Description:

Network Watcher is a powerful monitoring and diagnostic tool for Azure virtual networks. It provides capabilities like network performance monitoring, flow logging, packet capture, connection troubleshoot, and network topology visualization. Ensuring that Network Watcher is enabled in all Azure regions where your resources (such as Virtual Networks and Network Security Groups) are deployed is critical for comprehensive network monitoring and troubleshooting.

Enabling Network Watcher in regions helps you gain visibility into network traffic, optimize performance, and quickly diagnose network issues, enhancing security and operational efficiency.

Rationale:

By enabling Network Watcher in every region where your resources are deployed, you ensure continuous network monitoring, which helps in:

  • Detecting network performance issues and bottlenecks.

  • Monitoring flow logs for security and traffic analysis.

  • Troubleshooting connectivity problems between Azure resources.

  • Enhancing compliance and security posture by auditing network configurations.

This ensures that all network activities in all regions are captured, analyzed, and stored for real-time troubleshooting, compliance monitoring, and security analysis.

Impact:

Enabling Network Watcher in all regions ensures complete coverage of your Azure network monitoring needs, but it may incur some additional costs related to data collection, log storage, and monitoring services. However, the operational benefits far outweigh these costs by improving network performance, reducing downtime, and enhancing security.

Default Value:

By default, Network Watcher is not enabled in all regions. You need to manually enable it for each region in which you deploy resources.

Pre-requisites:

  • Azure subscription with access to Azure Network Watcher.

  • Global Administrator or Network Contributor role permissions to enable Network Watcher in different regions.

  • Network Security Groups (NSG) or Virtual Networks deployed in Azure regions.

Audit:

  1. Sign in to Azure portal as a Global Administrator or Network Contributor.

  2. Navigate to Network Watcher.

  3. Verify that Network Watcher is enabled in the regions where your resources are deployed.

Implementation Steps (Automated):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Network Contributor permissions.

  2. Navigate to Network Watcher:

    • In the Azure portal, search for Network Watcher in the top search bar.

    • Go to Network Watcher.

  3. Check the Status of Network Watcher in All Regions:

    • In the Network Watcher dashboard, go to Regions in the left-hand menu.

    • Review the list of Azure regions where Network Watcher is currently enabled.

    • The regions where Network Watcher is not enabled will be listed as Disabled.

  4. Enable Network Watcher for Required Regions:

    • To enable Network Watcher in a region, click on the "Enable" button next to the region name.

    • Ensure that Network Watcher is enabled in all regions where your resources (e.g., Virtual Networks, NSGs, VPNs, etc.) are deployed.

  5. Automate Enabling of Network Watcher via Azure CLI: To enable Network Watcher in all regions using Azure CLI, use the following commands:

    • First, ensure that you are logged into Azure CLI and have sufficient permissions to manage Network Watcher.

To enable Network Watcher in a specific region, run:

az network watcher configure --enabled true --locations <region-name>

    • Replace <region-name> with the desired Azure region (e.g., eastus, westeurope).

To enable Network Watcher for all regions, use a loop or iterate through the available regions like so:

for region in $(az account list-locations --query "[].name" -o tsv)
do
  az network watcher configure --enabled true --locations "$region"
done

    • This script will automatically enable Network Watcher for all regions in your subscription.

  6. Verify Configuration:

    • After enabling Network Watcher for the necessary regions, navigate to Network Watcher in the Azure portal and verify that all required regions are listed as Enabled.

You can also verify that Network Watcher is active by using the Azure CLI:

az network watcher list --query "[?location=='<region-name>']" -o table

  7. Monitor Network Watcher Logs and Alerts:

    • Once enabled, ensure that Network Watcher is collecting relevant data, such as Flow Logs, Packet Captures, and Connection Troubleshoot data.

    • Set up Azure Monitor alerts to notify you if any network issues are detected based on the logs collected by Network Watcher.
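The steps above enable Network Watcher region by region and then verify the result by hand. The following script, added here as an example and not part of the original guidance, does the same thing but scoped to the regions that actually host Virtual Networks or NSGs in the current subscription, so it does not touch regions where nothing is deployed. It assumes an Azure CLI session with Network Contributor rights and only calls az when NW_APPLY=1 is set; the helper functions work on plain newline-separated region lists and run without any Azure access.

```shell
#!/bin/sh
# Added example (not part of the original guidance): enable Network Watcher only in the
# regions that host Virtual Networks or NSGs, then report anything still missing.
# Assumes an Azure CLI session with Network Contributor rights when NW_APPLY=1 is set;
# with NW_APPLY unset only the pure helper functions are defined (no az calls are made).
set -eu

# Print a unique, sorted list of region names from newline-separated input.
needed_regions() {
  printf '%s\n' "$1" | sed '/^$/d' | LC_ALL=C sort -u
}

# Print the regions in $1 (needed) that are absent from $2 (already enabled).
missing_regions() {
  have=$(needed_regions "$2")
  needed_regions "$1" | while IFS= read -r region; do
    # exact whole-line match so "eastus" is not treated as enabled because of "eastus2"
    printf '%s\n' "$have" | grep -qxF "$region" || printf '%s\n' "$region"
  done
}

if [ "${NW_APPLY:-0}" = "1" ]; then
  # Locations of every VNet and NSG in the current subscription, one per line.
  deployed=$(
    az resource list --resource-type Microsoft.Network/virtualNetworks \
      --query "[].location" -o tsv
    az resource list --resource-type Microsoft.Network/networkSecurityGroups \
      --query "[].location" -o tsv
  )
  # Regions that already have a Network Watcher instance.
  enabled=$(az network watcher list --query "[].location" -o tsv)
  missing=$(missing_regions "$deployed" "$enabled")

  if [ -n "$missing" ]; then
    echo "Enabling Network Watcher in: $(echo "$missing" | tr '\n' ' ')"
    # word-splitting of $missing is intended: --locations takes one argument per region
    az network watcher configure --enabled true --locations $missing
  fi

  # Re-check after the change; a non-empty result means enablement failed somewhere.
  enabled=$(az network watcher list --query "[].location" -o tsv)
  still_missing=$(missing_regions "$deployed" "$enabled")
  if [ -n "$still_missing" ]; then
    echo "Network Watcher still not enabled in: $still_missing" >&2
    exit 1
  fi
  echo "Network Watcher is enabled in every region that hosts a VNet or NSG"
fi
```

Run it as NW_APPLY=1 sh enable-network-watcher.sh after az login; a non-zero exit means at least one deployed region is still without Network Watcher.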

Backout Plan (Automated):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Network Contributor permissions.

  2. Navigate to Network Watcher:

    • Go to Network Watcher in the Azure portal.

  3. Disable Network Watcher in Unused Regions:

    • In the Regions section of Network Watcher, locate any regions where Network Watcher has been enabled but is no longer required.

    • Click on Disable next to the region name to turn off Network Watcher for that region.

Automate Disabling via Azure CLI: To disable Network Watcher in specific regions using Azure CLI, run:

az network watcher configure --enabled false --locations <region-name>

  4. Verify Disabled Status:

Ensure that Network Watcher has been successfully disabled in the unneeded regions by reviewing the Network Watcher status in the Azure portal or using the Azure CLI:

az network watcher list --query "[?location=='<region-name>']" -o table

References: