Network Insights
Ankit Ranjan (DevOps Engineer)
Azure Monitor Network Insights offers a complete and visual overview of your deployed network resources, showcasing their topology, health, and metrics—all without the need for configuration. It also grants access to powerful network monitoring tools, including Connection Monitor, NSG flow logs, VNet flow logs, and Traffic Analytics, along with Network Watcher diagnostic tools.
The core components of Azure Monitor Network Insights are structured around:
Topology
Topology offers a visual representation of Azure virtual networks and their connected resources, helping you understand the network's overall structure. With an interactive interface, you can explore resources and their relationships across multiple subscriptions, regions, and resource groups in Azure. You can also drill down into individual resources, such as a virtual machine (VM), to view its traffic and connectivity insights, and access network diagnostic tools to troubleshoot any network issues affecting the VM.
Network Health and Metrics
The Azure Monitor Network Insights page provides a straightforward way to visualize your network resource inventory, along with resource health and alerts. It is organized into four key areas: search and filtering, resource health and metrics, alerts, and resource view.
Search and Filtering
To tailor the resource health and alerts view within the Network Health tab, you can apply filters such as Subscription, Resource Group, and Type. Resources can also be sorted by name or by resource count.
Additionally, you can use the search box to find specific resources and their associated components. For instance, searching for "agwpip," a public IP linked to an application gateway, will return both the public IP and the associated application gateway.
Resource Health and Metrics
In the Network Health tab, you can monitor the health and metrics of all resources across selected subscriptions and resource groups. Each tile represents a specific resource type, showing the number of instances deployed across the chosen subscriptions and resource groups, along with their health status. For example, if there are 6 ExpressRoute and VPN connections deployed, the tile will indicate that 4 are healthy and 2 are unavailable.
In the ER and VPN connections tile, select the unavailable ExpressRoute and VPN connections to see their metrics.
To check the health status of any unavailable connections, click the red icon next to the connection in the Health column. To view specific alerts and metrics for the connection, select the value in the Alert column.
Alerts
The Alerts box on the right side of the page displays all alerts generated for a particular resource type across the selected subscriptions and resource groups. Click on the alert counts to navigate to a detailed alerts page.
Resource View
The resource view allows you to visualize how a resource is configured. For example, to access the resource view of an application gateway, click the topology icon next to the application gateway's name in the metrics grid view.
The resource view for an application gateway offers a clear visual representation of how the front-end IPs are connected to listeners, rules, and the backend pool. The connecting lines are color-coded to reflect the health of the backend pool and provide additional details. This view also includes detailed metrics for the application gateway itself and all associated backend pools, such as virtual machines and virtual machine scale set instances.
The resource view allows for easy navigation to configuration settings. By right-clicking on a backend pool, you can access additional information. For instance, if the backend pool is a virtual machine (VM), you can directly access VM insights and use Azure Network Watcher for connection troubleshooting to identify any connectivity issues.
Connectivity
The Connectivity tab offers a simple way to visualize all tests configured through Connection Monitor and Connection Monitor (classic) for the selected subscriptions.
Tests are organized into Source and Destination tiles, displaying the reachability status for each. Reachable settings allow you to easily configure your reachability criteria based on failed checks (%) and round-trip time (RTT) in milliseconds. Once you've set these values, the status for each test updates according to the selected criteria.
You can select any source or destination tile to open a metric view.
You can interact with any item in the grid view. Click the icon in the Reachability column to navigate to the Connection Monitor portal page, where you can view the hop-by-hop topology and identify connectivity issues. To access alerts, click the value in the Alert column. To view detailed metrics for the selected connection monitor, click the graphs in the Checks Failed Percent and Round-Trip Time (ms) columns.
The Alert box on the right side of the page provides an overview of all alerts generated from connectivity tests configured across all subscriptions. Click the alert counts to access a detailed alerts page.
Traffic
The Traffic tab lists all network security groups (NSGs) within the selected subscriptions, resource groups, and locations, highlighting those configured for NSG flow logs and Traffic analytics. The search functionality allows you to identify NSGs associated with a specific IP address in your environment. Additionally, the tiled regional view displays all NSGs along with the configuration status of NSG flow logs and Traffic analytics.
If you select any region tile, a grid view appears. The grid presents NSG flow logs and Traffic analytics in a view that's easy to read and configure.
You can interact with any item in the grid view. Click the icon in the Flowlog Configuration Status column to edit the NSG flow log and Traffic Analytics settings. To view traffic alerts for a specific NSG, select the value in the Alert column. Similarly, you can access the Traffic Analytics view by selecting the Traffic Analytics Workspace.
The Alert box on the right side of the page displays all alerts based on Traffic Analytics workspaces across all subscriptions. Click the alert counts to access a detailed alerts page.
Diagnostic Toolkit
The Diagnostic Toolkit provides access to all available diagnostic features for troubleshooting your network. Use the drop-down list to access tools such as packet capture, VPN troubleshooting, connection troubleshooting, next hop, and IP flow verification.
Azure Network Watcher
Azure Network Watcher offers a comprehensive suite of tools for monitoring, diagnosing, viewing metrics, and managing logs for Azure IaaS (Infrastructure-as-a-Service) resources. It helps you oversee and resolve network health issues for IaaS products such as virtual machines (VMs), virtual networks (VNets), application gateways, and load balancers. Note that Network Watcher is not intended for PaaS monitoring or web analytics.
Network Watcher includes three primary sets of tools and capabilities:
Monitoring
Network Watcher offers two key monitoring tools to help you view and oversee resources:
Topology
Topology provides a visual representation of your entire network, allowing you to understand network configurations. It offers an interactive interface to explore resources and their relationships across multiple subscriptions, resource groups, and locations.
Connection Monitor
Connection Monitor offers end-to-end connection monitoring for both Azure and hybrid endpoints. It helps you assess network performance between various endpoints within your network infrastructure.
Network Diagnostic Tools
Network Watcher includes seven diagnostic tools for troubleshooting and diagnosing network issues:
IP Flow Verify
IP Flow Verify detects traffic filtering issues at the virtual machine level. It checks whether a packet is allowed or denied to or from an IP address (IPv4 or IPv6) and identifies the security rule responsible.
NSG Diagnostics
NSG Diagnostics identifies traffic filtering issues at the level of virtual machines, virtual machine scale sets, or application gateways. It checks if packets are allowed or denied to or from IP addresses, IP prefixes, or service tags, and allows you to add new security rules with higher priority.
Next Hop
Next Hop helps detect routing issues by verifying if traffic is correctly routed to its intended destination. It provides information on the Next Hop type, IP address, and Route Table ID for a specific destination IP address.
Effective Security Rules
Effective Security Rules shows all security rules applied to a network interface, including those from the subnet and the network interface itself.
Connection Troubleshoot
Connection Troubleshoot allows you to test connectivity between a virtual machine, virtual machine scale set, application gateway, or Bastion host, and another virtual machine, FQDN, URI, or IPv4 address. It provides similar insights to Connection Monitor but tests connectivity at a specific point in time.
Packet Capture
Packet Capture enables remote creation of packet capture sessions to monitor traffic to and from a virtual machine (VM) or a virtual machine scale set.
VPN Troubleshoot
VPN troubleshooting helps diagnose issues with virtual network gateways and their connections.
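The check that IP Flow Verify and Effective Security Rules describe above can be sketched as a small model (an added example, not Azure's code): the subnet NSG and then the NIC NSG are each evaluated in priority order for an inbound packet, and the rule that decided the outcome is returned. Rule names, prefixes and the single stand-in default rule are assumptions; service tags, destination prefixes and the other built-in default rules are not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix or "*"
    dest_port: str  # "443", "1000-2000" or "*"

# Simplified stand-in for the built-in lowest-priority inbound rule.
DENY_ALL = Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")

def matches(rule, protocol, remote_ip, port):
    if rule.protocol not in ("*", protocol):
        return False
    if rule.source != "*" and ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.source):
        return False
    if rule.dest_port == "*":
        return True
    lo, _, hi = rule.dest_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def first_match(rules, protocol, remote_ip, port):
    """First matching rule in priority order; DENY_ALL always matches last."""
    for rule in sorted(list(rules) + [DENY_ALL], key=lambda r: r.priority):
        if matches(rule, protocol, remote_ip, port):
            return rule

def verify_inbound(subnet_nsg, nic_nsg, protocol, remote_ip, port):
    """Subnet NSG is evaluated first, then the NIC NSG; both must allow.
    Returns (access, "scope/rule") naming the rule that decided the outcome."""
    decided = None
    for scope, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        rule = first_match(rules, protocol, remote_ip, port)
        decided = (rule.access, f"{scope}/{rule.name}")
        if rule.access == "Deny":
            break
    return decided

# Constructed sample rules (names and prefixes are illustrative).
SUBNET_NSG = [Rule("AllowHttpsFromCorp", 100, "Allow", "Tcp", "203.0.113.0/24", "443")]
NIC_NSG = [
    Rule("DenyUntrustedHalf", 200, "Deny", "*", "203.0.113.128/25", "*"),
    Rule("AllowHttps", 300, "Allow", "Tcp", "*", "443"),
]

if __name__ == "__main__":
    for ip, port in (("203.0.113.10", 443), ("203.0.113.200", 443), ("198.51.100.7", 443)):
        print(ip, port, verify_inbound(SUBNET_NSG, NIC_NSG, "Tcp", ip, port))
```

The second sample address is allowed at the subnet but denied at the NIC, which is the kind of layered result that reading only one NSG would miss.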
Traffic
Network Watcher provides two tools for logging and visualizing network traffic:
Flow Logs
Flow Logs record information about Azure IP traffic and store the data in Azure storage. You can log IP traffic passing through network security groups or Azure virtual networks.
Traffic Analytics
Traffic Analytics offers rich visualizations of flow log data.
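To show what a stored flow log holds before Traffic Analytics visualizes it, the following added example (not part of the original article) parses a constructed record and counts denied inbound flows per source. It assumes the version 2 NSG flow log layout with comma-separated flow tuples; the sample record, rule names and addresses are constructed.

```python
import json
from collections import Counter

# Field order of a version 2 flow tuple (assumed layout, see lead-in).
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

# Constructed sample record; addresses come from documentation ranges.
SAMPLE = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704067201,198.51.100.7,10.0.0.4,51000,22,T,I,D,B,,,,",
            "1704067202,198.51.100.7,10.0.0.4,51001,3389,T,I,D,B,,,,",
            "1704067203,203.0.113.9,10.0.0.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704067204,192.0.2.10,10.0.0.4,44931,443,T,I,A,B,,,,",
            "1704067264,192.0.2.10,10.0.0.4,44931,443,T,I,A,E,12,1800,10,9000"]}]},
    ]}}]})

def iter_flows(blob):
    """Yield one dict per flow tuple, tagged with the NSG rule that logged it."""
    for record in json.loads(blob)["records"]:
        for group in record["properties"]["flows"]:
            for mac_flows in group["flows"]:
                for line in mac_flows["flowTuples"]:
                    flow = dict(zip(FIELDS, line.split(",")))
                    flow["rule"] = group["rule"]
                    yield flow

def denied_inbound_by_source(blob):
    """Count denied inbound flows per source IP (direction I, decision D)."""
    return Counter(f["src_ip"] for f in iter_flows(blob)
                   if f["direction"] == "I" and f["decision"] == "D")

def bytes_allowed(blob):
    """Total bytes in both directions for allowed flows; empty counters count as 0."""
    return sum(int(f["bytes_s2d"] or 0) + int(f["bytes_d2s"] or 0)
               for f in iter_flows(blob) if f["decision"] == "A")

if __name__ == "__main__":
    print(denied_inbound_by_source(SAMPLE).most_common())
    print(bytes_allowed(SAMPLE))
```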
Usage + Quotas
The Usage + Quotas feature in Network Watcher offers a summary of your deployed network resources within a subscription and region. It displays current usage along with the corresponding limits for each resource. For details on the limits for each Azure network resource by region and subscription, refer to Networking Limits. This information is valuable for planning future resource deployments, as you cannot create additional resources if you reach the set limits within your subscription or region.