To configure diagnostic capabilities such as IP Flow Verify, Next Hop, and Network Topology in Azure Network Watcher, you need to enable Network Watcher in the appropriate Azure region and ensure the necessary permissions are granted to run diagnostics on your network resources.
Here's a step-by-step guide on how to configure each of these diagnostic tools.
Enable Azure Network Watcher
Before configuring any diagnostics, you must ensure that Network Watcher is enabled in your Azure subscription and region.
If it’s not already enabled, follow these steps.
Enable Network Watcher
Log in to Azure Portal:
Navigate to Network Watcher:
In the search bar, type Network Watcher and select it.
Enable Network Watcher:
In the Network Watcher dashboard, check the Region where your resources (like VNets, VMs, etc.) are deployed.
If Network Watcher is not enabled in that region, you'll see an option to enable it. Click Enable to activate it for that region.
Configure IP Flow Verify
IP Flow Verify helps you simulate traffic and verify whether it is allowed or denied based on Network Security Group (NSG) and route table configurations.
Steps to Configure IP Flow Verify
1. Go to Azure Network Watcher
In the Azure portal, navigate to Network Watcher.
2. Select IP Flow Verify
In the Tools section of Network Watcher, select IP Flow Verify.
3. Provide Required Information
Subscription: Select the subscription where your resources are deployed.
Resource Group: Select the resource group.
Network Interface: Choose the network interface of the resource (such as a VM) you want to test traffic from.
Source IP Address: Specify the source IP address (e.g., the VM's IP address or the starting point of traffic).
Destination IP Address: Specify the destination IP address (e.g., a VM’s IP in the same or different subnet).
Protocol: Choose the protocol (TCP, UDP).
Port: Specify the port for the traffic (e.g., port 80 for HTTP).
Direction: Choose whether the traffic is inbound or outbound.
4. Run the Diagnostic
Click Check to perform the diagnostic.
The tool will simulate the flow and show whether the traffic is allowed or denied and explain which NSG or route table rule is responsible.
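The following is an added example, not part of the original article and not Microsoft's implementation: a small Python model of the rule evaluation IP Flow Verify performs for one flow. It assumes a constructed VNet address space, a constructed subnet NSG and NIC NSG, and simplifies the service tags (VirtualNetwork, AzureLoadBalancer, Internet) to address checks against that VNet. It mirrors the order Azure applies: inbound traffic passes the subnet NSG first and then the NIC NSG, outbound the reverse, and every NSG on the path must allow the flow.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for this example (not from the article).
VNET = ipaddress.ip_network("10.0.0.0/16")          # the VNet address space
AZURE_LB = ipaddress.ip_address("168.63.129.16")    # Azure load balancer / health-probe source

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR, "*" or a service tag handled below
    dest: str
    dest_ports: str      # "22", "80-443" or "*"

def _addr_match(pattern, addr):
    """Match an address against a CIDR or one of the three service tags used by
    the default rules (simplified: 'Internet' means anything outside the VNet)."""
    ip = ipaddress.ip_address(addr)
    if pattern == "*":
        return True
    if pattern == "VirtualNetwork":
        return ip in VNET
    if pattern == "AzureLoadBalancer":
        return ip == AZURE_LB
    if pattern == "Internet":
        return ip not in VNET and ip != AZURE_LB
    return ip in ipaddress.ip_network(pattern, strict=False)

def _port_match(pattern, port):
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_nsg(rules, direction, protocol, src_ip, dst_ip, dst_port):
    """The first matching rule in priority order decides; returns (access, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (_addr_match(r.source, src_ip) and _addr_match(r.dest, dst_ip)
                and _port_match(r.dest_ports, dst_port)):
            return r.access, r.name
    return "Deny", "<no matching rule>"   # unreachable while the default rules are present

def ip_flow_verify(subnet_rules, nic_rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Inbound traffic is checked by the subnet NSG, then the NIC NSG; outbound in the
    reverse order. Every NSG on the path must allow the flow; the first Deny wins."""
    scopes = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        scopes.reverse()
    decided_by = "<no NSG attached>"        # with no NSG at either scope, traffic is allowed
    for scope, rules in scopes:
        if rules is None:
            continue
        access, name = evaluate_nsg(rules, direction, protocol, src_ip, dst_ip, dst_port)
        decided_by = f"{scope}:{name}"
        if access == "Deny":
            return "Deny", decided_by
    return "Allow", decided_by

# Azure's default rules (priorities 65000-65500) are present in every NSG.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed NSGs: one on the subnet, one on the VM's NIC.
SUBNET_NSG = [
    Rule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "*", "22"),
    Rule("DenyRdpFromInternet", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "3389"),
] + DEFAULT_RULES
NIC_NSG = [
    Rule("AllowHttp", 100, "Inbound", "Allow", "Tcp", "*", "*", "80"),
] + DEFAULT_RULES

if __name__ == "__main__":
    for flow in [("Inbound", "Tcp", "10.0.1.5", "10.0.2.4", 22),
                 ("Inbound", "Tcp", "203.0.113.7", "10.0.2.4", 80),
                 ("Inbound", "Tcp", "203.0.113.7", "10.0.2.4", 3389),
                 ("Outbound", "Tcp", "10.0.2.4", "8.8.8.8", 443)]:
        print(flow, "->", ip_flow_verify(SUBNET_NSG, NIC_NSG, *flow))
```

The second sample flow is the instructive one: the NIC NSG allows HTTP from anywhere, but the subnet NSG has no matching allow rule, so the flow is denied by the subnet's DenyAllInBound. That is exactly the kind of "which rule is responsible" answer the tool reports, and the reason to read both NSGs rather than the one attached to the VM.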
Configure Next Hop Diagnostics
The Next Hop diagnostic tool helps determine where traffic will go based on the routing configuration.
Steps to Configure Next Hop
1. Go to Azure Network Watcher
In the Azure portal, navigate to Network Watcher.
2. Select Next Hop
In the Tools section of Network Watcher, click Next Hop.
3. Provide Required Information
Subscription: Choose the appropriate subscription.
Resource Group: Select the resource group.
Source IP Address: Specify the source IP address (e.g., the IP address of a VM).
Destination IP Address: Provide the destination IP address (e.g., the IP of a different VM or a service endpoint).
Network Interface: Choose the network interface of the resource from which you are testing traffic.
4. Run the Diagnostic
Click Check to simulate the traffic flow and get the next hop in the routing path.
The diagnostic will show the next hop (e.g., a Virtual Network Gateway, NVA, or other Azure resources) and details of the route table configuration that determines this path.
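As an added example (not from the article, not Azure's own code), the route selection behind the Next Hop result can be modelled in a few lines of Python. The routes, prefixes and the NVA address are constructed; peering and BGP-learned routes are left out of the sample table, but the precedence rule that Azure documents is implemented: longest prefix match first, and on an equal prefix length a user-defined route beats a BGP route, which beats a system route.

```python
import ipaddress

# Precedence when several routes share the longest matching prefix.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}

# Constructed route table: (name, prefix, next hop type, next hop IP, origin).
ROUTES = [
    ("vnet-local",       "10.0.0.0/16",    "VirtualNetwork",        None,         "System"),
    ("default-internet", "0.0.0.0/0",      "Internet",              None,         "System"),
    ("to-onprem",        "192.168.0.0/16", "VirtualNetworkGateway", None,         "User"),
    ("force-tunnel",     "0.0.0.0/0",      "VirtualAppliance",      "10.0.100.4", "User"),
    ("drop-legacy",      "10.1.0.0/24",    "None",                  None,         "User"),
]

def next_hop(dest_ip, routes=ROUTES):
    """Longest-prefix match; on equal prefix length the user-defined route
    beats BGP, which beats the system route. Returns the winning route."""
    dst = ipaddress.ip_address(dest_ip)
    best_key, best_route = None, None
    for name, prefix, nh_type, nh_ip, origin in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst not in net:
            continue
        # Higher key wins: longer prefix first, then lower origin rank.
        key = (net.prefixlen, -ORIGIN_RANK[origin])
        if best_key is None or key > best_key:
            best_key, best_route = key, (name, nh_type, nh_ip)
    if best_route is None:
        # No route at all: Azure reports next hop type "None" and drops the traffic.
        return {"route": None, "next_hop_type": "None", "next_hop_ip": None}
    name, nh_type, nh_ip = best_route
    return {"route": name, "next_hop_type": nh_type, "next_hop_ip": nh_ip}

if __name__ == "__main__":
    for ip in ["10.0.5.9", "192.168.10.1", "8.8.8.8", "10.1.0.7"]:
        print(ip, "->", next_hop(ip))
```

The 8.8.8.8 lookup shows why a user-defined 0.0.0.0/0 route is worth checking first when Internet-bound traffic "disappears": it overrides the system default route and sends everything to the appliance at 10.0.100.4, and the 10.1.0.7 lookup lands on a route with next hop type None, which silently drops the packet.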
Configure Network Topology Visualization
The Network Topology feature in Azure Network Watcher provides a visual map of your network infrastructure, including resources like virtual machines, subnets, network interfaces, and load balancers.
Steps to Configure Network Topology
1. Go to Azure Network Watcher
In the Azure portal, navigate to Network Watcher.
2. Select Topology
In the Monitoring section of Network Watcher, select Topology.
3. Select Subscription and Resource Group
Choose the subscription and resource group where the virtual network is located.
4. Choose Virtual Network
Select the virtual network (VNet) for which you want to view the topology.
Network Watcher will automatically detect the resources in the VNet and generate a topology map.
5. View Topology
The topology will show the connected resources, such as:
Virtual Machines.
Network Interfaces.
Subnets.
Load Balancers.
VPN Gateways.
Network Security Groups (NSGs).
ExpressRoute circuits.
You can interact with the topology to zoom in/out, filter resources, and click on specific resources to get more details.
6. Export Topology
If needed, you can export the topology as an image for documentation or sharing purposes.
Grant Permissions for Diagnostics
For any of the diagnostic tools to work, make sure that you have the necessary permissions in Azure.
Typically, you need the following roles:
Network Contributor or Owner role at the resource group level to configure and run diagnostics.
Reader role for viewing diagnostic results if you are not the owner or admin.
Using Azure CLI or PowerShell (Optional)
You can also configure these diagnostics using Azure CLI or PowerShell for automation purposes.
For example:
IP Flow Verify with Azure CLI
az network watcher test-ip-flow \
  --resource-group <resource-group-name> \
  --vm <vm-name> \
  --direction Inbound \
  --protocol TCP \
  --local <vm-private-ip>:80 \
  --remote <source-ip>:*
The --local and --remote values take the form ip:port; the command returns the access result (Allow or Deny) and the name of the NSG rule that decided it.
Next Hop with Azure CLI
az network watcher show-next-hop \
  --resource-group <resource-group-name> \
  --vm <vm-name> \
  --dest-ip <destination-ip> \
  --source-ip <source-ip>
Summary
To configure and use diagnostic capabilities like IP Flow Verify, Next Hop, and Network Topology in Azure Network Watcher, you need to:
Enable Network Watcher in your region.
Use the respective tools to verify traffic flow, inspect routing configurations, and visualize your network topology.
Ensure you have appropriate permissions for diagnostics to work seamlessly.
These diagnostics are vital for troubleshooting, optimizing, and managing Azure networks effectively, providing insights into traffic flows, routing decisions, and the structure of your network architecture.