Welcome back In our last episode on advanced networking topics, we're going to talk about some network troubleshooting.
Our objectives include understanding what the network watcher is reviewing network watcher tools and then jumping out to the azure portal to take a look at a demo.
So, first, what is the network watcher? Network watcher is an all in one tool used to troubleshoot network connectivity to Resource is Inside of Azure
Network Watcher can be used to monitor in point communication such as a virtual machine
or even diagnose traffic flows, such as routing issues in capturing network packets to and from a virtual machine
network watcher can also be used to analyze traffic from a network security group. If you remember, the network security group is going to allow or deny traffic to network interface on a virtual machine so we can take a look at the traffic being allowed and denied.
Finally, network watcher is automatically deployed when you create or update a virtual network inside of azure
Network watcher Resource is will be created for each virtual network region,
and the best part is network Watcher is free of charge.
Now let's take a look at some of the tools we have available inside of Network Watcher first is I P flow. Verify
this is gonna check to see if traffic is a louder blocked to a virtual machine. You can choose a direction either inbound or outbound, and then select a local I p in port and then a remote. I pee in port.
Then you'll select a local I P address in port and then a remote I P address in port.
If traffic is blocked, it will tell you the name of the network security rule blocking the traffic.
Our next tool is called Next Top, and this provides the next hop from the target virtual machine to the specified destination I p. Address.
This is useful if you have custom routes and want to verify where the next top for a virtual machine would be for a particular i p address destination. Next, we have effective security rules. This allows you to view all the rules for a virtual machine network interface.
Remember, network security groups can be applied in multiple places such as honest, sub net or on a network interface, so this tool will summarize and let you view all the security rules for the virtual machine. Next, we have packet capture, which you can use for capturing network packets, inbound and outbound from a virtual machine.
And then you can save these network capture fouls for further analysis, either to the virtual machine or a storage account.
Next, we have connection troubleshoot, which will check and verify a direct TCP connection between virtual machines to an F Q D in your eye or I p v for a dress.
And finally, we can enable locking of ingress and egress ivy traffic against our network security groups so we can see what kind of traffic is being allowed in denied.
Let's jump out to the azure portal and take a look at each of these network washer tools.
Harry are back in our azure portal, and during the slides I mentioned that network watcher re sources are deployed automatically if you deploy or change a virtual network and I want to show you what that looks like, so when you see it, you don't inadvertently delete it or not know what it is. Let's go take a look at our resource groups.
Here we have a resource group name, network watcher RG.
And if we go and take a look at its resource is you'll notice that there's currently not anything in here. But if we check the box to show hidden types,
we'll see the instance for East us, where I currently have a virtual network deployed.
Now let's say you accidentally deleted this resource or the entire network watcher RG Resource Group. Not to worry, you can re enable it very easily. Let's go check out our network watcher Resource
and here in the overview page, you can see for our Microsoft Azure standard subscription. It lists 30 regions and our status is partially enabled.
If we expand out regions,
we can see the various regions available inside of Azure,
and if we scroll to the right, we can see where some are enabled and disabled.
So, for instance, if you deleted that resource or the entire resource group,
you can just as easily come back in here. Select the ellipsis and enabled network watcher.
Now let's go take a look at our diagnostic tools.
The first is I P flow. Verify where we can see if we can get packets from one virtual machine to another first select the subscription resource group Virtual Machine in the network interface that you want to use as the source.
Select the packet details in the direction.
I'm gonna change this to Outbound.
We'll set our port to 80
and I'm gonna checked a remote I p address of another virtue machine. And it's another sub net,
and we're gonna check port 80 as well.
And here we can see access is allowed, and it's based off the security role of allowing V net outbound.
You don't have to use the i. P address of another virtual machine. You could easily use a resource outside of Azure as well.
Let's go check out next. Hop
Very similar. We're going to select the subscription Resource group,
Virtual Machine and Network interface and the source I P address.
And then we're gonna enter a destination I P address
here. I'm gonna check against the i p address of a website,
and here we can see the Virtue Machines. Next top is gonna be straight out to the Internet, and this was determined by our default system routes in our route tables.
Next, let's check out effective security rules.
Let me collapse this blade over here
and here. We're gonna select a virtual machine where we want to see all the available security rules that are associated to it.
I'm gonna select Web 03
After that, if it had more than one network interface, we could select the network interface
and we see the Associated Network Security two groups for it.
After that, we see a summary of all the inbound and outbound network security rules that are being applied to it.
This will be useful if you're troubleshooting an issue with a virtual machine, and you want to verify all the network security rules that are placed against it. Remember, network security groups can be placed on sub nets and virtual machine network interfaces.
Next, let's look at packet capture.
This is gonna enable us to do a packet capture directly on the verse machine, much like you might be able to do with the network monitor or wire shark.
will select our target virtual machine and give the packet capture name.
And then we have to define where we're going to store the packet capture. When it's been completed. We have the option of putting it into a storage account.
We can also select, file and enter a foul path on the local machine to store the file
next week. It also select the maximum bytes per packet and procession and then give it a time limit of how long we want the packet captured. A. Lest we also have the option of selecting protocols the local I P address in port or the remote I p address import.
So if you want to just try to narrow down the packet, capture to a specific system port or I p address, you can definitely do that
and filter out all the other traffic that you may not be concerned about.
Next, we have connection Troubleshoot.
This is going to try to make a direct TCP connection from one virtual machine to another, or to other Resource is like an f k d N r I p v for a dress
already got webo one selected, and we're gonna check our connection to Web 03 where I have a basic website running and I s over Port 80.
Now, this connective D check does take a minute or so because it goes through 30 iterations of the test.
After a pause in the video and we're back, we'll take a look here at our results. And it does say that this is unreachable over Port 80.
We can see why it took so long. There were 30 probe sent, and all 30 of them failed. In addition to the grid view, we have the option for a topology view.
Just give us a very simple diagram of the network path that tried to take
obviously a name or complicated scenario. This graph would probably be a lot more interesting.
Finally, let's go take a look at our NSG flow logs.
Here, you can configure your virtual machines to save these log files to a configured storage account.
Let's go check out how to configure this.
You change your status to on.
You'll select a flow long version one or two. Version two is going to give you a little bit more information other than just the I P address. And if it was loud or denied.
Next, you select a storage account to save the data, too,
and if you want to enable Traffic Analytics
that does it for a demo on the network watcher and the diagnostic tools we have available inside of it. Let's jump back to the slides and wrap this up.
That does it for this episode. Coming up next, we're going to take a look at some additional identity and security topics with an introduction to roll based access Control. See you in the next episode.