Description:

Azure Network Watcher is a regional network monitoring and diagnostic service that provides visibility into network resources. It enables essential features such as NSG Flow Logs, Connection Monitor, packet capture, and network diagnostics. Network Watcher must be enabled in all regions where virtual networks, NSGs, or virtual machines exist to ensure full network observability and support for security investigations.


Rationale:

If Network Watcher is disabled in any region, NSG Flow Logs cannot be collected, diagnostic tools are unavailable, and network issues cannot be investigated effectively. Missing Network Watcher coverage results in non-compliance with monitoring and visibility requirements and reduces the ability to analyze or detect network threats.


Impact:

  • Provides network flow and security logging capabilities.

  • Enables detailed network diagnostics for troubleshooting.

  • Supports compliance by ensuring network activity is tracked and observable.

  • Ensures NSG Flow Logs and Connection Monitor features work across regions.


Default Value:

Azure may auto-enable Network Watcher when network resources are deployed, but it is not guaranteed and may remain disabled in unused regions.


Pre-requisites:

  • Permission to manage Network Watcher

  • Azure Portal access

  • Network Watcher must be enabled per region


Test Plan:

  1. Sign in to the Microsoft Azure Portal at https://portal.azure.com

  2. In the search bar, search for Network Watcher.

  3. Open Network Watcher.

  4. Review the Regions list and verify that Network Watcher is enabled for each region where network resources exist.

  5. If Network Watcher is not enabled in any required region, follow the implementation steps.




Implementation Steps:

  1. Sign in to the Microsoft Azure Portal at https://portal.azure.com

  2. In the search bar, type Network Watcher and open it.

  3. Select the correct Subscription from the top filter.

  4. If Network Watcher shows Disabled or no watcher exists, click + Create (or Add Network Watcher).

  5. Provide the following details:

     • Subscription: Select the target subscription

     • Region: Select the required Azure region

  6. Click Review + Create.

  7. Repeat the steps for each region where Azure network resources exist.
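The Test Plan and Implementation Steps above are written for the portal. The following script is an added example (not part of this benchmark page or of any Azure tooling) that performs the same coverage check from Azure CLI output: it compares the regions that hold virtual networks, NSGs and VMs against the regions that have a provisioned Network Watcher, and builds the `az network watcher configure` command that enables the missing ones. The JSON inputs are constructed samples shaped like the output of `az network watcher list`, `az network vnet list`, `az network nsg list` and `az vm list`; the resource group name NetworkWatcherRG and the rule that a watcher whose provisioning state is not Succeeded counts as missing are assumptions made for this example.

```python
import json
from typing import Dict, List, Set

# Constructed sample shaped like `az network watcher list -o json`
# (only the fields this check reads are included).
SAMPLE_WATCHERS = json.dumps([
    {"name": "NetworkWatcher_eastus", "location": "eastus",
     "resourceGroup": "NetworkWatcherRG", "provisioningState": "Succeeded"},
])

# Constructed samples shaped like `az network vnet list`, `az network nsg list`
# and `az vm list -o json`; again only the fields that matter here.
SAMPLE_VNETS = json.dumps([
    {"name": "vnet-prod", "location": "eastus"},
    {"name": "vnet-dr", "location": "westeurope"},
])
SAMPLE_NSGS = json.dumps([
    {"name": "nsg-web", "location": "eastus"},
    {"name": "nsg-db", "location": "northeurope"},
])
SAMPLE_VMS = json.dumps([
    {"name": "vm-jump", "location": "westeurope"},
])


def _norm(location: str) -> str:
    # Azure returns canonical names such as "eastus"; display names such as
    # "East US" can appear in hand-edited inventories, so normalise both forms.
    return location.lower().replace(" ", "")


def regions_of(resources_json: str) -> Set[str]:
    """Regions that hold at least one resource from an `az ... list` JSON array."""
    return {_norm(r["location"]) for r in json.loads(resources_json) if r.get("location")}


def enabled_watcher_regions(watchers_json: str) -> Set[str]:
    """Regions with a successfully provisioned Network Watcher.

    Assumption for this example: a watcher whose provisioningState is not
    "Succeeded" is treated as absent, so a failed deployment shows up as a gap
    instead of being hidden.
    """
    return {
        _norm(w["location"])
        for w in json.loads(watchers_json)
        if w.get("provisioningState", "Succeeded") == "Succeeded"
    }


def watcher_coverage(watchers_json: str, *resource_jsons: str) -> Dict[str, List[str]]:
    """Compare regions containing network resources against regions with a watcher."""
    in_use: Set[str] = set()
    for rj in resource_jsons:
        in_use |= regions_of(rj)
    enabled = enabled_watcher_regions(watchers_json)
    return {
        "covered": sorted(in_use & enabled),           # resources present, watcher present
        "missing": sorted(in_use - enabled),           # resources present, no watcher: the finding
        "unused_watchers": sorted(enabled - in_use),   # watcher present, nothing to watch
    }


def remediation_command(missing: List[str], resource_group: str = "NetworkWatcherRG") -> str:
    """Build the `az network watcher configure` call that enables the missing regions.

    The resource group defaults to NetworkWatcherRG, the name Azure uses when it
    auto-creates watchers; override it if your tenant uses a different one.
    """
    if not missing:
        return ""
    return (
        f"az network watcher configure --resource-group {resource_group} "
        f"--locations {' '.join(missing)} --enabled true"
    )


if __name__ == "__main__":
    report = watcher_coverage(SAMPLE_WATCHERS, SAMPLE_VNETS, SAMPLE_NSGS, SAMPLE_VMS)
    for key, regions in report.items():
        print(f"{key:16} {', '.join(regions) or '-'}")
    if report["missing"]:
        print("\nRemediate with:\n  " + remediation_command(report["missing"]))
```

Against a real subscription, replace the constructed samples with the output of the four `az ... list -o json` commands named above (run after `az account set --subscription <id>`), and treat a non-empty `missing` list as a failed check. Extending the resource lists with other regional network resources (for example load balancers or private endpoints) is a one-line change, since every list is read through the same `regions_of` helper.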


Backout Plan:

  1. Sign in to the Microsoft Azure Portal at https://portal.azure.com

  2. Search for Network Watcher.

  3. Select the correct Subscription.

  4. Select the Network Watcher resource for the region.

  5. Click Delete and confirm.


Reference: