az network watcher

Manage the Azure Network Watcher.

Network Watcher assists with monitoring and diagnosing conditions at a network scenario level. To learn more visit https://docs.microsoft.com/azure/network-watcher/.

Commands

az network watcher configure: Configure the Network Watcher service for different regions.
az network watcher connection-monitor: Manage connection monitoring between an Azure Virtual Machine and any IP resource.
az network watcher connection-monitor create: Create a connection monitor.
az network watcher connection-monitor delete: Delete a connection monitor for the given region.
az network watcher connection-monitor list: List connection monitors for the given region.
az network watcher connection-monitor query: Query a snapshot of the most recent connection state of a connection monitor.
az network watcher connection-monitor show: Shows a connection monitor by name.
az network watcher connection-monitor start: Start the specified connection monitor.
az network watcher connection-monitor stop: Stop the specified connection monitor.
az network watcher flow-log: Manage network security group flow logging.
az network watcher flow-log configure: Configure flow logging on a network security group.
az network watcher flow-log show: Get the flow log configuration of a network security group.
az network watcher list: List Network Watchers.
az network watcher packet-capture: Manage packet capture sessions on VMs.
az network watcher packet-capture create: Create and start a packet capture session.
az network watcher packet-capture delete: Delete a packet capture session.
az network watcher packet-capture list: List all packet capture sessions within a resource group.
az network watcher packet-capture show: Show details of a packet capture session.
az network watcher packet-capture show-status: Show the status of a packet capture session.
az network watcher packet-capture stop: Stop a running packet capture session.
az network watcher run-configuration-diagnostic: Run a configuration diagnostic on a target resource.
az network watcher show-next-hop: Get information on the 'next hop' of a VM.
az network watcher show-security-group-view: Get detailed security information on a VM for the currently configured network security group.
az network watcher show-topology: Get the network topology of a resource group, virtual network or subnet.
az network watcher test-connectivity: Test if a connection can be established between a Virtual Machine and a given endpoint.
az network watcher test-ip-flow: Test IP flow to/from a VM given the currently configured network security group rules.
az network watcher troubleshooting: Manage Network Watcher troubleshooting sessions.
az network watcher troubleshooting show: Get the results of the last troubleshooting operation.
az network watcher troubleshooting start: Troubleshoot issues with VPN connections or gateway connectivity.

az network watcher configure

Configure the Network Watcher service for different regions.

az network watcher configure --locations
[--enabled {false, true}]
[--resource-group]
[--subscription]
[--tags]

Examples

Configure Network Watcher for the West US region.

az network watcher configure -g NetworkWatcherRG -l westus --enabled true

Required Parameters

--locations -l

Space-separated list of locations to configure.

Optional Parameters

--enabled

Enabled status of Network Watcher in the specified regions.

accepted values: false, true

--resource-group -g

Name of resource group. Required when enabling new regions.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.

az network watcher list

List Network Watchers.

az network watcher list [--subscription]

Examples

List all Network Watchers in a subscription.

az network watcher list

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network watcher run-configuration-diagnostic

Run a configuration diagnostic on a target resource.

az network watcher run-configuration-diagnostic --resource
[--destination]
[--direction {Inbound, Outbound}]
[--parent]
[--port]
[--protocol {Http, Https, Icmp, Tcp}]
[--queries]
[--resource-group]
[--resource-type {applicationGateways, networkInterfaces, virtualMachines}]
[--source]
[--subscription]

Examples

Run configuration diagnostic on a VM with a single query.

az network watcher run-configuration-diagnostic --resource {VM_ID} \
    --direction Inbound --protocol TCP --source 12.11.12.14 --destination 10.1.1.4 --port 12100

Run configuration diagnostic on a VM with multiple queries.

az network watcher run-configuration-diagnostic --resource {VM_ID} \
    --queries '[
    {
        "direction": "Inbound", "protocol": "TCP", "source": "12.11.12.14",
        "destination": "10.1.1.4", "destinationPort": "12100"
    },
    {
        "direction": "Inbound", "protocol": "TCP", "source": "12.11.12.0/32",
        "destination": "10.1.1.4", "destinationPort": "12100"
    },
    {
        "direction": "Outbound", "protocol": "TCP", "source": "12.11.12.14",
        "destination": "10.1.1.4", "destinationPort": "12100"
    }]'

Required Parameters

--resource

Name or ID of the target resource to diagnose. If an ID is given, other resource arguments should not be given.

Optional Parameters

--destination

Traffic destination. Accepted values are '*', IP address/CIDR, or service tag.

--direction

Direction of the traffic.

accepted values: Inbound, Outbound

--parent

The parent path. (ex: virtualMachineScaleSets/vmss1).

--port

Traffic destination port. Accepted values are '*', port number (3389) or port range (80-100).

--protocol

Protocol to be verified on.

accepted values: Http, Https, Icmp, Tcp

--queries

JSON list of queries to use. Use @{path} to load from a file.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--resource-type -t

The resource type.

accepted values: applicationGateways, networkInterfaces, virtualMachines

--source

Traffic source. Accepted values are '*', IP address/CIDR, or service tag.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
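
The --queries option takes a JSON list that can be loaded from a file with @{path}. The following is an added example, not part of the Azure CLI documentation: it generates such a file to check in one diagnostic run whether a set of management ports is reachable inbound from a given source. build_queries is a hypothetical helper name, and the source, destination and port values in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not Azure CLI code. build_queries is a hypothetical helper;
# the sample source, destination and ports in the usage line are constructed.

# build_queries SOURCE DESTINATION PORT...
# Prints a JSON list of inbound TCP queries, one per port, using the query
# fields shown in the multi-query example (direction, protocol, source,
# destination, destinationPort).
build_queries() {
    src=$1 dst=$2
    [ "$#" -ge 3 ] || { echo "usage: build_queries SRC DST PORT..." >&2; return 1; }
    shift 2
    # Refuse characters that would break out of a JSON string.
    case $src$dst in
        *\"*|*\\*) echo "invalid source/destination" >&2; return 1 ;;
    esac
    # Validate every port before printing anything, so a bad argument never
    # produces partial JSON.
    for port in "$@"; do
        case $port in
            '*') ;;   # wildcard, as --port allows
            ''|*[!0-9-]*|-*|*-|*-*-*) echo "bad port: $port" >&2; return 1 ;;
        esac
    done
    printf '[\n'
    sep=''
    for port in "$@"; do
        printf '%s  {"direction": "Inbound", "protocol": "TCP", "source": "%s", "destination": "%s", "destinationPort": "%s"}' \
            "$sep" "$src" "$dst" "$port"
        sep=',
'
    done
    printf '\n]\n'
}

# Usage (needs a logged-in az session; VM_ID is a placeholder):
#   build_queries '*' 10.1.1.4 22 3389 5985-5986 > queries.json
#   az network watcher run-configuration-diagnostic --resource "$VM_ID" --queries @queries.json
```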

az network watcher show-next-hop

Get information on the 'next hop' of a VM.

az network watcher show-next-hop --dest-ip
--resource-group
--source-ip
--vm
[--nic]
[--subscription]

Examples

Get the next hop from a VM's assigned IP address to a destination at 10.1.0.4.

az network watcher show-next-hop -g MyResourceGroup --vm MyVm --source-ip 10.0.0.4 --dest-ip 10.1.0.4

Required Parameters

--dest-ip

Destination IPv4 address.

--resource-group -g

Name of the resource group the target VM is in.

--source-ip

Source IPv4 address.

--vm

Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.

Optional Parameters

--nic

Name or ID of the NIC resource to test. If the VM has multiple NICs and IP forwarding is enabled on any of them, this parameter is required.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network watcher show-security-group-view

Get detailed security information on a VM for the currently configured network security group.

az network watcher show-security-group-view --resource-group
--vm
[--subscription]

Examples

Get the network security group information for the specified VM.

az network watcher show-security-group-view -g MyResourceGroup --vm MyVm

Required Parameters

--resource-group -g

Name of the resource group the target VM is in.

--vm

Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network watcher show-topology

Get the network topology of a resource group, virtual network or subnet.

az network watcher show-topology [--location]
[--resource-group]
[--subnet]
[--subscription]
[--vnet]

Examples

Use show-topology to get the topology of resources within a resource group.

az network watcher show-topology -g MyResourceGroup

Optional Parameters

--location -l

Location. Defaults to the location of the target resource group.

--resource-group -g

The name of the target resource group to perform topology on.

--subnet

Name or ID of the subnet to target. If name is used, --vnet NAME must also be supplied.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vnet

Name or ID of the virtual network to target.

az network watcher test-connectivity

Test if a connection can be established between a Virtual Machine and a given endpoint.

az network watcher test-connectivity --source-resource
[--dest-address]
[--dest-port]
[--dest-resource]
[--headers]
[--method {Get}]
[--protocol {Http, Https, Icmp, Tcp}]
[--resource-group]
[--source-port]
[--subscription]
[--valid-status-codes]

Examples

Check connectivity between two virtual machines in the same resource group over port 80.

az network watcher test-connectivity -g MyResourceGroup --source-resource MyVmName1 --dest-resource MyVmName2 --dest-port 80

Check connectivity between two virtual machines in the same subscription in two different resource groups over port 80.

az network watcher test-connectivity --source-resource MyVmId1 --dest-resource MyVmId2 --dest-port 80

Required Parameters

--source-resource

Name or ID of the resource from which to originate traffic.

Optional Parameters

--dest-address

The IP address or URI at which to receive traffic.

--dest-port

Port number on which to receive traffic.

--dest-resource

Name or ID of the resource to receive traffic.

--headers

Space-separated list of headers in KEY=VALUE format.

--method

HTTP method to use.

accepted values: Get

--protocol

Protocol to test on.

accepted values: Http, Https, Icmp, Tcp

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--source-port

Port number from which to originate traffic.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--valid-status-codes

Space-separated list of HTTP status codes considered valid.

az network watcher test-ip-flow

Test IP flow to/from a VM given the currently configured network security group rules.

az network watcher test-ip-flow --direction {Inbound, Outbound}
--local
--protocol {Http, Https, Icmp, Tcp}
--remote
--vm
[--nic]
[--resource-group]
[--subscription]

Examples

Run test-ip-flow verify to test logical connectivity from a VM to the specified destination IPv4 address and port.

az network watcher test-ip-flow -g MyResourceGroup --direction Outbound \
    --protocol TCP --local '10.0.0.4:*' --remote 10.1.0.4:80 --vm MyVm

Required Parameters

--direction

Direction of the packet relative to the VM.

accepted values: Inbound, Outbound

--local

The private IPv4 address for the VM's NIC and the port of the packet in X.X.X.X:PORT format. * can be used for port when direction is outbound.

--protocol

Protocol to test.

accepted values: Http, Https, Icmp, Tcp

--remote

The IPv4 address and port for the remote side of the packet in X.X.X.X:PORT format. * can be used for port when the direction is inbound.

--vm

Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.

Optional Parameters

--nic

Name or ID of the NIC resource to test. If the VM has multiple NICs and IP forwarding is enabled on any of them, this parameter is required.

--resource-group -g

Name of the resource group the target VM is in.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
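
A pre-flight check for the --local and --remote values described above, as an added example that is not part of the Azure CLI or its documentation. valid_endpoint and check_ip_flow_args are hypothetical helper names, and the check reads the wildcard rule strictly (an assumption): * is accepted for the local port only when the direction is Outbound and for the remote port only when it is Inbound.

```shell
#!/bin/sh
# Added example, not Azure CLI code. Helper names are hypothetical.

# valid_endpoint ENDPOINT WILDCARD_OK(yes|no)
# Succeeds if ENDPOINT is X.X.X.X:PORT with a dotted-quad IPv4 address and a
# port of 1-65535, or '*' when WILDCARD_OK is yes.
valid_endpoint() {
    ep=$1 wild=$2
    ip=${ep%:*} port=${ep##*:}
    [ "$ip:$port" = "$ep" ] || return 1      # a ':' separator must be present
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    if [ "$port" = '*' ]; then
        [ "$wild" = yes ]; return
    fi
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# check_ip_flow_args DIRECTION LOCAL REMOTE
# DIRECTION must be Inbound or Outbound, spelled as on this page.
# Assumption: the wildcard port is allowed only on the side the page names
# for that direction (local for Outbound, remote for Inbound).
check_ip_flow_args() {
    direction=$1 local_ep=$2 remote_ep=$3
    case $direction in
        Outbound) local_wild=yes remote_wild=no ;;
        Inbound)  local_wild=no  remote_wild=yes ;;
        *) return 1 ;;
    esac
    valid_endpoint "$local_ep" "$local_wild" &&
        valid_endpoint "$remote_ep" "$remote_wild"
}

# Usage, with the values from the example above:
#   check_ip_flow_args Outbound '10.0.0.4:*' 10.1.0.4:80 && echo ok
```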