Network Watcher
The resiliency recommendations presented in this guidance cover Network Watcher and its associated resources and settings.
Summary of Recommendations
| Recommendation | Category | Impact | State | ARG Query Available |
|---|---|---|---|---|
| NW-1 - Deploy Network Watcher in all regions where you have networking services | Monitoring | Low | Preview | Yes |
| NW-2 - Fix Flow Log configurations in Failed state or Disabled Status | Monitoring | Low | Preview | Yes |
Recommendations Details
NW-1 - Deploy Network Watcher in all regions where you have networking services
Category: Monitoring
Impact: Low
Guidance
Azure Network Watcher provides a suite of tools to monitor, diagnose, view metrics, and enable or disable logs for Azure IaaS (Infrastructure-as-a-Service) resources. Network Watcher enables you to monitor and repair the network health of IaaS products such as virtual machines (VMs), virtual networks (VNets), application gateways, and load balancers. Network Watcher isn't designed or intended for PaaS monitoring or web analytics. Because Network Watcher is a regional resource, diagnostics such as flow logs and connection monitoring are only available in regions where an instance exists.
Resources
Resource Graph Query
```kusto
// Azure Resource Graph Query
// This query will return all locations that do not have a Network Watcher deployed.
// Network Watcher is regional, so every location that hosts resources needs its own instance.
resources
// "global" resources (DNS zones, Traffic Manager, etc.) never need a Network Watcher
| where location != "global"
// make sure every Network Watcher row is present before counting per location
| union (Resources
    | where type =~ "microsoft.network/networkwatchers")
// count the Network Watchers found in each location (=~ is case-insensitive)
| summarize NetworkWatcherCount = countif(type =~ 'Microsoft.Network/networkWatchers') by location
// keep only locations that host resources but have no Network Watcher
| where NetworkWatcherCount == 0
// the summarize above drops per-resource columns, so id and tags are reported as "n/a"
| project recommendationId = "nw-1", name = location, id = "n/a", tags = "n/a", param1 = strcat("LocationMissingNetworkWatcher:", location)
```
NW-2 - Fix Flow Log configurations in Failed state or Disabled Status
Category: Monitoring
Impact: Low
Guidance
Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group (and, with virtual network flow logs, through a virtual network). If a flow log is in the Failed provisioning state, or is disabled, the traffic data for the associated resource is not being collected, leaving a gap in both monitoring and investigation coverage.
Resources
Resource Graph Query
```kusto
// Azure Resource Graph Query
// This query will return all Network Watcher Flow Logs that are not enabled or not in the Succeeded provisioning state
resources
| where type =~ "microsoft.network/networkwatchers/flowlogs" and isnotnull(properties)
| extend targetResourceId = tostring(properties.targetResourceId)
// properties.enabled is a JSON boolean; convert it to a string before the case-insensitive comparison
| extend status = iff(tostring(properties.enabled) =~ 'true', "Enabled", "Disabled")
| extend provisioningState = tostring(properties.provisioningState)
// a flow log targets either a virtual network or a network security group (contains is case-insensitive)
| extend flowLogType = iff(targetResourceId contains "Microsoft.Network/virtualNetworks", 'Virtual network', 'Network security group')
// flag anything that is not both successfully provisioned and enabled
| where provisioningState != "Succeeded" or status != "Enabled"
| project recommendationId = "nw-2", name, id, tags, param1 = strcat("provisioningState:", provisioningState), param2 = strcat("Status:", status), param3 = strcat("targetResourceId:", targetResourceId), param4 = strcat("flowLogType:", flowLogType)
```
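The two checks above (NW-1 and NW-2) expressed in Python over a constructed, ARG-shaped resource inventory, as an added example that is not part of this guidance or of the APRL project's own code. It assumes rows shaped like the Azure Resource Graph `resources` table (`type`, `location`, `name`, `properties`) and reproduces the same edge cases the KQL handles: the `global` pseudo-location is skipped, type comparisons are case-insensitive, and `properties.enabled` is a JSON boolean rather than a string.

```python
# Added example: evaluate NW-1 and NW-2 offline over a constructed inventory
# whose rows mirror Azure Resource Graph's `resources` table (sample data, not real resources).
from collections import defaultdict

NSG_A = "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/nsg-a"
NSG_B = "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/nsg-b"
VNET_A = "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet-a"

INVENTORY = [  # constructed sample rows
    {"type": "Microsoft.Network/virtualNetworks", "location": "eastus", "name": "vnet-a", "properties": {}},
    {"type": "Microsoft.Network/networkWatchers", "location": "eastus", "name": "NetworkWatcher_eastus", "properties": {}},
    {"type": "Microsoft.Network/loadBalancers", "location": "westeurope", "name": "lb-b", "properties": {}},
    {"type": "Microsoft.Network/dnsZones", "location": "global", "name": "example.invalid", "properties": {}},
    {"type": "Microsoft.Network/networkWatchers/flowLogs", "location": "eastus", "name": "fl-ok",
     "properties": {"enabled": True, "provisioningState": "Succeeded", "targetResourceId": NSG_A}},
    {"type": "Microsoft.Network/networkWatchers/flowLogs", "location": "eastus", "name": "fl-off",
     "properties": {"enabled": False, "provisioningState": "Succeeded", "targetResourceId": VNET_A}},
    {"type": "Microsoft.Network/networkWatchers/flowLogs", "location": "eastus", "name": "fl-failed",
     "properties": {"enabled": True, "provisioningState": "Failed", "targetResourceId": NSG_B}},
]


def regions_missing_network_watcher(rows):
    """NW-1: locations that host resources but no Network Watcher ("global" is skipped, as in the query)."""
    watchers = defaultdict(int)
    for r in rows:
        if r["location"] == "global":
            continue
        # case-insensitive type match, like KQL's =~ ; locations with only non-watcher rows stay at 0
        watchers[r["location"]] += r["type"].lower() == "microsoft.network/networkwatchers"
    return sorted(loc for loc, count in watchers.items() if count == 0)


def unhealthy_flow_logs(rows):
    """NW-2: flow logs that are disabled or whose provisioningState is not Succeeded."""
    findings = []
    for r in rows:
        if r["type"].lower() != "microsoft.network/networkwatchers/flowlogs" or r.get("properties") is None:
            continue
        p = r["properties"]
        # `enabled` is a JSON boolean; normalise to text before comparing, as tostring(...) =~ 'true' does in KQL
        status = "Enabled" if str(p.get("enabled")).lower() == "true" else "Disabled"
        state = str(p.get("provisioningState"))
        target = str(p.get("targetResourceId", ""))
        # KQL `contains` is case-insensitive, so compare lower-cased
        kind = "Virtual network" if "microsoft.network/virtualnetworks" in target.lower() else "Network security group"
        if state != "Succeeded" or status != "Enabled":
            findings.append({"name": r["name"], "provisioningState": state, "status": status, "flowLogType": kind})
    return findings
```

Feeding the JSON output of an `az graph query` run into these functions gives the same findings as the two queries, which is useful when you want to act on the results in a script.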