az network watcher
Manage the Azure Network Watcher.
Network Watcher assists with monitoring and diagnosing conditions at a network scenario level. To learn more visit https://docs.microsoft.com/azure/network-watcher/.
Commands
| az network watcher configure |
Configure the Network Watcher service for different regions. |
| az network watcher connection-monitor |
Manage connection monitoring between an Azure Virtual Machine and any IP resource. |
| az network watcher connection-monitor create |
Create a connection monitor. |
| az network watcher connection-monitor delete |
Delete a connection monitor for the given region. |
| az network watcher connection-monitor endpoint |
Manage endpoint of a connection monitor. |
| az network watcher connection-monitor endpoint add |
Add an endpoint to a connection monitor. |
| az network watcher connection-monitor endpoint list |
List all endpoints form a connection monitor. |
| az network watcher connection-monitor endpoint remove |
Remove an endpoint from a connection monitor. |
| az network watcher connection-monitor endpoint show |
Show an endpoint from a connection monitor. |
| az network watcher connection-monitor list |
List connection monitors for the given region. |
| az network watcher connection-monitor output |
Manage output of connection monitor. |
| az network watcher connection-monitor output add |
Add an output to a connection monitor. |
| az network watcher connection-monitor output list |
List all output from a connection monitor. |
| az network watcher connection-monitor output remove |
Remove all outputs from a connection monitor. |
| az network watcher connection-monitor query |
Query a snapshot of the most recent connection state of a connection monitor. |
| az network watcher connection-monitor show |
Shows a connection monitor by name. |
| az network watcher connection-monitor start |
Start the specified connection monitor. |
| az network watcher connection-monitor stop |
Stop the specified connection monitor. |
| az network watcher connection-monitor test-configuration |
Manage test configuration of a connection monitor. |
| az network watcher connection-monitor test-configuration add |
Add a test configuration to a connection monitor. |
| az network watcher connection-monitor test-configuration list |
List all test configurations of a connection monitor. |
| az network watcher connection-monitor test-configuration remove |
Remove a test configuration from a connection monitor. |
| az network watcher connection-monitor test-configuration show |
Show a test configuration from a connection monitor. |
| az network watcher connection-monitor test-group |
Manage a test group of a connection monitor. |
| az network watcher connection-monitor test-group add |
Add a test group along with new-added/existing endpoint and test configuration to a connection monitor. |
| az network watcher connection-monitor test-group list |
List all test groups of a connection monitor. |
| az network watcher connection-monitor test-group remove |
Remove test group from a connection monitor. |
| az network watcher connection-monitor test-group show |
Show a test group of a connection monitor. |
| az network watcher flow-log |
Manage network security group flow logging. |
| az network watcher flow-log configure |
Configure flow logging on a network security group. |
| az network watcher flow-log create |
Create a flow log on a network security group. |
| az network watcher flow-log delete |
Delete the specified flow log resource. |
| az network watcher flow-log list |
List all flow log resources for the specified Network Watcher. |
| az network watcher flow-log show |
Get the flow log configuration of a network security group. |
| az network watcher flow-log update |
Update the flow log configuration of a network security group. |
| az network watcher list |
List Network Watchers. |
| az network watcher packet-capture |
Manage packet capture sessions on VMs. |
| az network watcher packet-capture create |
Create and start a packet capture session. |
| az network watcher packet-capture delete |
Delete a packet capture session. |
| az network watcher packet-capture list |
List all packet capture sessions within a resource group. |
| az network watcher packet-capture show |
Show details of a packet capture session. |
| az network watcher packet-capture show-status |
Show the status of a packet capture session. |
| az network watcher packet-capture stop |
Stop a running packet capture session. |
| az network watcher run-configuration-diagnostic |
Run a configuration diagnostic on a target resource. |
| az network watcher show-next-hop |
Get information on the 'next hop' of a VM. |
| az network watcher show-security-group-view |
Get detailed security information on a VM for the currently configured network security group. |
| az network watcher show-topology |
Get the network topology of a resource group, virtual network or subnet. |
| az network watcher test-connectivity |
Test if a connection can be established between a Virtual Machine and a given endpoint. |
| az network watcher test-ip-flow |
Test IP flow to/from a VM given the currently configured network security group rules. |
| az network watcher troubleshooting |
Manage Network Watcher troubleshooting sessions. |
| az network watcher troubleshooting show |
Get the results of the last troubleshooting operation. |
| az network watcher troubleshooting start |
Troubleshoot issues with VPN connections or gateway connectivity. |
az network watcher configure
Configure the Network Watcher service for different regions.
az network watcher configure --locations
[--enabled {false, true}]
[--resource-group]
[--subscription]
[--tags]Examples
Configure Network Watcher for the West US region.
az network watcher configure -g NetworkWatcherRG -l westus --enabled trueRequired Parameters
Space-separated list of locations to configure.
Optional Parameters
Enabled status of Network Watcher in the specified regions.
Name of resource group. Required when enabling new regions.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher list
List Network Watchers.
az network watcher list [--query-examples]
[--subscription]Examples
List all Network Watchers in a subscription.
az network watcher listOptional Parameters
Recommend JMESPath string for you. You can copy one of the query and paste it after --query parameter within double quotation marks to see the results. You can add one or more positional keywords so that we can give suggestions based on these key words.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher run-configuration-diagnostic
Run a configuration diagnostic on a target resource.
Requires that Network Watcher is enabled for the region in which the target is located.
az network watcher run-configuration-diagnostic --resource
[--destination]
[--direction {Inbound, Outbound}]
[--parent]
[--port]
[--protocol {Http, Https, Icmp, Tcp}]
[--queries]
[--resource-group]
[--resource-type {applicationGateways, networkInterfaces, virtualMachines}]
[--source]
[--subscription]Examples
Run configuration diagnostic on a VM with a single query.
az network watcher run-configuration-diagnostic --resource {VM_ID}
--direction Inbound --protocol TCP --source 12.11.12.14 --destination 10.1.1.4 --port 12100Run configuration diagnostic on a VM with multiple queries.
az network watcher run-configuration-diagnostic --resource {VM_ID}
--queries '[
{
"direction": "Inbound", "protocol": "TCP", "source": "12.11.12.14",
"destination": "10.1.1.4", "destinationPort": "12100"
},
{
"direction": "Inbound", "protocol": "TCP", "source": "12.11.12.0/32",
"destination": "10.1.1.4", "destinationPort": "12100"
},
{
"direction": "Outbound", "protocol": "TCP", "source": "12.11.12.14",
"destination": "10.1.1.4", "destinationPort": "12100"
}]'Required Parameters
Name or ID of the target resource to diagnose. If an ID is given, other resource arguments should not be given.
Optional Parameters
Traffic destination. Accepted values are '*', IP address/CIDR, or service tag.
Direction of the traffic.
The parent path. (ex: virtualMachineScaleSets/vmss1).
Traffic destination port. Accepted values are '*', port number (3389) or port range (80-100).
Protocol to be verified on.
JSON list of queries to use. Use @{path} to load from a file.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The resource type.
Traffic source. Accepted values are '*', IP address/CIDR, or service tag.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher show-next-hop
Get information on the 'next hop' of a VM.
Requires that Network Watcher is enabled for the region in which the VM is located. For more information about show-next-hop visit https://docs.microsoft.com/azure/network-watcher/network-watcher-check-next-hop-cli.
az network watcher show-next-hop --dest-ip
--resource-group
--source-ip
--vm
[--nic]
[--subscription]Examples
Get the next hop from a VMs assigned IP address to a destination at 10.1.0.4.
az network watcher show-next-hop -g MyResourceGroup --vm MyVm --source-ip 10.0.0.4 --dest-ip 10.1.0.4Required Parameters
Destination IPv4 address.
Name of the resource group the target VM is in.
Source IPv4 address.
Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.
Optional Parameters
Name or ID of the NIC resource to test. If the VM has multiple NICs and IP forwarding is enabled on any of them, this parameter is required.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher show-security-group-view
Get detailed security information on a VM for the currently configured network security group.
For more information on using security group view visit https://docs.microsoft.com/azure/network-watcher/network-watcher-security-group-view-cli.
az network watcher show-security-group-view --resource-group
--vm
[--subscription]Examples
Get the network security group information for the specified VM.
az network watcher show-security-group-view -g MyResourceGroup --vm MyVmRequired Parameters
Name of the resource group the target VM is in.
Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.
Optional Parameters
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher show-topology
Get the network topology of a resource group, virtual network or subnet.
For more information about using network topology visit https://docs.microsoft.com/azure/network-watcher/network-watcher-topology-cli.
az network watcher show-topology [--location]
[--resource-group]
[--subnet]
[--subscription]
[--vnet]Examples
Use show-topology to get the topology of resources within a resource group.
az network watcher show-topology -g MyResourceGroupOptional Parameters
Location. Defaults to the location of the target resource group.
The name of the target resource group to perform topology on.
Name or ID of the subnet to target. If name is used, --vnet NAME must also be supplied.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Name or ID of the virtual network to target.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher test-connectivity
Test if a connection can be established between a Virtual Machine and a given endpoint.
To check connectivity between two VMs in different regions, use the VM ids instead of the VM names for the source and destination resource arguments. To register for this feature or see additional examples visit https://docs.microsoft.com/azure/network-watcher/network-watcher-connectivity-cli.
az network watcher test-connectivity --source-resource
[--dest-address]
[--dest-port]
[--dest-resource]
[--headers]
[--method {Get}]
[--protocol {Http, Https, Icmp, Tcp}]
[--resource-group]
[--source-port]
[--subscription]
[--valid-status-codes]Examples
Check connectivity between two virtual machines in the same resource group over port 80.
az network watcher test-connectivity -g MyResourceGroup --source-resource MyVmName1 --dest-resource MyVmName2 --dest-port 80Check connectivity between two virtual machines in the same subscription in two different resource groups over port 80.
az network watcher test-connectivity --source-resource MyVmId1 --dest-resource MyVmId2 --dest-port 80Required Parameters
Name or ID of the resource from which to originate traffic.
Optional Parameters
The IP address or URI at which to receive traffic.
Port number on which to receive traffic.
Name or ID of the resource to receive traffic.
Space-separated list of headers in KEY=VALUE format.
HTTP method to use.
Protocol to test on.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Port number from which to originate traffic.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Space-separated list of HTTP status codes considered valid.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
az network watcher test-ip-flow
Test IP flow to/from a VM given the currently configured network security group rules.
Requires that Network Watcher is enabled for the region in which the VM is located. For more information visit https://docs.microsoft.com/azure/network-watcher/network-watcher-check-ip-flow-verify-cli.
az network watcher test-ip-flow --direction {Inbound, Outbound}
--local
--protocol {Http, Https, Icmp, Tcp}
--remote
--vm
[--nic]
[--resource-group]
[--subscription]Examples
Run test-ip-flow verify to test logical connectivity from a VM to the specified destination IPv4 address and port.
az network watcher test-ip-flow -g MyResourceGroup --direction Outbound \
--protocol TCP --local 10.0.0.4:* --remote 10.1.0.4:80 --vm MyVmRequired Parameters
Direction of the packet relative to the VM.
The private IPv4 address for the VMs NIC and the port of the packet in X.X.X.X:PORT format. \* can be used for port when direction is outbound.
Protocol to test.
The IPv4 address and port for the remote side of the packet X.X.X.X:PORT format. \* can be used for port when the direction is inbound.
Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.
Optional Parameters
Name or ID of the NIC resource to test. If the VM has multiple NICs and IP forwarding is enabled on any of them, this parameter is required.
Name of the resource group the target VM is in.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.