This chapter focuses on monitoring and troubleshooting network connectivity. We are going to focus on how you can monitor your virtual networks using Network Watcher. You will learn how to manage your virtual network connectivity and how to monitor and troubleshoot on-premises connectivity with Network Watcher. We will end this chapter by covering how to troubleshoot external networking.
In this chapter, we are going to cover the following main topics:
To follow along with the hands-on material, you will need the following:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
You can also run the following:
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
Azure Network Watcher is a network monitoring solution that provides tools to diagnose, monitor, and view metrics and logging for resources in an Azure virtual network. This includes application gateway traffic, load balancers, and ExpressRoute circuits.
Azure Network Watcher offers the following capabilities:
Network Watcher will be automatically enabled when a new virtual network is created or updated. There is no extra charge for enabling Network Watcher inside a subscription.
Top Tip
To make use of Network Watcher, you will require the appropriate role-based access control (RBAC) role permissions, such as Contributor, Owner, or Network Contributor.
Monitoring provides several tools that are useful for monitoring your network traffic and for gaining visibility into your Azure Virtual Network (VNet) resources and how they communicate with each other. The following figure depicts the tools available under the Monitoring context in the Network Watcher blade:
We describe each of these tools in more detail in the following subsections.
The Topology tool enables you to visually understand the interconnections between resources and how they are configured to communicate with each other within a VNet. This can be a great high-level overview of the VNet you are working with.
This is a cloud-based hybrid network monitoring solution that can monitor the communication between virtual machines (VMs) and endpoints. An endpoint can be another VM, a URL, an IPv4 or IPv6 address, or a fully qualified domain name (FQDN). The network communication is monitored at regular intervals and information about latency, network topology changes, and the reachability between a VM and the endpoint is collected. If an endpoint becomes unreachable, Network Watcher will inform the user about the error. The reason for this can be a problem with the memory or CPU of a VM, a security rule for the VM, or the hop type of a custom route.
Network Performance Monitor (NPM) is a hybrid network monitoring solution. It can monitor network connectivity for on-premises and cloud networks, and between various points in your network infrastructure. It can detect issues such as routing errors and blackholing. The monitoring solution is stored inside Azure Log Analytics.
NPM can create alerts and notifications when network performance errors appear, and it can localize the source of the problem to a specific network device or segment.
It offers the following capabilities:
Latency problems are also monitored. The connection monitor will provide the average, minimum, and maximum latency observed over time. The monitoring solution is capable of monitoring network performance between various points in the network infrastructure and it can generate alerts and notifications.
As of July 1, 2021, NPM is considered a legacy service: you can no longer add new tests to an existing workspace, nor create new workspaces in NPM. You should use Azure Connection Monitor instead and are advised to migrate any tests you had configured in NPM to Azure Connection Monitor.
There are several network diagnostic tools presented to you in Network Watcher. You can, for instance, diagnose network traffic filtering for VMs, determine the next hop of your traffic on route to an intended destination, or even identify why a VM is unable to communicate with other resources because of a security rule.
Using Azure Network Watcher, you can diagnose outbound connections from a VM. You can also diagnose problems with an Azure VNet gateway and connections, capture packets to and from a VM, view security rules for a network interface, and determine relative latencies between Azure regions and internet service providers.
The following tools are available as presented in the following screenshot:
Let's look at them in more detail.
IP flow verify tests a specific flow and tells you whether the connection would succeed or fail. It is used to assess traffic to and from the internet and on-premises environments, and it reports which security rule allowed or denied the flow. To use IP flow verify, you specify a source (local) and destination (remote) IPv4 address and port, together with the packet's protocol, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), and the direction of the flow (Inbound or Outbound):
This tool shows the net effect of the network security group (NSG) rules that apply to a flow and identifies every NSG that is evaluated. The output gives the resulting allow or deny status for the specified flow. To run NSG diagnostic, you again specify a source and a destination. The source can be an IPv4 address, a Classless Inter-Domain Routing (CIDR) range, or a service tag, whereas the destination must be an IP address. You also choose the destination port, the protocol (TCP, UDP, Internet Control Message Protocol (ICMP), or All), and the direction. The diagnostic supports VMs, network interfaces, VM scale set network interfaces, and application gateways.
Network Watcher can also diagnose network routing problems from a VM. When a VNet is created, there are several default outbound routes created for that VNet as well. Outbound traffic from all resources that are deployed in a VNet is routed based on Azure's default routes. In cases where you want to override the default routing rules or create additional rules, Next hop can be used to test the communication between the different routes. When the communication fails, you can then change, add, or remove a route to resolve the problem.
This is used to determine the overall effective security rules applied to your VM and will combine all relevant NSG rules together to display the net rule effect. This can be extremely helpful when assessing why your traffic is blocked and where you have several NSGs.
This is used when there are issues between your VNet gateways and connection endpoints that require troubleshooting. Multiple gateways and connections can be troubleshot at the same time.
The packet capture feature in Network Watcher allows you to capture packets for traffic to and from your VM, both inbound and outbound. The capture gives you more visibility into your network traffic and supports uses such as intrusion detection, network statistics, and the analysis of other network-related communication. It is enabled as a VM extension, which relieves you of running your own packet capture utility inside the VM to achieve the same results.
This tool enables you to assess TCP connections between a VM and either a VM, URI, IPv4 address, or even FQDN. The aim of the tool is to reduce the time required in identifying connectivity issues and assist with determining the root cause.
The Metrics category primarily contains usage and quota data as per the following category:
This pane provides an easy mechanism to gain visibility of your usage against each quota, as well as providing the ability to request a quota increase for additional consumption of services:
Next, we will explore what logs are and the types of logs we can collect.
Logs provide several logging tools that are useful for investigating usage and troubleshooting. These logs can be analyzed using several tools, such as the Traffic Analytics feature and Power BI:
Next, we will explore the various log types found in the service.
NSGs are responsible for allowing or denying inbound and outbound traffic to and from a VM's network interface. The NSG flow logs feature can log the port, the protocol, whether the traffic was allowed or denied, and the source and destination IP addresses. The NSG flow logs pane is where you configure the logging of your flows.
This pane allows you to configure the diagnostic logging settings for your resources; it will record NSG events and rule counts as NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter. The logs can be stored in a variety of locations such as Log Analytics, Event Hubs, or an Azure storage account.
Traffic Analytics can provide rich visualization of the data that is written to the NSG flow logs.
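Before the data reaches Traffic Analytics you can read the flow logs directly. The following added example (not from the book) parses a constructed NSG flow log record in format version 2 and summarises denied inbound flows; the resource names and IP addresses in the sample are made up.

```powershell
# Added example (not from the book): read an NSG flow log (format version 2)
# and summarise denied inbound flows, the first thing to check when IP flow
# verify reports a packet as blocked and you want to know how often it happens.
# The $sample JSON is constructed here; real records come from the
# insights-logs-networksecuritygroupflowevent container in the storage account.
$sample = @'
{ "records": [ { "time": "2021-07-01T10:00:00.0000000Z", "category": "NetworkSecurityGroupFlowEvent",
  "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NETWORKWATCHER1-NSG",
  "properties": { "Version": 2, "flows": [
    { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF87856", "flowTuples": [
        "1625133600,203.0.113.7,10.0.0.4,51234,3389,T,I,D,B,,,,",
        "1625133605,203.0.113.7,10.0.0.4,51235,22,T,I,D,B,,,,",
        "1625133607,203.0.113.7,10.0.0.4,51236,3389,T,I,D,B,,,,",
        "1625133610,198.51.100.23,10.0.0.4,40000,3389,T,I,D,B,,,," ] } ] },
    { "rule": "UserRule_allow-rdp", "flows": [ { "mac": "000D3AF87856", "flowTuples": [
        "1625133620,10.0.0.5,10.0.0.4,49152,3389,T,I,A,B,,,,",
        "1625133650,10.0.0.5,10.0.0.4,49152,3389,T,I,A,E,12,1840,10,2260" ] } ] } ] } } ] }
'@

# Field order of a v2 tuple: time, srcIp, dstIp, srcPort, dstPort, protocol (T/U),
# direction (I/O), decision (A/D), flowState (B/C/E), then packets/bytes each way.
function ConvertFrom-FlowTuple {
    param([string]$Rule, [string]$Tuple)
    $f = $Tuple -split ','
    [pscustomobject]@{
        Time      = [DateTimeOffset]::FromUnixTimeSeconds([long]$f[0]).UtcDateTime
        Rule      = $Rule
        SrcIp     = $f[1]; DstIp = $f[2]; SrcPort = [int]$f[3]; DstPort = [int]$f[4]
        Protocol  = if ($f[5] -eq 'T') { 'TCP' } else { 'UDP' }
        Direction = if ($f[6] -eq 'I') { 'Inbound' } else { 'Outbound' }
        Decision  = if ($f[7] -eq 'A') { 'Allow' } else { 'Deny' }
    }
}

$flows = foreach ($record in ($sample | ConvertFrom-Json).records) {
    foreach ($ruleBlock in $record.properties.flows) {
        foreach ($flow in $ruleBlock.flows) {
            foreach ($tuple in $flow.flowTuples) { ConvertFrom-FlowTuple -Rule $ruleBlock.rule -Tuple $tuple }
        }
    }
}

# Denied inbound flows grouped by source and destination port: repeated denies
# from one source against management ports are what to look at first.
$flows | Where-Object { $_.Direction -eq 'Inbound' -and $_.Decision -eq 'Deny' } |
    Group-Object SrcIp, DstPort |
    Select-Object @{n='SrcIp';e={$_.Group[0].SrcIp}}, @{n='DstPort';e={$_.Group[0].DstPort}},
                  Count, @{n='Rule';e={$_.Group[0].Rule}} |
    Sort-Object Count -Descending | Format-Table -AutoSize
```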
Top Tip
Network Watcher is a regional service, which means that you need to deploy it for each region that you require the service.
In the sections that follow, we are going to see Network Watcher in action.
Now that you understand what Network Watcher is, we will explore in the following sections how to configure and use the various components available to the service.
In this demonstration, we are going to monitor the network on VMs. For this demonstration, create three Windows Server 2016 Datacenter VMs inside one VNet; we can use these VMs for monitoring. Before we can monitor the network, we need to install the Network Watcher agent on the three VMs. After that, we are going to inspect the network traffic.
You will set up three VMs labeled networkwatcher1, networkwatcher2, and networkwatcher3. To install the Network Watcher agent on a VM in Azure, take the following steps:
Now that Network Watcher Agent for Windows is installed on all the VMs, we can enable it for a specific region.
To enable Network Watcher in a specific region, take the following steps:
Top Tip
Note that upon deploying your first VNet in an Azure region, Azure will automatically create the associated NetworkWatcher_<region> resource.
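The same two preparation steps, installing the agent on the three VMs and making sure the regional Network Watcher resource exists, can be done from the Az module. This is an added example, not the book's own steps; the resource group name NetworkWatcherRG and the region westeurope are assumptions.

```powershell
# Added example (not from the book): install the Network Watcher agent on the
# three demo VMs and make sure the regional Network Watcher resource exists.
# Assumed names: resource group 'NetworkWatcherRG', VMs networkwatcher1..3,
# region westeurope.
$rg       = 'NetworkWatcherRG'   # assumption
$location = 'westeurope'         # assumption
$vmNames  = 'networkwatcher1', 'networkwatcher2', 'networkwatcher3'

foreach ($vmName in $vmNames) {
    # The AzureNetworkWatcherExtension is what Connection Monitor, connection
    # troubleshoot and packet capture rely on inside the guest.
    Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName `
        -Name 'AzureNetworkWatcherExtension' `
        -Publisher 'Microsoft.Azure.NetworkWatcher' `
        -ExtensionType 'NetworkWatcherAgentWindows' `
        -TypeHandlerVersion '1.4' -Location $location
}

# Network Watcher is regional: one NetworkWatcher_<region> per region you use.
# Azure normally creates it with your first VNet; create it only if missing.
$nw = Get-AzNetworkWatcher -Location $location -ErrorAction SilentlyContinue
if (-not $nw) {
    $nw = New-AzNetworkWatcher -Name "NetworkWatcher_$location" `
        -ResourceGroupName 'NetworkWatcherRG' -Location $location
}
$nw | Select-Object Name, Location, ProvisioningState
```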
Now that Network Watcher is enabled, we can actually start monitoring the network resources.
Network monitoring can be used for monitoring connection reachability, latency, and network topology changes. To do this, you need to set up a Connection Monitor instance.
Take the following steps to set this up:
We are now able to monitor the network connectivity. In the next section, we are going to look at how to manage the connectivity.
As you are now aware, you can manage your VNet connectivity from the Azure portal. In the upcoming section, we are going to look at the possibilities that the Azure portal has to offer to manage the VNet connectivity.
The network topology section in the Azure portal displays an overview of the VNets inside an Azure subscription and a resource group. To view the network topology section, you have to take the following steps:
Top Tip
Note that if you are not able to find your resource group in Topology under Network Watcher, you can also view the topology by navigating to your VNet and selecting Diagram under the Monitoring context.
Besides monitoring the networks in Azure, you can also monitor the on-premises connectivity. We are going to look at this in the next section.
You can monitor your on-premises connectivity using Network Watcher as well. It offers two different features for this, NPM and VPN troubleshoot, which, just like the other features, are accessible from the Azure portal.
You can use the next hop feature to specify a source and destination IPv4 address. The communication between these addresses is then tested, and you will get informed about what type of next hop is used to route the traffic. When you experience a routing error or problem, you can add, change, or remove a route to resolve this.
Top Tip
If you don't see your resource group as one of the options in the drop-down selection, give it a few minutes and it should show up as an option. Another option you can try is to trigger a change on your VM such as changing the size.
To see this in action, you need to take the following steps:
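The next hop check can also be scripted, which is handy when you want to test several destinations from one VM at once. The following is an added example, not from the book; it assumes resource group NetworkWatcherRG, region westeurope, a source VM networkwatcher1 with private IP 10.0.0.4, and constructed destination addresses.

```powershell
# Added example (not from the book): run Next hop from networkwatcher1 to a few
# destinations and flag any hop type that means the traffic is being dropped.
# Assumed: resource group 'NetworkWatcherRG', region westeurope, source private
# IP 10.0.0.4; destination addresses below are constructed.
$rg = 'NetworkWatcherRG'
$nw = Get-AzNetworkWatcher -Location 'westeurope'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'networkwatcher1'

$destinations = [ordered]@{
    'peer VM (same VNet)'      = '10.0.0.5'
    'on-premises host'         = '192.168.1.10'
    'internet (TEST-NET-3)'    = '203.0.113.10'
}

foreach ($label in $destinations.Keys) {
    $hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw `
        -TargetVirtualMachineId $vm.Id `
        -SourceIPAddress '10.0.0.4' `
        -DestinationIPAddress $destinations[$label]

    # RouteTableId is 'System Route' for Azure default routes, otherwise the
    # resource ID of the user-defined route table whose route matched.
    $via = if ($hop.RouteTableId -eq 'System Route') { 'system route' }
           else { 'UDR ' + ($hop.RouteTableId -split '/')[-1] }

    # NextHopType 'None' means the matching route black-holes the traffic;
    # that is a routing problem to fix, not a problem at the destination.
    $status = if ($hop.NextHopType -eq 'None') { 'DROPPED' } else { 'ok' }

    "{0,-22} -> {1,-15} {2,-18} {3,-16} via {4} [{5}]" -f $label, $destinations[$label],
        $hop.NextHopType, $hop.NextHopIpAddress, $via, $status
}
```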
You have just evaluated the next hop within the Azure network fabric and understand how your traffic will flow. You now know how to identify whether your traffic is flowing along the intended path to the destination. This tool will help you identify potential initial network flow issues in the future and save you time. In the next section, we are going to look at how to troubleshoot a VPN connection.
For the VPN troubleshoot demonstration, we are going to use the VPN connection that we created in the previous chapter.
You can diagnose the VPN connection by taking the following steps:
Should you have an issue, you can click on the Action tab to see the recommendations:
You can manage external networking using Azure Network Watcher as well. We will cover this in the upcoming section.
Azure Network Watcher offers three features to monitor and troubleshoot external networking. The features are IP flow verify, Effective security rules, and Connection troubleshoot, which are going to be covered in the next sections.
With IP flow verify, you can detect whether a packet is allowed or denied to or from a network interface of a VM. The information you supply includes the protocol, the local and remote IP addresses, the direction, and the local and remote ports. When a packet is denied, the name of the security rule that denies the packet is returned. You can use this to diagnose connectivity issues to or from the on-premises environment and to and from the internet. You can choose essentially any source or destination IP address to verify connectivity.
To run IP flow verify, you need to enable an instance of Network Watcher in the region where you plan to run the tool. This is similar to the demonstration covered in the Enabling Network Watcher section that appeared earlier in this chapter, where we enabled Network Watcher for a particular region.
In this demonstration, we are going to use IP flow verify to test the connection between two of the VMs that we created in the first demonstration. To use IP flow verify, perform the following steps:
We've looked at how to use IP flow verify to test the connection between two of the VMs. In the next part, we are going to look at effective security rules.
The effective security rules feature displays all the security rules that are applied to the network interface and to the subnet in which the network interface sits, and aggregates the two. This gives you a complete overview of all the rules that apply to a network interface, along with the ability to change, add, or remove rules. You need to select the right subscription, resource group, and VM to get an overview of the applied security rules, as shown in the following screenshot:
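IP flow verify and effective security rules are usually used together: the first names the rule that decided a flow, the second shows which NSG that rule lives in. The following added example (not from the book) runs both from PowerShell for the two demo VMs; the resource group NetworkWatcherRG, region westeurope, and private IPs 10.0.0.4 and 10.0.0.5 are assumptions.

```powershell
# Added example (not from the book): answer "is this packet allowed, and by
# which rule?" for networkwatcher1 -> networkwatcher2 on RDP, then list the
# effective rules so the rule name can be traced back to its NSG.
# Assumed: resource group 'NetworkWatcherRG', region westeurope, private IPs
# 10.0.0.4 (networkwatcher1) and 10.0.0.5 (networkwatcher2). Both VMs must be running.
$rg = 'NetworkWatcherRG'
$nw = Get-AzNetworkWatcher -Location 'westeurope'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'networkwatcher1'

# Outbound from networkwatcher1 (local) to networkwatcher2 (remote), TCP 3389.
$result = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw `
    -TargetVirtualMachineId $vm.Id -Direction Outbound -Protocol TCP `
    -LocalIPAddress '10.0.0.4' -LocalPort '49152' `
    -RemoteIPAddress '10.0.0.5' -RemotePort '3389'

# Access is Allow or Deny; RuleName is the NSG rule that decided it, which may
# be a default rule such as AllowVnetOutBound or a custom deny rule.
"{0} by rule {1}" -f $result.Access, $result.RuleName

# Effective security rules: every rule from the NIC's NSG and the subnet's NSG,
# with priority, so you can see which NSG the deciding rule belongs to.
$nicName = ($vm.NetworkProfile.NetworkInterfaces[0].Id -split '/')[-1]
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    ForEach-Object {
        $nsgName = ($_.NetworkSecurityGroup.Id -split '/')[-1]
        $_.EffectiveSecurityRules |
            Where-Object { $_.Name -like "*$($result.RuleName)*" -or $_.Access -eq 'Deny' } |
            Select-Object @{n='Nsg';e={$nsgName}}, Name, Priority, Direction, Access,
                DestinationPortRange, SourceAddressPrefix
    } | Sort-Object Direction, Priority | Format-Table -AutoSize
```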
We've now seen an overview of the security rules that are applied to the network interface. In the next section, we are going to cover connection troubleshoot.
Azure Network Watcher connection troubleshoot enables you to troubleshoot network performance and connectivity issues in Azure. It provides visualization of the hop-by-hop path from source to destination, identifying issues that can potentially impact your network performance and connectivity.
Azure Network Watcher connection troubleshoot provides the following features and insights:
Top Tip
Connection troubleshoot requires that the source VM has the AzureNetworkWatcherExtension VM extension installed. For installing the extension on a Windows VM, you can refer to https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/network-watcher-windows?toc=/azure/network-watcher/toc.json, and for a Linux VM, you can refer to https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/network-watcher-linux?toc=%2Fazure%2Fnetwork-watcher%2Ftoc.json.
To check network connectivity using connection troubleshoot, you have to take the following steps:
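The same check from PowerShell, once against a port the destination listens on and once against a port it does not, so that both a success and a failure result are seen. This is an added example, not from the book; it assumes resource group NetworkWatcherRG, region westeurope, and a destination VM networkwatcher2 with private IP 10.0.0.5.

```powershell
# Added example (not from the book): connection troubleshoot from networkwatcher1
# to networkwatcher2, once on RDP and once on a port nothing listens on, printing
# the hop-by-hop path and any issue Network Watcher attached to a hop.
# Assumed: resource group 'NetworkWatcherRG', region westeurope, destination
# private IP 10.0.0.5. The source VM needs the AzureNetworkWatcherExtension.
$rg  = 'NetworkWatcherRG'
$nw  = Get-AzNetworkWatcher -Location 'westeurope'
$src = Get-AzVM -ResourceGroupName $rg -Name 'networkwatcher1'

foreach ($port in 3389, 9999) {
    $r = Test-AzNetworkWatcherConnectivity -NetworkWatcher $nw -SourceId $src.Id `
            -DestinationAddress '10.0.0.5' -DestinationPort $port

    # ConnectionStatus is Reachable or Unreachable; probe counts and latency
    # distinguish "blocked" from "slow".
    "TCP/{0}: {1}, {2}/{3} probes failed, avg latency {4} ms" -f $port,
        $r.ConnectionStatus, $r.ProbesFailed, $r.ProbesSent, $r.AvgLatencyInMs

    foreach ($hop in $r.Hops) {
        "  {0,-22} {1,-15} {2}" -f $hop.Type, $hop.Address, ($hop.ResourceId -split '/')[-1]
        foreach ($issue in $hop.Issues) {
            # Issue types include NetworkSecurityRule, UserDefinedRoute, GuestFirewall,
            # DnsResolution, PortThrottled and AgentStopped; Origin says on which
            # side (Local, Inbound, Outbound) the hop saw the problem.
            "    issue: {0} ({1}, origin {2})" -f $issue.Type, $issue.Severity, $issue.Origin
        }
    }
}
```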
We have now checked an outbound connection from a VM using connection troubleshoot and seen both a success and failure message from the system.
In this chapter, we covered the fifth part of the Configuring and Managing Virtual Networking objective by covering how to monitor and troubleshoot your network traffic in Azure Network Watcher. We also covered how to monitor and troubleshoot on-premises and external network connectivity using Network Watcher. You should now feel confident in not only implementing network infrastructure components within Azure but also in the monitoring and management of those services. You should be comfortable in distinguishing the difference between the various services available in Azure, and comfortable in identifying which tools you should use to troubleshoot issues on your networks using Network Watcher.
In the next chapter, we will cover some labs, and you will get to test some of your new-found skills and become more confident in working with networks in Azure.