WEBVTT 0:00:02.700000 --> 0:00:07.700000 In this video, we're going to take a look at monitoring Azure Virtual 0:00:07.700000 --> 0:00:11.700000 Networks. What we're going to do is we're going to talk about what components 0:00:11.700000 --> 0:00:14.000000 you can monitor. 0:00:14.000000 --> 0:00:18.620000 Then we'll look at Network Watcher and what that is and what it brings 0:00:18.620000 --> 0:00:22.660000 to the table. We'll drill into troubleshooting networking, what are some 0:00:22.660000 --> 0:00:25.120000 of the capabilities we have for troubleshooting networking. 0:00:25.120000 --> 0:00:31.420000 Then we'll go into one of the more interesting and complex components 0:00:31.420000 --> 0:00:35.380000 of network monitoring, which is network performance monitoring. 0:00:35.380000 --> 0:00:38.980000 Finally, I'm going to demonstrate network monitoring. 0:00:38.980000 --> 0:00:42.700000 I'm going to go through the Network Watcher options and we're going to 0:00:42.700000 --> 0:00:45.640000 take a look at network performance monitor. 0:00:45.640000 --> 0:00:49.020000 Let's go ahead and let's jump into this. 0:00:49.020000 --> 0:00:58.660000 We're going to start out talking about the components that we can monitor. 0:00:58.660000 --> 0:01:03.180000 These are the basic components that you can monitor. 0:01:03.180000 --> 0:01:09.360000 By monitoring these, you can use standard Azure monitoring capabilities. 0:01:09.360000 --> 0:01:12.820000 In other words, that monitor option that will allow you to write diagnostic 0:01:12.820000 --> 0:01:18.940000 data out to a storage account, out to log analytics, or out to an event 0:01:18.940000 --> 0:01:24.800000 hub. 
For virtual networks and NICs and public IP addresses and NSGs and 0:01:24.800000 --> 0:01:29.320000 load balancers and application gateways, these different components of 0:01:29.320000 --> 0:01:35.760000 your networking capabilities, all of these can be monitored through standard 0:01:35.760000 --> 0:01:37.660000 Azure monitoring means. 0:01:37.660000 --> 0:01:43.860000 Beyond that, we also have what's called Network Watcher. 0:01:43.860000 --> 0:01:48.280000 Network Watcher is a component of Azure Monitor. 0:01:48.280000 --> 0:01:53.980000 What's interesting is that literally this morning, while I was setting 0:01:53.980000 --> 0:01:59.380000 up for this video, I went into the portal and the portal's changed a little 0:01:59.380000 --> 0:02:00.020000 bit around this. 0:02:00.020000 --> 0:02:01.500000 This is actually evolving. 0:02:01.500000 --> 0:02:05.520000 They're adding a new layer of monitoring, kind of a monitoring dashboard, 0:02:05.520000 --> 0:02:10.240000 but you can still get to this detailed capabilities, or these detailed 0:02:10.240000 --> 0:02:12.880000 capabilities. I'll show you that in the demonstration. 0:02:12.880000 --> 0:02:18.260000 Really, if we look at this, we've got three, four different components 0:02:18.260000 --> 0:02:20.460000 of Network Watcher. 0:02:20.460000 --> 0:02:22.320000 First of all, you've got monitoring. 0:02:22.320000 --> 0:02:28.620000 You can see things like topology and connection monitor and network performance. 0:02:28.620000 --> 0:02:32.580000 Then you've got diagnostics tools, which is that last topic there. 0:02:32.580000 --> 0:02:34.960000 You've got IP flow verify. 0:02:34.960000 --> 0:02:38.020000 You've got next hop, effective security rules. 0:02:38.020000 --> 0:02:39.540000 You can see VPN packet capture. 0:02:39.540000 --> 0:02:43.520000 This will even do packet capture, which is pretty cool, and connection 0:02:43.520000 --> 0:02:47.800000 troubleshoot. You've got metrics and you also have logs. 
0:02:47.800000 --> 0:02:53.340000 Not only diagnostic logs, but NSG flow logs, you can see how your NSG 0:02:53.340000 --> 0:02:59.120000 has been implemented or how it's affecting your traffic. 0:02:59.120000 --> 0:03:01.640000 All of these are part of what's called Network Watcher. 0:03:01.640000 --> 0:03:04.540000 Now, what's interesting about Network Watcher is there's a couple of different 0:03:04.540000 --> 0:03:08.020000 levels. The basic level of Network Watcher, which will give you things 0:03:08.020000 --> 0:03:13.240000 like topology, that requires you to activate Network Watcher in a region 0:03:13.240000 --> 0:03:15.160000 within your subscription. 0:03:15.160000 --> 0:03:19.320000 And any region that you want to monitor, you activate the Network Watcher 0:03:19.320000 --> 0:03:22.740000 component for. And you can do that through monitor. 0:03:22.740000 --> 0:03:26.780000 The other element, the other layer, is more sophisticated. 0:03:26.780000 --> 0:03:31.640000 And in order to have things like Network Performance Monitor, you actually 0:03:31.640000 --> 0:03:38.640000 have to have an agent running on a Windows server in a given network that 0:03:38.640000 --> 0:03:40.500000 you want to monitor. 0:03:40.500000 --> 0:03:43.980000 So it's not that I can just come in here right away and I've got networks 0:03:43.980000 --> 0:03:45.860000 going, I just pop in and get this information. 0:03:45.860000 --> 0:03:48.820000 There's going to be a little bit of work that I need to do to configure 0:03:48.820000 --> 0:03:54.040000 the system so that it will, in fact, support what I'm looking to do. 0:03:54.040000 --> 0:03:57.180000 Now, speaking of which, I'm going to go through some of these when we 0:03:57.180000 --> 0:03:58.660000 talk about troubleshooting. 0:03:58.660000 --> 0:04:03.020000 What are some of the troubleshooting capabilities that we have right here? 0:04:03.020000 --> 0:04:07.020000 I have some things like IP Flow Verify. 
0:04:07.020000 --> 0:04:12.180000 I want to make sure that an IP request can get from a source to a destination. 0:04:12.180000 --> 0:04:17.540000 Very simple diagnostic or troubleshooting capability. 0:04:17.540000 --> 0:04:21.320000 Next hop, I use this sadly more than I'd like to admit. 0:04:21.320000 --> 0:04:22.700000 I've set up routing rules. 0:04:22.700000 --> 0:04:24.800000 I've set up a route table with routing rules. 0:04:24.800000 --> 0:04:29.680000 And I want to make sure that when I'm trying to go to a particular address 0:04:29.680000 --> 0:04:33.780000 from a source in a virtual network, that it's actually going to the next 0:04:33.780000 --> 0:04:35.280000 hop as I expect it to. 0:04:35.280000 --> 0:04:37.140000 So make sure I've got my rules right there. 0:04:37.140000 --> 0:04:40.980000 Effective security rules, there's actually a few different places that 0:04:40.980000 --> 0:04:42.880000 you can go to for that. 0:04:42.880000 --> 0:04:44.880000 You can go to this. 0:04:44.880000 --> 0:04:48.780000 I can also go, for example, to a virtual machine and pull up the effective 0:04:48.780000 --> 0:04:50.080000 security rules for that. 0:04:50.080000 --> 0:04:53.240000 It's really just looking at the combination of security rules that may 0:04:53.240000 --> 0:04:58.860000 be applied based on the subnet and NIC settings for a particular virtual 0:04:58.860000 --> 0:05:03.300000 machine. VPN troubleshoot is going to let you walk through issues with 0:05:03.300000 --> 0:05:07.620000 a VPN. Make sure that your VPN traffic is working properly. 0:05:07.620000 --> 0:05:11.320000 Packet capture, very low level stuff. 0:05:11.320000 --> 0:05:13.360000 There we go. I was too excited about it. 0:05:13.360000 --> 0:05:17.200000 Packet capture. If you're familiar with tools like Wireshark, it is not 0:05:17.200000 --> 0:05:19.820000 Wireshark. It's not that sophisticated. 
0:05:19.820000 --> 0:05:24.160000 But, for example, capability that we used to have on Windows, with the 0:05:24.160000 --> 0:05:27.840000 old network monitor capability, it's doing exactly what it sounds like. 0:05:27.840000 --> 0:05:30.740000 It's listening for any kind of packet traffic. 0:05:30.740000 --> 0:05:34.080000 It's recording that traffic so you can later analyze it. 0:05:34.080000 --> 0:05:38.240000 Now, connection troubleshoot is actually kind of similar to connection 0:05:38.240000 --> 0:05:43.780000 monitor. Monitor is looking at connectivity over time. 0:05:43.780000 --> 0:05:47.520000 Connection troubleshoot allows you to take a one-off test. 0:05:47.520000 --> 0:05:51.260000 So if you want to make sure that traffic is getting from point A to point 0:05:51.260000 --> 0:05:55.620000 B, that's what you would use connection troubleshoot for. 0:05:55.620000 --> 0:05:59.800000 Those are what I would consider the primary troubleshooting tools. 0:05:59.800000 --> 0:06:04.100000 If you need to see history, you want to go back and see what's been happening, 0:06:04.100000 --> 0:06:08.480000 that's where I would go and look at the logs, NSG flow logs, diagnostic 0:06:08.480000 --> 0:06:14.940000 logs, as well to see what kinds of issues that you might be running into. 0:06:14.940000 --> 0:06:18.940000 Now, the next thing I want to talk about is network performance monitor. 0:06:18.940000 --> 0:06:22.720000 I'm going to talk about network performance monitor here because it really 0:06:22.720000 --> 0:06:28.980000 is the key service that requires some of the configuration I'm going to 0:06:28.980000 --> 0:06:33.540000 talk about. If you want to set up network performance monitor, there's 0:06:33.540000 --> 0:06:38.480000 actually a number of configuration items that you have to go through. 0:06:38.480000 --> 0:06:43.920000 Now, performance monitor, as you will see, is actually a log analytics 0:06:43.920000 --> 0:06:50.080000 solution. 
So in order to have network performance monitor, I need to have 0:06:50.080000 --> 0:07:00.840000 a log analytics workspace. 0:07:00.840000 --> 0:07:11.700000 And if I have a log analytics workspace, I can then install the network 0:07:11.700000 --> 0:07:25.000000 performance monitor as a solution in the log analytics workspace. 0:07:25.000000 --> 0:07:29.640000 And what that will do is collect data from virtual networks. 0:07:29.640000 --> 0:07:36.320000 However, in order to collect data from a virtual network, these are two 0:07:36.320000 --> 0:07:40.040000 VNets. I'll just write that in real quick. 0:07:40.040000 --> 0:07:47.380000 VNet. That's a V, not a U. 0:07:47.380000 --> 0:07:52.400000 There you go. What you have to have in any virtual network that you want 0:07:52.400000 --> 0:07:57.680000 to participate in network performance monitor, you need to have a Windows 0:07:57.680000 --> 0:08:08.600000 server with the log analytics agent installed and properly configured. 0:08:08.600000 --> 0:08:16.240000 Now, once I have that installed and configured, then those log analytics 0:08:16.240000 --> 0:08:22.300000 agents are going to report analytics data, including networking analytics 0:08:22.300000 --> 0:08:26.080000 data into network performance monitor. 0:08:26.080000 --> 0:08:29.860000 And then once I'm in network performance monitor, I've got a solution 0:08:29.860000 --> 0:08:34.260000 that I can view where I see things like charts and graphs of performance. 0:08:34.260000 --> 0:08:36.620000 And we'll just put, there you go. 0:08:36.620000 --> 0:08:39.040000 There's a line chart, there's a bar chart, sorry. 0:08:39.040000 --> 0:08:42.840000 I have no graphical capabilities whatsoever. 0:08:42.840000 --> 0:08:47.560000 But in addition to network performance monitor itself, which you saw in 0:08:47.560000 --> 0:08:52.800000 the little slide on the network watcher, other capabilities require this 0:08:52.800000 --> 0:08:57.200000 as well. 
For example, if you're going to do packet capture, you have to 0:08:57.200000 --> 0:09:01.380000 have this configuration in any network that you're going to capture the 0:09:01.380000 --> 0:09:04.840000 data from. You have to have that agent that can be controlled through 0:09:04.840000 --> 0:09:08.080000 the performance monitor. 0:09:08.080000 --> 0:09:11.600000 Let's go ahead and let's take a look. 0:09:11.600000 --> 0:09:16.960000 I did that a little bit quickly, but we're going to take a look at network 0:09:16.960000 --> 0:09:24.520000 monitoring. And what I'm going to do is I am going to actually start out 0:09:24.520000 --> 0:09:26.600000 from my dashboard. 0:09:26.600000 --> 0:09:29.960000 And this is just my demo environment. 0:09:29.960000 --> 0:09:34.640000 And what I'm going to do is come down to monitor. 0:09:34.640000 --> 0:09:36.580000 You have a network monitor, just to monitor. 0:09:36.580000 --> 0:09:38.360000 This is not network monitor. 0:09:38.360000 --> 0:09:40.380000 Then I'm going to click on networks. 0:09:40.380000 --> 0:09:43.280000 And this interface is fairly new. 0:09:43.280000 --> 0:09:47.280000 It's really within the last week in terms of when this is being recorded. 0:09:47.280000 --> 0:09:49.600000 And in fact, it changed this morning. 0:09:49.600000 --> 0:09:51.180000 I actually think it changed sometime around noon. 0:09:51.180000 --> 0:09:52.860000 But this is pretty cool. 0:09:52.860000 --> 0:09:59.640000 Right away, I can pop in and I get the overall health of my networking 0:09:59.640000 --> 0:10:01.420000 within this subscription. 0:10:01.420000 --> 0:10:05.700000 And in fact, you can see this is actually across all subscriptions. 0:10:05.700000 --> 0:10:10.760000 I've got three subscriptions, resource groups, all types of networking 0:10:10.760000 --> 0:10:12.820000 and sorting doesn't really matter. 
0:10:12.820000 --> 0:10:18.220000 And I can see everything available, anything degraded, unavailable or 0:10:18.220000 --> 0:10:20.660000 unknown or health not supported. 0:10:20.660000 --> 0:10:26.040000 And so I've got three things here that are healthy. 0:10:26.040000 --> 0:10:29.540000 I've got a couple of things here that aren't reporting right now. 0:10:29.540000 --> 0:10:31.520000 Nothing degraded, which is good. 0:10:31.520000 --> 0:10:34.440000 And nothing that is unavailable. 0:10:34.440000 --> 0:10:37.180000 I also look through here and I don't have any alerts, which is great. 0:10:37.180000 --> 0:10:41.580000 So what I have now, and again, it's fairly new, is I have this dashboard 0:10:41.580000 --> 0:10:43.040000 and I can drill down. 0:10:43.040000 --> 0:10:46.160000 I'm going to go into application gateway. 0:10:46.160000 --> 0:10:49.680000 I can drill down into that. 0:10:49.680000 --> 0:10:53.380000 And then that actually takes me over to the item itself. 0:10:53.380000 --> 0:10:55.140000 Okay, so this is a bit new. 0:10:55.140000 --> 0:10:59.700000 Kind of cool. What I want to do though is I'm going to pop over to my 0:10:59.700000 --> 0:11:03.560000 network watcher, which now, to get there, I go to networks, useful links, 0:11:03.560000 --> 0:11:07.400000 network. Although I suspect, seeing as that literally just changed today, 0:11:07.400000 --> 0:11:11.820000 that it may well change for you by the time you view this, but you should 0:11:11.820000 --> 0:11:15.240000 still be able to get to these basic options. 0:11:15.240000 --> 0:11:19.720000 Now, the first thing, if you're going to use network watcher is you have 0:11:19.720000 --> 0:11:26.880000 to enable it across your subscriptions and any regions that you want it 0:11:26.880000 --> 0:11:39.180000 in. And if I expand it down, I can see which of the regions I have this 0:11:39.180000 --> 0:11:40.960000 active in and which I do not. 
0:11:40.960000 --> 0:11:45.000000 So I've got this turned on for West US and East US because that's typically 0:11:45.000000 --> 0:11:47.500000 where I'm working. 0:11:47.500000 --> 0:11:49.500000 So that's the first thing I set that up. 0:11:49.500000 --> 0:11:53.320000 Then, once I have that set up, I can have some pretty cool capabilities. 0:11:53.320000 --> 0:12:00.760000 For example, I can go to topology and I can view any networking topology. 0:12:00.760000 --> 0:12:04.220000 So here's one networking topology that I've got. 0:12:04.220000 --> 0:12:07.300000 And here's another. 0:12:07.300000 --> 0:12:11.960000 And it shows me, and I've used this actually in several of my demonstrations. 0:12:11.960000 --> 0:12:13.580000 I use this all the time. 0:12:13.580000 --> 0:12:16.920000 It's just giving me all of the different elements that are in a particular, 0:12:16.920000 --> 0:12:18.840000 in this case, resource group. 0:12:18.840000 --> 0:12:21.820000 I can select that down to a virtual network if I want. 0:12:21.820000 --> 0:12:23.520000 Okay, I just want hubnet. 0:12:23.520000 --> 0:12:28.800000 And I can see the details of what's there. 0:12:28.800000 --> 0:12:30.760000 So pretty cool stuff. 0:12:30.760000 --> 0:12:32.100000 Okay, building there. 0:12:32.100000 --> 0:12:33.940000 Connection Monitor. 0:12:33.940000 --> 0:12:36.100000 Go to connection monitor. 0:12:36.100000 --> 0:12:38.160000 I don't have any connection monitors. 0:12:38.160000 --> 0:12:41.660000 What I can do is add a connection monitor. 0:12:41.660000 --> 0:12:48.100000 And I'm going to say, all right, let's go demo monitor. 0:12:48.100000 --> 0:12:55.640000 And I'm going to take this from win server zero. 0:12:55.640000 --> 0:13:02.680000 And I want that to go to monitor VM. 0:13:02.680000 --> 0:13:12.520000 And I want to do this on port, we'll say, 3389. 0:13:12.520000 --> 0:13:17.940000 And if I want, I can actually set up a source port and a probing interval. 
0:13:17.940000 --> 0:13:21.120000 And so what that's going to do is it's going to, in this case, every 30 0:13:21.120000 --> 0:13:25.140000 seconds, it's going to check and make sure that I have connectivity between 0:13:25.140000 --> 0:13:28.020000 those two machines. 0:13:28.020000 --> 0:13:33.220000 All right, and to set that up, by the way, I also have to have that agent 0:13:33.220000 --> 0:13:36.420000 installed on at least one machine in each virtual network. 0:13:36.420000 --> 0:13:37.640000 And we'll get there. 0:13:37.640000 --> 0:13:40.020000 I'm going to come back to network performance monitor because that will 0:13:40.020000 --> 0:13:42.940000 kind of be the end of the demonstration. 0:13:42.940000 --> 0:13:45.600000 I want to show you IP flow verify. 0:13:45.600000 --> 0:13:47.580000 So here we go. I'm going to say, you know what? 0:13:47.580000 --> 0:13:51.620000 I want to see the flow and I'm going to go from, let's say, win server 0:13:51.620000 --> 0:13:55.560000 zero off of its network interface zero. 0:13:55.560000 --> 0:13:57.760000 I'm going to use TCP. 0:13:57.760000 --> 0:14:00.600000 I want this to be outbound. 0:14:00.600000 --> 0:14:07.100000 And the local port is the local IP address is 10.1.0.4. 0:14:07.100000 --> 0:14:10.160000 Local port, in this case, it doesn't matter, we'll set it at 80. 0:14:10.160000 --> 0:14:17.280000 The remote is 10.0.0.5, which hopefully is still running. 0:14:17.280000 --> 0:14:20.160000 And the remote port on that is 80. 0:14:20.160000 --> 0:14:24.600000 Actually, let's go with 22 because I don't think my 80 is running anymore. 0:14:24.600000 --> 0:14:29.080000 All right. And just to be consistent, even though I know that's not actually 0:14:29.080000 --> 0:14:30.460000 where it comes from. 0:14:30.460000 --> 0:14:33.640000 And I simply check that and I'm going to give that a moment and it's going 0:14:33.640000 --> 0:14:38.260000 to come back and tell me whether or not that connection was successful. 
0:14:38.260000 --> 0:14:46.120000 All right. And it tells me that the access was allowed and it did hit 0:14:46.120000 --> 0:14:48.500000 a security rule, allow VNet outbound. 0:14:48.500000 --> 0:14:51.580000 Awesome. Now, next hop is pretty cool. 0:14:51.580000 --> 0:14:53.440000 It's going to show you any routing. 0:14:53.440000 --> 0:14:56.600000 I don't have any routing rules set up. 0:14:56.600000 --> 0:15:00.020000 So this will be a pretty quick demonstration, but I can show it to you. 0:15:00.020000 --> 0:15:06.760000 Let's say I'm going to go from the win server zero and source IP is 10 0:15:06.760000 --> 0:15:13.420000 .1.0.4 and destination is 10.0.0.5. 0:15:13.420000 --> 0:15:22.020000 Now, in this case, when I hit the next hop, I should be very simple because 0:15:22.020000 --> 0:15:22.800000 I don't have any routing. 0:15:22.800000 --> 0:15:25.740000 It should go directly to the destination. 0:15:25.740000 --> 0:15:31.420000 If I've got routing set up, it's going to give me what the next hop would 0:15:31.420000 --> 0:15:33.360000 be. But in this case, it's actually pretty cool. 0:15:33.360000 --> 0:15:37.980000 Technically, there is a route that's a system route, virtual network peering. 0:15:37.980000 --> 0:15:42.600000 So that's how it gets from 10.1.0.4 to 10.0.0.5. 0:15:42.600000 --> 0:15:45.860000 All right. Effective security rules, you can view that. 0:15:45.860000 --> 0:15:46.640000 That's pretty simple. 0:15:46.640000 --> 0:15:51.580000 You're just looking at a VM and seeing what the security rules are. 0:15:51.580000 --> 0:15:52.700000 VPN troubleshoot. 0:15:52.700000 --> 0:15:56.240000 Actually, have a couple of VPNs. 0:15:56.240000 --> 0:16:00.100000 I'm not going to run troubleshooting because it takes about an hour. 0:16:00.100000 --> 0:16:08.140000 And it does a full diagnostics to see how your VPN gateways are working. 0:16:08.140000 --> 0:16:13.120000 Packet capture. It's actually pretty cool here. 
0:16:13.120000 --> 0:16:17.880000 And apparently, oh, that was an old one that I had. 0:16:17.880000 --> 0:16:22.000000 Delete that. That no longer exists. 0:16:22.000000 --> 0:16:25.140000 But I can add a new packet capture. 0:16:25.140000 --> 0:16:30.700000 So all right. One of my machines that actually are capturing, I say, monitor 0:16:30.700000 --> 0:16:33.980000 packet capture name demo. 0:16:33.980000 --> 0:16:38.600000 I'm going to go and send that to a storage account. 0:16:38.600000 --> 0:16:40.600000 Sure, we'll go with that one. 0:16:40.600000 --> 0:16:44.740000 I can set maximum bytes per packet, maximum bytes per session. 0:16:44.740000 --> 0:16:50.900000 And the time limit, which is by default, 18,000 seconds. 0:16:50.900000 --> 0:16:54.060000 I can filter this if I don't want everything. 0:16:54.060000 --> 0:16:58.080000 Add filtering based on certain filter capabilities. 0:16:58.080000 --> 0:16:59.440000 I want to do that. 0:16:59.440000 --> 0:17:00.640000 And then I'm going to hit OK. 0:17:00.640000 --> 0:17:04.260000 And what that's going to do is it's going to create a capture file out 0:17:04.260000 --> 0:17:05.380000 in that storage account. 0:17:05.380000 --> 0:17:09.480000 And then you can pull that capture file into packet analysis tools such 0:17:09.480000 --> 0:17:13.720000 as the, it actually can be pulled into Wireshark to be analyzed that 0:17:13.720000 --> 0:17:15.940000 way. And there's other tools as well. 0:17:15.940000 --> 0:17:18.220000 And so I'm not going to actually start capturing this because I'll forget 0:17:18.220000 --> 0:17:21.440000 about it. And it's not really going to do me much good right now. 0:17:21.440000 --> 0:17:22.600000 And there we go. 0:17:22.600000 --> 0:17:24.640000 Now, I had connection monitor. 0:17:24.640000 --> 0:17:27.740000 I can also use connection troubleshoot. 
0:17:27.740000 --> 0:17:32.140000 And connection troubleshoot is going to let me see if there actually is 0:17:32.140000 --> 0:17:34.760000 connectivity between two machines. 0:17:34.760000 --> 0:17:36.700000 And pretty simple there. 0:17:36.700000 --> 0:17:38.060000 I've got I-Any demonstrations. 0:17:38.060000 --> 0:17:41.080000 Let's go from win server zero. 0:17:41.080000 --> 0:17:45.380000 And I'm going to go to monitor. 0:17:45.380000 --> 0:17:50.400000 And the protocol can be TCP or ICMP. 0:17:50.400000 --> 0:17:54.360000 And the destination port will say is 3389. 0:17:54.360000 --> 0:17:56.820000 Which should sound very similar because it's very similar to connection 0:17:56.820000 --> 0:18:02.360000 manager. The difference is this is giving you one time real time connectivity. 0:18:02.360000 --> 0:18:06.220000 Now, while that's coming up, the difference between that and IP flow verify 0:18:06.220000 --> 0:18:10.540000 is that IP flow verify is going to be a little bit more specific. 0:18:10.540000 --> 0:18:13.240000 And so I'm going to take a look at the connection that is not disallowed 0:18:13.240000 --> 0:18:15.540000 by any kind of rules. 0:18:15.540000 --> 0:18:19.280000 But the connection troubleshoot is actually going to go and make sure 0:18:19.280000 --> 0:18:23.540000 that that connection can be made between the two systems. 0:18:23.540000 --> 0:18:26.200000 And if I go through here, it's actually gives me preview of how to make 0:18:26.200000 --> 0:18:27.740000 a lot of information. 0:18:27.740000 --> 0:18:29.120000 It says it's reachable. 0:18:29.120000 --> 0:18:33.520000 It gives me the agent which has to have the agents installed in any virtual 0:18:33.520000 --> 0:18:35.880000 network that's participating. 0:18:35.880000 --> 0:18:38.340000 Source is win server zero VM. 0:18:38.340000 --> 0:18:43.240000 And I can see status both of these are good to go. 0:18:43.240000 --> 0:18:45.180000 And you can see the different settings there. 
0:18:45.180000 --> 0:18:48.580000 And if I go to topology view, it's actually going to generate a little 0:18:48.580000 --> 0:18:50.560000 mini topology view for that. 0:18:50.560000 --> 0:18:55.360000 But those are my primary troubleshooting capabilities. 0:18:55.360000 --> 0:18:58.380000 Now the next component that I want to show you, I'm not going to wait 0:18:58.380000 --> 0:19:02.880000 for that to come up, is the network performance monitor. 0:19:02.880000 --> 0:19:06.380000 Now getting the network performance monitor set up can be a little bit 0:19:06.380000 --> 0:19:11.040000 complex. A little bit, I would say convoluted, the way that you would 0:19:11.040000 --> 0:19:12.260000 typically go through this. 0:19:12.260000 --> 0:19:13.540000 I'm going to walk you through the process. 0:19:13.540000 --> 0:19:16.600000 Now there are some shortcuts once you have it set up that you could do 0:19:16.600000 --> 0:19:21.540000 in terms of downloading and configuring your agents correctly. 0:19:21.540000 --> 0:19:24.100000 Once you do that, it's actually relatively simple to do. 0:19:24.100000 --> 0:19:29.120000 But in order to have network performance monitor, you have to have an 0:19:29.120000 --> 0:19:33.760000 existing and available log analytics workspace. 0:19:33.760000 --> 0:19:38.720000 And I have two different log analytics workspaces that I've already added 0:19:38.720000 --> 0:19:40.380000 the network performance monitor to. 0:19:40.380000 --> 0:19:43.240000 I think I have another one, I'm not going to actually add it. 0:19:43.240000 --> 0:19:46.620000 But if I wanted to add another one, what I would do is I would go in and 0:19:46.620000 --> 0:19:50.080000 pick which of my workspaces I want to add this to. 0:19:50.080000 --> 0:19:53.280000 So I've got, for example, Kubernetes, which I'm not going to add it to, 0:19:53.280000 --> 0:20:01.620000 but I could. 
So I've got this solution, because that's really what it 0:20:01.620000 --> 0:20:03.140000 is, a log analytic solution. 0:20:03.140000 --> 0:20:07.260000 I've got it installed in a couple of different workspaces. 0:20:07.260000 --> 0:20:09.240000 And even though you would think I'd use the demo one, I'm actually going 0:20:09.240000 --> 0:20:12.160000 to use this because this is where I have it set up. 0:20:12.160000 --> 0:20:16.180000 Now if I click over to this, after I've added it, I get this summary with 0:20:16.180000 --> 0:20:19.240000 this box here that gives me the network performance monitor. 0:20:19.240000 --> 0:20:21.740000 And I can click view summary. 0:20:21.740000 --> 0:20:24.540000 Now I will tell you, for some reason, this has been taking a little while 0:20:24.540000 --> 0:20:30.680000 to open up. So through the magic of having extra tabs, I've already clicked 0:20:30.680000 --> 0:20:32.120000 over on it here. 0:20:32.120000 --> 0:20:37.260000 Now it's going to tell me that I've got just a very high level connectivity. 0:20:37.260000 --> 0:20:42.200000 I've got two subnet work links that are zero or two that are unhealthy. 0:20:42.200000 --> 0:20:44.640000 I do have a service test that is unhealthy. 0:20:44.640000 --> 0:20:48.220000 So what I want to do is click, and that's what I just did very quickly, 0:20:48.220000 --> 0:20:51.380000 I clicked on that solution. 0:20:51.380000 --> 0:20:56.240000 And I'm going to get this dashboard that comes up for my network monitoring. 0:20:56.240000 --> 0:20:59.140000 And we'll wait just a moment for that dashboard to come up. 0:20:59.140000 --> 0:21:11.520000 Okay. Here I've got the dashboard for my network performance monitor. 0:21:11.520000 --> 0:21:16.900000 And it's really giving me just that high level view, which of course, 0:21:16.900000 --> 0:21:19.500000 as soon as I started talking, decided to auto refresh. 0:21:19.500000 --> 0:21:23.900000 So we'll give it just another moment here. 
0:21:23.900000 --> 0:21:33.380000 All right. So as it appears here, I've got my dashboard that comes up. 0:21:33.380000 --> 0:21:37.060000 I see I've got a health event, and I've got one unhealthy test, and we'll 0:21:37.060000 --> 0:21:42.340000 get to that. And over here under performance monitor, I can see that I've 0:21:42.340000 --> 0:21:47.200000 got two subnet links, one network link. 0:21:47.200000 --> 0:21:50.440000 All of this looks like it's running well. 0:21:50.440000 --> 0:21:56.360000 And I'm going to see if I can go ahead and dive down into one of these. 0:21:56.360000 --> 0:22:02.120000 While it once again decides to refresh on me, tell you what, rather than 0:22:02.120000 --> 0:22:05.100000 waiting for that to refresh, I'm going to show you the configuration. 0:22:05.100000 --> 0:22:06.440000 You did see that though. 0:22:06.440000 --> 0:22:09.280000 So now I'm going to pull up the configuration. 0:22:09.280000 --> 0:22:14.020000 When you first set up the network performance monitor, and you try to 0:22:14.020000 --> 0:22:18.380000 click into it, it's actually going to go here first and allow you to set 0:22:18.380000 --> 0:22:20.680000 up your configuration. 0:22:20.680000 --> 0:22:25.780000 Now, you can see down the left side that there's a few different settings. 0:22:25.780000 --> 0:22:29.300000 And what I'm going to do is go directly to nodes, because that's really 0:22:29.300000 --> 0:22:32.980000 where it starts. 0:22:32.980000 --> 0:22:39.720000 And under nodes right now, I've got two different nodes here. 0:22:39.720000 --> 0:22:43.080000 I've got W monitor and W wins over one. 0:22:43.080000 --> 0:22:53.300000 These are the two servers that I have installed the actual agents on. 0:22:53.300000 --> 0:22:56.360000 And so I can see I've got those. 0:22:56.360000 --> 0:23:04.240000 And if I go to networks then, I've got a default network and a demo network. 0:23:04.240000 --> 0:23:07.000000 And the demo network has two subnets. 
0:23:07.000000 --> 0:23:10.120000 These are the two subnets that are actually associated with those nodes. 0:23:10.120000 --> 0:23:12.980000 And I'll show you in a minute where you can go back and set the nodes. 0:23:12.980000 --> 0:23:19.100000 I also have set up, well, and if I go to subnetworks, again, that's just 0:23:19.100000 --> 0:23:22.300000 another, really just another view of pretty much the same thing. 0:23:22.300000 --> 0:23:26.580000 One thing that's a little weird is that you kind of have to, even though 0:23:26.580000 --> 0:23:29.280000 it shows like you've got a lot of check marks, if you want to see anything, 0:23:29.280000 --> 0:23:30.920000 just have to uncheck. 0:23:30.920000 --> 0:23:34.680000 And I can see that I've got, you know, that node is monitored is really 0:23:34.680000 --> 0:23:36.000000 what I get there. 0:23:36.000000 --> 0:23:40.180000 All right, so then I go down to performance monitor and this is actually 0:23:40.180000 --> 0:23:44.220000 setting rules that will give you your alerts. 0:23:44.220000 --> 0:23:47.920000 And as you saw before decided to refresh, I don't have any alerts right 0:23:47.920000 --> 0:23:54.880000 now. And I've got a default as well as a demo rule that's checking up. 0:23:54.880000 --> 0:24:02.460000 The demo rule is looking specifically from my 10.1.0.0/24 subnet, 0:24:02.460000 --> 0:24:07.720000 which is where my win servers are to my 10.0.0.0/24, which is where my 0:24:07.720000 --> 0:24:10.520000 monitor and web servers are. 0:24:10.520000 --> 0:24:13.260000 And that's all fairly easily configurable. 0:24:13.260000 --> 0:24:19.480000 Now the one error that I'm getting is, I actually know why I'm getting 0:24:19.480000 --> 0:24:22.420000 this, got it on the wrong item. 0:24:22.420000 --> 0:24:23.520000 I've got a test here. 0:24:23.520000 --> 0:24:27.140000 We're saying, okay, I want to monitor my HTTP. 0:24:27.140000 --> 0:24:30.620000 So I've got this HTTP and it's a simple test. 
0:24:30.620000 --> 0:24:32.020000 It's a web test. 0:24:32.020000 --> 0:24:34.080000 It's using HTTP. 0:24:34.080000 --> 0:24:36.540000 I can perform network measurements over it. 0:24:36.540000 --> 0:24:42.380000 Now, fun part is that should be 10.0.0.5. 0:24:42.380000 --> 0:24:46.340000 And it's going port number 80 every five minutes. 0:24:46.340000 --> 0:24:49.280000 And the key thing here is you have to have agents. 0:24:49.280000 --> 0:24:50.560000 Where do you want to run this from? 0:24:50.560000 --> 0:24:55.400000 And I actually have this running from two agents. 0:24:55.400000 --> 0:24:58.060000 Right now, both of the agents are selected. 0:24:58.060000 --> 0:25:01.180000 I could deselect one if I only wanted to run from one, et cetera. 0:25:01.180000 --> 0:25:03.200000 But that's the interface there. 0:25:03.200000 --> 0:25:05.400000 And I can enable health monitoring. 0:25:05.400000 --> 0:25:08.040000 And I can also set my rules. 0:25:08.040000 --> 0:25:10.340000 What is going to give me a health event? 0:25:10.340000 --> 0:25:13.840000 So I've set up for response time greater than two seconds. 0:25:13.840000 --> 0:25:16.120000 Network latency greater than three seconds. 0:25:16.120000 --> 0:25:18.080000 And network loss greater than 50%. 0:25:18.080000 --> 0:25:24.340000 And that is a service connection rule. 0:25:24.340000 --> 0:25:26.980000 And that's actually where I'm getting my one error from. 0:25:26.980000 --> 0:25:30.560000 Now, before I go back and show you that interface again and drill down 0:25:30.560000 --> 0:25:33.360000 just a little bit, I want to show you the setup for this. 0:25:33.360000 --> 0:25:39.180000 And again, I know I'm kind of traipsing through here in terms of really 0:25:39.180000 --> 0:25:42.600000 digging in and diving into the network performance monitor. 0:25:42.600000 --> 0:25:45.280000 In reality, if I put you to sleep, you want to wake up for this. 
0:25:45.280000 --> 0:25:50.760000 Because this is what really matters for a lot of network performance monitoring, 0:25:50.760000 --> 0:25:53.140000 network monitoring, and network troubleshooting. 0:25:53.140000 --> 0:26:01.200000 And that is having a log analytics workspace and having agents on Windows 0:26:01.200000 --> 0:26:07.980000 servers that will report their diagnostic data to that log analytics workspace. 0:26:07.980000 --> 0:26:11.700000 That is what's going to give you the capability to collect the data necessary 0:26:11.700000 --> 0:26:15.220000 for all of these different advanced capabilities. 0:26:15.220000 --> 0:26:17.000000 So how do you go about doing it? 0:26:17.000000 --> 0:26:20.120000 Well, what you really do is you just, initially, the first part is you 0:26:20.120000 --> 0:26:23.500000 set up your basic log analytics. 0:26:23.500000 --> 0:26:26.800000 And this actually isn't any different than a standard log analytics. 0:26:26.800000 --> 0:26:28.120000 There's an agent. 0:26:28.120000 --> 0:26:30.480000 You can click here to download the agent. 0:26:30.480000 --> 0:26:34.680000 Now, this is only for Windows, either 64-bit or 32-bit. 0:26:34.680000 --> 0:26:38.220000 There is a log analytics agent that you can run otherwise, but this is 0:26:38.220000 --> 0:26:42.980000 the one that's going to actually collect the networking data. 0:26:42.980000 --> 0:26:46.660000 So you would go and download it and install it. 0:26:46.660000 --> 0:26:49.460000 And when you install it, you're going to be asked for a workspace ID and 0:26:49.460000 --> 0:26:54.380000 a key. And so then it's going to start dumping data in there. 0:26:54.380000 --> 0:26:59.580000 Then what you do is you would download a PowerShell script. 0:26:59.580000 --> 0:27:02.120000 And click that actually opens up another page. 
0:27:02.120000 --> 0:27:06.460000 And what this PowerShell script does is you run it on the server that 0:27:06.460000 --> 0:27:08.080000 you've installed the agent on. 0:27:08.080000 --> 0:27:13.040000 And it opens up ports and sets things so that it can collect TCP data. 0:27:13.040000 --> 0:27:18.840000 If I do not run, if I do not enable these rules, then the only thing that 0:27:18.840000 --> 0:27:22.560000 the network agent can do or the log analytics agent can do for network 0:27:22.560000 --> 0:27:27.460000 performance is collect ICMP data, which is not going to be terribly useful. 0:27:27.460000 --> 0:27:33.400000 So I want to run this so that I can collect TCP data on my agents. 0:27:33.400000 --> 0:27:38.540000 And again, you don't have to have these agents on every single server. 0:27:38.540000 --> 0:27:43.060000 They just have to be on one server per network. 0:27:43.060000 --> 0:27:45.220000 And that's the key configuration. 0:27:45.220000 --> 0:27:48.300000 All right, now let's jump back, which is what I was going to do before 0:27:48.300000 --> 0:27:50.360000 I decided to freeze up. 0:27:50.360000 --> 0:27:52.880000 I'm going to wait one more moment and then I'm going to drill down just 0:27:52.880000 --> 0:28:00.640000 a little bit into one of these different items that come up on my dashboard. 0:28:00.640000 --> 0:28:09.620000 All right, let's take a look at that unhealthy test. 0:28:09.620000 --> 0:28:11.700000 I'm going to click on that. 0:28:11.700000 --> 0:28:22.040000 All right, let's take a look at this test. 0:28:22.040000 --> 0:28:25.360000 And right now you can see, even though it's not really pulling up the 0:28:25.360000 --> 0:28:30.980000 graphic too well, we have a hundred percent average loss and a hundred 0:28:30.980000 --> 0:28:32.480000 percent peak loss. 0:28:32.480000 --> 0:28:34.600000 Fortunately, there's no response time. 0:28:34.600000 --> 0:28:38.240000 The response time is fantastic because there was no response. 
0:28:38.240000 --> 0:28:41.320000 But you can see things like I can view the test details. 0:28:41.320000 --> 0:28:42.460000 I can view the topology. 0:28:42.460000 --> 0:28:43.780000 I can go into the diagnostics. 0:28:43.780000 --> 0:28:46.780000 I've drilled down a lot and you don't really necessarily need to go into 0:28:46.780000 --> 0:28:48.640000 that unless you're really planning on using this. 0:28:48.640000 --> 0:28:50.320000 I just want to expose it to you. 0:28:50.320000 --> 0:28:52.860000 So I think we will leave it there. 0:28:52.860000 --> 0:28:57.080000 We've covered a pretty wide range of concepts in this video. 0:28:57.080000 --> 0:29:01.540000 We talked about the different ways that you can monitor networks, the 0:29:01.540000 --> 0:29:04.880000 different components that have standard monitoring capabilities where 0:29:04.880000 --> 0:29:09.740000 I can connect them to either log analytics or storage account or event 0:29:09.740000 --> 0:29:13.400000 hub. We looked at what Network Watcher does and what the different elements 0:29:13.400000 --> 0:29:14.420000 of Network Watcher are. 0:29:14.420000 --> 0:29:18.560000 And we've looked at Network Performance Monitor and the agents required 0:29:18.560000 --> 0:29:22.060000 for that and some of the information that you can get from Network Performance