
Enable Azure Network Watcher

Risk level: Medium (should be achieved)
Rule ID: Network-003

Ensure that Network Watcher service is enabled within your Azure account subscriptions to help you monitor and diagnose various conditions at the network level. Microsoft Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources within a virtual network.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

The network diagnostic and visualization tools provided by Azure Network Watcher help users understand, diagnose, and gain insight into the Azure cloud network infrastructure.

Audit

To determine if the Network Watcher service is enabled within your Microsoft Azure subscription, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Network Watcher blade at https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview.

03 In the navigation panel, select Overview to access the main configuration details for the Azure Network Watcher.

04 On the page, choose the Azure subscription that you want to examine and check the Network Watcher status available in the STATUS column. If the status is set to Disabled, the Network Watcher service is not enabled for the selected Microsoft Azure subscription. If the status is set to Partially enabled, determine if the Network Watcher is enabled for the right Azure region(s).

05 Repeat step no. 4 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run network watcher list command (Windows/macOS/Linux) using custom query filters to list the region name, service status and the associated resource group for each Network Watcher enabled within the current Azure subscription:

az network watcher list \
	--query '[*].{"location":location,"provisioningState":provisioningState,"resourceGroup":resourceGroup}'

02 Based on the Network Watcher configuration, the network watcher list command request should produce one of the following outputs:

  1. If the command output returns an empty array, i.e. [], as shown in the example below, the Network Watcher service is not enabled for the current Microsoft Azure subscription:
    []
    
  2. If the network watcher list command output returns metadata for one or more Azure locations, as shown in the example below, verify if the Network Watcher service is enabled for the right Azure region(s):
    [
      {
        "location": "northeurope",
        "provisioningState": "Succeeded",
        "resourceGroup": "cloud-shell-storage-westeurope"
      },
      {
        "location": "westeurope",
        "provisioningState": "Succeeded",
        "resourceGroup": "cloud-shell-storage-westeurope"
      }
    ]
    

03 Repeat steps no. 1 and 2 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable Network Watcher service for all your Microsoft Azure subscriptions, perform the following:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Network Watcher blade at https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview.

03 In the navigation panel, select Overview to access the main configuration details for the Azure Network Watcher.

04 On the Overview page, choose the Azure subscription for which you want to enable Network Watcher, then perform one of the following actions:

  1. To enable Network Watcher for all Azure cloud regions/locations, right click on the selected subscription and choose Enable network watcher in all regions option.
  2. To enable Network Watcher for individual Azure cloud regions, click on the selected subscription to expand the panel with all the available Azure locations, then right click on the required region and select Enable network watcher to enable the service for the specified region.

05 Repeat step no. 4 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run network watcher configure command (Windows/macOS/Linux) to enable the Network Watcher service for the Microsoft Azure regions/locations specified as values for the --locations parameter. For example, the following network watcher configure command request enables Azure Network Watcher for the West and North Europe regions:

az network watcher configure \
	--locations westeurope northeurope \
	--enabled true \
	--resource-group "cloud-shell-storage-westeurope"

02 The command output should return the Network Watcher service configuration metadata available for the specified Azure regions:

[
  {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkWatchers/northeurope-watcher",
    "location": "northeurope",
    "name": "northeurope-watcher",
    "provisioningState": "Succeeded",
    "resourceGroup": "cloud-shell-storage-westeurope",
    "tags": null,
    "type": "Microsoft.Network/networkWatchers"
  },
  {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkWatchers/westeurope-watcher",
    "location": "westeurope",
    "name": "westeurope-watcher",
    "provisioningState": "Succeeded",
    "resourceGroup": "cloud-shell-storage-westeurope",
    "tags": null,
    "type": "Microsoft.Network/networkWatchers"
  }
]

03 Repeat steps no. 1 and 2 for each subscription created within your Microsoft Azure cloud account.
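The CLI audit above tells you whether any Network Watcher exists, but a "Partially enabled" result still leaves the question of whether the right regions are covered, and the remediation command has to be repeated per subscription. The following script is an added example (not code from the Cloud Conformity page or from Microsoft) that ties the two CLI sections together: it parses the JSON printed by az network vnet list and by the page's az network watcher list --query command, reports regions that host a virtual network but have no watcher in the Succeeded state, and builds the az network watcher configure command from the remediation section for exactly those regions. The sample JSON is constructed, and the resource group name reuses the page's example value as an assumption; the live loop at the bottom needs a signed-in Azure CLI.

```python
"""Audit and remediate Azure Network Watcher coverage from Azure CLI output.

Added example for this rule; not code from the Cloud Conformity page or from
Microsoft. It parses the JSON printed by `az network vnet list` and by the page's
`az network watcher list --query ...` command, flags regions that host a virtual
network but have no Network Watcher in the "Succeeded" state, and builds the
`az network watcher configure` command that would close the gap. The resource
group name and the sample data are assumptions, not captured values.
"""
import json
import shlex
import subprocess

# Same projection as the page's audit command (step 01, "Using Azure CLI").
WATCHER_QUERY = ('[*].{"location":location,"provisioningState":provisioningState,'
                 '"resourceGroup":resourceGroup}')

# Assumed resource group for new watchers; the page's example uses this name.
RESOURCE_GROUP = "cloud-shell-storage-westeurope"

# Constructed sample data (not captured from a real subscription).
SAMPLE_VNETS = json.dumps([
    {"name": "app-vnet", "location": "westeurope"},
    {"name": "db-vnet", "location": "northeurope"},
    {"name": "dr-vnet", "location": "uksouth"},
])
SAMPLE_WATCHERS = json.dumps([
    {"location": "northeurope", "provisioningState": "Succeeded",
     "resourceGroup": RESOURCE_GROUP},
    {"location": "westeurope", "provisioningState": "Succeeded",
     "resourceGroup": RESOURCE_GROUP},
])


def regions_in_use(vnets_json):
    """Regions hosting at least one virtual network (`az network vnet list`)."""
    return {vnet["location"] for vnet in json.loads(vnets_json)}


def watcher_regions(watchers_json):
    """Regions with a successfully provisioned Network Watcher.

    A watcher that is still provisioning, or that failed, is not counted as enabled.
    """
    return {w["location"] for w in json.loads(watchers_json)
            if w.get("provisioningState") == "Succeeded"}


def missing_watcher_regions(vnets_json, watchers_json):
    """Sorted regions that have a VNet but no working Network Watcher."""
    return sorted(regions_in_use(vnets_json) - watcher_regions(watchers_json))


def configure_command(regions, resource_group=RESOURCE_GROUP):
    """Remediation command for the given regions; empty string when nothing to do."""
    if not regions:
        return ""
    return ("az network watcher configure --locations " + " ".join(regions)
            + " --enabled true --resource-group " + shlex.quote(resource_group))


def audit(vnets_json, watchers_json, resource_group=RESOURCE_GROUP):
    """Summarise one subscription in the style of the portal's STATUS column.

    "Disabled": no working watcher at all; "Partially enabled": watchers exist but
    at least one region with a VNet lacks one; "Enabled": every such region is
    covered. (The portal judges all regions; this only checks regions hosting a VNet.)
    """
    missing = missing_watcher_regions(vnets_json, watchers_json)
    if not watcher_regions(watchers_json):
        status = "Disabled"
    elif missing:
        status = "Partially enabled"
    else:
        status = "Enabled"
    return {"status": status, "missing": missing,
            "remediation": configure_command(missing, resource_group)}


def az_json(*args):
    """Run an Azure CLI command and return its JSON text (needs a prior `az login`)."""
    return subprocess.run(["az", *args, "--output", "json"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Live run: repeat the audit for every subscription the signed-in identity can
    # see (the page's step 03), printing the fixing command for each finding.
    for sub in json.loads(az_json("account", "list")):
        vnets = az_json("network", "vnet", "list", "--subscription", sub["id"])
        watchers = az_json("network", "watcher", "list", "--subscription",
                           sub["id"], "--query", WATCHER_QUERY)
        result = audit(vnets, watchers)
        print(f'{sub["name"]}: {result["status"]}')
        if result["remediation"]:
            print("  " + result["remediation"])
```

Run without arguments against the sample data by calling audit(SAMPLE_VNETS, SAMPLE_WATCHERS); it reports "Partially enabled" with uksouth missing and prints the single configure command needed. Only watchers in the Succeeded state count, so a watcher stuck in provisioning or in a failed state shows up as a gap rather than silently passing the check.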

Publication date Apr 2, 2020
