I Deleted This Azure Resource and Broke Everything — The Trap You Don’t Know You’re Walking Into

Like any good Azure admin, I was cleaning up unused resources in a dev subscription. You know the drill — rogue resource groups, random NICs, and “test” VMs from two years ago still eating budget. Then I saw it: a weirdly named resource in every region, “NetworkWatcher_regionname.” It looked like auto-generated bloat. Probably optional. I deleted them. And I regret everything.

What Is Azure Network Watcher Doing?

Microsoft says:

“Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in a virtual network.”

If you want ANY kind of network visibility, you need it.

We’re talking about:

  • NSG Flow Logs
  • Connection Monitors
  • Packet Captures
  • IP Flow Verification
  • Topology Maps
  • Next Hop Analysis

Without Network Watcher in a region, you won’t get alerts, and you won’t get traces. You won’t know why your API isn’t hitting your backend. You will be debugging in the dark.

Why 90% of Azure Engineers Get This Wrong

There are three reasons:

1. It’s Created Automatically — But Only Sometimes

Azure will create a Network Watcher instance the first time you do something diagnostic in that region. So in your first month with Azure, you might not even notice it exists.

2. It Doesn’t Cost You Much

There’s no screaming budget alert tied to it. It’s nearly free unless you’re running flow logs constantly. So it quietly lives in your resource group, forgotten.

3. It Feels Optional

Unlike a VM or App Service, nothing seems to depend on Network Watcher until it’s not there. And when it is missing, your tools won’t error out; they just silently return nothing.

Outages Caused by This One Delete

Case 1: Lost Logs = Failed Audit

A FinTech client deleted Network Watcher to “clean up” unused services. A month later, their compliance auditor asked for flow logs from a high-sensitivity subnet. Guess what? No logs. No audit trail. That’s a big problem when you’re under SOC 2 and PCI-DSS.

Case 2: Impossible Bug to Trace

A dev team working with private endpoints noticed intermittent failures from one region. After days of packet tracing, they realized no Connection Monitor alerts were firing. Network Watcher was deleted during a Terraform “destroy” in test and never recreated in prod.

How to Fix It — and Never Get Burned Again

Step 1: Check Where It’s Missing

Run this in Azure CLI:

az network watcher list --output table

You should see a Network Watcher in every region you operate in.

Run this to create one in a region that has none (the flag is --locations and accepts one or more regions):

az network watcher configure --locations <region> --resource-group <your-rg> --enabled true

Step 2: Protect It From Accidental Deletion

Tag it clearly.

Environment: Production  
Owner: AzureNetworking
DoNotDelete: true

Apply resource locks to stop eager admins from removing it via the portal or automation.

az lock create --name "protect-nw" --lock-type CanNotDelete --resource-group <your-rg> --resource <network-watcher-name> --resource-type Microsoft.Network/networkWatchers
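The two steps above, done in one pass: an added script (not from the original post) that lists every region where the subscription actually has resources, compares that with the regions that already have a Network Watcher, and creates, tags and locks a watcher in each region that is missing one. It assumes a logged-in Azure CLI and uses Azure’s default watcher resource group “NetworkWatcherRG” and the default “NetworkWatcher_<region>” name (override NW_RG if your watchers live elsewhere); the tag values are the ones from the tagging step above.

```shell
#!/bin/sh
# Added example (not the post's own code): find regions that host resources
# but have no Network Watcher, then create, tag, and lock a watcher there.
# Assumes: `az login` has been done; watchers live in NetworkWatcherRG and
# are named NetworkWatcher_<region> (Azure's defaults, override via NW_RG).
set -eu

NW_RG="${NW_RG:-NetworkWatcherRG}"

# Pure helper (no az calls, so it can be tested offline): given a
# newline-separated list of regions in use and a newline-separated list of
# regions that already have a watcher, print the regions missing one.
missing_regions() {
  existing=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
  printf '%s\n' "$1" | sed '/^$/d' | sort -u | while IFS= read -r region; do
    # grep -Fx: fixed string, whole line, so "eastus" does not match "eastus2"
    printf '%s\n' "$existing" | grep -Fxq -- "$region" || printf '%s\n' "$region"
  done
}

# Regions that currently host at least one resource in this subscription.
# "global" is a pseudo-location (DNS zones, Traffic Manager) with no watcher.
regions_in_use() {
  az resource list --query "[].location" -o tsv | grep -vx global || true
}

# Regions that already have a Network Watcher.
watcher_regions() {
  az network watcher list --query "[].location" -o tsv
}

# Create (or enable) the watcher in one region, tag it, and lock it.
ensure_watcher() {
  region="$1"
  az network watcher configure --locations "$region" --resource-group "$NW_RG" \
    --enabled true \
    --tags Environment=Production Owner=AzureNetworking DoNotDelete=true
  az lock create --name "protect-nw-$region" --lock-type CanNotDelete \
    --resource-group "$NW_RG" --resource "NetworkWatcher_$region" \
    --resource-type Microsoft.Network/networkWatchers
}

main() {
  missing=$(missing_regions "$(regions_in_use)" "$(watcher_regions)")
  if [ -z "$missing" ]; then
    echo "Every region in use already has a Network Watcher."
    return 0
  fi
  echo "Regions missing a Network Watcher:"
  printf '%s\n' "$missing"
  printf '%s\n' "$missing" | while IFS= read -r region; do
    ensure_watcher "$region"
  done
}

# Only touch the subscription when explicitly asked, so the helpers above
# can be sourced and exercised without credentials.
if [ "${1:-}" = "--apply" ]; then
  main
else
  echo "usage: $0 --apply   (create, tag and lock watchers in every region in use)"
fi
```

Run it as `sh ensure-watchers.sh --apply` from a shell where `az account show` already returns the subscription you mean to fix; the lock name includes the region so the CanNotDelete lock on each watcher is distinct, and re-running the script is harmless because `configure --enabled true` is idempotent for a region that already has a watcher.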

Tips That Nobody Talks About

  1. Use Network Watcher Across Subscriptions: It’s regional, not tenant-specific. One instance in the East US can monitor multiple subscriptions.
  2. Don’t Just Use Flow Logs — Export Them to Log Analytics or Storage. Otherwise, retention is short and hard to search.
  3. Secure Diagnostic Destinations. Many people turn on diagnostics but leave the logs in storage blobs that aren’t properly access-controlled.
