AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation Free
  • IP Addressing: Public, Private & Prefixes Free
  • Name Resolution: Azure DNS Free
  • Routing: UDRs, Route Server & NAT Gateway Free
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)


Network Monitoring and Diagnostics

Master Azure Network Watcher tools, Connection Monitor, Traffic Analytics, and Azure Monitor for Networks to diagnose and troubleshoot networking issues.

When traffic doesn’t flow, you need tools to find out why. Azure Network Watcher and Azure Monitor provide a comprehensive diagnostic toolkit. The exam frequently tests which tool to use for which problem.

☕ Simple explanation

Network monitoring is your CCTV system for cloud traffic. Without it, you’re blind when a VM can’t reach a database or a VPN tunnel drops. Azure gives you two toolkits: Network Watcher for specific diagnostic tests and Azure Monitor for big-picture metrics, alerts, and dashboards.

Azure network monitoring has two layers: Azure Network Watcher for diagnostic and visualisation tools (IP Flow Verify, Next Hop, Connection Troubleshoot, packet capture, flow logs) and Azure Monitor for Networks for centralised monitoring dashboards showing health, metrics, and alerts for all networking resources.

Network Watcher Tools

Network Watcher is automatically enabled per region when you have networking resources. Here are the key diagnostic tools:

| Tool | What It Does | When to Use |
|---|---|---|
| IP Flow Verify | Checks if a packet is allowed or denied between two points, showing which NSG rule is responsible | “Why can’t VM-A talk to VM-B on port 443?” |
| Next Hop | Shows which next hop Azure routing will use for a specific source/destination | “Where is traffic to 10.20.5.10 going?” |
| Connection Troubleshoot | Tests end-to-end connectivity (TCP/ICMP) between source and destination, showing latency and hops | “Is the path from VM to SQL working?” |
| Packet Capture | Captures network packets on a VM NIC for deep analysis (saves to .cap file) | “I need to see exactly what traffic a VM is sending/receiving” |
| VPN Troubleshoot | Diagnoses VPN gateway connection issues, checks config, shows logs | “Why is my S2S VPN tunnel down?” |
| Effective Security Rules | Shows all NSG rules applied to a NIC (combined from subnet and NIC NSGs) | “What’s the effective ruleset on this VM?” |

IP Flow Verify in Action

🏢 Ravi’s scenario: A developer reports that a VM in the Finance spoke (10.20.1.10) can’t reach a web server in the hub (10.10.10.20) on port 443.

Ravi runs IP Flow Verify:

  • Source: 10.20.1.10 (Finance VM)
  • Destination: 10.10.10.20 (Hub web server)
  • Port: 443
  • Protocol: TCP
  • Direction: Outbound

Result: “Access denied — NSG rule DenyAllOutbound at priority 4096 on subnet nsg-finance”

Ravi checks the NSG on the Finance subnet and finds there’s no explicit allow rule for port 443 to the hub. He adds the rule, and connectivity is restored.
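
Ravi's result follows from how NSG rules are evaluated: lowest priority number first, first match wins. The model below is an added example, not Azure's implementation or code from this guide; it matches only direction, protocol, destination and port, and the allow rule's name and priority 200 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Outbound" or "Inbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP" or "*"
    dest_prefix: str   # CIDR; "0.0.0.0/0" stands for any destination
    dest_port: str     # "443", "1000-2000" or "*"

def port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def ip_flow_verify(rules, direction, protocol, dest_ip, dest_port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    dest = ipaddress.ip_address(dest_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == direction
                and rule.protocol in ("*", protocol)
                and dest in ipaddress.ip_network(rule.dest_prefix)
                and port_matches(rule.dest_port, dest_port)):
            return rule.access, rule.name
    return "Deny", None  # no rule matched

# Constructed rule set for nsg-finance, following the scenario's result message.
NSG_FINANCE = [
    Rule("DenyAllOutbound", 4096, "Outbound", "Deny", "*", "0.0.0.0/0", "*"),
    # Platform default rule; 10.0.0.0/8 is a constructed stand-in for the VirtualNetwork tag.
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "10.0.0.0/8", "*"),
]
# Hypothetical fix: the rule name and priority 200 are assumptions.
ALLOW_HUB_HTTPS = Rule("AllowHubHttpsOutbound", 200, "Outbound", "Allow",
                       "TCP", "10.10.10.20/32", "443")

def before_and_after():
    flow = ("Outbound", "TCP", "10.10.10.20", 443)
    return (ip_flow_verify(NSG_FINANCE, *flow),
            ip_flow_verify(NSG_FINANCE + [ALLOW_HUB_HTTPS], *flow))

if __name__ == "__main__":
    print(before_and_after())
```

The deny at 4096 shadows the default VNet allow at 65000, and a narrowly scoped allow above it restores port 443 to the hub server without opening anything else.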

Connection Monitor

Connection Monitor provides continuous monitoring of connectivity between Azure resources, on-premises machines, and external endpoints.

🏪 Sam’s scenario: Harbour Retail needs to continuously monitor the connection between Azure VMs and their payment provider’s API endpoint. Sam sets up Connection Monitor:

  1. Test group: AzureVMs-to-PaymentAPI
  2. Sources: VMs in the backend subnet (requires Network Watcher extension)
  3. Destinations: payment.provider.com on port 443
  4. Test configuration: TCP, check every 30 seconds
  5. Alerts: Notify if failure rate exceeds 10% in a 5-minute window

Connection Monitor tracks:

  • Connectivity success/failure over time
  • Round-trip latency trends
  • Hop-by-hop path analysis
  • Alerts on degradation or failures
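
Sam's alert condition (probe every 30 seconds, alert when the failure rate exceeds 10% in a 5-minute window) can be modelled as a sliding window over probe results. This is an added example, not Connection Monitor's own logic; the function names and the sample run are constructed.

```python
from collections import deque

CHECK_INTERVAL_S = 30      # from the scenario: probe every 30 seconds
WINDOW_S = 300             # 5-minute evaluation window
FAILURE_THRESHOLD = 0.10   # alert when the failure rate exceeds 10%

def evaluate_probes(results):
    """results: iterable of (timestamp_seconds, succeeded). Returns alert timestamps.

    An alert fires on the first probe at which the window's failure rate rises
    above the threshold, and re-arms once the rate is back at or below it.
    """
    window = deque()
    alerts, firing = [], False
    for ts, ok in results:
        window.append((ts, ok))
        while window[0][0] <= ts - WINDOW_S:
            window.popleft()  # drop probes that have aged out of the window
        failures = sum(1 for _, good in window if not good)
        breached = failures / len(window) > FAILURE_THRESHOLD
        if breached and not firing:
            alerts.append(ts)
        firing = breached
    return alerts

def constructed_run():
    # Constructed sample: 40 probes, one isolated failure, then two close together.
    failed_at = {300, 900, 960}
    return [(t, t not in failed_at)
            for t in range(0, 40 * CHECK_INTERVAL_S, CHECK_INTERVAL_S)]

if __name__ == "__main__":
    print(evaluate_probes(constructed_run()))
```

With ten probes per window, a single failure is exactly 10% and does not exceed the threshold; the alert fires only when a second failure lands inside the same five minutes.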

Exam Tip: Connection Monitor replaces the older “Network Performance Monitor” and “Connection Monitor (classic).” The exam references the current version.

Traffic Analytics

Traffic Analytics processes NSG flow logs and VNet flow logs to show visual, query-ready insights about your network traffic patterns.

What it reveals:

  • Which VMs communicate the most
  • Top talkers and bandwidth usage
  • Allowed vs denied traffic flows
  • Geographic traffic distribution
  • Malicious traffic detection (if integrated with Threat Intelligence)

Exam Tip — Flow Log Types: Azure has two flow log types:

  • NSG flow logs — the original, captures per-NSG rule decisions
  • VNet flow logs — the modern replacement, captures all traffic in a VNet regardless of NSG. VNet flow logs are simpler to manage and provide better coverage. The exam may test that VNet flow logs are the recommended approach.

Both flow log types write to a Storage Account. Traffic Analytics reads from storage, processes with a Log Analytics workspace, and presents dashboards.
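
The kind of processing Traffic Analytics performs can be sketched over raw flow tuples. This is an added example, not Traffic Analytics' code: it assumes the NSG flow log version 2 tuple layout (the page does not show it), and the sample tuples are constructed from the scenario's addresses.

```python
from collections import Counter

# Field order of an NSG flow log version 2 tuple (format knowledge, not from the page).
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")
COUNTERS = FIELDS[9:]

# Constructed sample tuples (not taken from a real log).
SAMPLE_TUPLES = [
    "1767225600,10.20.1.10,10.10.10.20,50112,443,T,O,D,B,,,,",
    "1767225605,10.20.1.10,10.10.10.20,50113,443,T,O,D,B,,,,",
    "1767225610,10.20.1.11,10.10.10.30,50200,1433,T,O,A,B,,,,",
    "1767225670,10.20.1.11,10.10.10.30,50200,1433,T,O,A,E,120,98000,110,640000",
    "1767225680,10.20.1.12,10.10.10.20,50300,443,T,O,A,E,12,1800,10,5200",
    "not,a,valid,tuple",
]

def parse_tuple(line):
    """Return a dict for one flow tuple, or None if the record is malformed."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in COUNTERS:
            rec[key] = int(rec[key] or 0)  # counters are empty on flow-begin records
    except ValueError:
        return None
    return rec

def summarise(lines):
    """Count new flows by decision, bytes per source, and denied destinations."""
    decisions, talkers, denied = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        rec = parse_tuple(line)
        if rec is None:
            skipped += 1
            continue
        if rec["state"] == "B":  # B marks the start of a flow; count each flow once
            decisions[rec["decision"]] += 1
            if rec["decision"] == "D":
                denied[(rec["src_ip"], rec["dst_ip"], rec["dst_port"])] += 1
        talkers[rec["src_ip"]] += rec["bytes_out"] + rec["bytes_in"]
    return {"decisions": dict(decisions), "top_talkers": talkers.most_common(2),
            "denied": dict(denied), "skipped": skipped}

if __name__ == "__main__":
    print(summarise(SAMPLE_TUPLES))
```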

Azure Monitor for Networks

Azure Monitor provides Network Insights — a unified dashboard for all network resources:

| Resource | Key Metrics to Monitor |
|---|---|
| VPN Gateway | Tunnel bandwidth, tunnel ingress/egress bytes, P2S connection count, BGP peer status |
| ExpressRoute | Circuit bandwidth utilisation, BGP availability, bits per second in/out |
| Load Balancer | Health probe status, SNAT connection count, data path availability, byte/packet counts |
| Application Gateway | Healthy/unhealthy host count, throughput, response status (2xx/4xx/5xx), backend response time |
| Azure Firewall | Throughput, rule hits, SNAT utilisation, latency, application/network rule processing time |

Setting up network monitoring:

  1. Diagnostic settings — route resource logs to Log Analytics, Storage, or Event Hub
  2. Metrics — available automatically; create alerts on thresholds
  3. Network Insights — pre-built dashboards in Azure Monitor

Network Watcher vs Azure Monitor for Networks

| Aspect | Network Watcher | Azure Monitor for Networks |
|---|---|---|
| Primary purpose | Diagnostic and troubleshooting tools for specific issues | Unified monitoring dashboards, metrics, and alerting |
| Scope | Per-resource diagnostics (specific VM, NSG, VPN) | Cross-resource monitoring (all network resources) |
| Key tools | IP Flow Verify, Next Hop, Connection Troubleshoot, Packet Capture | Network Insights dashboards, metrics, log queries |
| Alerting | Connection Monitor alerts on connectivity degradation | Metric alerts, log alerts, and action groups |
| Flow analysis | NSG flow logs and VNet flow logs with Traffic Analytics | Log Analytics workspace queries on diagnostic logs |
| Cost | Free (except storage for flow logs and packet captures) | Log Analytics ingestion and retention costs |

💡 Building Network Alerts

Essential alerts for production networks:

VPN Gateway:

  • Tunnel connected state drops below 1 (tunnel down)
  • Tunnel bandwidth drops below threshold

ExpressRoute:

  • BGP availability drops below 100%
  • Circuit utilisation exceeds 80%

Load Balancer:

  • Health probe status drops below 100% (backend unhealthy)
  • SNAT connection count approaching limit

Azure Firewall:

  • Health state drops below 100%
  • SNAT utilisation exceeds 80%

Use Azure Monitor action groups to send alerts via email, SMS, webhook, or trigger Logic Apps for automated remediation.

Key Takeaways

  • IP Flow Verify tells you which NSG rule is blocking/allowing traffic
  • Next Hop shows routing decisions; Connection Troubleshoot tests end-to-end
  • Connection Monitor provides continuous connectivity monitoring with alerts
  • VNet flow logs are the modern replacement for NSG flow logs
  • Azure Monitor Network Insights gives a unified view across all network resources

Test Your Knowledge

Question

What's the difference between IP Flow Verify and Next Hop?

Answer

IP Flow Verify checks NSG rules — is the packet allowed or denied? Next Hop checks routing — where will Azure send the packet? Use IP Flow Verify for security issues, Next Hop for routing issues.

Question

What are VNet flow logs and how do they differ from NSG flow logs?

Answer

VNet flow logs capture all traffic flowing through a VNet regardless of NSG rules. NSG flow logs only capture traffic evaluated by a specific NSG. VNet flow logs are the modern, recommended approach — simpler to manage and better coverage.

Question

What does Connection Monitor do?

Answer

Continuously monitors connectivity between sources (Azure VMs, on-prem machines) and destinations (Azure resources, external endpoints). Tracks success/failure, latency, and path. Supports alerting on degradation.

Question

Which Network Watcher tool helps diagnose VPN tunnel issues?

Answer

VPN Troubleshoot — it diagnoses VPN gateway and connection issues, checking configuration, certificate validity, and showing detailed logs. Connection Troubleshoot can also test end-to-end connectivity through the VPN.

Knowledge Check

Ravi's VM can't reach a web server. He suspects an NSG is blocking the traffic. Which Network Watcher tool should he use first?

Knowledge Check

Sam needs to continuously monitor the connection between his Azure VMs and an external payment API, with alerts on failure. What should he configure?


Next up: DDoS Protection and Security Posture — Protect your networks from DDoS attacks and assess your security posture with Microsoft Defender for Cloud.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.