Traffic Analysis

When you have network connections that are critical to your business, it’s important to monitor them at all times. Azure Network Watcher is a collection of network monitoring and troubleshooting tools. Not only does it allow you to set up automated monitoring, but it also gives you a suite of tools that will allow you to diagnose almost any network issue.

In this course, you’ll learn about both troubleshooting and monitoring. We’ll start with the troubleshooting tools: IP Flow Verify, Security Group View, Next Hop, Connection Troubleshoot, and VPN Troubleshoot. Then you’ll see how to use the monitoring and analysis tools: Connection Monitor, Logs, Traffic Analytics, and Network Performance Monitor.

Learning Objectives

  • Use Network Watcher’s troubleshooting tools to diagnose Azure networking issues
  • Configure Network Watcher’s monitoring tools to alert you when there are critical network issues
  • Use Network Watcher’s analysis tools to get a more comprehensive view of networking issues

Intended Audience

  • People who want to become Azure cloud architects
  • People who are preparing to take Microsoft’s AZ-303 exam

Prerequisites

  • Basic knowledge of Azure virtual networks



Now it's time to show you the most exciting Network Watcher tool. Traffic Analytics gives you a dashboard that makes it easy to see what's happening with your network, and it also lets you drill down into the details when you need to see more. When you click on Traffic Analytics, the dashboard comes up. If you only want to look at the networking in a particular resource group, you can select that here. The first section shows the overall level of inbound and outbound traffic. Perhaps more importantly, it shows you how much of that traffic is malicious. If you click on the red bar, it runs a log search that comes back with a list of the malicious traffic flows. This is a lot of data to sift through, so let's go back and get more high-level information about what's happening. One important piece of information is which ports are open to the internet. In this case, there are zero ports receiving traffic from the internet. If there were any open ports, you could click on that number to find out which ones. The next section tells you how many regions you've deployed resources in, how many virtual networks you have, and how many subnets. The last item tells you how many network security groups you've enabled for Traffic Analytics. If you haven't enabled it on some of your NSGs, you won't get nearly as much information, so it's a good idea to enable it on all of them.

View map is a great feature. It gives you a global view of what's happening with your networks. The green circles show regions that are active. Since I've only enabled one region, there's only one green circle. If you hover over it, you get a summary of what's in that region. If you click on it, you'll see the traffic flows. You can hover over each aggregation point to see the flows for individual countries. The red lines are malicious flows. An easier way to see them is to click on Malicious. There are quite a few countries hitting my VMs with malicious traffic, but you can't see most of them because the map is getting cut off. I'll zoom out to see the rest. Now we can see all of the countries where malicious traffic originates.

If you click on the green circle again, there's a More details link at the bottom. When you click on that, it brings up this side panel. The graph shows the traffic over the last 24 hours. If you hover over a particular hour, it tells you the total number of flows at that time, how many of them were blocked, how many were allowed, and how many were malicious. You can see that almost all of them were blocked. Down here, it says how many of the malicious ones were allowed and how many were blocked. You can get even more detailed information by clicking on one of the See more links. Let's go back to the dashboard. The next section is traffic distribution. You can see that one of the VMs has had far more traffic than the others. When you click on a bar, it shows you the details on the right-hand side. So, this bar is for myvm2, and this one is for myvm1. If you go to malicious traffic, you'll see which VMs have been attacked. In this case, all of the malicious traffic went to myvm2. It also shows that China was the number one country it came from. Next is NSG hits.

This shows which NSG rules are being invoked the most. In this case, the AllowVnetInBound rule is being used by far the most. Next is DenyAllInBound, then AllowInternetOutBound. The application port section is quite interesting. The most common port being used is port 443 for HTTPS. However, when I click on malicious traffic, the most common port for attacks is port 445, the Microsoft-DS port used by SMB. It's a well-known attack point for exploits such as the WannaCry worm. Interestingly, those attacks are not coming from China but from the US, Thailand, and India. The next most common is the MS SQL-S port. For that one, the attacks are coming from China and Indonesia. The third one is the Telnet port. As you can see, there are lots of attacks on lots of different ports. The last section shows data about VPN gateways, load balancers, and application gateways. These are the two VPN gateways I used earlier. That's it for Traffic Analytics.
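The dashboard sections above (blocked versus allowed flows, NSG hits, and application ports) are aggregations that Traffic Analytics computes from NSG flow logs. As an added example that is not part of this course, the Python script below reproduces two of those aggregations over a constructed flow log record in the version 2 format: NSG rule hit counts and inbound flows per destination port, split into allowed and denied. The IP addresses, MAC address and the `UserRule_allow-https` name are made up; the three default rule names are the ones the lesson mentions.

```python
import json
from collections import Counter, defaultdict

# Constructed NSG flow log (version 2 format), not captured from a real subscription.
# Tuple fields: time,srcIp,dstIp,srcPort,dstPort,proto,direction(I/O),
#               decision(A/D),state(B/C/E),pktsS2D,bytesS2D,pktsD2S,bytesD2S
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704067200,198.51.100.7,10.0.0.4,51000,445,T,I,D,B,,,,",   # SMB probe, denied
            "1704067205,203.0.113.9,10.0.0.4,51001,1433,T,I,D,B,,,,",   # MS SQL probe, denied
            "1704067210,198.51.100.8,10.0.0.4,51002,23,T,I,D,B,,,,",    # Telnet probe, denied
        ]}]},
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704067220,192.0.2.5,10.0.0.4,52000,443,T,I,A,B,,,,",      # HTTPS, allowed (begin)
            "1704067225,192.0.2.5,10.0.0.4,52000,443,T,I,A,E,12,2400,10,9000",  # same flow, end
        ]}]},
        {"rule": "AllowInternetOutBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1704067230,10.0.0.4,192.0.2.20,40000,443,T,O,A,B,,,,",     # outbound HTTPS
        ]}]},
    ]}}]})


def summarize(flow_log_json):
    """Return (rule_hits, inbound_ports).

    rule_hits: Counter of flows per NSG rule name (the dashboard's "NSG hits").
    inbound_ports: {dest_port: {"allowed": n, "denied": n}} for inbound flows
    (the dashboard's application ports, split like its blocked/allowed counts).
    """
    rule_hits = Counter()
    inbound_ports = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for record in json.loads(flow_log_json)["records"]:
        for rule_block in record["properties"]["flows"]:
            for group in rule_block["flows"]:
                for tup in group["flowTuples"]:
                    f = tup.split(",")
                    # A flow is logged more than once (B = begin, C = continue, E = end);
                    # count only its begin record so long-lived flows are not inflated.
                    if f[8] != "B":
                        continue
                    rule_hits[rule_block["rule"]] += 1
                    if f[6] == "I":
                        verdict = "allowed" if f[7] == "A" else "denied"
                        inbound_ports[int(f[4])][verdict] += 1
    return rule_hits, dict(inbound_ports)


def top_denied_ports(inbound_ports, n=3):
    """Destination ports with the most denied inbound flows, highest first."""
    ranked = sorted(inbound_ports.items(), key=lambda kv: kv[1]["denied"], reverse=True)
    return [(port, c["denied"]) for port, c in ranked[:n] if c["denied"] > 0]
```

Running `summarize(SAMPLE_FLOW_LOG)` on the constructed record reports three hits on DenyAllInBound and one inbound allowed flow on 443, matching how the dashboard would present the same data.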

About the Author

Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).