on the VM, or both), and any filters and limits.
Once set up correctly, the capture shows as Running while it collects traffic.
Note that the capture file is only written once the capture stops, either because you stop it or because it reaches its time or size limit.
After it has stopped, open the storage account's blob containers to find the capture file, which you can open in Wireshark.
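The same lifecycle driven from the Azure CLI, as an added example and not code from the original post: install the agent extension, start a capture filtered to one web server on port 80 and capped at five minutes and 100 MB so it cannot balloon, stop it once the problem has been reproduced, wait for the Stopped status, and download the resulting .cap from the storage account. The resource group rg-app, VM vm-web-01 in eastus, storage account stnwlogs, capture name cap-web-80 and web server 203.0.113.10 are assumed names; downloading assumes you have access to the storage account. All `az` commands used are real Azure CLI commands.

```shell
#!/bin/sh
# Added example (not from the original post): drive the Network Watcher
# packet capture lifecycle from the Azure CLI instead of the portal.
# Assumed names: resource group "rg-app", VM "vm-web-01" in "eastus",
# storage account "stnwlogs", capture "cap-web-80", web server 203.0.113.10.
set -eu

# 1. Install the Network Watcher agent extension (Windows; use the
#    NetworkWatcherAgentLinux extension name on Linux VMs).
install_agent() {
    rg=$1; vm=$2
    az vm extension set --resource-group "$rg" --vm-name "$vm" \
        --publisher Microsoft.Azure.NetworkWatcher \
        --name NetworkWatcherAgentWindows --version 1.4
}

# 2. Start a capture limited to TCP traffic to one web server on port 80,
#    capped at 300 seconds and 100 MB so it stops on its own if forgotten.
start_capture() {
    rg=$1; vm=$2; cap=$3; storage=$4; remote_ip=$5
    az network watcher packet-capture create \
        --resource-group "$rg" --vm "$vm" --name "$cap" \
        --storage-account "$storage" \
        --time-limit 300 --capture-limit 104857600 \
        --filters "[{\"protocol\":\"TCP\",\"remoteIPAddress\":\"$remote_ip\",\"remotePort\":\"80\"}]"
}

# 3. Stop the capture early; the .cap is only written once the capture stops.
stop_capture() {
    cap=$1; location=$2
    az network watcher packet-capture stop --name "$cap" --location "$location"
}

# Poll the capture status until it is no longer running; print the final status.
wait_until_stopped() {
    cap=$1; location=$2
    while :; do
        status=$(az network watcher packet-capture show-status \
            --name "$cap" --location "$location" \
            --query packetCaptureStatus -o tsv)
        case $status in
            Running|NotStarted) sleep 10 ;;
            *) printf '%s\n' "$status"; return 0 ;;
        esac
    done
}

# Split the storagePath URL reported by `packet-capture show`
# (https://<account>.blob.core.windows.net/<container>/<blob path>) into the
# container and blob name that `az storage blob download` needs.
capture_blob_parts() {
    path=${1#https://*/}      # drop scheme and host
    printf '%s %s\n' "${path%%/*}" "${path#*/}"
}

# 4. Download the finished .cap into the current directory; print its name.
download_capture() {
    cap=$1; location=$2; storage=$3
    url=$(az network watcher packet-capture show --name "$cap" \
        --location "$location" --query storageLocation.storagePath -o tsv)
    set -- $(capture_blob_parts "$url")
    az storage blob download --account-name "$storage" \
        --container-name "$1" --name "$2" --file "./$cap.cap" >/dev/null
    printf '%s\n' "./$cap.cap"
}

# Full run against Azure; only executed when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then
    install_agent rg-app vm-web-01
    start_capture rg-app vm-web-01 cap-web-80 stnwlogs 203.0.113.10
    sleep 120                      # reproduce the problem while capturing
    stop_capture cap-web-80 eastus
    wait_until_stopped cap-web-80 eastus
    download_capture cap-web-80 eastus stnwlogs
fi
```

The filter and the two limits are the practical answer to the size warning above: a capture scoped to one peer and one port stays small enough to pull down and open in Wireshark immediately, and the time limit guarantees it stops even if the script is interrupted before `stop_capture` runs.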