Azure Monitoring

The following is from Azure Administrator Training lab for AZ-103

Azure Monitor Service

Monitoring is the act of collecting and analyzing data to determine the performance, health, and availability of your business application and the resources that it depends on. An effective monitoring strategy helps you understand the detailed operation of the components of your application. It also helps you increase your uptime by proactively notifying you of critical issues so that you can resolve them before they become problems.

Azure includes multiple services that individually perform a specific role or task in the monitoring space. Together, these services deliver a comprehensive solution for collecting, analyzing, and acting on telemetry from your application and the Azure resources that support it. They can also work to monitor critical on-premises resources to provide a hybrid monitoring environment. Understanding the tools and data that are available is the first step in developing a complete monitoring strategy for your application.

The next diagram gives a high-level view of Azure Monitor. At the center of the diagram are the data stores for metrics and logs, which are the two fundamental types of data used by Azure Monitor. On the left are the sources of monitoring data that populate these data stores. On the right are the different functions that Azure Monitor performs with this collected data, such as analysis, alerting, and streaming to external systems.

For more information, you can see:

Azure Monitor Documentation- https://docs.microsoft.com/en-us/azure/azure-monitor/

Video – Azure Monitor Overview –

Key Capabilities

Azure Monitor provides three main capabilities.

  • Monitor and visualize metrics. Metrics are numerical values available from Azure resources that help you understand the health, operation and performance of your system.
  • Query and analyze logs. Logs are activity logs, diagnostic logs, and telemetry from monitoring solutions; analytics queries help with troubleshooting and visualizations.
  • Set up alerts and actions. Alerts notify you of critical conditions and can potentially take automated corrective actions based on triggers from metrics or logs.

Monitoring Data Platform

All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs.

  • Metrics are numerical values that describe some aspect of a system at a particular point in time. They are lightweight and capable of supporting near real-time scenarios.
  • Logs contain different kinds of data organized into records with different sets of properties for each type. Telemetry such as events and traces are stored as logs in addition to performance data so that it can all be combined for analysis.

For many Azure resources, you’ll see data collected by Azure Monitor right in their Overview page in the Azure portal. Have a look at any virtual machine, for example, and you’ll see several charts displaying performance metrics. Click on any of the graphs to open the data in Metrics explorer in the Azure portal, which allows you to chart the values of multiple metrics over time. You can view the charts interactively or pin them to a dashboard to view them with other visualizations.

Log Data

Log data collected by Azure Monitor is stored in Log Analytics, which includes a rich query language to quickly retrieve, consolidate, and analyze collected data. You can create and test queries using the Log Analytics page in the Azure portal and then either directly analyze the data using these tools or save queries for use with visualizations or alert rules.

Azure Monitor uses a version of the Data Explorer query language that is suitable for simple log queries but also includes advanced functionality such as aggregations, joins, and smart analytics. You can quickly learn the query language using multiple lessons. Particular guidance is provided to users who are already familiar with SQL and Splunk.

Data Types

Azure Monitor can collect data from a variety of sources. You can think of monitoring data for your applications in tiers ranging from your application, any operating system and services it relies on, down to the platform itself. Azure Monitor collects data from each of the following tiers:

  • Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform.
  • Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
  • Azure resource monitoring data: Data about the operation of an Azure resource.
  • Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
  • Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory.

As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps, Azure Monitor starts collecting data. Activity Logs record when resources are created or modified. Metrics tell you how the resource is performing and the resources that it’s consuming.

Extend the data you’re collecting into the actual operation of the resources by enabling diagnostics and adding an agent to compute resources. This will collect telemetry for the internal operation of the resource and allow you to configure different data sources to collect logs and metrics from Windows and Linux guest operating systems.

✔️ Azure Monitor can collect log data from any REST client using the Data Collector API. This allows you to create custom monitoring scenarios and extend monitoring to resources that don’t expose telemetry through other sources.
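As an added example that is not part of the training lab, the Python below builds a signed request for the Data Collector API using the SharedKey HMAC-SHA256 scheme the API documents. The workspace ID, shared key and log records are constructed placeholders, and the hypothetical custom log type EdgeFirewall would land in a table named EdgeFirewall_CL.

```python
import base64
import datetime
import hashlib
import hmac
import json
import re
import urllib.request

# Constructed sample credentials: not a real workspace ID or key.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-sample-key-not-a-real-secret").decode()

# Endpoint path and API version used by the Data Collector API.
API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"

# Custom log type names may contain only letters, digits and underscores (max 100 chars).
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource=RESOURCE):
    """Return the Authorization value: 'SharedKey <workspaceId>:<base64 HMAC-SHA256>'.

    The string to sign is the method, body length, content type, x-ms-date header
    and resource path joined by newlines, keyed with the base64-decoded shared key.
    """
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, records, now=None):
    """Build URL, headers and JSON body for one POST to the Data Collector API.

    records is a list of flat dicts; each becomes a row in the custom table
    <log_type>_CL. now can be fixed to make the x-ms-date header deterministic.
    """
    if not LOG_TYPE_RE.match(log_type):
        raise ValueError(f"invalid Log-Type {log_type!r}: letters, digits, underscore only")
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        # Optional: name of the JSON field holding each record's timestamp (ISO 8601).
        "time-generated-field": "EventTime",
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return {"url": url, "headers": headers, "body": body}


def send(request):
    """POST the prepared request and return the HTTP status (200 on success). Needs network access."""
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample records, e.g. from an on-premises appliance that has no Azure agent.
    sample = [
        {"EventTime": "2019-05-01T10:00:00Z", "Host": "fw-edge-01", "Action": "deny",
         "SrcIp": "203.0.113.10", "DstPort": 3389},
    ]
    req = build_request(WORKSPACE_ID, SHARED_KEY, "EdgeFirewall", sample)
    print(req["url"])
    print(req["headers"]["Authorization"])
    # send(req)  # only with a real workspace ID and key
```

Keep the shared key out of source control; it grants write access to the workspace's custom tables, so treat it like any other workspace credential.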

Azure Advisor

Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.

The Advisor cost recommendations page helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources.

Select the recommended action for a recommendation to implement the recommendation. A simple interface will open that enables you to implement the recommendation or refer you to documentation that assists you with implementation.

✔️ Advisor provides recommendations for virtual machines, availability sets, application gateways, App Services, SQL servers, and Redis Cache.

Activity Log

The Azure Activity Log is a subscription log that provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events.

With the Activity Log, you can determine the ‘what, who, and when’ for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties. Through activity logs, you can determine:

  • What operations were taken on the resources in your subscription.
  • Who started the operation.
  • When the operation occurred.
  • The status of the operation.
  • The values of other properties that might help you research the operation.

✔️ Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn’t more than 90 days in the past. You can retrieve events from your Activity Log using the Azure portal, CLI, PowerShell cmdlets, and the Azure Monitor REST API.

Query the Activity Log

In the Azure portal, you can filter your Activity Log by these fields:

  • Subscription. One or more Azure subscription names.
  • Timespan. The start and end time for events.
  • Event Severity. The severity level of the event (Informational, Warning, Error, Critical).
  • Resource group. One or more resource groups within those subscriptions.
  • Resource (name). The name of a specific resource.
  • Resource type. The type of resource, for example, Microsoft.Compute/virtualmachines.
  • Operation name. The name of an Azure Resource Manager operation, for example, Microsoft.SQL/servers/Write.
  • Event initiated by. The ‘caller,’ or user who performed the operation.
  • Event Category. The event category is described in the next topic.
  • Search. This is an open text search box that searches for that string across all fields in all events.

✔️ Once you have defined a set of filters, you can pin the filtered state to the dashboard or download the search results as a CSV file.

Event Categories

The Activity Log provides several event categories. You may select one or more.

  • Administrative. This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this category include “create virtual machine” and “delete network security group”. The Administrative category also includes any changes to role-based access control in a subscription.
  • Service Health. This category contains the record of any service health incidents that have occurred in Azure. An example of the type of event you would see in this category is “SQL Azure in East US is experiencing downtime.” Service health events come in five varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security.
  • Alert. This category contains the record of all activations of Azure alerts. An example of the type of event you would see in this category is “CPU % on myVM has been over 80 for the past 5 minutes.”
  • Autoscale. This category contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of the type of event you would see in this category is “Autoscale scale up action failed.”
  • Recommendation. This category contains recommendation events from certain resource types, such as web sites and SQL servers. These events offer recommendations for how to better utilize your resources.
  • Security. This category contains the record of any alerts generated by Azure Security Center. An example of the type of event you would see in this category is “Suspicious double extension file executed.”
  • Policy and Resource Health. These categories do not contain any events; they are reserved for future use.

Azure Alerts

Azure Monitor Alerts

Alerting is now available with Azure Monitor.

The Monitor Alerts experience has many benefits.

  • Better notification system. All newer alerts use action groups, which are named groups of notifications and actions that can be reused in multiple alerts.
  • A unified authoring experience. All alert creation for metrics, logs and activity log across Azure Monitor, Log Analytics, and Application Insights is in one place.
  • View Log Analytics alerts in Azure portal. You can now also see Log Analytics alerts in your subscription. Previously these were in a separate portal.
  • Separation of Fired Alerts and Alert Rules. Alert Rules (the definition of the condition that triggers an alert) and Fired Alerts (an instance of the alert rule firing) are differentiated, so the operational and configuration views are separated.
  • Better workflow. The new alerts authoring experience guides the user along the process of configuring an alert rule, which makes it simpler to discover the right things to get alerted on.

For more information, you can see:

The new alerts experience in Azure Monitor – https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-unified-alerts

Creating Alert Rules

Alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues before the users of your system notice them. Alerts consist of alert rules, action groups, and monitor conditions.

Alert rules are separated from alerts and the actions that are taken when an alert fires. The alert rule captures the target and criteria for alerting. The alert rule can be in an enabled or a disabled state. Alerts only fire when enabled. The key attributes of an alert rule are:

  • Target Resource – Defines the scope and signals available for alerting. A target can be any Azure resource. Example targets: a virtual machine, a storage account, a virtual machine scale set, a Log Analytics workspace, or an Application Insights resource. For certain resources (like Virtual Machines), you can specify multiple resources as the target of the alert rule.
  • Signal – Signals are emitted by the target resource and can be of several types: Metric, Activity log, Application Insights, and Log.
  • Criteria – Criteria is a combination of Signal and Logic applied on a Target resource. Examples: Percentage CPU > 70%; Server Response Time > 4 ms; and Result count of a log query > 100.
  • Alert Name – A specific name for the alert rule configured by the user.
  • Alert Description – A description for the alert rule configured by the user.
  • Severity – The severity of the alert once the criteria specified in the alert rule is met. Severity can range from 0 to 4.
  • Action – A specific action taken when the alert is fired. See the Action Groups topic coming up.

Action Groups

An action group is a collection of notification preferences defined by the owner of an Azure subscription. Azure Monitor and Service Health alerts use action groups to notify users that an alert has been triggered. Various alerts may use the same action group or different action groups depending on the user’s requirements.

When an action is configured to notify a person by email or SMS, the person will receive a confirmation indicating he / she has been added to the action group.

  • Email – Emails will be sent to the email addresses. Ensure that your email filtering is configured appropriately. You may have up to 1000 email actions in an Action Group.
  • ITSM – You may have up to 10 ITSM actions in an Action Group. An ITSM Action requires an ITSM Connection.
  • Logic App – You may have up to 10 Logic App actions in an Action Group.
  • Function App – The function keys for Function Apps configured as actions are read through the Functions API.
  • Runbook – You may have up to 10 Runbook actions in an Action Group.
  • SMS – You may have up to 10 SMS actions in an Action Group.
  • Voice – You may have up to 10 Voice actions in an Action Group.
  • Webhook – You may have up to 10 Webhook actions in an Action Group. Retry logic – The timeout period for a response is 10 seconds. The webhook call will be retried a maximum of 2 times when the following HTTP status codes are returned: 408, 429, 503, 504, or when the HTTP endpoint does not respond. The first retry happens after 10 seconds. The second and last retry happens after 100 seconds.

✔️ You may have up to 10 Azure app actions in an Action Group. At this time the Azure app action only supports ServiceHealth alerts.

Managing Alerts

You can alert on metrics and logs as described in monitoring data sources. These include but are not limited to:

  • Metric values
  • Log search queries
  • Activity Log events
  • Health of the underlying Azure platform
  • Tests for web site availability

Alert states

You can set the state of an alert to specify where it is in the resolution process. When the criteria specified in the alert rule is met, an alert is created or fired, and it has a status of New. You can change the status when you acknowledge an alert and when you close it. All state changes are stored in the history of the alert. The following alert states are supported.

State          Description
New            The issue has just been detected and has not yet been reviewed.
Acknowledged   An administrator has reviewed the alert and started working on it.
Closed         The issue has been resolved. After an alert has been closed, you can reopen it by changing it to another state.

✔️ Alert state is different from and independent of the monitor condition. Alert state is set by the user. Monitor condition is set by the system. When an alert fires, the alert’s monitor condition is set to fired. When the underlying condition that caused the alert to fire clears, the monitor condition is set to resolved. The alert state isn’t changed until the user changes it.

Alerts Experience

The default Alerts page provides a summary of alerts that are created within a particular time window. It displays the total alerts for each severity with columns that identify the total number of alerts in each state for each severity.

Column           Description
Subscription     Select up to five Azure subscriptions. Only alerts in the selected subscriptions are included in the view.
Resource group   Select a single resource group. Only alerts with targets in the selected resource group are included in the view.
Time range       Only alerts fired within the selected time window are included in the view. Supported values are the past hour, the past 24 hours, the past 7 days, and the past 30 days.

✔️ You can select Total Alerts, Smart Groups, and Total Alert Rules to open a new page.

Alert Detail Page

The Alert detail page is displayed when you select an alert. It provides details of the alert and enables you to change its state.

Section        Description
Essentials     Displays the properties and other significant information about the alert.
History        Lists each action taken by the alert and any changes made to the alert. Currently limited to state changes.
Smart group    Information about the smart group the alert is included in. The alert count refers to the number of alerts that are included in the smart group. Includes other alerts in the same smart group that were created in the past 30 days regardless of the time filter in the alerts list page. Select an alert to view its detail.
More details   Displays further contextual information for the alert, which is typically specific to the type of source that created the alert.

Create an Alert

Alerts can be authored in a consistent manner regardless of the monitoring service or signal type. All fired alerts and related details are available in a single page. You create a new alert rule with the following three steps:

  • Resource. Select the resource you want to monitor. For example, a resource group, virtual machine, or storage account.
  • Condition. Select the signal and define its logic. The signal could be All, Metrics, or Activity log.
  • Action Group. Notify your team via email and text messages or automate actions using webhooks, runbooks, functions, logic apps or integrating with external ITSM solutions.
  • Alert rule name. Specify a name to identify your alert.
  • Description. Provide a description for your alert rule.
  • Enable rule upon creation. You can enable and disable your alert rules.

✔️ We currently support configuring only two metric signals or one log search signal or one activity log signal per alert rule. An alert will be triggered when the conditions for all the above configured criteria are met.

Log Analytics

Log Analytics Scenarios

One of the challenges with any broad data analytics solution is figuring out where you’re going to see value for your organization. Out of all the things that are possible, what does your business need? What we hear from customers is that the following areas all have the potential to deliver significant business value:

Example 1 – Assessing updates

An important part of the daily routine for any IT administrator is assessing systems update requirements and planning patches. Accurate scheduling is critical, as it directly relates to SLAs to the business and can seriously impact business functions. In the past, you had to schedule an update with only limited knowledge of how long the patching would take. Operations Management Suite collects data from all customers performing patches and uses that data to provide an average patching time for specific missing updates. This use of “crowd-sourced” data is unique to cloud systems, and is a great example of how Log Analytics can help meet strict SLAs.

Example 2 – Change tracking

Troubleshooting an operational incident is a complex process, requiring access to multiple data streams. With Operations Management Suite, you can easily perform analysis from multiple angles, using data from a wide variety of sources through a single interface for correlation of information. By tracking changes throughout the environment, Log Analytics helps to easily identify things like abnormal behavior from a specific account, users installing unapproved software, unexpected system reboots or shutdowns, evidence of security breaches, or specific problems in loosely coupled applications.

Create a Workspace

To get started with Log Analytics you need to add a workspace. In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics.

You can then click Create and select your choices for the new workspace.

  • Provide a name for the new Log Analytics workspace, such as DefaultLAWorkspace.
  • Select a Subscription from the drop-down list.
  • For Resource Group, select an existing resource group that contains one or more Azure virtual machines.
  • Select the Location your VMs are deployed to. See which regions Log Analytics is available in.
  • The workspace will automatically use the Per GB pricing plan.

Connected Sources

Connected Sources are the computers and other resources that generate data collected by Log Analytics. This can include agents installed on Windows and Linux computers that connect directly or agents in a connected System Center Operations Manager management group. Log Analytics can also collect data from Azure storage.

The following diagram shows how Connected Sources flow data to the Log Analytics service.

Ensure you can locate each of the following.

  • The Log Analytics service (1) collects data and stores it in the OMS repository (2). The OMS Repository is hosted in Azure. Connected Sources provide information to the Log Analytics service.
  • Computer agents (3) send data to the Log Analytics service. These agents can run on Windows or Linux computers, virtual or physical computers, on-premises or cloud computers, in Azure or other cloud providers.
  • A System Center Operations Manager (SCOM) management group can be connected to Log Analytics. SCOM agents (4) communicate with management servers, which forward events and performance data to Log Analytics.
  • An Azure storage account (5) can also collect Azure Diagnostics data from a worker role, web role, or virtual machine in Azure. This information can be sent to the Log Analytics service.

Data Sources

Data sources are the different kinds of data collected from each connected source. These can include events and performance data from Windows and Linux agents, in addition to sources such as IIS logs and custom text logs. You configure each data source that you want to collect, and the configuration is automatically delivered to each connected source.

When you configure the Log Analytics settings you can see the data sources that are available. Data sources include: Windows Event Logs, Windows Performance Counters, Linux Performance Counters, IIS Logs, Custom Fields, Custom Logs, and Syslog. Each data source has additional configuration options. For example, the Windows Event Log can be configured to forward Error, Warning, or Informational messages.

Log Analytics Querying

Log Analytics provides a query syntax to quickly retrieve and consolidate data in the repository. You can create and save Log Searches to directly analyze data in the OMS portal or have log searches run automatically to create an alert if the results of the query indicate an important condition.

To give a quick graphical view of the health of your overall environment, you can add visualizations for saved log searches to your dashboard. To analyze data outside of Log Analytics, you can export the data from the repository into tools such as Power BI or Excel. You can also leverage the Log Search API to build custom solutions that leverage Log Analytics data or to integrate with other systems.

Querying Language Syntax

When you build a query, you start by determining which tables have the data that you’re looking for. Each data source and solution stores its data in dedicated tables in the Log Analytics workspace. Documentation for each data source and solution includes the name of the data type that it creates and a description of each of its properties. Many queries will only require data from a single table, but others may use a variety of options to include data from multiple tables.

Some common query tables are: Event, Syslog, Heartbeat, and Alert.

The basic structure of a query is a source table followed by a series of operators separated by a pipe character |. You can chain together multiple operators to refine the data and perform advanced functions. For example, this query returns a count of the top 10 errors in the Event log during the last day. The results are in descending order.

Event
| where EventLevelName == "Error"             // keep only error-level events
| where TimeGenerated > ago(1d)               // from the last 24 hours
| summarize ErrorCount = count() by Computer  // one row per computer
| top 10 by ErrorCount desc                   // the ten noisiest computers first

Some common operators are:

  • count – Returns the number of records in the input record set.

StormEvents | count

  • limit – Return up to the specified number of rows.

T | limit 5

  • summarize – Produces a table that aggregates the content of the inputtable.

T | summarize count(), avg(price) by fruit, supplier

  • top – Returns the first N records sorted by the specified columns.

T | top 5 by Name desc nulls last

  • where – Filters a table to the subset of rows that satisfy a predicate.

T | where fruit == "apple"

For more information, you can see:

Azure Monitor log queries – https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-language

Network Watching

Network Watcher

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.

  • Automate remote network monitoring with packet capture. Monitor and diagnose networking issues without logging in to your virtual machines (VMs) using Network Watcher. Trigger packet capture by setting alerts, and gain access to real-time performance information at the packet level. When you see an issue, you can investigate in detail for better diagnoses.
  • Gain insight into your network traffic using flow logs. Build a deeper understanding of your network traffic pattern using Network Security Group flow logs. Information provided by flow logs helps you gather data for compliance, auditing and monitoring your network security profile.
  • Diagnose VPN connectivity issues. Network Watcher provides you the ability to diagnose your most common VPN Gateway and Connection issues, allowing you not only to identify the issue but also to use the detailed logs created to investigate further.

Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level.

For more information, you can see:

Network Watcher – https://azure.microsoft.com/en-us/services/network-watcher/

Monitoring and Visualization

Connection monitor

Connection monitor is a feature of Network Watcher that can monitor communication between a virtual machine and an endpoint. The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.

For example, you might have a web server VM that communicates with a database server VM. Someone in your organization may, unknown to you, apply a custom route or network security rule to the web server or database server VM or subnet. If an endpoint becomes unreachable, connection troubleshoot informs you of the reason. Potential reasons might be a DNS name resolution problem; the CPU, memory, or firewall within the operating system of a VM; the hop type of a custom route; or a security rule for the VM or subnet of the outbound connection. Connection monitor also provides the minimum, average, and maximum latency observed over time.

Network performance monitor

Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute. Network performance monitor detects network issues like traffic blackholing, routing errors, and issues that conventional network monitoring methods aren’t able to detect. The solution generates alerts and notifies you when a threshold is breached for a network link. It also ensures timely detection of network performance issues and localizes the source of the problem to a particular network segment or device.

Topology

Network Watcher’s Topology capability enables you to generate a visual diagram of the resources in a virtual network, and the relationships between the resources. The following picture shows an example topology diagram for a virtual network that has three subnets, two VMs, network interfaces, public IP addresses, network security groups, route tables, and the relationships between the resources:

✔️ To use Network Watcher capabilities, the account you log into Azure with must be assigned to the Owner, Contributor, or Network Contributor built-in roles, or assigned to a custom role. A custom role can be given permissions to read, write, and delete the Network Watcher.

Diagnostics – IP Flow Verify

Verify IP Flow Purpose: Quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment. For example, confirming if a security rule is blocking ingress or egress traffic to or from a virtual machine.

Example

When you deploy a VM, Azure applies several default security rules to the VM that allow or deny traffic to or from the VM. You might override Azure’s default rules or create additional rules. At some point, a VM may become unable to communicate with other resources, because of a security rule.

The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.

If IP flow verify does not return the expected behavior, you can investigate the security rule that was involved to determine what is going wrong and make an adjustment.

✔️ IP flow verify is ideal for making sure security rules are being correctly applied. When used for troubleshooting, if IP flow verify doesn’t show a problem, you will need to explore other areas such as firewall restrictions.

Diagnostics – Next Hop

Next Hop Purpose: To determine if traffic is being directed to the intended destination by showing the next hop. This will help determine if network routing is correctly configured.

When you create a virtual network, Azure creates several default outbound routes for network traffic. The outbound traffic from all resources, such as VMs, deployed in a virtual network is routed based on Azure’s default routes. You might override Azure’s default routes or create additional routes.

Example

You may find that a VM can no longer communicate with other resources because of a specific route. The next hop capability enables you to specify a source and destination IPv4 address. Next hop then tests the communication and informs you what type of next hop is used to route the traffic. You can then remove, change, or add a route to resolve a routing problem.

Next hop also returns the route table associated with the next hop. If the route is defined as a user-defined route, that route is returned. Otherwise, next hop returns System Route. Depending on your situation, the next hop could be Internet, Virtual Appliance, Virtual Network Gateway, VNet Local, VNet Peering, or None. None lets you know that while there may be a valid system route to the destination, there is no next hop to route the traffic to the destination.


Diagnostics – VPN Diagnostics

VPN Diagnostics Purpose: Troubleshoot gateways and connections.

Example

Virtual Network Gateways provide connectivity between on-premises resources and other virtual networks within Azure. Monitoring gateways and their connections is critical to ensuring communication is working as expected. VPN diagnostics can troubleshoot the health of the gateway, or connection, and provide detailed logging. The request is a long-running transaction and results are returned once the diagnosis is complete.

VPN Diagnostics returns a wealth of information. Summary information is available in the portal and more detailed information is provided in log files. The log files are stored in a storage account and include things like connection statistics, CPU and memory information, IKE security errors, packet drops, and buffers and events.

✔️ You can select multiple gateways or connections to troubleshoot simultaneously, or you can focus on an individual component.

NSG Flow Logs

NSG flow logs allow you to view information about ingress and egress IP traffic through an NSG. Flow logs are written in JSON format and show outbound and inbound flows on a per-rule basis. The JSON format can be visually displayed in Power BI or third-party tools like Kibana.

You can download flow logs from configured storage accounts. Navigate to the storage container and look for the PT1H.JSON file.

✔️ These capabilities can be used in security compliance and auditing. You can define a prescriptive set of security rules as a model for security governance in your organization. A periodic compliance audit can be implemented in a programmatic way by comparing the prescriptive rules with the effective rules for each of the VMs in your network. Explore this feature with NSG Auditing practice.
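As an added example (not code from the lab), the following parses a constructed PT1H.json blob in the version 2 flow log layout, where each flow tuple is a comma-separated string under the rule that matched it, and summarizes the inbound flows each rule denied per destination port. The NSG name, subscription id, MAC address and IP addresses are placeholders.

```python
import json
from collections import Counter

# Constructed sample shaped like an NSG flow log (version 2) PT1H.json blob.
# Tuple layout: time,srcIP,dstIP,srcPort,dstPort,proto(T/U),dir(I/O),decision(A/D),
# state(B/C/E),packetsOut,bytesOut,packetsIn,bytesIn. All identifiers are placeholders.
SAMPLE_PT1H = json.dumps({"records": [{
    "time": "2021-03-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1614592800,203.0.113.10,10.0.0.4,51000,3389,T,I,D,B,,,,",
            "1614592805,203.0.113.11,10.0.0.4,51001,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_allow-http", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1614592810,198.51.100.7,10.0.0.4,40000,80,T,I,A,E,12,1800,10,24000"]}]}]}}]})

FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction", "decision",
          "state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")


def parse_flow_tuples(blob_text):
    """Yield one dict per flow tuple, tagged with the NSG and the rule that matched it."""
    for record in json.loads(blob_text)["records"]:
        nsg_name = record["resourceId"].rsplit("/", 1)[-1]
        for rule_entry in record["properties"]["flows"]:
            for nic in rule_entry["flows"]:
                for tuple_str in nic["flowTuples"]:
                    parts = tuple_str.split(",")
                    # Version 1 tuples carry only the first 8 fields; pad so both share one layout.
                    parts += [""] * (len(FIELDS) - len(parts))
                    flow = dict(zip(FIELDS, parts))
                    flow["rule"] = rule_entry["rule"]
                    flow["nsg"] = nsg_name
                    yield flow


def denied_inbound_by_rule(blob_text):
    """Count inbound flows denied, keyed by (rule, destination port): the auditor's view."""
    counts = Counter()
    for f in parse_flow_tuples(blob_text):
        if f["direction"] == "I" and f["decision"] == "D":
            counts[(f["rule"], f["dst_port"])] += 1
    return counts
```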

Connection Troubleshoot

Azure Network Watcher Connection Troubleshoot is a more recent addition to the Network Watcher suite of networking tools and capabilities. Connection Troubleshoot enables you to troubleshoot network performance and connectivity issues in Azure.

This adds to the current capabilities of Network Watcher in providing even more ways for you to troubleshoot networking operations. You can use Connection Troubleshoot to:

  • Check connectivity between source (VM) and destination (VM, URI, FQDN, IP Address).
  • Identify configuration issues that are impacting reachability.
  • Provide all possible hop-by-hop paths from the source to destination.
  • Measure hop-by-hop latency.
  • Measure latency (min, max, and average) between source and destination.
  • View the number of packets dropped during the connection troubleshoot check.
  • Connection Troubleshoot can also provide a topology (graphical) view from your source to destination, as shown in the following illustration.

Example Scenario

Connection Troubleshoot supports all networking scenarios where the source and destination are an Azure VM, FQDN, URI or an IPv4 Address.

In this example, an instance of Network Watcher is configured to check connectivity to a destination VM over port 80. When you open Connection Troubleshoot, select the VM and port to test, and click Check, connectivity between the VMs on the specified port is checked. In this case, the destination VM is unreachable, and a listing of hops is shown.

Further examples of different supported network troubleshooting scenarios include:

  • Checking the connectivity and latency to a remote endpoint, such as for websites and storage endpoints.
  • Connectivity between an Azure VM and an Azure resource like Azure SQL server, where all Azure traffic is tunneled through an on-premises network.
  • Connectivity between VMs in different VNets connected using VNet peering.

For more information, see:

Troubleshoot connections with Azure Network Watcher using the Azure portal- https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-portal


References

https://github.com/MicrosoftLearning/AZ-103-MicrosoftAzureAdministrator