az network watcher

Manage the Azure Network Watcher.

Network Watcher assists with monitoring and diagnosing conditions at a network scenario level. To learn more visit https://docs.microsoft.com/azure/network-watcher/.

Commands

az network watcher configure

Configure the Network Watcher service for different regions.

az network watcher connection-monitor

Manage connection monitoring between an Azure Virtual Machine and any IP resource.

az network watcher connection-monitor create

Create a connection monitor.

az network watcher connection-monitor delete

Delete a connection monitor for the given region.

az network watcher connection-monitor endpoint

Manage endpoint of a connection monitor.

az network watcher connection-monitor endpoint add

Add an endpoint to a connection monitor.

az network watcher connection-monitor endpoint list

List all endpoints from a connection monitor.

az network watcher connection-monitor endpoint remove

Remove an endpoint from a connection monitor.

az network watcher connection-monitor endpoint show

Show an endpoint from a connection monitor.

az network watcher connection-monitor list

List connection monitors for the given region.

az network watcher connection-monitor output

Manage output of connection monitor.

az network watcher connection-monitor output add

Add an output to a connection monitor.

az network watcher connection-monitor output list

List all outputs from a connection monitor.

az network watcher connection-monitor output remove

Remove all outputs from a connection monitor.

az network watcher connection-monitor query

Query a snapshot of the most recent connection state of a connection monitor.

az network watcher connection-monitor show

Show a connection monitor by name.

az network watcher connection-monitor start

Start the specified connection monitor.

az network watcher connection-monitor stop

Stop the specified connection monitor.

az network watcher connection-monitor test-configuration

Manage test configuration of a connection monitor.

az network watcher connection-monitor test-configuration add

Add a test configuration to a connection monitor.

az network watcher connection-monitor test-configuration list

List all test configurations of a connection monitor.

az network watcher connection-monitor test-configuration remove

Remove a test configuration from a connection monitor.

az network watcher connection-monitor test-configuration show

Show a test configuration from a connection monitor.

az network watcher connection-monitor test-group

Manage a test group of a connection monitor.

az network watcher connection-monitor test-group add

Add a test group, along with a newly added or existing endpoint and test configuration, to a connection monitor.

az network watcher connection-monitor test-group list

List all test groups of a connection monitor.

az network watcher connection-monitor test-group remove

Remove a test group from a connection monitor.

az network watcher connection-monitor test-group show

Show a test group of a connection monitor.

az network watcher flow-log

Manage network security group flow logging.

az network watcher flow-log configure

Configure flow logging on a network security group.

az network watcher flow-log create

Create a flow log on a network security group.

az network watcher flow-log delete

Delete the specified flow log resource.

az network watcher flow-log list

List all flow log resources for the specified Network Watcher.

az network watcher flow-log show

Get the flow log configuration of a network security group.

az network watcher flow-log update

Update the flow log configuration of a network security group.

az network watcher list

List Network Watchers.

az network watcher packet-capture

Manage packet capture sessions on VMs.

az network watcher packet-capture create

Create and start a packet capture session.

az network watcher packet-capture delete

Delete a packet capture session.

az network watcher packet-capture list

List all packet capture sessions within a resource group.

az network watcher packet-capture show

Show details of a packet capture session.

az network watcher packet-capture show-status

Show the status of a packet capture session.

az network watcher packet-capture stop

Stop a running packet capture session.

az network watcher run-configuration-diagnostic

Run a configuration diagnostic on a target resource.

az network watcher show-next-hop

Get information on the 'next hop' of a VM.

az network watcher show-security-group-view

Get detailed security information on a VM for the currently configured network security group.

az network watcher show-topology

Get the network topology of a resource group, virtual network or subnet.

az network watcher test-connectivity

Test if a connection can be established between a Virtual Machine and a given endpoint.

az network watcher test-ip-flow

Test IP flow to/from a VM given the currently configured network security group rules.

az network watcher troubleshooting

Manage Network Watcher troubleshooting sessions.

az network watcher troubleshooting show

Get the results of the last troubleshooting operation.

az network watcher troubleshooting start

Troubleshoot issues with VPN connections or gateway connectivity.

az network watcher configure

Configure the Network Watcher service for different regions.

az network watcher configure --locations
                             [--enabled {false, true}]
                             [--resource-group]
                             [--subscription]
                             [--tags]

Examples

Configure Network Watcher for the West US region.

az network watcher configure -g NetworkWatcherRG -l westus --enabled true

Required Parameters

--locations -l

Space-separated list of locations to configure.

Optional Parameters

--enabled

Enabled status of Network Watcher in the specified regions.

accepted values: false, true

--resource-group -g

Name of resource group. Required when enabling new regions.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

az network watcher list

List Network Watchers.

az network watcher list [--query-examples]
                        [--subscription]

Examples

List all Network Watchers in a subscription.

az network watcher list

Optional Parameters

--query-examples

Recommend a JMESPath string for you. You can copy one of the queries and paste it after the --query parameter within double quotation marks to see the results. You can add one or more positional keywords so that we can give suggestions based on these keywords.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network watcher run-configuration-diagnostic

Run a configuration diagnostic on a target resource.

Requires that Network Watcher is enabled for the region in which the target is located.

az network watcher run-configuration-diagnostic --resource
                                                [--destination]
                                                [--direction {Inbound, Outbound}]
                                                [--parent]
                                                [--port]
                                                [--protocol {Http, Https, Icmp, Tcp}]
                                                [--queries]
                                                [--resource-group]
                                                [--resource-type {applicationGateways, networkInterfaces, virtualMachines}]
                                                [--source]
                                                [--subscription]

Examples

Run configuration diagnostic on a VM with a single query.

az network watcher run-configuration-diagnostic --resource {VM_ID} \
   --direction Inbound --protocol TCP --source 12.11.12.14 --destination 10.1.1.4 --port 12100

Run configuration diagnostic on a VM with multiple queries.

az network watcher run-configuration-diagnostic --resource {VM_ID} \
    --queries '[
    {
        "direction": "Inbound", "protocol": "TCP", "source": "12.11.12.14",
        "destination": "10.1.1.4", "destinationPort": "12100"
    },
    {
        "direction": "Inbound", "protocol": "TCP", "source": "12.11.12.0/32",
        "destination": "10.1.1.4", "destinationPort": "12100"
    },
    {
        "direction": "Outbound", "protocol": "TCP", "source": "12.11.12.14",
        "destination": "10.1.1.4", "destinationPort": "12100"
    }]'

Required Parameters

--resource

Name or ID of the target resource to diagnose. If an ID is given, other resource arguments should not be given.

Optional Parameters

--destination

Traffic destination. Accepted values are '*', IP address/CIDR, or service tag.

--direction

Direction of the traffic.

accepted values: Inbound, Outbound

--parent

The parent path (e.g. virtualMachineScaleSets/vmss1).

--port

Traffic destination port. Accepted values are '*', port number (3389) or port range (80-100).

--protocol

Protocol to be verified on.

accepted values: Http, Https, Icmp, Tcp

--queries

JSON list of queries to use. Use @{path} to load from a file.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--resource-type -t

The resource type.

accepted values: applicationGateways, networkInterfaces, virtualMachines

--source

Traffic source. Accepted values are '*', IP address/CIDR, or service tag.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network watcher show-next-hop

Get information on the 'next hop' of a VM.

Requires that Network Watcher is enabled for the region in which the VM is located. For more information about show-next-hop visit https://docs.microsoft.com/azure/network-watcher/network-watcher-check-next-hop-cli.

az network watcher show-next-hop --dest-ip
                                 --resource-group
                                 --source-ip
                                 --vm
                                 [--nic]
                                 [--subscription]

Examples

Get the next hop from a VM's assigned IP address to a destination at 10.1.0.4.

az network watcher show-next-hop -g MyResourceGroup --vm MyVm --source-ip 10.0.0.4 --dest-ip 10.1.0.4

Required Parameters

--dest-ip

Destination IPv4 address.

--resource-group -g

Name of the resource group the target VM is in.

--source-ip

Source IPv4 address.

--vm

Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.

Optional Parameters

--nic

Name or ID of the NIC resource to test. If the VM has multiple NICs and IP forwarding is enabled on any of them, this parameter is required.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network watcher show-security-group-view

Get detailed security information on a VM for the currently configured network security group.

For more information on using security group view visit https://docs.microsoft.com/azure/network-watcher/network-watcher-security-group-view-cli.

az network watcher show-security-group-view --resource-group
                                            --vm
                                            [--subscription]

Examples

Get the network security group information for the specified VM.

az network watcher show-security-group-view -g MyResourceGroup --vm MyVm

Required Parameters

--resource-group -g

Name of the resource group the target VM is in.

--vm

Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network watcher show-topology

Get the network topology of a resource group, virtual network or subnet.

For more information about using network topology visit https://docs.microsoft.com/azure/network-watcher/network-watcher-topology-cli.

az network watcher show-topology [--location]
                                 [--resource-group]
                                 [--subnet]
                                 [--subscription]
                                 [--vnet]

Examples

Use show-topology to get the topology of resources within a resource group.

az network watcher show-topology -g MyResourceGroup

Optional Parameters

--location -l

Location. Defaults to the location of the target resource group.

--resource-group -g

The name of the target resource group to perform topology on.

--subnet

Name or ID of the subnet to target. If name is used, --vnet NAME must also be supplied.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vnet

Name or ID of the virtual network to target.

az network watcher test-connectivity

Test if a connection can be established between a Virtual Machine and a given endpoint.

To check connectivity between two VMs in different regions, use the VM IDs instead of the VM names for the source and destination resource arguments. To register for this feature or see additional examples, visit https://docs.microsoft.com/azure/network-watcher/network-watcher-connectivity-cli.

az network watcher test-connectivity --source-resource
                                     [--dest-address]
                                     [--dest-port]
                                     [--dest-resource]
                                     [--headers]
                                     [--method {Get}]
                                     [--protocol {Http, Https, Icmp, Tcp}]
                                     [--resource-group]
                                     [--source-port]
                                     [--subscription]
                                     [--valid-status-codes]

Examples

Check connectivity between two virtual machines in the same resource group over port 80.

az network watcher test-connectivity -g MyResourceGroup --source-resource MyVmName1 --dest-resource MyVmName2 --dest-port 80

Check connectivity between two virtual machines in the same subscription in two different resource groups over port 80.

az network watcher test-connectivity --source-resource MyVmId1 --dest-resource MyVmId2 --dest-port 80

Required Parameters

--source-resource

Name or ID of the resource from which to originate traffic.

Optional Parameters

--dest-address

The IP address or URI at which to receive traffic.

--dest-port

Port number on which to receive traffic.

--dest-resource

Name or ID of the resource to receive traffic.

--headers

Space-separated list of headers in KEY=VALUE format.

--method

HTTP method to use.

accepted values: Get

--protocol

Protocol to test on.

accepted values: Http, Https, Icmp, Tcp

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--source-port

Port number from which to originate traffic.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--valid-status-codes

Space-separated list of HTTP status codes considered valid.

az network watcher test-ip-flow

Test IP flow to/from a VM given the currently configured network security group rules.

Requires that Network Watcher is enabled for the region in which the VM is located. For more information visit https://docs.microsoft.com/azure/network-watcher/network-watcher-check-ip-flow-verify-cli.

az network watcher test-ip-flow --direction {Inbound, Outbound}
                                --local
                                --protocol {Http, Https, Icmp, Tcp}
                                --remote
                                --vm
                                [--nic]
                                [--resource-group]
                                [--subscription]

Examples

Run test-ip-flow verify to test logical connectivity from a VM to the specified destination IPv4 address and port.

az network watcher test-ip-flow -g MyResourceGroup --direction Outbound \
    --protocol TCP --local '10.0.0.4:*' --remote 10.1.0.4:80 --vm MyVm

Required Parameters

--direction

Direction of the packet relative to the VM.

accepted values: Inbound, Outbound

--local

The private IPv4 address for the VM's NIC and the port of the packet in X.X.X.X:PORT format. * can be used for port when direction is outbound.

--protocol

Protocol to test.

accepted values: Http, Https, Icmp, Tcp

--remote

The IPv4 address and port for the remote side of the packet in X.X.X.X:PORT format. * can be used for port when the direction is inbound.

--vm

Name or ID of the VM to target. If the name of the VM is provided, the --resource-group is required.

Optional Parameters

--nic

Name or ID of the NIC resource to test. If the VM has multiple NICs and IP forwarding is enabled on any of them, this parameter is required.

--resource-group -g

Name of the resource group the target VM is in.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
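
The --local and --remote rules for test-ip-flow above (X.X.X.X:PORT, with * allowed only on the source-side port for the given direction) can be checked before a request is sent, which helps when NSG rule audits are scripted over many address and port pairs. This is an added example, not part of the Azure CLI documentation; the helper names (valid_ipv4, valid_endpoint, check_ip_flow_args, ip_flow) are hypothetical, and the 0-65535 port range and exact-case direction match are assumptions.

```shell
# Added example; helper names are hypothetical, not Azure CLI commands.

# valid_ipv4 ADDR: succeed if ADDR is a dotted quad with each octet 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _save_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$_save_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
}

# valid_endpoint ENDPOINT WILDCARD_OK: ENDPOINT is X.X.X.X:PORT where PORT is
# 0-65535 (assumed range), or '*' only when WILDCARD_OK is "yes".
valid_endpoint() {
    case $1 in *:*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%:*}" || return 1
    _port=${1##*:}
    if [ "$_port" = '*' ]; then
        [ "$2" = yes ]; return
    fi
    case $_port in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$_port" -le 65535 ]
}

# check_ip_flow_args DIRECTION LOCAL REMOTE: the port may be '*' on --local
# when Outbound and on --remote when Inbound, per the parameter text above.
check_ip_flow_args() {
    case $1 in
        Outbound) valid_endpoint "$2" yes && valid_endpoint "$3" no ;;
        Inbound)  valid_endpoint "$2" no  && valid_endpoint "$3" yes ;;
        *) return 1 ;;
    esac
}

# ip_flow RG VM DIRECTION PROTOCOL LOCAL REMOTE: call az only when the
# endpoints pass; quoting "$5"/"$6" keeps the shell from glob-expanding '*'.
ip_flow() {
    check_ip_flow_args "$3" "$5" "$6" || {
        echo "invalid --local/--remote for $3: $5 / $6" >&2
        return 2
    }
    az network watcher test-ip-flow -g "$1" --vm "$2" --direction "$3" \
        --protocol "$4" --local "$5" --remote "$6"
}
```

With the values from the example above, the call would be ip_flow MyResourceGroup MyVm Outbound TCP '10.0.0.4:*' 10.1.0.4:80.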