IP Flow Verify
IP Flow Verify

When you have network connections that are critical to your business, it’s important to monitor them at all times. Azure Network Watcher is a collection of network monitoring and troubleshooting tools. Not only does it allow you to set up automated monitoring, but it also gives you a suite of tools that will allow you to diagnose almost any network issue.

In this course, you’ll learn about both troubleshooting and monitoring. We’ll start with the troubleshooting tools: IP Flow Verify, Security Group View, Next Hop, Connection Troubleshoot, and VPN Troubleshoot. Then you’ll see how to use the monitoring and analysis tools: Connection Monitor, Logs, Traffic Analytics, and Network Performance Monitor.

Learning Objectives

  • Use Network Watcher’s troubleshooting tools to diagnose Azure networking issues
  • Configure Network Watcher’s monitoring tools to alert you when there are critical network issues
  • Use Network Watcher’s analysis tools to get a more comprehensive view of networking issues

Intended Audience

  • People who want to become Azure cloud architects
  • People who are preparing to take Microsoft’s AZ-303 exam


  • Basic knowledge of Azure virtual networks

To see the full range of Microsoft Azure Content, visit the Azure Training Library.


Network Watcher has a number of different tools to help troubleshoot connections. The first one is IP Flow Verify. This tests whether packets are allowed to flow between a VM and an endpoint. It checks them at work security groups that are associated with the VM and tells you which rule allows or denies the connection. 

Okay, let's see how it works. Go into the Azure portal and search for Network Watcher. There it is. First, you have to make sure it's enabled in the region that has the connection you want to monitor. I need Central U.S. enabled. Which it is. If it was disabled, then I can enable it over here. Then click on IP Flow Verify. Select the resource group that contains the VM. Then choose the VM. If it has more than one network interface, then you can select the one you want. This VM only has one interface. Now choose whether you want to test TCP or UDP. Also, tell it whether you want to test inbound or outbound connections for the VM. Let's change it to outbound. It automatically fills in the IP address of the VM you chose, but you have to fill in the IP address of what you're trying to connect to. If you don't know it off the top of your head and it's a VM, then there's a quick way to get it. Change the VM to the one you want to connect to. Copy and paste it's IP address to the remote IP field. And then change the VM back to the original one. 

Okay, now we need to tell it which port we want to test. Let's try port 80. Then click the check button. It normally takes a few seconds. Alright, it says that access is allowed. The security rule that allows it is allow VNet outbound. If you want to look at that security rule in more detail, then you could look up that VM in the portal and go to its networking section, but there's an easier way. You can just go to security group view and look it up there. Set the resource group in the virtual machine and it will bring up the rules for that VM. The allow VNet outbound rule is down here. It's kind of hard to see because it says default rule at the beginning. It adds that because that rule is in the default rule set. If you go to the default tab, you'll see it without the prefix. The other two tabs are for the rules associated with this VM's network interface and this VM subnet. The effective tab shows all three rule sets combined. Note that IP Flow Verify only checks the security groups associated with the VM. It doesn't check the security associated with the endpoint. So if we want to make sure that my VM1 can connect to my VM3 over port 80, then we'll have to run IP Flow Verify in the other direction as well. 

Go back to IP Flow Verify. This time, copy my VM1's IP address to the remote field and then change the virtual machine field to my VM3. Also, make sure that the direction is set to inbound because we're testing connections coming into my VM3. Now set the port to 80 again and click check. This time we get access denied due to a rule called port 80 deny. This was a rule that I added to the network security group for my VM3's network interface. This rule isn't there by default, so if you were following along on your own VM's, you probably didn't get an access denied message. And that's it for IP Flow Verify.

About the Author
Learning Paths

Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).