Network Watcher - jasper-zanjani/azure GitHub Wiki

Notes

Network Watcher appears like a normal resource in a resource group, but it is deployed as a single instance per Azure region.

Network Watcher monitoring and diagnostic tools:

  • IP Flow Verify
  • Next Hop
  • Packet Captures link a Network Watcher resource, a target VM, a storage account, and a filter that specifies the characteristics of network traffic (source and destination IP addresses and ports as well as protocol) to capture, as well as a time limit.
  • Network Topology

Tasks

VM extension

Set-AzVMExtension -ResourceGroupName ExamRefRG -Location "West Europe" -VMName VM1 -Name networkWatcherAgent -Publisher Microsoft.Azure.NetworkWatcher -Type NetworkWatcherAgentWindows -TypeHandlerVersion 1.4
az vm extension set --vm-name VM1 --resource-group ExamRefRG --publisher Microsoft.Azure.NetworkWatcher --version 1.4 --name NetworkWatcherAgentWindows --extension-instance-name NetworkWatcherAgent

Packet Capture

Get the Network Watcher resource

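# Where-Object needs a script block to combine two conditions with -and
$nw = Get-AzResource | Where-Object { $_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq "WestEurope" }
$networkWatcher = Get-AzNetworkWatcher -Name $nw.Name -ResourceGroupName $nw.ResourceGroupName
# Placeholder name: real storage account names allow only lowercase letters and digits (3-24 characters)
$storageAccount = Get-AzStorageAccount -Name examref-storage -ResourceGroupName ExamRefRG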

$filter1 = New-AzPacketCaptureFilterConfig -Protocol TCP -RemoteIPAddress "1.1.1.1-255.255.255.255" -LocalIPAddress "10.0.0.3" -LocalPort "1-65535" -RemotePort "20;80;443"
$filter2 = New-AzPacketCaptureFilterConfig -Protocol UDP
$vm = Get-AzVM -Name VM1 -ResourceGroupName ExamRefRG

New-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -TargetVirtualMachineId $vm.Id -PacketCaptureName "PacketCaptureTest" -StorageAccountId $storageAccount.id -TimeLimitInSeconds 60 -Filter $filter1, $filter2

Start packet capture

filter='[ { "protocol": "TCP", "remoteIPAddress": "1.1.1.1-255.255.255.255", "localIPAddress":"10.0.0.3", "remotePort":"20" } ]'
# Quote the variable so the shell passes the JSON as a single argument
az network watcher packet-capture create --name PacketCaptureTest2 --resource-group ExamRefRG --vm VM1 --time-limit 300 --storage-account examref-storage --filters "$filter"

Check status

Get-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName "PacketCaptureTest"
az network watcher packet-capture show-status --name PacketCaptureTest --location WestEurope

Stop packet capture

Stop-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName "PacketCaptureTest"
az network watcher packet-capture stop --name PacketCaptureTest --location WestEurope

IP Flow Verify

Tests outbound connectivity from a source VM and port to a destination. If any configured filtering rule blocks traffic between the endpoints, IP Flow Verify returns the name of the offending NSG.

Test-AzNetworkWatcherIPFlow
az network watcher test-ip-flow
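
An added example (not from the original wiki) that uses Test-AzNetworkWatcherIPFlow to audit a VM against a list of expected verdicts, going beyond the outbound case above by also checking inbound flows. VM1, ExamRefRG, WestEurope and 10.0.0.3 are reused from this page; the remote address 203.0.113.10 (a documentation range) and the expected verdicts are constructed assumptions.

```powershell
# Locate the regional Network Watcher and the target VM (names reused from this page)
$r  = Get-AzResource | Where-Object { $_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq "WestEurope" }
$nw = Get-AzNetworkWatcher -Name $r.Name -ResourceGroupName $r.ResourceGroupName
$vm = Get-AzVM -Name VM1 -ResourceGroupName ExamRefRG

# Constructed policy: the verdict we expect the effective NSG rules to give each flow
$checks = @(
    @{ Direction = "Inbound";  LocalPort = "22";    RemotePort = "50000"; Expect = "Deny"  }
    @{ Direction = "Inbound";  LocalPort = "3389";  RemotePort = "50000"; Expect = "Deny"  }
    @{ Direction = "Outbound"; LocalPort = "50000"; RemotePort = "443";   Expect = "Allow" }
)

$results = foreach ($c in $checks) {
    # Each call evaluates one 5-tuple against the NSG rules applied to the VM
    $flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
        -Direction $c.Direction -Protocol TCP `
        -LocalIPAddress "10.0.0.3" -LocalPort $c.LocalPort `
        -RemoteIPAddress "203.0.113.10" -RemotePort $c.RemotePort

    [pscustomobject]@{
        Direction  = $c.Direction
        LocalPort  = $c.LocalPort
        RemotePort = $c.RemotePort
        Expected   = $c.Expect
        Actual     = $flow.Access      # "Allow" or "Deny"
        RuleName   = $flow.RuleName    # the rule that decided the flow
        Ok         = ($flow.Access -eq $c.Expect)
    }
}

$results | Format-Table -AutoSize

# Flag any flow whose verdict differs from the expected one
if ($results.Ok -contains $false) {
    Write-Warning "One or more flows did not match the expected NSG verdict; review the RuleName column."
}
```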

Next Hop

Get-AzNetworkWatcherNextHop
az network watcher show-next-hop

Use Network Topology

Get-AzNetworkWatcherTopology
az network watcher show-topology

Capture SFTP traffic

$r = Get-AzResource | Where-Object { $_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq "EastUS" }
$nw = Get-AzNetworkWatcher -Name $r.Name -ResourceGroupName $r.ResourceGroupName
$s = Get-AzStorageAccount -ResourceGroupName "Diagnostics-RG" -Name "Diagnostics-Storage"
$filter = New-AzPacketCaptureFilterConfig -Protocol TCP -RemoteIPAddress "1.1.1.1-255.255.255.255" -LocalIPAddress "10.0.0.4" -LocalPort "1-65535" -RemotePort "22"

# $vm must already hold the target VM object returned by Get-AzVM
New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id -PacketCaptureName "Capture SFTP traffic" -StorageAccountId $s.Id -TimeLimitInSeconds 60 -Filter $filter