Alerts, Insights & Network Watcher
Monitoring data is useless if nobody sees it. Alerts notify the right people when things go wrong. Insights give you pre-built dashboards for VMs and networks. Network Watcher helps you diagnose connectivity issues. Learn to configure all three.
What are Azure Monitor Alerts?
Alerts are like the smoke detector in your house — they watch for specific conditions and scream when something goes wrong.
You define the condition (“if CPU stays above 90% for 5 minutes”), and Azure Monitor watches for it. When the condition is met, the alert fires and triggers an action group — which is the list of things to do: send an email, call a webhook, create a ticket, or run an Azure Function. You can also create alert processing rules to suppress alerts during maintenance windows.
Types of alert rules
| Alert Type | Data Source | Use Case |
|---|---|---|
| Metric alert | Azure Monitor metrics | CPU above 90%, disk space below 10%, response time above 2 seconds |
| Log search alert | Log Analytics (KQL query) | More than 50 failed logins in 1 hour, error count by type, custom patterns |
| Activity log alert | Azure Activity Log | VM deleted, resource group created, role assignment changed, service health issue |
Alert severity levels:
| Severity | Label | Typical Use |
|---|---|---|
| Sev 0 | Critical | Production down, data loss imminent |
| Sev 1 | Error | Functionality impacted |
| Sev 2 | Warning | Potential issue, not yet impacting |
| Sev 3 | Informational | Normal but noteworthy event |
| Sev 4 | Verbose | Detailed diagnostics |
Action groups
An action group defines WHO gets notified and HOW. A single action group can have multiple actions:
| Action Type | What It Does |
|---|---|
| Email/SMS/Push/Voice | Sends notification to a person |
| Azure Function | Runs a serverless function |
| Logic App | Triggers a Logic App workflow |
| Webhook | Calls an external HTTP endpoint |
| ITSM | Creates a ticket in ServiceNow or similar |
| Automation Runbook | Runs an Azure Automation script |
| Event Hub | Streams alert data to Event Hubs |
An action group can be shared across multiple alert rules. For example, a “Critical Operations Team” action group used by all severity 0 and 1 alerts.
Exam tip: Action groups vs alert processing rules
Action groups define WHO gets notified and HOW (email, SMS, webhook). Alert processing rules control WHEN and WHERE — they can suppress alerts during a maintenance window or add additional action groups based on resource group, severity, or other filters.
Key distinction: action groups are referenced BY alert rules at creation. Alert processing rules are applied AFTER an alert fires and can override the action group behaviour.
Alert processing rules
Alert processing rules (formerly called action rules) let you modify alert behaviour after the alert fires:
Common uses:
- Suppress alerts during a scheduled maintenance window (e.g., every Saturday 2-6am)
- Route alerts from a specific resource group to a different action group
- Add action groups to existing alerts without modifying each alert rule
Real-world: TechCorp's maintenance windows
TechCorp Solutions runs weekly patching every Saturday night. During the 4-hour maintenance window, VMs restart and health probes fail — triggering dozens of alerts. Alex creates an alert processing rule:
- Scope: Production resource group
- Filter: Severity 2 and above (Warning, Informational)
- Action: Suppress notifications
- Schedule: Every Saturday, 22:00 to 02:00
Critical alerts (Sev 0, Sev 1) still fire and notify the team, but routine warnings during patching are suppressed.
Azure Monitor Insights
Insights are pre-built monitoring experiences for specific resource types:
VM Insights
VM Insights provides:
- Performance dashboards — CPU, memory, disk, and network trends for individual VMs or across all VMs
- Dependency mapping — visual map of processes running on VMs and their network connections to other systems
- Requires: Log Analytics agent or Azure Monitor Agent installed on VMs
Network Insights
Network Insights provides a topology view of your network resources — VNets, subnets, NSGs, load balancers — with health status and metrics overlaid.
Storage Insights
Storage Insights shows performance, capacity, and availability across all storage accounts in a unified view — helping identify accounts approaching limits.
Network Watcher
Network Watcher is a suite of tools for diagnosing Azure networking issues. It must be enabled per region where you have resources.
| Tool | Purpose |
|---|---|
| IP flow verify | Tests if a packet is allowed or denied by NSG rules between two endpoints |
| Next hop | Shows which route table entry a packet will follow |
| Connection troubleshoot | Tests end-to-end TCP/ICMP connectivity and reports latency |
| Packet capture | Captures packets on a VM NIC for deep analysis |
| NSG diagnostics | Shows effective NSG rules and whether they allow/deny specific traffic |
| Connection Monitor | Ongoing monitoring of connectivity between endpoints (replaces Network Performance Monitor) |
| Topology | Visual diagram of your network resources |
Exam tip: Network Watcher must be enabled per region
Network Watcher is automatically enabled when you create a VNet in a region, but you should verify it exists. It creates a resource group called “NetworkWatcherRG” with a Network Watcher resource per region. Connection Monitor is the replacement for the deprecated Network Performance Monitor — if the exam mentions “continuous monitoring of connectivity between VMs,” the answer is Connection Monitor.
Real-world: Alex uses Connection Monitor
CloudFirst Labs has web servers in East US and a database in West US. Alex sets up Connection Monitor to continuously test TCP connectivity from web servers to the database on port 1433. It runs checks every 30 seconds and alerts via the Operations action group if latency exceeds 100ms or connectivity drops.
When a peering misconfiguration broke connectivity for 5 minutes, Connection Monitor detected it immediately — before any users reported issues.
Knowledge check
TechCorp Solutions needs an alert that fires when more than 100 failed login attempts occur in any 1-hour window. Which alert type should Alex create?
Meridian Financial needs to suppress all non-critical alerts every Sunday from 00:00 to 06:00 during their maintenance window. What should Alex configure?
Alex suspects an NSG rule is blocking traffic from a web server VM to a database VM. Which Network Watcher tool should he use first?
🎬 Video coming soon