Azure Network Watcher and Packet-Level Analyses

Azure Network Watcher is a monitoring and diagnostics service for Azure networks that provides deep visibility into network traffic and helps troubleshoot connectivity issues, down to the packet level. It offers a suite of tools ranging from topology views of your virtual network to specific IP flow verifications and next-hop analyses. One of its standout capabilities is Packet Capture, which allows you to capture network traffic to and from a virtual machine at the packet level for analysis.

With Packet Capture, you can remotely configure a VM to start capturing packets based on certain criteria and then analyze those packets using familiar tools. For example, if you suspect an application is not receiving data or a certain protocol handshake is failing, you can initiate a packet capture on the VM that runs the application. You can specify filters (e.g., capture only traffic on port 443 to a certain IP) and limits (such as capture duration or file size limits). The Network Watcher agent on the VM will then collect packets that match those filters. These captured packets can be saved either to the VM’s disk or directly to an Azure Storage blob, typically as a .pcap file. After the capture, you can download the .pcap and open it in a protocol analyzer like Wireshark to perform deep inspection of the traffic – examining headers, payloads, and TCP/IP flags just as you would on-premises in a network sniffer.

This is extremely powerful for cloud troubleshooting because it brings packet-level diagnostics to environments where you don’t have direct access to the underlying network devices. For instance, if two Azure VMs can’t communicate, then beyond checking NSGs (firewall rules) you might capture packets to see whether SYN packets are sent and whether any response comes back, or to inspect whether there’s an application-layer error. Azure Network Watcher’s Packet Capture effectively gives you visibility similar to plugging into a mirror port on a physical switch, but inside Azure’s virtual network.

Network Watcher also provides many other diagnostics:

– IP Flow Verify: This tool checks whether traffic from a VM to a given destination (or vice versa) would be allowed or denied by the Network Security Groups (NSGs), and tells you which NSG rule is responsible for the decision. For example, you might ask “Would VM X be able to reach IP Y on port 22?” and IP Flow Verify will answer “Denied by rule ‘Deny-SSH-Anywhere’ in NSG-XYZ” or “Allowed by rule default AllowInternetOut”. This quickly pinpoints firewall rule issues.

– Next Hop: This shows the next hop for traffic leaving a VM towards a destination – useful to verify that user-defined routes or Azure’s system routes are working as intended. If a VM can’t reach something, Next Hop can reveal, for instance, that it is incorrectly routing to an on-prem VPN when it should go to the internet.

– Security Group View (Effective Security Rules): This lists all NSG rules effectively applied to a VM’s NIC after considering every NSG in effect (NIC-level and subnet-level).

– Connection Troubleshoot: This performs a live test of connectivity between a source (such as a VM or App Service) and a destination (URI, FQDN, or IP) and reports on the path and where it might be failing. For instance, it can tell you whether a TCP handshake completed, timed out, or was refused, along with latency information – similar to an automated combination of ping, traceroute, and a port probe.

For packet-level analyses, aside from on-demand captures, Azure Network Watcher provides NSG Flow Logs. NSG Flow Logs record 5-tuple flow information through an NSG – i.e., for each allowed or denied flow, they log source IP, destination IP, source port, destination port, protocol, and bytes transferred (and whether the flow was allowed or blocked). These logs do not contain packet contents, but they are very useful for getting a broad view of traffic patterns: for example, you can see all flows hitting your web server and whether any were blocked by firewall rules. Flow logs can be sent to Azure Storage or Log Analytics and visualized using Traffic Analytics. Traffic Analytics is an Azure solution that takes NSG Flow Logs and presents insights such as which IPs are scanning you, traffic volume by geography, and the ports most hit, which is great for security analysis and capacity planning.

However, NSG flow logs are being succeeded by the newer Virtual Network Flow Logs, which offer more features, and Microsoft has noted that classic NSG flow logs will retire by 2027. The concept remains the same: a high-level log of flows rather than of packets.

When deeper inspection is needed (like payload analysis or troubleshooting a specific protocol nuance), you use Packet Capture. It’s worth noting that one can trigger packet captures proactively or via automation. Network Watcher allows you to set an alert such that, for instance, if a VM’s network traffic spikes or a specific alert triggers, a packet capture can automatically start (using Azure Event Grid or Automation runbooks). This is a clever strategy to catch intermittent issues: e.g., automatically capture packets when an intrusion detection alert fires, so you have packets around the time of the incident for forensic analysis.

Network Watcher is region-specific (you have a Network Watcher instance in each region by default), but accessed through a unified interface. Enabling Network Watcher is straightforward (Azure often enables it by default now). There is minimal performance overhead for packet captures as you typically filter and limit them.

Finally, all the diagnostics tie into Azure Monitor. Packet captures themselves aren’t directly streamed (you have to download them), but metrics and logs from Network Watcher can be integrated. For example, it emits metrics like number of bytes captured, and you can create alerts if too many captures are running, etc. NSG flow logs and other logs can be pushed to Log Analytics and from there to a SIEM like Microsoft Sentinel. In Sentinel, you could even use detection rules on flow logs (for example, alert if a VM that normally doesn’t get incoming traffic suddenly sees a lot of blocked incoming flows, which might indicate a scan or DDoS).
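As an added illustration (not code from the original page or from Microsoft), the following Python parses NSG flow log records in the version 2 tuple layout described above and implements the detection idea from the Sentinel paragraph: flag hosts that receive many blocked inbound flows. The records, IP addresses and rule names are constructed sample data; the resourceId is a placeholder.

```python
"""Parse NSG flow log (v2) records and flag hosts receiving many blocked inbound flows."""
from collections import defaultdict

# Constructed sample in the JSON shape an NSG flow log blob holds, trimmed to the fields
# used here. Each flow tuple is: time,srcIP,dstIP,srcPort,dstPort,proto(T/U),
# direction(I/O),decision(A/D),state(B/C/E),pktsS2D,bytesS2D,pktsD2S,bytesD2S.
SAMPLE_RECORDS = [
    {"resourceId": "<constructed-placeholder:NSG-WEB>",
     "properties": {"Version": 2, "flows": [
         {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1542110377,198.51.100.7,10.0.0.4,53001,22,T,I,D,B,,,,",
             "1542110378,198.51.100.7,10.0.0.4,53002,3389,T,I,D,B,,,,",
             "1542110379,198.51.100.7,10.0.0.4,53003,445,T,I,D,B,,,,",
             "1542110380,198.51.100.7,10.0.0.4,53004,8080,T,I,D,B,,,,"]}]},
         {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1542110381,203.0.113.9,10.0.0.4,44931,443,T,I,A,B,6,1200,4,900",
             "1542110382,10.0.0.4,10.0.1.5,50222,1433,T,O,A,B,3,300,3,300"]}]}]}},
]


def parse_flows(records):
    """Flatten flow log records into one dict per flow tuple."""
    for rec in records:
        for rule in rec["properties"]["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    yield {"rule": rule["rule"], "src": f[1], "dst": f[2],
                           "dport": int(f[4]), "proto": f[5],
                           "inbound": f[6] == "I", "denied": f[7] == "D"}


def blocked_inbound_hosts(records, min_flows=3):
    """Return {dst_ip: (denied_inbound_count, sorted distinct dst ports)} for hosts
    whose blocked inbound flow count reaches min_flows. Many distinct ports hit from
    one source is the pattern the text describes for a scan."""
    counts, ports = defaultdict(int), defaultdict(set)
    for flow in parse_flows(records):
        if flow["inbound"] and flow["denied"]:
            counts[flow["dst"]] += 1
            ports[flow["dst"]].add(flow["dport"])
    return {ip: (n, sorted(ports[ip])) for ip, n in counts.items() if n >= min_flows}


if __name__ == "__main__":
    for ip, (n, dports) in blocked_inbound_hosts(SAMPLE_RECORDS).items():
        print(f"{ip}: {n} blocked inbound flows on ports {dports}")
```

In practice the threshold would be derived from a per-VM baseline of normal inbound traffic, which is the “normally doesn’t get incoming traffic” condition in the text.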

In summary, Azure Network Watcher is an essential toolkit for Azure networking, offering everything from packet-level capture to high-level flow analytics. It helps cloud admins achieve a level of insight similar to on-premises network troubleshooting, which is critical for diagnosing complex network issues and performing detailed security analyses in Azure.
