Verify that Network Watcher is 'Enabled' for all locations in the Azure subscription

Framework Reference: A.8.20 Integration: Azure – Network Watcher

Why this matters
Azure Network Watcher provides diagnostic and logging capabilities that are essential for investigating network issues and monitoring traffic. Without Network Watcher enabled in regions where resources are deployed, security teams may lose visibility into key network activities and face blind spots in their forensic investigations or compliance audits.


What this check does
This Auto Check verifies that Network Watcher is provisioned and successfully enabled (provisioningState = Succeeded) in every Azure region where resources are deployed.

Check Logic:
Passes if:

  • Network Watcher exists in every in-use Azure region
  • Each Network Watcher has provisioningState = Succeeded

Fails if:

  • Any in-use Azure region lacks a Network Watcher
    OR
  • Any Network Watcher has a provisioningState ≠ Succeeded

How to fix it

Azure Portal:

  1. Use the top search bar to find Network Watcher
  2. In the Overview tab, verify that each region in use has a Network Watcher listed
  3. If missing, click Create
  4. Select the required Region from the dropdown
  5. Click Add

Azure CLI:

az network watcher configure \
  --locations <region-name> \
  --enabled true \
  --resource-group <resource-group-name>

PowerShell:

Get-AzNetworkWatcher

Ensure that each region in use has a watcher with ProvisioningState = Succeeded. If missing, use:

New-AzNetworkWatcher `
  -Name <watcher-name> `
  -Location <region-name> `
  -ResourceGroupName <resource-group-name>
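The following Python script is an added example (not part of this article and not the Auto Check's own code) that implements the pass/fail logic described under "Check Logic" and, for each failing region, emits the Azure CLI remediation command from the section above as a dry-run string. It assumes "in-use regions" are derived from the location of every non-watcher, non-global resource in the subscription; the two embedded JSON samples are constructed, trimmed stand-ins for the output of `az resource list -o json` and `az network watcher list -o json`, not real subscription data.

```python
import json

# Constructed sample: trimmed `az resource list -o json` output (only the fields
# this check needs). Not real subscription data.
RESOURCES_JSON = """
[
  {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
  {"name": "vnet-hub",  "type": "Microsoft.Network/virtualNetworks", "location": "eastus"},
  {"name": "vm-db-01",  "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
  {"name": "st-logs",   "type": "Microsoft.Storage/storageAccounts", "location": "northeurope"},
  {"name": "NetworkWatcher_eastus", "type": "Microsoft.Network/networkWatchers", "location": "eastus"}
]
"""

# Constructed sample: trimmed `az network watcher list -o json` output.
# westeurope has a watcher, but its provisioning did not succeed.
WATCHERS_JSON = """
[
  {"name": "NetworkWatcher_eastus", "location": "eastus",
   "provisioningState": "Succeeded", "resourceGroup": "NetworkWatcherRG"},
  {"name": "NetworkWatcher_westeurope", "location": "westeurope",
   "provisioningState": "Failed", "resourceGroup": "NetworkWatcherRG"}
]
"""

SAMPLE_RESOURCES = json.loads(RESOURCES_JSON)
SAMPLE_WATCHERS = json.loads(WATCHERS_JSON)

WATCHER_TYPE = "microsoft.network/networkwatchers"


def in_use_regions(resources):
    """Regions holding at least one deployed resource. The watchers themselves and
    'global' resources do not count as a region in use (assumption of this example)."""
    regions = set()
    for r in resources:
        if r.get("type", "").lower() == WATCHER_TYPE:
            continue
        loc = r.get("location", "").lower()
        if loc and loc != "global":
            regions.add(loc)
    return regions


def evaluate(resources, watchers):
    """Apply the check: every in-use region needs a watcher with provisioningState
    'Succeeded'. Returns (passed, findings); findings is a list of (region, reason)."""
    by_region = {}
    for w in watchers:
        by_region.setdefault(w["location"].lower(), []).append(w)

    findings = []
    for region in sorted(in_use_regions(resources)):
        watchers_here = by_region.get(region, [])
        if not watchers_here:
            findings.append((region, "no Network Watcher"))
        elif not any(w.get("provisioningState") == "Succeeded" for w in watchers_here):
            states = ", ".join(w.get("provisioningState", "unknown") for w in watchers_here)
            findings.append((region, f"provisioningState != Succeeded ({states})"))
    return (not findings, findings)


def remediation_commands(findings, resource_group="NetworkWatcherRG"):
    """Dry run: return the Azure CLI command from the article for each failing region.
    Nothing is executed; the resource group name is a placeholder."""
    return [
        f"az network watcher configure --locations {region} --enabled true "
        f"--resource-group {resource_group}"
        for region, _ in findings
    ]


if __name__ == "__main__":
    passed, findings = evaluate(SAMPLE_RESOURCES, SAMPLE_WATCHERS)
    print("PASS" if passed else "FAIL")
    for region, reason in findings:
        print(f"  {region}: {reason}")
    for cmd in remediation_commands(findings):
        print("  " + cmd)
```

Run against live data by replacing the two embedded samples with the real CLI output; a region with several watchers passes as long as one of them reports Succeeded, and the script only prints the `az network watcher configure` command for each gap so an operator can review it before running it.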


Exceptions
None. Network Watcher must be active in all regions where resources are deployed.

