
Technical Lab: Use Azure Network Watcher and Connection Monitor

Questions

Question 1 — Multiple Choice

An administrator needs to capture all inbound and outbound traffic from a specific VM during a limited time interval for forensic analysis. The generated file should be stored in a storage account and analyzed later with a packet analysis tool.

Which Network Watcher feature is most suitable for this need?

A. NSG Flow Logs, configured to capture traffic on the VM's subnet

B. Packet Capture, configured directly on the VM with destination to the storage account

C. Connection Monitor, with a source endpoint pointing to the VM

D. IP Flow Verify, executed with the VM's source and destination parameters


Question 2 — Technical Scenario

An operations team reports that a distributed application across two Azure regions started experiencing intermittent latency between two endpoints. The team wants to continuously monitor this connectivity, receive alerts when latency exceeds a threshold, and visualize the degradation history over time.

The team already has Network Watcher enabled in both regions.

Region A: Source VM — 10.1.0.4
Region B: Destination endpoint β€” app.contoso.internal (port 443)

What is the correct approach to meet this requirement?

A. Configure IP Flow Verify periodically via Azure Automation to test port 443 between regions

B. Create a Connection Monitor with the source endpoint in Region A, the destination endpoint in Region B, and a test group with TCP verification on port 443

C. Enable NSG Flow Logs in both regions and create alert rules based on logs in Log Analytics

D. Use the classic Network Performance Monitor from Log Analytics, since Connection Monitor doesn't support endpoints in different regions


Question 3 — True or False

The IP Flow Verify feature of Network Watcher can identify which specific NSG rule is blocking or allowing a traffic flow, reporting the name of the rule that made the decision.

True or False?


Question 4 — Technical Scenario

An administrator executes Next Hop from Network Watcher to diagnose why traffic from a VM is not reaching the expected destination. The returned result is as follows:

Next hop type: None
Next hop IP: -
Route table: System

What is the correct interpretation of this result?

A. Traffic is being forwarded by the system's default route to the Internet

B. No valid route exists for the specified destination; traffic is being dropped at the routing layer

C. The next hop is an NVA (Network Virtual Appliance), but the IP address hasn't been propagated yet

D. The source VM doesn't have a network adapter configured with static IP, preventing route calculation


Question 5 — Multiple Choice

When comparing Connection Monitor with the legacy Network Performance Monitor (NPM) feature, which statement correctly describes an exclusive or enhanced capability of Connection Monitor?

A. Connection Monitor is the only one that allows ICMP-based tests between Azure VMs

B. Connection Monitor supports endpoints external to the Azure network, such as public URLs and addresses outside the VNet, as source or destination for tests

C. Connection Monitor is the only feature that requires the Log Analytics agent installed on VMs to function

D. Connection Monitor replaces NPM only for hybrid scenarios; for traffic exclusively within Azure, NPM is still the recommended option


Answer Key and Explanations

Answer Key — Question 1

Answer: B

Packet Capture is the Network Watcher feature designed specifically to capture packets directly on a VM during a defined period, with output to a storage account or the VM's local file system. It installs a temporary extension on the VM and operates at the network adapter level, producing .cap files compatible with tools like Wireshark.

The distractors represent frequent conceptual errors: NSG Flow Logs records flow metadata (5-tuple fields), not packet content, and operates at the NSG level, not individually per VM. Connection Monitor monitors connectivity continuously, without capturing packet content. IP Flow Verify tests a single flow combination on a point-in-time basis and returns only whether it would be allowed or blocked, without capturing anything.

Choosing NSG Flow Logs in this scenario would result in insufficient data for forensic analysis, as the logs don't contain the payload or complete packet headers.


Answer Key — Question 2

Answer: B

Connection Monitor is the correct feature because it was designed specifically for continuous connectivity monitoring between endpoints, with support for alerts based on latency and packet loss thresholds, history persisted in Log Analytics, and native support for endpoints in different Azure regions, including destinations by hostname and specific port.

Alternative A describes a manual and reactive process that doesn't offer continuous history or native alerts. Alternative C confuses the purpose of NSG Flow Logs, which record flows approved or denied by NSGs, without measuring latency between endpoints. Alternative D is factually incorrect: Connection Monitor replaces NPM and supports multi-region scenarios, with NPM being considered legacy.


Answer Key — Question 3

Answer: True

IP Flow Verify not only returns whether traffic would be allowed or denied, but also reports the name of the NSG rule that made the decision. This is precisely what differentiates it from a simple connectivity check: it inspects the NSG rule stack associated with the network adapter (and the subnet NSG, if any) and points to the specific rule that was triggered.

This behavior is especially useful in diagnostics because it allows identifying whether the block came from an explicit rule created by the administrator or from a default system rule, without needing to manually review all configured rules.


Answer Key — Question 4

Answer: B

The result Next hop type: None indicates that no valid route exists for the specified destination prefix. In this case, Azure silently drops packets addressed to this destination. This can occur when the destination address doesn't belong to any connected subnet, any custom route (UDR), or any applicable system route.

Alternative A describes the expected behavior when the returned Next hop type is Internet, not None. Alternative C describes a different condition, normally represented by a Next hop type: VirtualAppliance with an associated IP. Alternative D is a distractor that mixes VM IP configuration with network routing functionality, which are independent layers: Next Hop analyzes the effective route table, not the VM's IP configuration.
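The two diagnostics explained in the answers to Questions 3 and 4 can be read together to tell an NSG block from a routing drop. The following triage helper is an added example, not part of the original lab; the JSON field names (access, ruleName, nextHopType, nextHopIpAddress, routeTableId) and the defaultSecurityRules/ and securityRules/ rule-name prefixes are assumptions about the tool's output, and all sample values are constructed.

```python
import json

# Constructed sample results. Field names follow the assumed JSON shape of
# IP Flow Verify (access, ruleName) and Next Hop (nextHopType, ...).
DENIED_FLOW = json.loads(
    '{"access": "Deny", "ruleName": "defaultSecurityRules/DenyAllInBound"}')
ALLOWED_FLOW = json.loads(
    '{"access": "Allow", "ruleName": "securityRules/Allow-App-443"}')
NO_ROUTE = json.loads(
    '{"nextHopType": "None", "nextHopIpAddress": null, "routeTableId": "System Route"}')
INTERNET_ROUTE = json.loads(
    '{"nextHopType": "Internet", "nextHopIpAddress": null, "routeTableId": "System Route"}')


def classify_rule(rule_name):
    """Return (origin, short_name) for a rule name reported by IP Flow Verify."""
    prefix, _, short = rule_name.rpartition("/")
    origins = {"defaultsecurityrules": "default", "securityrules": "custom"}
    return origins.get(prefix.lower(), "unknown"), short


def triage(ip_flow, next_hop):
    """List the layers (NSG, routing) at which the flow would be stopped."""
    findings = []
    if ip_flow["access"].lower() == "deny":
        origin, name = classify_rule(ip_flow["ruleName"])
        findings.append(("nsg", f"denied by {origin} rule {name}"))
    hop_type = next_hop["nextHopType"]
    if hop_type.lower() == "none":
        # Next hop type None: no valid route, so packets are dropped.
        findings.append(("routing", "no valid route for destination"))
    if not findings:
        findings.append(("ok", f"allowed, next hop type {hop_type}"))
    return findings


if __name__ == "__main__":
    for flow, hop in [(DENIED_FLOW, NO_ROUTE), (ALLOWED_FLOW, INTERNET_ROUTE)]:
        for layer, detail in triage(flow, hop):
            print(f"{layer}: {detail}")
```

A flow can be stopped at both layers at once, which is why the helper returns every finding instead of stopping at the first.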


Answer Key — Question 5

Answer: B

Connection Monitor significantly expands the scope of supported endpoints compared to NPM. It allows both source and destination to be resources outside the Azure VNet, including public URLs, external IP addresses, and on-premises endpoints, making it suitable for monitoring end-to-end connectivity experience in hybrid and multi-cloud scenarios.

Alternative A is incorrect because both Connection Monitor and NPM support ICMP. Alternative C reverses the logic: Connection Monitor can use both the Log Analytics agent and the Network Watcher Agent, and in some cases requires no agent at all for external endpoints. Alternative D is incorrect because Connection Monitor is the recommended solution for all scenarios, with NPM having been marked as legacy by Microsoft regardless of the type of traffic being monitored.