
Enable Azure Network Watcher

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Network-003

Ensure that the Azure Network Watcher service is enabled for all regions in your Microsoft Azure subscription in order to help you monitor and diagnose various conditions at the network level. Microsoft Azure Network Watcher provides tools to monitor, diagnose, and enable or disable logs for the cloud resources within a Virtual Network (VNet). Network Watcher is a regional service: a separate Network Watcher instance is required in each Azure region where you run virtual networks, and a subscription can hold only one instance per region. Azure creates an instance automatically when a virtual network is created in a region (unless that behaviour has been turned off for the subscription), so the presence of some watchers does not by itself mean that every region is covered.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The network diagnostic and visualization tools provided by the Network Watcher service help users and organizations understand, diagnose, and troubleshoot their Azure cloud network infrastructure. From a security standpoint, Network Watcher is also the prerequisite for the monitoring features that security operations rely on: NSG flow logs, packet capture on virtual machines, connection troubleshooting, IP flow verify, and next hop diagnostics are all Network Watcher capabilities and cannot be used in a region that has no Network Watcher instance. Because watchers are regional, a watcher missing from even one region leaves the virtual networks created there without flow logging or packet capture until someone notices.


Audit

To determine if Azure Network Watcher is enabled for your Microsoft Azure subscriptions, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Network Watcher blade at https://portal.azure.com/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview.

03 In the main navigation panel, select Overview to access the list with the active network watchers provisioned within your Azure account.

04 On the Overview page, choose the Azure subscription that you want to examine and check for any network watchers created for the selected subscription. If no network watchers are listed and the page shows the status No network watchers to display, Azure Network Watcher is not enabled for the selected Microsoft Azure subscription. If one or more network watchers are listed, check the Location column to determine whether a watcher exists for every Azure region within the selected subscription; if any region is missing, the Network Watcher service configuration is not compliant.

05 Repeat step no. 4 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list-locations command (Windows/macOS/Linux) to list the name of each Microsoft Azure region that can host a Network Watcher. Without a filter the command also returns logical locations (geographies such as "europe", the "global" location, and "*stage" entries) that cannot hold a watcher, so the query below keeps only the entries whose metadata marks them as physical regions:

az account list-locations \
  --query "[?metadata.regionType=='Physical'].name"

02 The command output should return the requested information (the exact set depends on your Azure CLI version and on the regions your subscription has access to):

[
	"eastus",
	"eastus2",
	"southcentralus",
	"westus2",
	"westus3",
	"australiaeast",
	"southeastasia",
	"northeurope",
	"swedencentral",
	"uksouth",
	"westeurope",
	"centralus",
	"southafricanorth",
	"centralindia",
	"eastasia",
	"japaneast",
	"koreacentral",
	"canadacentral",
	"francecentral",
	"germanywestcentral",
	"norwayeast",
	"polandcentral",
	"switzerlandnorth",
	"uaenorth",
	"brazilsouth",
	"qatarcentral",
	"northcentralus",
	"westus",
	"jioindiawest",
	"westcentralus",
	"southafricawest",
	"australiacentral",
	"australiacentral2",
	"australiasoutheast",
	"japanwest",
	"jioindiacentral",
	"koreasouth",
	"southindia",
	"westindia",
	"canadaeast",
	"francesouth",
	"germanynorth",
	"norwaywest",
	"switzerlandwest",
	"ukwest",
	"uaecentral",
	"brazilsoutheast"
]

03 Run network watcher list command (Windows/macOS/Linux) with custom query filters to list the region name, provisioning state, and the associated resource group for each network watcher enabled in the selected subscription:

az network watcher list \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --query '[*].{"location":location,"provisioningState":provisioningState,"resourceGroup":resourceGroup}'

04 The az network watcher list command request should produce one of the following outputs:

  1. If the command output returns an empty array, i.e. [], as shown in the example below, the Network Watcher service is not enabled for the selected Microsoft Azure subscription:
    []
    
  2. If the network watcher list command output returns the requested information for one or more Azure locations, compare the list with the one returned at step no. 2 to determine if Network Watcher is enabled for all the supported Azure locations. Count a region as covered only when its watcher reports "provisioningState": "Succeeded"; a watcher in any other state (for example "Failed" or "Updating") does not provide coverage. If the service is not successfully enabled for all the supported regions, the Network Watcher configuration is not compliant:
    [
    	{
    		"location": "northeurope",
    		"provisioningState": "Succeeded",
    		"resourceGroup": "NetworkWatcherRG"
    	},
    	{
    		"location": "westeurope",
    		"provisioningState": "Succeeded",
    		"resourceGroup": "NetworkWatcherRG"
    	}
    ]
    

05 Repeat steps no. 1 - 4 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable Network Watcher service for all your Microsoft Azure subscriptions, perform the following:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Network Watcher blade at https://portal.azure.com/#view/Microsoft_Azure_Network/NetworkWatcherMenuBlade/~/overview.

03 In the main navigation panel, select Overview.

04 On the Overview page, choose Create, select the Azure subscription for which you want to enable Network Watcher, choose Select all from the Region dropdown list, and select Add to enable the service for all the supported Azure locations (regions).

05 Repeat step no. 4 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run network watcher configure command (Windows/macOS/Linux) to enable the Network Watcher service for all the Microsoft Azure regions specified as values for the --locations parameter. Pass only physical region names (the list returned by the audit at step no. 2); logical locations such as "europe", "global", or "eastusstage" cannot hold a watcher, and regions that your subscription has not been granted access to are rejected as well, so trim the list to the regions your subscription can actually use. If the resource group named with --resource-group does not exist yet, create it first (az group create) to avoid a failed request. Because a subscription can hold only one Network Watcher per region, existing watchers are not duplicated when the command is run for regions that are already covered. For example, the following network watcher configure command request enables Azure Network Watcher for the generally available Azure regions:

az network watcher configure \
  --locations eastus eastus2 southcentralus westus2 westus3 australiaeast southeastasia northeurope swedencentral uksouth westeurope centralus southafricanorth centralindia eastasia japaneast koreacentral canadacentral francecentral germanywestcentral norwayeast polandcentral switzerlandnorth uaenorth brazilsouth qatarcentral northcentralus westus jioindiawest westcentralus southafricawest australiacentral australiacentral2 australiasoutheast japanwest jioindiacentral koreasouth southindia westindia canadaeast francesouth germanynorth norwaywest switzerlandwest ukwest uaecentral brazilsoutheast \
  --enabled true \
  --resource-group "NetworkWatcherRG" \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

02 The command output should return the Network Watcher service configuration information available for the selected Azure regions:

[
	{
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/northeurope-watcher",
		"location": "northeurope",
		"name": "northeurope-watcher",
		"provisioningState": "Succeeded",
		"resourceGroup": "NetworkWatcherRG",
		"tags": null,
		"type": "Microsoft.Network/networkWatchers"
	},

	...

	{
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/westeurope-watcher",
		"location": "westeurope",
		"name": "westeurope-watcher",
		"provisioningState": "Succeeded",
		"resourceGroup": "NetworkWatcherRG",
		"tags": null,
		"type": "Microsoft.Network/networkWatchers"
	}
]

03 Repeat steps no. 1 and 2 for each subscription created within your Microsoft Azure cloud account.
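The audit (compare the physical region list with the watcher list, counting only successfully provisioned watchers) and the remediation (enable the service only for the regions that are missing) above can be scripted so that they run the same way for every subscription. The script below is an added example written for this page; it is not Conformity's or Microsoft's code. It assumes the Azure CLI is installed and logged in, that `az account list-locations -o json` returns a `metadata.regionType` field for each location (true for current CLI versions), and that the resource group passed with --resource-group already exists. The comparison functions take the JSON text the two CLI commands print, so they run offline against the constructed samples embedded in the file; `main` calls the real CLI when given a subscription id.

```python
"""Audit Network Watcher coverage for one subscription and build the fix.

Added example for this rule; it is not Conformity's or Microsoft's code.
The comparison logic is pure (it takes the JSON text that
`az account list-locations -o json` and `az network watcher list -o json`
print), so it runs offline against the constructed samples below; `main`
shells out to the real Azure CLI when given a subscription id.
"""
from __future__ import annotations

import json
import subprocess
import sys


def physical_regions(locations_json: str) -> set[str]:
    """Region names that can host a Network Watcher.

    `az account list-locations` also returns logical locations (geographies
    such as "europe", "global", and "*stage" entries); only entries whose
    metadata.regionType is "Physical" are real regions.
    """
    regions = set()
    for loc in json.loads(locations_json):
        meta = loc.get("metadata")
        if meta is None:  # old CLI without metadata: refuse to guess
            raise ValueError("no metadata in location output; upgrade Azure CLI")
        if meta.get("regionType") == "Physical":
            regions.add(loc["name"])
    return regions


def enabled_regions(watchers_json: str) -> set[str]:
    """Regions whose watcher finished provisioning; any other state is not coverage."""
    return {
        w["location"]
        for w in json.loads(watchers_json)
        if w.get("provisioningState") == "Succeeded"
    }


def missing_regions(locations_json: str, watchers_json: str) -> list[str]:
    """Sorted physical regions that have no successfully provisioned watcher."""
    return sorted(physical_regions(locations_json) - enabled_regions(watchers_json))


def configure_command(subscription: str, resource_group: str, regions: list[str]) -> list[str]:
    """argv for `az network watcher configure`, limited to the missing regions."""
    if not regions:
        return []
    return [
        "az", "network", "watcher", "configure",
        "--subscription", subscription,
        "--resource-group", resource_group,
        "--enabled", "true",
        "--locations", *regions,
    ]


# Constructed samples shaped like the CLI output (not captured from a real tenant).
SAMPLE_LOCATIONS = json.dumps([
    {"name": "northeurope", "metadata": {"regionType": "Physical"}},
    {"name": "westeurope", "metadata": {"regionType": "Physical"}},
    {"name": "uksouth", "metadata": {"regionType": "Physical"}},
    {"name": "europe", "metadata": {"regionType": "Logical"}},
    {"name": "global", "metadata": {"regionType": "Logical"}},
    {"name": "eastusstage", "metadata": {"regionType": "Logical"}},
])
SAMPLE_WATCHERS = json.dumps([
    {"location": "northeurope", "provisioningState": "Succeeded", "resourceGroup": "NetworkWatcherRG"},
    {"location": "westeurope", "provisioningState": "Succeeded", "resourceGroup": "NetworkWatcherRG"},
    {"location": "uksouth", "provisioningState": "Failed", "resourceGroup": "NetworkWatcherRG"},
])


def run_az(*args: str) -> str:
    """Run an az command and return its JSON output (live calls only)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def main(argv: list[str]) -> int:
    if len(argv) < 2:
        print("usage: nw_audit.py <subscription-id> [--fix] [--resource-group NAME]")
        return 2
    sub = argv[1]
    rg = argv[argv.index("--resource-group") + 1] if "--resource-group" in argv else "NetworkWatcherRG"
    locations = run_az("account", "list-locations", "--subscription", sub)
    watchers = run_az("network", "watcher", "list", "--subscription", sub)
    missing = missing_regions(locations, watchers)
    if not missing:
        print(f"{sub}: Network Watcher enabled in every physical region")
        return 0
    print(f"{sub}: Network Watcher missing in {', '.join(missing)}")
    if "--fix" in argv:  # remediate only the gaps, never the logical locations
        subprocess.run(configure_command(sub, rg, missing), check=True)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per subscription (`python nw_audit.py <subscription-id>` to audit, add `--fix` to remediate); the exit code is 1 while any region is uncovered, which makes the script usable as a scheduled compliance check. Regions that the subscription cannot use are still reported as missing by the audit, since the CLI lists them as physical; drop them from the --locations value if the configure call rejects them.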

Publication date Apr 6, 2020