Skip to main content
  1. Home
  2. >
  3. Azure
  4. >
  5. AZ-305
  6. >
  7. This article

Azure AZ-305 Drill: Hybrid Network Diagnostics - IP Flow Verification for ExpressRoute Environments

·1177 words·6 mins·
Architecture Drills Microsoft Azure AZ-305 Azure CAF Governance Network Watcher ExpressRoute Hybrid Networking Azure Arc
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.
Table of Contents

While preparing for the AZ-305 (Designing Microsoft Azure Infrastructure Solutions), many candidates struggle with hybrid network troubleshooting tooling. In the enterprise world, this decision often hinges on diagnostic precision vs. operational overhead. Let’s drill into a simulated hybrid connectivity scenario.

The Scenario
#

Fabrikam Manufacturing operates a global hybrid cloud infrastructure with critical workloads distributed across their Minneapolis datacenter and three Azure regions (East US, West Europe, Southeast Asia). The company established an Azure ExpressRoute circuit (1 Gbps, Private Peering) six months ago to support their SAP migration and real-time IoT telemetry ingestion from factory floor equipment.

Recently, the Network Operations Center (NOC) received alerts that several Azure Virtual Machines in the East US spoke VNet are experiencing intermittent connectivity issues. On-premises applications cannot consistently reach these VMs, and packet loss patterns suggest Network Security Group (NSG) or User Defined Route (UDR) misconfiguration during last week’s security hardening initiative.

The Cloud Architect needs to quickly determine whether traffic is being allowed or denied at the NSG/NIC level for specific 5-tuple flows (source IP, destination IP, protocol, source port, destination port) without deploying agents or modifying existing configurations.

Key Requirements
#

Analyze network traffic patterns to definitively identify whether packets from on-premises systems are being allowed or denied when reaching Azure VMs, with results available within minutes and no infrastructure changes required.

The Options
#

  • A) Yes – Using Azure Network Watcher’s IP Flow Verify feature meets the goal
  • B) No – This approach does not meet the goal

Correct Answer
#

Option A.

The Architect’s Analysis
#

Correct Answer
#

Option A – Yes, Azure Network Watcher IP Flow Verify meets the goal.

Step-by-Step Winning Logic
#

Azure Network Watcher’s IP Flow Verify is purpose-built for this exact scenario. Here’s why it’s the optimal choice through the Well-Architected Framework lens:

1. Operational Excellence

  • Zero infrastructure changes: No agents, no redeployment, no configuration modifications required
  • Immediate results: Query returns within seconds showing Allow/Deny decision
  • Change control compliant: Read-only operation suitable for production environments

2. Security

  • Tests the entire security rule chain: Evaluates NSG rules (subnet-level + NIC-level), Azure Firewall policies, and effective routes
  • Provides rule precedence visibility: Shows which specific NSG rule caused the allow/deny decision
  • Non-invasive auditing: Complies with least-privilege principles (requires Network Contributor or Network Watcher Contributor role)

3. Reliability

  • Supports hybrid scenarios: Works seamlessly with ExpressRoute, VPN Gateway, and Azure Arc-connected machines
  • Direction-aware testing: Can verify both inbound (on-premises → Azure) and outbound (Azure → on-premises) flows
  • Protocol coverage: Supports TCP, UDP, ICMP for comprehensive testing

Technical Implementation:

# Test connectivity from on-premises source to Azure VM
Test-AzNetworkWatcherIPFlow `
  -NetworkWatcher $nw `
  -TargetVirtualMachineId "/subscriptions/.../vm-eastus-app01" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalIPAddress "10.0.2.4" `
  -LocalPort 443 `
  -RemoteIPAddress "192.168.1.50" `
  -RemotePort 52341

Sample Output:

Access: Deny
RuleName: DenyInboundFromCorpNetwork

The Trap (Distractor Analysis)
#

Why “No” (Option B) is incorrect:

Candidates might incorrectly choose “No” if they confuse IP Flow Verify with other Network Watcher tools:

  • Network Performance Monitor (NPM) – Requires Log Analytics agents on both endpoints (violates the “no infrastructure changes” requirement)
  • Connection Monitor – Requires deploying monitoring agents and creating test configurations
  • NSG Flow Logs – Provides historical traffic analysis but requires Storage Account configuration and 10-15 minute latency before logs appear
  • Packet Capture – Requires installing the Network Watcher VM extension and generates large PCAP files

None of these alternatives provide immediate, agent-less, point-in-time analysis of NSG rule evaluation.

Common misconception: “IP Flow Verify only works for intra-Azure traffic”

  • Reality: It fully supports hybrid scenarios where the source IP is from an ExpressRoute-connected on-premises network

The Architect Blueprint
#

graph TB subgraph "On-Premises Datacenter" OnPremApp[SAP Application<br/>192.168.1.50] end subgraph "Azure ExpressRoute Circuit" ER[ExpressRoute<br/>Private Peering<br/>1 Gbps] end subgraph "Azure East US VNet" GW[Virtual Network Gateway<br/>ExpressRoute] NSG_Subnet[Subnet NSG<br/>Priority 100-4096] NSG_NIC[NIC NSG<br/>Priority 100-4096] VM[Azure VM<br/>10.0.2.4] end subgraph "Network Watcher" IPFV[IP Flow Verify] Result[Result: Deny<br/>Rule: DenyInboundFromCorpNetwork<br/>Priority: 150] end OnPremApp -->|TCP 443| ER ER --> GW GW --> NSG_Subnet NSG_Subnet --> NSG_NIC NSG_NIC --> VM IPFV -.->|Simulates packet flow| VM IPFV --> Result style ER fill:#0078D4,stroke:#333,color:#fff style IPFV fill:#5C2D91,stroke:#333,color:#fff style Result fill:#D83B01,stroke:#333,color:#fff style VM fill:#50E6FF,stroke:#333,color:#000

Diagram Note: IP Flow Verify simulates the packet’s journey through the NSG rule chain without actually sending traffic, returning the exact rule that caused the Allow/Deny decision.

The Decision Matrix
#

Option Est. Complexity Est. Monthly Cost Pros Cons
IP Flow Verify Low
Single PowerShell/CLI command		 ~$1-2/month
(Network Watcher base cost, pay-per-check: $0.0004/check)		 • Zero infrastructure changes
• Immediate results (< 5 sec)
• Shows exact NSG rule
• Hybrid-aware
• CAF-compliant (no change control needed)		 • Point-in-time only (not continuous monitoring)
• Requires Network Watcher enabled per region
• Limited to NSG/UDR analysis (doesn’t show application-layer issues)
NSG Flow Logs Medium
Requires Storage Account + Log Analytics workspace setup		 ~$50-200/month
(Storage: ~$20, Log Analytics ingestion: ~$2.30/GB, Traffic Analytics: ~$30)		 • Historical analysis
• Traffic pattern visualization
• Compliance audit trail		 • 10-15 min latency
• Requires configuration changes
• High data volume
• Does NOT show rule-level deny reasons in real-time
Connection Monitor High
Requires VM extension deployment + test configuration		 ~$10-40/month
(Per monitored endpoint: ~$2.40, Network Watcher storage: ~$5)		 • Continuous monitoring
• Latency metrics
• Alerting capability		 • Requires agent installation
• Not suitable for immediate troubleshooting
• Violates “no changes” requirement
Packet Capture High
Requires VM extension + PCAP analysis tools		 ~$5-15/month
(Storage for PCAP files: ~$5, capture session time charges)		 • Deep packet inspection
• Application-layer troubleshooting		 • Requires VM extension
• Large storage requirements
• Manual PCAP analysis needed
• Not scalable for hybrid diagnostics

Cost Estimation Context:

  • Network Watcher base deployment: $1/region/month
  • IP Flow Verify checks: $0.0004 per check (100 troubleshooting checks = $0.04)
  • NSG Flow Logs for 50 VMs generating 100 GB/month: ~$250/month (storage + analytics)

Real-World Practitioner Insight
#

Exam Rule
#

“For the exam, always choose Azure Network Watcher IP Flow Verify when the question asks for immediate packet-level allow/deny analysis with no infrastructure changes, especially in hybrid ExpressRoute/VPN scenarios.”

Key exam trigger words:

  • “Determine whether packets are allowed or denied”
  • “No changes to existing infrastructure”
  • “Immediate analysis required”
  • “ExpressRoute/hybrid environment”

Real World
#

“In reality, we implement a three-tier troubleshooting strategy at enterprise scale:

  1. Tier 1 (Immediate): IP Flow Verify for L3/L4 connectivity issues during incidents (< 5 minutes to resolution)
  2. Tier 2 (Continuous): NSG Flow Logs + Traffic Analytics for baseline traffic patterns and security analytics (SOC team)
  3. Tier 3 (Deep Dive): Packet Capture reserved for application-layer issues that survive NSG validation

Real deployment gotcha: While IP Flow Verify is perfect for NSG troubleshooting, it won’t detect Azure Firewall policy blocks unless the firewall is in the direct path of the tested flow. For hub-and-spoke topologies with centralized Azure Firewall, you need to test the flow from the source VM to the firewall’s private IP first, then from the firewall to the destination.

CAF Governance Integration: We codify this in our Landing Zone Network Policy:

{
  "networkWatcherAutoDeployment": "enabled",
  "requiredRBACRoles": ["Network Watcher Contributor"],
  "diagnosticToolingPreference": {
    "immediateIncidents": "IP Flow Verify",
    "continuousMonitoring": "Connection Monitor",
    "complianceAudits": "NSG Flow Logs"
  }
}

Azure Arc Integration: For hybrid machines managed by Azure Arc, IP Flow Verify can test flows to Arc-connected servers if they have the Network Watcher VM extension deployed—this creates a unified troubleshooting experience across cloud and on-premises.”

Related Articles

Weekly Azure AZ-305 Drills: Architect Solutions

Design identity, governance, and monitoring solutions. Master Azure infrastructure and data storage.