Next Hop
The Next Hop tool provides a useful way to understand how a VM’s outbound traffic is being directed. For a given outbound flow, it shows the next hop IP address and type, together with the route table ID of any user-defined route in effect (when only a system route applies, the route table ID is reported as “System Route”). This makes it the quickest way to confirm that a user-defined route is doing what you intend, for example forcing Internet-bound traffic through a firewall appliance rather than letting it leave directly. Possible next hop types are:
- Internet
- VirtualAppliance
- VirtualNetworkGateway
- VirtualNetwork
- VirtualNetworkPeering
- VirtualNetworkServiceEndpoint
- None (the traffic is dropped; this is the result of a user-defined route whose next hop type is None)
To use Next Hop via the Azure portal, open Network Watcher and click Next Hop. Select the source VM, NIC, IP address, and the destination address, as shown in Figure 5-42.
The destination can be any IP address, either on the internal network or the internet.
FIGURE 5-42 Network Watcher Next Hop
Next Hop can also be used from PowerShell using the Get-AzNetworkWatcherNextHop cmdlet, or the Azure CLI using the az network watcher show-next-hop command. Both take the same inputs as the portal: the source VM (and, optionally, the NIC), the source IP address, and the destination IP address, and both return the next hop IP address, next hop type, and route table ID.
Packet Capture
The Packet Capture tool captures network packets entering or leaving your virtual machines. It is a powerful tool for deep network diagnostics. It relies on the Network Watcher agent VM extension (AzureNetworkWatcherExtension) running on the VM; if the extension is not already installed, it is installed automatically when you start a capture.
You can capture all packets, or a filtered subset based on the protocol and the local and remote IP addresses and ports. You can also specify the maximum number of bytes to keep per packet, the maximum overall capture size, and a time limit (captures start almost immediately once configured).
Packet captures are stored as a .cap file on the VM, in an Azure storage account, or both. When a storage account is used, any NSG on the VM’s NIC or subnet must allow outbound traffic from the VM to Azure Storage (the Storage service tag is the simplest way to express this). The file is in standard pcap format and can be analyzed offline using common tools such as Wireshark or Microsoft Message Analyzer (the latter has since been retired, so Wireshark is the practical choice).
To use the Packet Capture tool, open Network Watcher and click Packet Capture, then Add.
Select the VM, give the capture a name, and specify where the capture is stored (storage account, file on the VM, or both), the bytes to keep per packet, the total capture size, the time limit, and any filters. An example is shown in Figure 5-43.
FIGURE 5-43 Network Watcher Packet Capture
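Because the capture is an ordinary pcap file, it can be processed with scripts as well as with Wireshark, which is useful when the question is narrow (“did this VM talk to anything other than our HTTPS endpoints?”) and the capture is large. The following Python is an added example, not part of Network Watcher or the original text: it builds a small constructed capture in the same file layout that Network Watcher writes, then parses it back, counts flows and lists remote endpoints the VM contacted that are not on an allow list. The frames, addresses, and the function names build_frame, build_pcap, iter_frames, parse_flow, flow_counts and unexpected_egress are all constructed for this example; checksums in the constructed frames are left zero, which is fine for header parsing but would be flagged by Wireshark.

```python
import struct
from collections import Counter
from ipaddress import ip_address

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
TCP, UDP = 6, 17


def build_frame(src_ip, dst_ip, src_port, dst_port, proto=TCP):
    """Constructed Ethernet/IPv4 frame with a minimal L4 header (all checksums
    left zero; enough for header parsing, not for replay)."""
    eth = bytes(6) + bytes.fromhex("001122334455") + b"\x08\x00"   # dst, src, IPv4 ethertype
    l4 = struct.pack("!HH", src_port, dst_port) + bytes(16)         # ports + padding
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip + l4


def build_pcap(frames):
    """Assemble a little-endian pcap file: 24-byte global header, then one
    16-byte record header per frame (constructed data for this example)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield the raw frames of a classic pcap file, handling either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_flow(frame):
    """(src, dst, proto, sport, dport) for an IPv4 frame, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = frame[23]
    src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto in (TCP, UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    else:
        sport = dport = None
    return src, dst, proto, sport, dport


def flow_counts(data):
    """Packet count per 5-tuple."""
    return Counter(f for f in map(parse_flow, iter_frames(data)) if f)


def unexpected_egress(data, vm_ip, allowed_remote_ports):
    """Remote (dst, proto, port) triples the VM initiated traffic to that are
    not on the allow list."""
    return sorted({(dst, proto, dport)
                   for (src, dst, proto, _sport, dport) in flow_counts(data)
                   if src == vm_ip and dport not in allowed_remote_ports})


# Constructed capture: the VM at 10.0.0.4 talks HTTPS to a host, then something
# on it opens an outbound SSH session and sends DNS to a non-Azure resolver.
SAMPLE_CAP = build_pcap([
    build_frame("10.0.0.4", "13.107.42.14", 50001, 443),
    build_frame("13.107.42.14", "10.0.0.4", 443, 50001),
    build_frame("10.0.0.4", "13.107.42.14", 50001, 443),
    build_frame("10.0.0.4", "198.51.100.9", 50002, 22),
    build_frame("10.0.0.4", "192.0.2.53", 50003, 53, proto=UDP),
])

if __name__ == "__main__":
    for flow, n in flow_counts(SAMPLE_CAP).most_common():
        print(n, flow)
    print("unexpected:", unexpected_egress(SAMPLE_CAP, "10.0.0.4", {443}))
```

To use this on a real capture, download the .cap from the storage account (or copy it off the VM) and pass its bytes to flow_counts or unexpected_egress with the VM’s private IP and the ports it is supposed to reach. Capturing with a filter on the VM’s local address and the remote port range keeps the file small enough for this kind of one-pass analysis.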
Network topology
The network topology view in Network Watcher provides a diagrammatic view of the resources in your virtual network and the relationships between them. It is not a diagnostic or alerting tool; it is a quick and easy way to review your network resources and manually check for misconfiguration, such as a subnet or NIC with no network security group attached.
A limitation of the tool is that it only shows the topology within a single virtual network. All common network resource types are supported, although for application gateways, only the backend pool connected to the network interface is shown.
To view the network topology via the Azure portal, open Network Watcher and click Topology. Select the resource group and virtual network, and the topology will be shown.
An example topology is given in Figure 5-44.
FIGURE 5-44 Viewing network topology in Network Watcher
The underlying topology data can be downloaded in JSON format via Azure PowerShell or the Azure CLI, using the Get-AzNetworkWatcherTopology cmdlet or the az network watcher show-topology command, respectively.
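The JSON export is the practical route when a VNet is too large to eyeball, because the same misconfiguration check you would do by hand on the diagram can be run over the resource list. The following Python is an added example, not part of Network Watcher or the original text: it walks a topology document in the general shape the CLI and PowerShell commands return (a list of resources, each with associations to other resources marked Associated or Contains) and reports every NIC that is protected by no NSG at either the NIC or the subnet level, and in particular any such NIC that also has a public IP. The sample topology, resource names, and the function names nsg_coverage, unprotected_nics and exposed_nics are constructed for this example, and the document shape is an approximation of the real export, so check the field names against an actual download before relying on it.

```python
# Constructed topology in the general shape returned by
# `az network watcher show-topology` / Get-AzNetworkWatcherTopology. Resource
# IDs use the standard ARM layout; names and associations are made up.
SUB = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
       "/providers/Microsoft.Network")
VNET = f"{SUB}/virtualNetworks/vnet-app"
ASSOCIATED, CONTAINS = "Associated", "Contains"


def nic(name):    return f"{SUB}/networkInterfaces/{name}"
def nsg(name):    return f"{SUB}/networkSecurityGroups/{name}"
def pip(name):    return f"{SUB}/publicIPAddresses/{name}"
def subnet(name): return f"{VNET}/subnets/{name}"


def resource(rid, *assoc):
    """One topology entry; assoc is (resourceId, associationType) pairs."""
    return {"name": rid.rsplit("/", 1)[-1], "id": rid, "location": "westeurope",
            "associations": [{"name": a.rsplit("/", 1)[-1], "resourceId": a,
                              "associationType": t} for a, t in assoc]}


SAMPLE_TOPOLOGY = {"id": VNET, "resources": [
    resource(VNET, (subnet("web"), CONTAINS), (subnet("db"), CONTAINS)),
    # web subnet: NSG applied at the subnet, so its NIC inherits protection
    resource(subnet("web"), (nic("nic-web1"), CONTAINS), (nsg("nsg-web"), ASSOCIATED)),
    # db subnet: no subnet NSG; one NIC has its own NSG, the other has none
    resource(subnet("db"), (nic("nic-db1"), CONTAINS), (nic("nic-db2"), CONTAINS)),
    resource(nic("nic-web1")),
    resource(nic("nic-db1"), (nsg("nsg-db"), ASSOCIATED)),
    resource(nic("nic-db2"), (pip("pip-db2"), ASSOCIATED)),   # public IP, no NSG
    resource(nsg("nsg-web")), resource(nsg("nsg-db")), resource(pip("pip-db2")),
]}


def associated(res, segment):
    """IDs this resource is associated with whose ID contains /<segment>/."""
    return [a["resourceId"] for a in res["associations"]
            if a["associationType"] == ASSOCIATED and f"/{segment}/" in a["resourceId"]]


def nsg_coverage(topology):
    """Per NIC: the NSGs that apply (NIC level plus subnet level), the subnet,
    and whether a public IP is attached."""
    resources = {r["id"]: r for r in topology["resources"]}
    subnet_of = {}
    for r in resources.values():
        if "/subnets/" in r["id"]:
            for a in r["associations"]:
                if a["associationType"] == CONTAINS and "/networkInterfaces/" in a["resourceId"]:
                    subnet_of[a["resourceId"]] = r["id"]
    report = {}
    for rid, r in resources.items():
        if "/networkInterfaces/" not in rid:
            continue
        nsgs = set(associated(r, "networkSecurityGroups"))
        sn = subnet_of.get(rid)
        if sn:
            nsgs |= set(associated(resources[sn], "networkSecurityGroups"))
        report[r["name"]] = {"nsgs": sorted(nsgs), "subnet": sn,
                             "public_ip": bool(associated(r, "publicIPAddresses"))}
    return report


def unprotected_nics(topology):
    """NICs with no NSG at either level."""
    return sorted(n for n, i in nsg_coverage(topology).items() if not i["nsgs"])


def exposed_nics(topology):
    """The worst case: no NSG and a public IP attached."""
    return sorted(n for n, i in nsg_coverage(topology).items()
                  if not i["nsgs"] and i["public_ip"])


if __name__ == "__main__":
    for name, info in nsg_coverage(SAMPLE_TOPOLOGY).items():
        print(name, info)
    print("unprotected:", unprotected_nics(SAMPLE_TOPOLOGY))
    print("exposed:", exposed_nics(SAMPLE_TOPOLOGY))
```

Because the topology only covers one virtual network, run this once per VNet (the CLI takes --resource-group and --vnet) and merge the results; peered VNets and the hub that hosts the firewall will each need their own export.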