
Azure Tip: Use Azure Network Watcher to view or download the network topology of a VNet


Most of you will at some point need a visual overview of the network topology of one or more virtual networks (VNets) in your own, your company's, or even a customer's Azure environment. Luckily, you can use the topology capability of Network Watcher for this.

As some of you will know, Azure Network Watcher provides tools that allow you to monitor, diagnose, view metrics for, and gain insight into the performance of network resources in a VNet.

You can use tools like Connection troubleshoot, which enables you to, for example, test a connection between an Azure virtual machine (VM) and another Azure VM. Or you can use NSG flow logs, which allow you to log information about IP traffic flowing through an Azure network security group (NSG).

But in this Azure tip blog post, I will show you how easy it is to get a view of a VNet’s network topology by using Network Watcher Topology* in the Azure Portal and with the use of an Azure PowerShell script.


If you want to read some more about Azure Network Watcher, you can do so via the following Microsoft Docs link: Azure Network Watcher documentation


* You should also keep in mind that Network Watcher Topology supports a limited set of Azure networking resources, which include all of the following: VNet, Subnet, Network Interface, NSG, Load Balancer, Load Balancer Health probe, Public IP, Virtual Network Peering, Virtual network gateway, VPN Gateway Connection, Virtual Machine, and Virtual Machine Scale Set.


Prerequisites

  • An Azure subscription.
  • An Azure Administrator account with the necessary RBAC roles.
  • An existing VNet.
  • A network watcher enabled in the same region as the VNet you want to generate a topology for.


View a network topology with Network Watcher using the Azure Portal

Log on to the Azure Portal and type “network watcher” in the Global search bar. Then click on Network Watcher.


In the Network Watcher screen (blade), select Topology under the Monitoring section.


Select a Subscription, the Resource Group of the VNet you want to view the topology for (all resource groups under the chosen subscription that have a VNet are automatically shown in a drop-down list), and then select the VNet itself. When all are selected, the topology of the selected VNet is shown. You can now use this generated topology to analyze, troubleshoot issues, or even identify misconfigurations in this VNet.


Next to this, if you also want to download the topology in SVG file format, you just need to click on Download topology.


When the topology.svg file is downloaded, just click on it to see the VNet’s network topology (you can view an .svg file with Edge or any other modern web browser). Afterwards, you can also add this image to any documentation you want, for example an Azure environment assessment or a Low-Level Design (LLD).



View a network topology in JSON format with Network Watcher using an Azure PowerShell script

You can use the below Azure PowerShell script to get the network topology of a VNet in a JSON output. This output will give you a network level view of all networking resources and their relationships from a specific resource group.
Just keep in mind that if resources from multiple regions reside in the resource group, only the resources in the same region as the Network Watcher will be included in the JSON output.

To use the script, copy and save it as Get-Network-Topology-of-a-VNet-in-JSON-format.ps1 or download it from GitHub. Then run the script with Administrator privileges from Windows Terminal, Visual Studio Code, or Windows PowerShell. Or you can simply run it from Cloud Shell.

Keep in mind that if you are not running the script from Cloud Shell, for example when you are using Windows Terminal, you first need to sign in with the Connect-AzAccount cmdlet to connect with an authenticated account. In addition, if you are using multiple Azure subscriptions, select the proper subscription with the Set-AzContext cmdlet before running the script.


## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Connect to Azure with an authenticated account

Connect-AzAccount

## Select an Azure Subscription

Set-AzContext -Subscription "<SubscriptionName>" # if not using the default subscription

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Then run the script to get the network topology of a specific VNet in a JSON output.


<#
.SYNOPSIS

An Azure PowerShell script used to get the network topology of a VNet in a JSON output.

.DESCRIPTION

An Azure PowerShell script used to get the network topology of a VNet in a JSON output.
This output will give you a network level view of all networking resources and their relationships from a specific resource group.
If resources from multiple regions reside in the resource group, only the resources in the same region as the Network Watcher will be included in the JSON output.

.NOTES

Filename:       Get-Network-Topology-of-a-VNet-in-JSON-format.ps1
Created:        07/08/2022
Last modified:  07/08/2022
Author:         Wim Matthyssen
Version:        1.0
PowerShell:     Azure PowerShell and Cloud Shell
Requires:       PowerShell Az (v8.1.0) and Az.Network (v4.18.0)
Action:         Change variables where needed to fit your needs.
Disclaimer:     This script is provided "As Is" with no warranties.

.EXAMPLE

Connect-AzAccount
Get-AzTenant (if not using the default tenant)
Set-AzContext -tenantID "<xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx>" (if not using the default tenant)
Set-AzContext -Subscription "<SubscriptionName>" (if not using the default subscription)
.\Get-Network-Topology-of-a-VNet-in-JSON-format.ps1 <"your network watcher name here"> <"your networking resource group here">

-> .\Get-Network-Topology-of-a-VNet-in-JSON-format.ps1 nw-hub-myh-we-01 rg-hub-myh-networking-01

.LINK

https://wmatthyssen.com/2022/08/09/azure-tip-use-azure-network-watcher-to-view-or-download-the-network-topology-of-a-vnet/
#>

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Parameters

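param(
    [parameter(Mandatory =$true)][ValidateNotNullOrEmpty()] [string] $networkWatcherName,
    [parameter(Mandatory =$true)][ValidateNotNullOrEmpty()] [string] $rgNameVNet,
    # Resource group of the Network Watcher; defaults to the VNet resource group, pass it explicitly if the Network Watcher lives elsewhere
    [parameter(Mandatory =$false)] [string] $networkWatcherResourceGroup = $rgNameVNet
)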

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Variables

$global:currenttime= Set-PSBreakpoint -Variable currenttime -Mode Read -Action {$global:currenttime= Get-Date -UFormat "%A %m/%d/%Y %R"}
$foregroundColor1 = "Red"
$foregroundColor2 = "Yellow"
$writeEmptyLine = "`n"
$writeSeperatorSpaces = " - "

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Retrieve a VNet network level view

# Get the properties of the Network Watcher
$networkWatcher = Get-AzNetworkWatcher -Name $networkWatcherName -ResourceGroupName $networkWatcherResourceGroup

#Get network topology
Get-AzNetworkWatcherTopology -NetworkWatcher $networkWatcher -TargetResourceGroupName $rgNameVNet

Write-Host ($writeEmptyLine + "# VNet network level view created " + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Write script completed

Write-Host ($writeEmptyLine + "# Script completed" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine 

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




If you want to export the JSON output to a JSON file, run the script with the Out-File cmdlet at the end, as shown in the example below.


## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

.\Get-Network-Topology-of-a-VNet-in-JSON-format.ps1 "<your network watcher name here>" "<your target VNet resource group here>" | Out-File -FilePath "<folder location \ filename.json>"

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
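The topology can also be checked programmatically for the kind of misconfiguration mentioned earlier. The following is an added example, not part of the original script: it lists subnets that have no NSG association. The helper name Get-SubnetWithoutNsg and all sample resources are constructed; it assumes each topology resource exposes name, id, location and an associations list with resourceId, and that a subnet-to-NSG link may be recorded on either the subnet or the NSG entry.

```powershell
# Added example; Get-SubnetWithoutNsg is a hypothetical helper name.
function Get-SubnetWithoutNsg {
    param([Parameter(Mandatory = $true)] [object[]] $Resources)

    $nsgPattern    = '/networkSecurityGroups/'
    $subnetPattern = '/virtualNetworks/[^/]+/subnets/[^/]+$'

    # Subnet IDs referenced from an NSG entry (link recorded on the NSG side)
    $coveredByNsg = foreach ($r in $Resources) {
        if ($r.id -match $nsgPattern) { $r.associations.resourceId }
    }

    foreach ($r in $Resources) {
        if ($r.id -notmatch $subnetPattern) { continue }
        # Link recorded on the subnet side
        $nsgLinks = @($r.associations | Where-Object { $_.resourceId -match $nsgPattern })
        if ($nsgLinks.Count -eq 0 -and $coveredByNsg -notcontains $r.id) {
            [pscustomobject]@{ Subnet = $r.name; Location = $r.location; Id = $r.id }
        }
    }
}

# Constructed sample data shaped like the topology resource list.
# snet-app links to an NSG, nsg-web links to snet-web, snet-db has no NSG on either side.
$p = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network"
$v = "$p/virtualNetworks/vnet-demo/subnets"
$sample = @"
[
  { "name": "snet-app", "id": "$v/snet-app", "location": "westeurope", "associations": [
      { "name": "nsg-app", "resourceId": "$p/networkSecurityGroups/nsg-app", "associationType": "Associated" } ] },
  { "name": "snet-web", "id": "$v/snet-web", "location": "westeurope", "associations": [] },
  { "name": "snet-db",  "id": "$v/snet-db",  "location": "westeurope", "associations": [] },
  { "name": "nsg-app",  "id": "$p/networkSecurityGroups/nsg-app", "location": "westeurope", "associations": [] },
  { "name": "nsg-web",  "id": "$p/networkSecurityGroups/nsg-web", "location": "westeurope", "associations": [
      { "name": "snet-web", "resourceId": "$v/snet-web", "associationType": "Associated" } ] }
]
"@ | ConvertFrom-Json

Get-SubnetWithoutNsg -Resources $sample | Format-Table -AutoSize
```

Against a live environment, pass the resource list of the object returned by Get-AzNetworkWatcherTopology instead of the constructed sample.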




I hope this tip and Azure PowerShell script can help you whenever you need to get a network topology of a VNet in an Azure environment.

If you have any questions or recommendations about it, feel free to contact me through my Twitter handle (@wmatthyssen) or to just leave a comment.

